CVE-2005-3252
published 2005-10-18


Priority: P2 (65), high
CVSS 2.0: 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 83.50% (99.6th percentile)
Stack-based buffer overflow in the Back Orifice (BO) preprocessor for Snort before 2.4.3 allows remote attackers to execute arbitrary code via a crafted UDP packet.

Affected (3 ranges)

Vendor     | Product | Version range | Fixed in
sourcefire | snort   |               |
sourcefire | snort   |               |
sourcefire | snort   |               |

Detection & IOCs (extracted from sources)

port: UDP/9080
port: UDP/9000
bytes: 2a 21 2a 51 57 54 59 3f
bytes: *!*QWTY?
bytes: \xed\xac\xef\x0d
bytes: \x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8\x8e\x30\x01\x83\xeb\xfc\xe2\xf4
bytes: \x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\x7a\x69\x66\x53
bytes: \x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80
  • Exploit packets are XOR-encrypted using the BO key-stream (seed 0, PRNG: holdrand = holdrand * 214013 + 2531011). Detection should look for UDP packets starting with the encrypted form of '*!*QWTY?' with payload length exceeding 1024 bytes sent to Snort's listening port.
  • The BO PING packet type byte is 0x01 (TYPE_PING). Exploit packets carry type=0x01 immediately after the 8-byte magic and 8-byte length+ID fields.
  • Exploit UDP packets are typically ~1400 bytes (PACKETSIZE 1400) or ~1069-1096 bytes depending on the exploit variant. Oversized UDP datagrams to Snort's BO preprocessor port matching the BO magic header are a strong indicator.
  • The default exploit target port used by multiple public exploits is UDP/9080; a secondary variant uses UDP/9000. Monitor for large UDP packets to these ports containing the BO magic string.
  • Snort versions 2.4.0 through 2.4.2 are confirmed vulnerable; 2.4.3 is the patched version. Identify unpatched Snort instances in the environment.
  • The exploit XOR-encrypts the entire BO packet (including the magic header) using a deterministic PRNG seeded at 0 with an empty password (key=31337). A simple plaintext string match for '*!*QWTY?' in UDP payload will NOT detect the exploit traffic; detection must account for the encrypted form or trigger on packet size/structure anomalies.
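The detection notes above (keystream PRNG, encrypted magic, size threshold, exploit ports) can be turned into a small standalone detector. The following is an added example written for this page; it is not code from the page, from Snort, or from any of the public exploits, and it uses none of the byte strings listed above. It reimplements the BO keystream from the recurrence given in the notes (holdrand = holdrand * 214013 + 2531011, low byte of (holdrand >> 16) & 0x7fff used as the XOR byte), recovers the seed by brute force, decrypts the header and flags BO datagrams whose payload exceeds 1024 bytes. Because the notes give the seed both as 0 and as the default key 31337, the detector does not assume a single seed: it tries every 16-bit seed (the 16-bit range is an assumption made here). The 4-byte-length / 4-byte-id split of the 8-byte "length+ID" field and little-endian byte order are also assumptions, as are all function names (`bo_keystream`, `recover_bo_header`, `classify_datagram`); the sample packets are constructed by the example itself.

```python
"""Detector for oversized Back Orifice (BO) datagrams of the kind described for
CVE-2005-3252. Added example for this page; not code from the page, Snort, or
any exploit. It brute-forces the BO keystream seed, decrypts the header and
flags BO packets whose payload exceeds the 1024-byte threshold."""

from dataclasses import dataclass
from typing import Iterator, Optional

BO_MAGIC = b"*!*QWTY?"           # plaintext BO magic (from the page)
BO_DEFAULT_KEY = 31337           # key used with an empty BO password (from the page)
BO_TYPE_PING = 0x01              # TYPE_PING (from the page)
BO_HEADER_LEN = 8 + 4 + 4 + 1    # magic + length + id + type; the 4+4 split and
                                 # little-endian byte order are assumptions here
OVERSIZE_THRESHOLD = 1024        # payload length threshold given on the page
SUSPECT_PORTS = {9080, 9000}     # UDP ports named on the page
MASK32 = 0xFFFFFFFF


def bo_keystream(seed: int) -> Iterator[int]:
    """Yield the XOR keystream of the BO PRNG: holdrand = holdrand*214013 + 2531011,
    output (holdrand >> 16) & 0x7fff, of which only the low byte is used."""
    holdrand = seed & MASK32
    while True:
        holdrand = (holdrand * 214013 + 2531011) & MASK32
        yield (holdrand >> 16) & 0xFF       # equals ((x >> 16) & 0x7fff) % 256


def bo_xor(data: bytes, seed: int) -> bytes:
    """XOR data with the keystream for seed; encryption and decryption are the same."""
    ks = bo_keystream(seed)
    return bytes(b ^ next(ks) for b in data)


def build_bo_packet(seed: int, body: bytes, pkt_id: int = 1,
                    ptype: int = BO_TYPE_PING) -> bytes:
    """Constructed sample datagram: magic, length, id, type, body, all XOR-encrypted."""
    total = BO_HEADER_LEN + len(body)
    plain = (BO_MAGIC + total.to_bytes(4, "little") + pkt_id.to_bytes(4, "little")
             + bytes([ptype]) + body)
    return bo_xor(plain, seed)


@dataclass
class BoHeader:
    seed: int
    declared_len: int
    pkt_id: int
    ptype: int


def recover_bo_header(payload: bytes, seeds=range(65536)) -> Optional[BoHeader]:
    """Try every candidate seed (16-bit range is an assumption made here); a payload
    whose first 8 bytes decrypt to the magic is treated as a BO packet."""
    if len(payload) < BO_HEADER_LEN:
        return None
    for seed in seeds:
        ks = bo_keystream(seed)
        # all() stops at the first mismatch, so most seeds cost a single PRNG step
        if all((b ^ next(ks)) == m for b, m in zip(payload[:8], BO_MAGIC)):
            hdr = bytes(b ^ next(ks) for b in payload[8:BO_HEADER_LEN])
            return BoHeader(seed,
                            int.from_bytes(hdr[0:4], "little"),
                            int.from_bytes(hdr[4:8], "little"),
                            hdr[8])
    return None


@dataclass
class Verdict:
    bo_packet: bool
    oversized: bool
    suspect_port: bool
    seed: Optional[int] = None
    ptype: Optional[int] = None


def classify_datagram(payload: bytes, dst_port: int) -> Verdict:
    """Verdict for one UDP datagram: BO magic recovered under some seed, payload
    longer than the threshold, and whether it targets a port named on the page."""
    hdr = recover_bo_header(payload)
    if hdr is None:
        return Verdict(False, False, dst_port in SUSPECT_PORTS)
    return Verdict(True, len(payload) > OVERSIZE_THRESHOLD,
                   dst_port in SUSPECT_PORTS, hdr.seed, hdr.ptype)


if __name__ == "__main__":
    # Constructed samples under the default key: a normal PING and an oversized one.
    normal = build_bo_packet(BO_DEFAULT_KEY, b"ping")
    oversized = build_bo_packet(BO_DEFAULT_KEY, b"\x00" * 1100)
    for name, pkt, port in (("normal", normal, 31337), ("oversized", oversized, 9080),
                            ("filler", b"A" * 1400, 9080)):
        print(name, len(pkt), classify_datagram(pkt, port))
    # A plaintext string match never sees the magic in the encrypted datagram:
    print("plaintext magic present:", BO_MAGIC in oversized[:8])
```

The brute force over 65536 seeds costs one PRNG step for almost every seed, so a datagram is classified in well under a second in CPython; a production sensor would precompute the first encrypted bytes per seed once and index them instead. The `Verdict` fields map directly onto the notes above: `bo_packet` is the encrypted-magic match, `oversized` is the >1024-byte condition, and `suspect_port` is the UDP/9080 or UDP/9000 hint.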