CVE-2006-3252
published 2006-06-27


Priority: P261, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 61.63% (99.1th percentile)
Buffer overflow in the Online Registration Facility for Algorithmic Research PrivateWire VPN software up to 3.7 allows remote attackers to execute arbitrary code via a long GET request.

Affected

1 range

Vendor | Product | Version range | Fixed in
algorithmic_research | privatewire_gateway | |

Detection & IOCs (extracted from sources)

  • Detect oversized HTTP GET requests targeting the PrivateWire Online Registration Facility; the exploit sends a GET request with an ~8192-byte URI path.
  • Look for the jmp-ecx stub bytes (6A 19 58 01 C1 FF E1) embedded within an HTTP GET URI, used as the post-overflow trampoline.
  • The exploit targets ADMCREG.EXE on TCP port 80; monitor for abnormally large GET requests (>8000 bytes) to this process.
  • Known bad characters filtered by the exploit payload encoder are: \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b — their absence in a long URI may indicate encoded shellcode.
  • Return addresses used across Windows 2000/2003 targets all point to jmp esp gadgets in USER32.DLL; correlate crash/exploit attempts with EIP values 0x77e3c289, 0x77e3cb4c, 0x77e3af64, 0x77e388a7, 0x77e3c256, 0x77d74c94.
  • The exploit offsets are calculated relative to the PrivateWire installation path length (default C:\Cipgw); a non-default installation path shifts the RET overwrite offset and may cause the exploit to fail or behave differently.
  • The default target is Windows 2000 English SP4 (index 4); other SP/OS targets require explicit selection and use different jmp-esp gadget addresses.
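
The URI-based checks from the list above, applied to raw request bytes as an added example (not part of the original page or of any vendor tooling). Function names and sample requests are constructed for illustration, and skipping the leading "/" before the bad-character check is an assumption.

```python
# Indicator values below are taken from the detection notes on this page.
JMP_ECX_STUB = bytes.fromhex("6A195801C1FFE1")
BAD_CHARS = set(b"\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b")
LONG_URI = 8000  # bytes


def extract_get_uri(raw):
    """Return the URI bytes of a GET request line, or None for other methods."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    if not line.startswith(b"GET "):
        return None
    uri = line[4:]
    # Drop a trailing " HTTP/x.y" token; the URI itself may hold arbitrary bytes.
    head, sep, tail = uri.rpartition(b" ")
    if sep and tail.startswith(b"HTTP/"):
        uri = head
    return uri


def inspect_request(raw):
    """Return the names of the heuristics that fire for one raw HTTP request."""
    uri = extract_get_uri(raw)
    if uri is None:
        return []
    hits = []
    if len(uri) > LONG_URI:
        hits.append("long-uri")
        # Assumption: ignore the leading "/" (0x2f is itself a filtered byte).
        # A long URI with none of the filtered bytes is a weak, supporting signal.
        if not BAD_CHARS.intersection(uri[1:]):
            hits.append("no-badchars")
    if JMP_ECX_STUB in uri:
        hits.append("jmp-ecx-stub")
    return hits


# Constructed sample requests (not captured traffic).
BENIGN = b"GET /register?user=a&x=1 HTTP/1.1\r\nHost: gw\r\n\r\n"
LONG_BENIGN = b"GET /" + b"a/b?c=d&" * 1100 + b" HTTP/1.1\r\n\r\n"
SUSPICIOUS = b"GET /" + b"A" * 8185 + JMP_ECX_STUB + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("long benign", LONG_BENIGN),
                      ("suspicious", SUSPICIOUS)]:
        print(name, inspect_request(req))
```

Treat "long-uri" alone as a triage signal; the stub-byte match is the higher-confidence indicator.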