CVE-2006-3252
Published: 2006-06-27
Priority P261 · high · 7.5 CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 61.63% (99.1th percentile)
Buffer overflow in the Online Registration Facility for Algorithmic Research PrivateWire VPN software up to 3.7 allows remote attackers to execute arbitrary code via a long GET request.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| algorithmic_research | privatewire_gateway | — | — |
Detection & IOCs (extracted from sources)
- Detect oversized HTTP GET requests targeting the PrivateWire Online Registration Facility; the exploit sends a GET request with an ~8192-byte URI path.
- Look for the jmp-ecx stub bytes (6A 19 58 01 C1 FF E1) embedded within an HTTP GET URI, used as the post-overflow trampoline.
- The exploit targets ADMCREG.EXE on TCP port 80; monitor for abnormally large GET requests (>8000 bytes) to this process.
- Known bad characters filtered by the exploit payload encoder are: \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b. Their absence in a long URI may indicate encoded shellcode.
- Return addresses used across Windows 2000/2003 targets all point to jmp esp gadgets in USER32.DLL; correlate crash/exploit attempts with EIP values 0x77e3c289, 0x77e3cb4c, 0x77e3af64, 0x77e388a7, 0x77e3c256, 0x77d74c94.
- The exploit offsets are calculated relative to the PrivateWire installation path length (default C:\Cipgw); a non-default installation path shifts the RET overwrite offset and may cause the exploit to fail or behave differently.
- The default target is Windows 2000 English SP4 (index 4); other SP/OS targets require explicit selection and use different jmp-esp gadget addresses.
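
The request-level heuristics listed above, applied to raw HTTP request bytes. This is an added example, not a rule from the page or from any indexed source; the function name, finding labels, the `LONG_URI` constant and the sample requests are assumptions constructed for illustration.

```python
"""Added example: the page's GET-request heuristics as a small classifier."""

# Values taken from the detection notes above.
JMP_ECX_STUB = bytes.fromhex("6A195801C1FFE1")
BAD_CHARS = set(b"\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b")
LONG_URI = 8000  # bytes; the notes describe an ~8192-byte URI path


def inspect_request(raw: bytes) -> list[str]:
    """Return the labels of the heuristics a raw HTTP request trips."""
    line = raw.split(b"\r\n", 1)[0]
    method, _, rest = line.partition(b" ")
    if method != b"GET":
        return []
    # The URI is everything before the trailing " HTTP/x.y" token, if present.
    uri, sep, version = rest.rpartition(b" ")
    if not sep or not version.startswith(b"HTTP/"):
        uri = rest
    findings = []
    if len(uri) > LONG_URI:
        findings.append("oversized-uri")
        # Skip the leading "/" (itself a filtered byte) before the byte check.
        body = uri[1:] if uri.startswith(b"/") else uri
        if not BAD_CHARS.intersection(body):
            findings.append("no-badchars-in-long-uri")
    if JMP_ECX_STUB in uri:
        findings.append("jmp-ecx-stub")
    return findings


# Constructed sample requests (filler bytes only).
SAMPLES = {
    "normal": b"GET /register?user=alice HTTP/1.0\r\nHost: gw\r\n\r\n",
    "long-benign": b"GET /search?q=" + b"a+b%20" * 1400 + b" HTTP/1.1\r\n\r\n",
    "long-filler": b"GET /" + b"A" * 8192 + b" HTTP/1.0\r\n\r\n",
    "stub": b"GET /" + b"A" * 4096 + JMP_ECX_STUB + b"A" * 4096
            + b" HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {inspect_request(raw)}")
```

A long URI that still contains ordinary query characters (`?`, `%`, `+`) trips only the size check, which is why the byte-set test is useful for separating long legitimate queries from encoded filler.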
No detection rules found.
Exploit-DB
Private Wire Gateway - Remote Buffer Overflow (Metasploit)
exploitdb·2010-04-30
---
```ruby
##
# $Id: privatewire_gateway.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# This file may only be distributed as part of the Metasploit Framework.
# Any other use needs a written permission from the author.
require 'msf/core'
class Metasploit3 'Private Wire Gateway Buffer Overflow',
'Description' => %q{
This exploits a buffer overflow in the ADMCREG.EXE used
in the PrivateWire Online Registration Facility.
},
'Author' => 'Michael Thumann ',
'License' => MSF_LICENSE,
'Version
```
Exploit-DB
PrivateWire Gateway 3.7 (Windows x86) - Remote Buffer Overflow (Metasploit)
exploitdb·2006-10-29
---
```perl
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
##
# From the author:
# This file may only be distributed as part of the Metasploit Framework.
# Any other use needs a written permission from the author.
##
package Msf::Exploit::privatewire_gateway_win32;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Private Wire Gateway Buffer Overflow (win32)',
'
```
Metasploit
Private Wire Gateway Buffer Overflow
metasploit
This exploits a buffer overflow in the ADMCREG.EXE used in the PrivateWire Online Registration Facility.
No writeups or analysis indexed.
- http://secunia.com/advisories/20812
- http://securityreason.com/securityalert/1152
- http://securitytracker.com/id?1016382
- http://www.securityfocus.com/archive/1/438329/100/0/threaded
- http://www.securityfocus.com/bid/18647
- http://www.vupen.com/english/advisories/2006/2549
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27430
Published: 2006-06-27