CVE-2006-5780
published 2006-11-07

Priority: P2 (69) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 61.49% (99.1th percentile)

Stack-based buffer overflow in nfsd.exe in XLink Omni-NFS Server 5.2 allows remote attackers to execute arbitrary code via a crafted TCP packet to port 2049 (nfsd), as demonstrated by vd_xlink.pm.

Affected (1 range)

Vendor: xlink_technology
Product: omni-nfs_server
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

port: 2049/tcp
process: nfsd.exe
filename: vd_xlink.pm
url: http://www.securityfocus.com/data/vulnerabilities/exploits/omni-nfs-server-5.2-stackoverflow.pm
other: Return address: 0x00401843 (Omni-NFS Server 5.2 nfsd.exe call ebx / Windows 2000 SP4)
  • The exploit packet structure begins with a 4-byte record mark (length | 0x80000000), followed by fixed NFS RPC fields: xid=1, msg_type=0, rpcvers=2, prog=100005, vers=1, proc=1. Alert on this exact sequence on port 2049/tcp.
  • Monitor for execution of nfsd.exe spawning unexpected child processes or network connections, which may indicate successful exploitation and shellcode execution.
  • The exploit payload uses a stack adjustment of -3500 bytes (0x81 0xc4 0x54 0xf2 0xff 0xff) prepended to the encoder; this byte sequence near the start of a payload on port 2049 is a strong exploit indicator.
  • The exploit targets only Windows 2000 SP4 English with a hardcoded return address; other OS versions or patch levels will require different return addresses and are not covered by these indicators.
  • Payload space is constrained to 336 bytes (Metasploit module) or 427 bytes (original vd_xlink.pm); null bytes (0x00) are bad characters and must be avoided in shellcode.
  • The EXITFUNC is set to 'process', meaning successful exploitation will terminate the nfsd.exe process after shellcode runs, which may cause a detectable service crash.
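The first and third indicators above (the fixed RPC call-header values after the record mark, and the 6-byte stack adjustment near the start of the payload) can be checked on a reassembled TCP/2049 record. The following is an added detection example written for this page, not code from the CVE sources or from any exploit module; the 512-byte scan window and the constructed sample records are assumptions.

```python
import struct

# Fixed ONC RPC call-header values from the indicator notes:
# (xid, msg_type, rpcvers, prog, vers, proc), big-endian after the 4-byte record mark.
IOC_RPC_HEADER = (1, 0, 2, 100005, 1, 1)
# 6-byte stack adjustment the notes report at the start of the payload.
IOC_STACK_ADJUST = bytes.fromhex("81c454f2ffff")
# Assumption: how far past the RPC header "near the start of a payload" reaches.
PAYLOAD_SCAN_WINDOW = 512


def parse_rpc_call(data):
    """Return (last_fragment, fragment_length, header_tuple), or None if too short."""
    if len(data) < 28:
        return None
    (mark,) = struct.unpack("!I", data[:4])
    last_fragment = bool(mark & 0x80000000)     # record mark high bit
    fragment_length = mark & 0x7FFFFFFF         # remaining 31 bits are the length
    header = struct.unpack("!6I", data[4:28])   # xid, msg_type, rpcvers, prog, vers, proc
    return last_fragment, fragment_length, header


def match_indicators(data):
    """Names of the page's indicators found in one record sent to port 2049/tcp."""
    parsed = parse_rpc_call(data)
    if parsed is None:
        return []
    last_fragment, _length, header = parsed
    hits = []
    if last_fragment and header == IOC_RPC_HEADER:
        hits.append("fixed-rpc-header")
    if IOC_STACK_ADJUST in data[28:28 + PAYLOAD_SCAN_WINDOW]:
        hits.append("stack-adjust-prefix")
    return hits


def _record(header, body):
    """Constructed test fixture only: record mark | 0x80000000, header, body."""
    payload = struct.pack("!6I", *header) + body
    return struct.pack("!I", 0x80000000 | len(payload)) + payload


# Constructed samples: the suspect record carries the fixed header and the
# stack-adjust bytes (no exploit content); the benign one is an ordinary call.
SUSPECT = _record(IOC_RPC_HEADER, b"\x00" * 16 + IOC_STACK_ADJUST + b"A" * 32)
BENIGN = _record((0x1A2B3C4D, 0, 2, 100005, 1, 1), b"\x00" * 16 + b"/export")
```

Feed `match_indicators` each reassembled record on 2049/tcp and raise an alert when both names appear; a header match alone will also fire on any client that happens to use xid 1 for its first MOUNT call, so treat that single hit as lower confidence.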