cbcvebase.
CVE-2007-1674
published 2007-04-18

Priority: P269 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 72.86% (99.4th percentile)
Stack-based buffer overflow in the Alert Service (aolnsrvr.exe) in LANDesk Management Suite 8.7 allows remote attackers to execute arbitrary code via a crafted packet to port 65535/UDP.

Affected

1 range
Vendor | Product | Version range | Fixed in
landesk | landesk_management_suite | |

Detection & IOCs (extracted from sources)

process: aolnsrvr.exe
other: ret=0x00423554
other: NtSetInformationProcess pointer 0x0044ec84 (pointer to 0x2 to disable NX)
  • Monitor for large UDP packets (>280 bytes) sent to port 65535/UDP targeting aolnsrvr.exe; the exploit sends an overly long alphanumeric string of at least 1024 bytes over UDP to trigger the stack buffer overflow.
  • In the non-NX exploit path, the return address overwrite occurs at offset 280 bytes into the payload, followed immediately by the return address and shellcode — look for UDP payloads to port 65535 with a 280-byte alphanumeric prefix followed by a 4-byte little-endian address.
  • For NX-bypass variants, the exploit constructs a 1024-byte alphanumeric buffer with ROP gadgets embedded at specific offsets (280, 296, 300, 304, 308, 312, 324, 332, 652, 684) — anomalous structured UDP payloads of exactly 1024 bytes to port 65535 should be investigated.
  • Successful exploitation runs shellcode under SYSTEM privileges via aolnsrvr.exe; alert on unexpected child processes or network connections spawned from aolnsrvr.exe.
  • The Metasploit module targets only Aolnsrvr version 4.0 across Windows 2000/2003/XP platforms; the ROP gadget offsets and return address (0x00423554) are specific to this binary version and may not apply to other builds.
  • The payload space is constrained to 336 bytes with a stack adjustment of -3500; shellcode exceeding this space will not function correctly with this exploit.
  • The NX-bypass path uses hardcoded image base 0x00400000 and process info offsets (0xed for 2003 SP1-2, 0xe4 for XP SP2); these are ASLR-incompatible and assume a fixed load address for aolnsrvr.exe.
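
The network heuristics in the bullets above can be expressed as a small triage function. This is an added example, not code from this page or from the Metasploit module; the function names and sample datagrams are constructed, and only the port, the 280-byte offset and the 1024-byte length come from the notes above.

```python
import string

ALERT_PORT = 65535       # UDP port of the Alert Service (from the advisory)
OVERWRITE_OFFSET = 280   # offset of the return-address overwrite (from the notes)
NX_VARIANT_LEN = 1024    # buffer length of the NX-bypass variant (from the notes)
ALNUM = frozenset((string.ascii_letters + string.digits).encode())


def alnum_prefix_len(payload: bytes) -> int:
    """Length of the leading run of ASCII alphanumeric bytes."""
    for i, b in enumerate(payload):
        if b not in ALNUM:
            return i
    return len(payload)


def classify(dst_port: int, payload: bytes) -> list:
    """Return the names of the heuristics a UDP datagram matches."""
    if dst_port != ALERT_PORT:
        return []
    hits = []
    if len(payload) > OVERWRITE_OFFSET:
        hits.append("oversized")
    # 280 alphanumeric bytes followed by at least 4 more bytes
    if (len(payload) >= OVERWRITE_OFFSET + 4
            and alnum_prefix_len(payload) >= OVERWRITE_OFFSET):
        hits.append("alnum-prefix-280")
    if len(payload) == NX_VARIANT_LEN:
        hits.append("len-1024")
    return hits


# Constructed sample datagrams (dst_port, payload); none is a captured packet.
SAMPLES = [
    (65535, b"status-check"),
    (65535, b"A" * 280 + b"\x00" * 4 + b"\xff" * 16),
    (65535, b"x" * 1024),
    (65535, b"\x01" * 400),
    (53, b"A" * 1024),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, len(data), classify(port, data))
```

Feed it destination port and payload bytes from a packet capture or sensor; any non-empty result on a host running aolnsrvr.exe is worth correlating with the process-level alerts listed above.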