CVE-2007-2711
published 2007-05-16

CVE-2007-2711: Stack-based buffer overflow in TinyIdentD 2.2 and earlier allows remote attackers to execute arbitrary code via a long string to TCP port 113.

Priority: P2 63, critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 62.71% (99.1th percentile)

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tinyirc | tinyidentd | <= 2.2 | |

Detection & IOCs (extracted from sources)

port: 113/tcp
bytes: \xeb\x20 followed by ', 28 : USERID : UNIX :'
bytes: \xeb\x20\x2c\x20\x32\x38\x20\x3a\x20\x55\x53\x45\x52\x49\x44\x20\x3a\x20\x55\x4e\x49\x58\x20\x3a\x20
bytes: \x77\x13\x83\x7c (jmp *%esi, XP kernel32.dll)
bytes: \xb1\x63\xd9\x77 (jmp *%esi, W2K rpcrt4.dll)
  • Detect exploit attempts by monitoring TCP port 113 (ident) for inbound connections containing the byte sequence 0xEB 0x20 followed by the ASCII string ', 28 : USERID : UNIX :'; this is the fixed exploit header present in both the public PoC and the Metasploit module.
  • Alert on ident (TCP/113) requests exceeding ~523 bytes; the exploit constructs a payload of exactly 523 bytes including NOP sled and shellcode to trigger the stack buffer overflow.
  • Flag payload space of 400 bytes with bad chars \x00\x0d\x20\x0a on TCP/113 as consistent with Metasploit module exploitation of this CVE.
  • Presence of return address 0x7c2d15e7 or 0x77f46eda packed little-endian within a TCP/113 request body is a strong indicator of targeted exploitation of CVE-2007-2711.
  • The Metasploit return addresses (0x7c2d15e7 for Win2k SP4 EN, 0x77f46eda for WinXP SP2 IT) are OS/SP/language-specific; attackers targeting other platforms will use different addresses, so absence of these exact values does not rule out exploitation.
  • The standalone PoC uses a different return address (0x7c831377 from XP kernel32.dll) than the Metasploit module; both target 'jmp *%esi' / 'call esi' gadgets but from different modules.
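
The checks above, combined into one classifier for a reassembled TCP/113 request. This is an added example, not code from the page's sources; the function name, the finding labels and the RFC 1413 well-formedness check (a generic addition that still fires when other return addresses are used) are assumptions, and the sample payloads are constructed filler.

```python
import re
import struct

# Indicators quoted on this page for CVE-2007-2711 (TinyIdentD <= 2.2).
EXPLOIT_HEADER = b"\xeb\x20, 28 : USERID : UNIX : "
RETURN_ADDRESSES = (0x7C2D15E7, 0x77F46EDA, 0x7C831377, 0x77D963B1)
SUSPICIOUS_LENGTH = 523  # size of the exploit request, per the page

# Assumption: a well-formed ident query (RFC 1413) is just "port , port" + EOL.
IDENT_QUERY = re.compile(rb"\s*\d{1,5}\s*,\s*\d{1,5}\s*")


def inspect_ident_request(payload: bytes) -> list[str]:
    """Return the names of the indicators matched by one TCP/113 request."""
    findings = []
    if EXPLOIT_HEADER in payload:
        findings.append("exploit-header")
    if len(payload) >= SUSPICIOUS_LENGTH:
        findings.append("oversized-request")
    for addr in RETURN_ADDRESSES:
        # Addresses appear little-endian on the wire.
        if struct.pack("<I", addr) in payload:
            findings.append(f"return-address-0x{addr:08x}")
    # Generic check: still fires when the known header and addresses are absent.
    if not IDENT_QUERY.fullmatch(payload):
        findings.append("malformed-ident-query")
    return findings


# Constructed samples (filler bytes only, no shellcode).
BENIGN = b"6191 , 23\r\n"
KNOWN_PATTERN = (EXPLOIT_HEADER + struct.pack("<I", 0x7C2D15E7)).ljust(523, b"A")
RETARGETED = b"B" * 600  # no known header or address, still oversized

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("known", KNOWN_PATTERN),
                         ("retargeted", RETARGETED)):
        print(f"{name:11s} {len(sample):4d} bytes -> {inspect_ident_request(sample)}")
```

The length and well-formedness findings are the ones to alert on by default; the header and address findings only raise confidence that a specific public exploit was used.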