CVE-2007-4006
Published 2007-07-26
Priority P3 · 42 · medium · 6.8 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 34.48% (98.2nd percentile)
Buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1.7 has unknown impact and remote attack vectors, aka ZD-00000034. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mike_dubman | windows_rsh_daemon | — | — |
Detection & IOCs (extracted from sources)
- The exploit targets the RSH daemon on TCP port 514. Detect oversized RSH requests (more than 1024 bytes) to port 514 from source ports in the range 512–1023; a source port in that range is required for the exploit to succeed.
- The exploit payload begins with a distinctive null-byte pattern: two repetitions of (\x00 + 1 random byte) followed by \x00, then 1024 bytes of AlphanumUpper-encoded data. Look for RSH traffic to port 514 with leading null bytes followed by a large block of upper-case alphanumeric characters.
- The Metasploit module uses the AlphanumUpper encoder with a stack-adjustment prepend stub \x81\xc4\xff\xef\xff\xff\x44. This byte sequence in RSH traffic is a strong indicator of exploitation.
- The standalone exploit (Exploit-DB 4222) drops a bind shell on TCP port 9999. Monitor for unexpected listening services on port 9999 on Windows hosts running rshd.
- The vulnerable software is rshd from http://rshd.sourceforge.net. Detect the presence of this process on Windows hosts as an attack-surface indicator.
- The exploit requires the client source port (CPORT) to be in the range 512–1023 for the RSH protocol handshake; network controls that block only non-privileged source ports to TCP/514 will not mitigate this attack.
- NVD explicitly flags this CVE as based on a vague advisory from a vulnerability sales organization (WabiSabiLabi) that does not coordinate with vendors; duplicate CVEs may exist.
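The indicators above can be folded into one classifier over a captured TCP/514 request. The C below is an added example written for this page, not code from the Metasploit module, the Exploit-DB entry or rshd. The two requests it examines are constructed here (the attack-shaped one uses 1024 bytes of 'A' as a stand-in for encoder output, with no real shellcode), the IOC_* bit names are this example's own, and the decision to treat the privileged source port as a precondition rather than an alert by itself is an assumption explained in the code.

```c
#include <stdio.h>
#include <string.h>

#define RSH_PORT 514

/* One bit per indicator from the IOC list above (names are this example's own). */
#define IOC_PRIV_SRC_PORT   0x01u  /* source port 512..1023, needed for rshd to accept */
#define IOC_OVERSIZED       0x02u  /* request longer than 1024 bytes */
#define IOC_LEADING_NULS    0x04u  /* \0 <byte> \0 <byte> \0 at the start */
#define IOC_PREPEND_STUB    0x08u  /* \x81\xc4\xff\xef\xff\xff\x44 anywhere in the request */
#define IOC_ALNUM_UPPER_RUN 0x10u  /* a run of >= 1024 bytes from [A-Z0-9] */

/* Stack-adjustment stub named in the IOC list (add esp,-0x1001 ; inc esp). */
static const unsigned char PREPEND_STUB[] = "\x81\xc4\xff\xef\xff\xff\x44";
#define PREPEND_STUB_LEN (sizeof PREPEND_STUB - 1)

/* Constructed benign request: stderr port "0", user joe both sides, command uname -a. */
static const unsigned char BENIGN_REQ[] = "0\0joe\0joe\0uname -a\0";
#define BENIGN_LEN (sizeof BENIGN_REQ - 1)

/* Portable substring search (memmem is a GNU extension). */
static int contains(const unsigned char *hay, size_t hlen,
                    const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Longest run of bytes from the AlphanumUpper encoder alphabet. */
static size_t longest_alnum_upper_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if ((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
            if (++cur > best) best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* Returns the IOC_* bitmask for one request seen on a TCP connection. */
unsigned classify_rsh_request(const unsigned char *buf, size_t len,
                              int src_port, int dst_port)
{
    unsigned flags = 0;
    if (dst_port != RSH_PORT) return 0;
    if (src_port >= 512 && src_port <= 1023) flags |= IOC_PRIV_SRC_PORT;
    if (len > 1024) flags |= IOC_OVERSIZED;
    if (len >= 5 && buf[0] == 0 && buf[2] == 0 && buf[4] == 0)
        flags |= IOC_LEADING_NULS;
    if (contains(buf, len, PREPEND_STUB, PREPEND_STUB_LEN))
        flags |= IOC_PREPEND_STUB;
    if (longest_alnum_upper_run(buf, len) >= 1024)
        flags |= IOC_ALNUM_UPPER_RUN;
    return flags;
}

/* Assumption: a privileged source port alone is ordinary rsh and the exploit
   needs it anyway, so it is a precondition; alert only when it co-occurs with
   a payload-shaped indicator. Returns 1 or 0. */
int is_likely_exploit(unsigned flags)
{
    return (flags & IOC_PRIV_SRC_PORT) &&
           (flags & (IOC_OVERSIZED | IOC_PREPEND_STUB | IOC_ALNUM_UPPER_RUN));
}

/* Constructed request shaped like the IOC description: empty stderr-port field,
   one-byte user fields, the stub, then 1024 bytes of encoder-alphabet filler. */
size_t build_synthetic_attack(unsigned char *out, size_t cap)
{
    static const unsigned char head[] = "\0A\0B\0";
    const size_t need = 5 + PREPEND_STUB_LEN + 1024 + 1;
    if (cap < need) return 0;
    memcpy(out, head, 5);
    memcpy(out + 5, PREPEND_STUB, PREPEND_STUB_LEN);
    memset(out + 5 + PREPEND_STUB_LEN, 'A', 1024);
    out[need - 1] = 0;
    return need;
}

unsigned synthetic_attack_flags(int src_port)
{
    static unsigned char buf[2048];
    size_t n = build_synthetic_attack(buf, sizeof buf);
    return classify_rsh_request(buf, n, src_port, RSH_PORT);
}

unsigned benign_flags(int src_port)
{
    return classify_rsh_request(BENIGN_REQ, BENIGN_LEN, src_port, RSH_PORT);
}

int main(void)
{
    printf("benign flags=0x%02x exploit=%d\n", benign_flags(1022),
           is_likely_exploit(benign_flags(1022)));
    printf("attack flags=0x%02x exploit=%d\n", synthetic_attack_flags(1023),
           is_likely_exploit(synthetic_attack_flags(1023)));
    return 0;
}
```

The same synthetic request arriving from an unprivileged source port still carries every payload indicator but is not scored as a successful exploitation attempt, which matches the note above that rshd only honours connections from ports 512–1023; a sensor that wants to see failed attempts as well should alert on the payload bits regardless of source port.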
GHSA
GHSA-qq35-r26p-ch7c: Buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1.7
ghsa_unreviewed · 2022-05-01 · CVE-2007-4006 [MEDIUM]
GHSA
GHSA-vqv3-6cp5-xgwr: Stack-based buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1.7
ghsa_unreviewed · 2022-05-01 · CVSS 6.8 · CVE-2007-4005 [MEDIUM] · CWE-119
Stack-based buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1.7 allows remote attackers to execute arbitrary code via a long string to the shell port (514/tcp). NOTE: this might overlap CVE-2007-4006.
No detection rules found.
Exploit-DB
Microsoft Windows RSH daemon - Remote Buffer Overflow (Metasploit)
exploitdb · 2010-04-30 · CVE-2007-4006
---
##
# $Id: windows_rsh.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Windows RSH daemon Buffer Overflow',
			'Description'    => %q{
					This module exploits a vulnerability in Windows RSH daemon 1.8.
					The vulnerability is due to a failure to check for the length of input sent
					to the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit
					to be successful.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 91
Exploit-DB
Microsoft Windows RSH daemon 1.7 - Remote Buffer Overflow
exploitdb · 2007-07-24 · CVE-2007-4006
---
/*
Attached and in-line is an exploit for a newly announced item on
the WabiSabiLabi auction block. I hope this completely devalues the
item so that the original finder dies of starvation.
DON'T SELL BUGS THROUGH WABISABILABLA
USE EXPLOITS TO HACK COMPUTERS INSTEAD
Exploit is for a stack overflow in http://rshd.sourceforge.net. It
took about 35 minutes to find the bug and exploit it on Win2k3
using the information provided to the public by WabiSabiLabi.
Expect exploits for the rest of the auction items in the next week.
J
*/
#include
#include
#include
#include
#include
#include
#define ESIZ 1 + 1 + 1 + 1 + 1 + 1028
int
main (i
Metasploit
Windows RSH Daemon Buffer Overflow (metasploit)
This module exploits a vulnerability in Windows RSH daemon 1.8. The vulnerability is due to a failure to check for the length of input sent to the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit to be successful.
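The module description names the bug class without showing it: the request field is copied into a fixed-size buffer with no check on its length. The C below is an added illustration of that pattern beside its bounded form; it is not rshd's source code, and the CMD_MAX buffer size is an assumption. It parses the BSD rshd request layout (stderr port, local user, remote user, command, each NUL-terminated), and every request it reads is constructed inside the block.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 1024   /* assumed size of the daemon's command buffer */

/* Assumed vulnerable shape (not rshd's real code): copy the NUL-terminated
   field with no regard for the destination size. A field longer than the
   caller's buffer runs off its end (CWE-119). Only called with a short field
   in this demo. */
int read_field_unbounded(const unsigned char *in, size_t inlen, char *out)
{
    size_t i = 0;
    while (i < inlen && in[i] != 0) {
        out[i] = (char)in[i];
        i++;
    }
    out[i] = 0;
    return (int)i;
}

/* Hardened form: the field must terminate within inlen and must fit in outcap
   together with its NUL; otherwise the request is rejected. */
int read_field_bounded(const unsigned char *in, size_t inlen,
                       char *out, size_t outcap)
{
    size_t i = 0;
    if (outcap == 0) return -1;
    while (i < inlen && in[i] != 0) {
        if (i + 1 >= outcap) { out[0] = 0; return -1; }  /* no room left for NUL */
        out[i] = (char)in[i];
        i++;
    }
    if (i >= inlen) { out[0] = 0; return -1; }          /* unterminated field */
    out[i] = 0;
    return (int)i;
}

/* Skip the stderr-port, locuser and remuser fields, then copy the command.
   Returns the command length, or -1 on any malformed or oversized field. */
int extract_rsh_command(const unsigned char *req, size_t len,
                        char *cmd, size_t cmdcap)
{
    char scratch[64];   /* port and user names are short in legitimate use */
    size_t off = 0;
    for (int f = 0; f < 3; f++) {
        int n = read_field_bounded(req + off, len - off, scratch, sizeof scratch);
        if (n < 0) return -1;
        off += (size_t)n + 1;   /* field plus its terminator */
    }
    return read_field_bounded(req + off, len - off, cmd, cmdcap);
}

/* Build the constructed request "0\0joe\0joe\0<cmd>\0". Returns its total
   length, or 0 if cap is too small. */
size_t build_request(unsigned char *out, size_t cap, const char *cmd)
{
    static const unsigned char prefix[] = "0\0joe\0joe\0";
    const size_t plen = sizeof prefix - 1;   /* 10 bytes */
    size_t clen = strlen(cmd);
    if (cap < plen + clen + 1) return 0;
    memcpy(out, prefix, plen);
    memcpy(out + plen, cmd, clen);
    out[plen + clen] = 0;
    return plen + clen + 1;
}

/* Feed the hardened parser a command of n 'A' bytes; -2 means the probe
   itself could not be built. */
int probe_command_len(size_t n)
{
    static unsigned char req[4096];
    static char cmd[4000];
    static char out[CMD_MAX];
    size_t len;
    if (n >= sizeof cmd) return -2;
    memset(cmd, 'A', n);
    cmd[n] = 0;
    len = build_request(req, sizeof req, cmd);
    if (len == 0) return -2;
    return extract_rsh_command(req, len, out, sizeof out);
}

/* 1 if a realistic command survives the bounded path intact. */
int demo_roundtrip(void)
{
    unsigned char req[64];
    char out[CMD_MAX];
    size_t len = build_request(req, sizeof req, "uname -a");
    return extract_rsh_command(req, len, out, sizeof out) == 8
        && strcmp(out, "uname -a") == 0;
}

/* The same request with its trailing NUL withheld: must be rejected, not read past. */
int demo_unterminated(void)
{
    unsigned char req[64];
    char out[CMD_MAX];
    size_t len = build_request(req, sizeof req, "uname -a");
    return extract_rsh_command(req, len - 1, out, sizeof out);
}

int main(void)
{
    char small[16];
    printf("unbounded, short field: %d\n",
           read_field_unbounded((const unsigned char *)"joe", 3, small));
    printf("uname -a roundtrip    : %d\n", demo_roundtrip());
    printf("1023-byte command     : %d\n", probe_command_len(CMD_MAX - 1));
    printf("1024-byte command     : %d\n", probe_command_len(CMD_MAX));
    printf("1028-byte command     : %d\n", probe_command_len(1028));
    printf("unterminated request  : %d\n", demo_unterminated());
    return 0;
}
```

The two readers agree on every short field; they diverge exactly where the advisory says rshd fails, at a command field that is longer than the buffer meant to hold it, and the bounded reader also refuses a request whose final field never terminates, which the unbounded copy would otherwise read past.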
No writeups or analysis indexed.