CVE-2005-0581

CA License Client and Server 0.1.0.15 - Multiple Buffer Overflow via GCR Request and GETCONFIG Packet

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 7 public exploits for CVE-2005-0581. PoCs published by Metasploit, hdm, aushack, MC, including Metasploit module exploits/windows/license/calicclnt_getconfig.

AI-analyzed exploit summary This is a Metasploit module exploiting a stack buffer overflow in CA BrightStor ARCserve Backup 11.0 via a crafted request to the lic98rmtd.exe service on port 10202. It achieves remote code execution by overflowing the buffer with a payload containing a return address and shellcode.

Description

Multiple buffer overflows in Computer Associates (CA) License Client and Server 0.1.0.15 allow remote attackers to execute arbitrary code via (1) certain long fields in the Checksum item in a GCR request, (2) a long IP address, hostname, or netmask values in a GCR request, (3) a long last parameter in a GETCONFIG packet, or (4) long values in a request with an invalid format.

Exploits (7)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16414

This is a Metasploit module exploiting a stack buffer overflow in CA BrightStor ARCserve Backup 11.0 via a crafted request to the lic98rmtd.exe service on port 10202. It achieves remote code execution by overflowing the buffer with a payload containing a return address and shellcode.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CA BrightStor ARCserve Backup 11.0
No auth needed
Prerequisites: Network access to the target system · Target system running CA BrightStor ARCserve Backup 11.0 with lic98rmtd.exe service exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16745

This Metasploit module exploits a stack-based buffer overflow in the CA License Server via an excessively long GETCONFIG packet, allowing remote code execution on vulnerable Windows systems.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Computer Associates License Server (multiple versions)
No auth needed
Prerequisites: Network access to the CA License Server on port 10202 · Vulnerable version of the CA License Server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16744

This exploit targets a buffer overflow vulnerability in the Computer Associates License Client service (CVE-2005-0581). It sends a maliciously crafted GETCONFIG request to trigger the overflow and execute arbitrary payloads on vulnerable Windows systems.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Computer Associates License Client (CA License Client)
No auth needed
Prerequisites: Network access to the target system · Target system must be running the vulnerable CA License Client service · Attacker's IP must be resolvable by the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
cremotewindows
https://www.exploit-db.com/exploits/859

This exploit targets a stack overflow vulnerability in Computer Associates License Service (CVE-2005-0581). It includes shellcode for a reverse shell and supports multiple Windows versions by using different return addresses to bypass stack protections.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Computer Associates License Service v1.61 and below (eTrust, Unicenter, BrightStor, etc.)
No auth needed
Prerequisites: Network access to the target service on port 10203 (or custom port) · Target system running vulnerable version of Computer Associates License Service
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC NORMAL
by hdm, aushack · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/license/calicclnt_getconfig.rb

This Metasploit module exploits a buffer overflow vulnerability in the CA License Client service (CVE-2005-0581) by sending a maliciously crafted GETCONFIG request. It leverages a fake CA License Server to trigger the overflow and achieve remote code execution on vulnerable Windows systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Computer Associates License Client (versions affected by CVE-2005-0581)
No auth needed
Prerequisites: Network access to the target system · Target system must be able to resolve the attacker's IP address · CA License Client service must be running on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by hdm, aushack · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/license/calicserv_getconfig.rb

This Metasploit module exploits a stack-based buffer overflow in the CA License Server via a malformed GETCONFIG packet, allowing remote code execution on vulnerable Windows systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Computer Associates License Server (versions up to 2005)
No auth needed
Prerequisites: Network access to the target's CA License Server (port 10202)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by MC · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/brightstor/license_gcr.rb

This Metasploit module exploits a stack buffer overflow in CA BrightStor ARCserve Backup 11.0 via a crafted request to the lic98rmtd.exe service on port 10202. It leverages a JMP ESP instruction to execute arbitrary payloads, with bad character restrictions and stack adjustments for reliability.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CA BrightStor ARCserve Backup 11.0
No auth needed
Prerequisites: Network access to port 10202 · Target running vulnerable version of CA BrightStor ARCserve Backup
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=110979326828704&w=2
Patch, Vendor Advisory third-party-advisory x_refsource_idefense
http://www.idefense.com/application/poi/display?id=210&type=vulnerabilities
Patch, Vendor Advisory third-party-advisory x_refsource_idefense
http://www.idefense.com/application/poi/display?id=215&type=vulnerabilities
Patch, Vendor Advisory third-party-advisory x_refsource_idefense
http://www.idefense.com/application/poi/display?id=213&type=vulnerabilities
Patch, Vendor Advisory third-party-advisory x_refsource_idefense
http://www.idefense.com/application/poi/display?id=214&type=vulnerabilities

Scores

EPSS 0.7125
EPSS Percentile 98.7%

Details

Status published
Products (1)
broadcom/license_software 0.1.0.15
Published May 02, 2005
Tracked Since Feb 18, 2026