CVE-2005-3252

Snort - Stack-based Buffer Overflow via Back Orifice Preprocessor

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2005-3252. PoCs published by Metasploit, xort, xwings, including Metasploit module exploits/linux/ids/snortbopre.

AI-analyzed exploit summary This exploit targets a stack buffer overflow in the Back Orifice pre-processor module in Snort versions 2.4.0 to 2.4.3. It uses a UDP-based payload to achieve remote code execution, typically gaining root or administrative privileges.

Description

Stack-based buffer overflow in the Back Orifice (BO) preprocessor for Snort before 2.4.3 allows remote attackers to execute arbitrary code via a crafted UDP packet.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/16834

This exploit targets a stack buffer overflow in the Back Orifice pre-processor module in Snort versions 2.4.0 to 2.4.3. It uses a UDP-based payload to achieve remote code execution, typically gaining root or administrative privileges.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Snort 2.4.0, 2.4.1, 2.4.2, 2.4.3
No auth needed
Prerequisites: Network access to the target Snort sensor · UDP port 9080 accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by xort · cremotewindows
https://www.exploit-db.com/exploits/1313

This exploit targets a buffer overflow in Snort's Back Orifice preprocessor (CVE-2005-3252) by sending a maliciously crafted UDP packet. It includes shellcode for a connect-back shell to port 21 on a specified IP.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Snort 2.4.0-2.4.2
No auth needed
Prerequisites: Network access to target's UDP port 9000 · Target running vulnerable Snort version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by xwings · rubyremotelinux
https://www.exploit-db.com/exploits/1314

This exploit targets a buffer overflow vulnerability in Snort 2.4.0-2.4.2's Back Orifice preprocessor. It crafts a malicious packet with shellcode to achieve remote code execution via a UDP socket.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Snort 2.4.0-2.4.2
No auth needed
Prerequisites: Network access to the target's UDP port 9080 · Snort with vulnerable Back Orifice preprocessor enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by rd · cremotelinux
https://www.exploit-db.com/exploits/1272

This exploit targets a buffer overflow in Snort's BackOrifice preprocessor (CVE-2005-3252) by crafting a malicious UDP packet with encrypted headers and shellcode. It leverages stack manipulation to achieve remote code execution, specifically a bind shell on port 31337.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Snort with BackOrifice preprocessor (spp_bo)
No auth needed
Prerequisites: Network access to vulnerable Snort instance · Knowledge of target's stack layout and return addresses
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by KaiJern Lau · rubyremotelinux
https://www.exploit-db.com/exploits/10026

This exploit targets a stack overflow in the Back Orifice pre-processor module in Snort versions 2.4.0 to 2.4.3. It uses a UDP-based payload with encryption to achieve remote code execution, typically gaining root privileges.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Snort 2.4.0, 2.4.1, 2.4.2, 2.4.3
No auth needed
Prerequisites: Network access to the target Snort sensor · UDP port 9080 accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ids/snortbopre.rb

This Metasploit module exploits a stack buffer overflow in the Back Orifice pre-processor of Snort versions 2.4.0-2.4.3, allowing remote code execution with root privileges via a maliciously crafted UDP packet.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Snort 2.4.0, 2.4.1, 2.4.2, 2.4.3
No auth needed
Prerequisites: Network access to target's UDP port 9080 · Vulnerable Snort version with Back Orifice pre-processor enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (15)

Core 15
Core References
Vendor Advisory third-party-advisory x_refsource_iss
http://xforce.iss.net/xforce/alerts/id/207
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/175500
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0505.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/15131
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/2138
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17559
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/20034
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0010.html
Various Sources x_refsource_confirm
http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17220
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA05-291A.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015070
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17255

Scores

EPSS 0.8390
EPSS Percentile 99.7%

Details

Status published
Products (3)
sourcefire/snort 2.4.0
sourcefire/snort 2.4.1
sourcefire/snort 2.4.2
Published Oct 18, 2005
Tracked Since Feb 18, 2026