CVE-2001-0241
published 2001-06-27

CVE-2001-0241: Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to…

Priority: P262, critical, 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 87.03% (99.7th percentile)
Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.

Detection & IOCs (extracted from sources)

url: GET /NULL.printer HTTP/1.0
path: /NULL.printer
filename: msw3prt.dll
other: Return address: 0x732c45f3 (Windows 2000 English SP0-SP1)
other: msw3prt.dll call ebx gadgets: 0x6A8C3105, 0x6A8C317F, 0x6A8C3267, 0x6A8C32AD, 0x6A8C3DB9, 0x6A8C3DC2, 0x6A8C3E23, 0x6A8C4D88, 0x6A8C4DD1, 0x6A8C4DFB, 0x6A8C5383, 0x6A8C5395, 0x6A8C565D, 0x6A8C6437, 0x6A8C6451, 0x6A8C66C2, 0x6A8C66FB, 0x6A8C6B04, 0x6A8C6B1D, 0x6A8C73A4, 0x6A8C73D8, 0x6A8C73F4, 0x6A8C9C55, 0x6A8C9C86, 0x6A8CCF13, 0x6A8CCF4B, 0x6A8CCF62
command: GET http://<buf>/NULL.printer?<payload> HTTP/1.0
bytes: \x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a
  • Detect HTTP GET requests targeting the .printer ISAPI extension path /NULL.printer, which is the specific URI used in all known exploit variants for CVE-2001-0241.
  • Alert on HTTP requests to any *.printer URI where the Host: header exceeds ~420 bytes, as this is the overflow trigger condition documented across all exploit PoCs.
  • Detect the exploit check pattern: HTTP GET /NULL.printer followed shortly by a second request with Host: header padded to 257+ bytes ('X'*257), which is the Metasploit check() fingerprint.
  • The exploit overwrites an exception frame to control EIP; the return address 0x732c45f3 is used for Windows 2000 SP0-SP1 targets and can be used as a memory signature in exploit traffic.
  • The vulnerable DLL is msw3prt.dll; presence of this DLL loaded in inetinfo.exe combined with IIS 5.0 on Windows 2000 SP0/SP1 indicates an exploitable configuration.
  • HTTP response containing 'Error in web printer' to a GET /NULL.printer request confirms the .printer ISAPI extension is active and the target may be vulnerable.
  • An HTTP 500 response to a GET /NULL.printer request with an oversized Host header (257+ bytes) is a strong indicator of successful overflow trigger.
  • If Web-based Printing has been configured via Group Policy, attempts to disable or unmap the .printer ISAPI extension through Internet Services Manager will be silently overridden, leaving the system exposed even after apparent remediation.
  • Windows 2000 automatically restarts IIS when it detects the web server is unresponsive after a crash, meaning the attack may leave no persistent crash evidence and the administrator may be unaware of exploitation.
  • The Metasploit module targets only Windows 2000 SP0 and SP1; the exploit may require multiple attempts if IIS is left in a hung state after a successful compromise.
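
The .printer URI and Host-length checks from the notes above, written out as an added example (not code from this page or from any tool it cites): a Python classifier for raw HTTP requests captured by a sensor. The function name, verdict labels and sample requests are assumptions constructed for illustration; the 257 and 420 byte thresholds are the ones stated in the notes.

```python
import re

# Thresholds taken from the detection notes above.
CHECK_LEN = 257      # padded Host of 257+ bytes: the scanner-style check
OVERFLOW_LEN = 420   # Host exceeding ~420 bytes: overflow trigger condition

_ABS_URI = re.compile(rb"^[a-z][a-z0-9+.\-]*://([^/?#]*)(.*)$", re.I)

def inspect_request(raw: bytes):
    """Return (verdict, host_len) for one raw HTTP request, or None if it
    does not target a .printer URI. Verdicts: 'probe', 'check', 'overflow'."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    target = parts[1]
    host_len = 0
    m = _ABS_URI.match(target)
    if m:  # absolute-form target: the URL authority carries the host buffer
        host_len = len(m.group(1))
        target = m.group(2) or b"/"
    path = target.split(b"?", 1)[0].split(b"#", 1)[0]
    if not path.lower().endswith(b".printer"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host_len = max(host_len, len(value.strip()))
    if host_len > OVERFLOW_LEN:
        return ("overflow", host_len)
    if host_len >= CHECK_LEN:
        return ("check", host_len)
    return ("probe", host_len)

# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"GET /NULL.printer HTTP/1.0\r\n\r\n",
    b"GET /NULL.printer HTTP/1.0\r\nHost: " + b"X" * 257 + b"\r\n\r\n",
    b"GET /NULL.printer HTTP/1.0\r\nhost:" + b"A" * 500 + b"\r\n\r\n",
    b"GET http://" + b"B" * 450 + b"/NULL.printer?x HTTP/1.0\r\n\r\n",
    b"GET /index.html HTTP/1.0\r\nHost: " + b"C" * 500 + b"\r\n\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(inspect_request(s))
```

Measuring the authority of an absolute-form request target as well as the Host header covers the `GET http://<buf>/NULL.printer` form listed in the indicators, which carries no oversized Host header line at all.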