cbcvebase.
CVE-2003-0201
published 2003-05-05

CVE-2003-0201: Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2…

Priority: P2 (70) · CVSS 2.0: 10 critical
CVSS 2.0 vector: AV:N / AC:L / Au:N / C:C / I:C / A:C
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 84.50% (99.7th percentile)
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.

Affected

86 ranges, showing 25 (version range and fixed-in values were not extracted)

Vendor   Product    Version range   Fixed in
apple    mac_os_x   (5 ranges)      -
compaq   tru64      (20 ranges)     -

Detection & IOCs (extracted from sources)

port: 139
command: SMBtrans2 (SMB command 0x32)
url: http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
url: http://seclists.org/bugtraq/2003/Apr/103
bytes:
\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90
bytes:
linux_bindcode: \x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80...
bytes:
exploit_data: \x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90
  • The exploit packet begins with the fixed 6-byte NetBIOS header \x00\x04\x08\x20 followed by \xff\x53\x4d\x42\x32 (SMB magic + trans2 command byte). Alert on this exact byte sequence on TCP/139.
  • The exploit fills the buffer with 0x90 NOP sleds (3000 bytes) and inserts a short JMP (0xEB 0x70) at offset 1096/1097 of the buffer. Detecting a large NOP sled followed by a short JMP inside an SMBtrans2 payload is a strong indicator.
  • The Metasploit BSD/Solaris variants overwrite the return address at a fixed offset (1055 for BSD, 1103 for Solaris) within a 1988-byte random-text pattern sent inside the SMBtrans2 request. Payload size of exactly 1988 bytes inside trans2 is a detection signal.
  • The exploit authenticates anonymously (uid=100) before sending the malicious trans2 packet. Monitor for SMB session setup with uid=100 immediately followed by a large SMBtrans2 request on port 139.
  • Connect-back shellcode uses hardcoded port 0xb0ef (45295 decimal). Monitor for outbound TCP connections from smbd to unexpected hosts on port 45295 after an inbound SMBtrans2 anomaly.
  • The bind shellcode opens a listening shell on port 0xb0ef (45295). After exploitation, scan for unexpected listeners on TCP/45295 on Samba servers.
  • The Mac OS X PPC Metasploit module brute-forces return addresses between 0xbffffdfc and 0xbfa00000 in steps of 512, sending repeated SMBtrans2 exploit packets. Repeated SMBtrans2 connections from the same source IP in rapid succession are a brute-force indicator.
  • The vulnerability affects Samba versions 2.2.0 through 2.2.8 (and Samba-TNG 0.3.1 and earlier). Samba 2.2.8a and later are patched. Ensure version detection is scoped to this range to avoid false positives on patched installs.
  • The BSD Metasploit module notes it exploits systems 'that do not have the noexec stack option set'. Systems with a non-executable stack (e.g., OpenBSD 3.2 with W^X) require a different ROP/ret-into-libc approach and different return addresses, so detection signatures based on shellcode NOP sleds may not fire on those targets.
  • The exploit requires a successful SMB session setup (smb_login) before sending the malicious trans2 packet. Detection rules that only inspect unauthenticated traffic will miss the exploit payload.
  • CVE-2003-1332 (reply_nttrans overflow in Samba 2.2.7a and earlier) is explicitly a different vulnerability from CVE-2003-0201 (call_trans2open). Do not conflate detection signatures for the two; the attack vectors and SMB commands differ.
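The NOP-sled/short-JMP indicator above, as an added example that is not part of this record or of Samba: a minimal detector that parses NetBIOS Session Service framing on TCP/139, picks out SMBtrans2 (0x32) requests, and alerts when a long run of 0x90 bytes is immediately followed by 0xEB 0x70. The 256-byte sled threshold and the constructed sample payloads are assumptions for this example.

```python
import re

# Framing constants (NetBIOS Session Service over TCP/139 carrying SMB1).
NBSS_SESSION_MESSAGE = 0x00   # NBSS message type for a session message
SMB_MAGIC = b"\xffSMB"        # \xff\x53\x4d\x42, the SMB1 protocol id
SMB_COM_TRANSACTION2 = 0x32   # the SMBtrans2 command byte named in the record
SMB_HEADER_LEN = 32           # SMB1 header length, counted from the magic
SHORT_JMP = b"\xeb\x70"       # the JMP the record says is inserted into the sled
MIN_SLED = 256                # assumed alert threshold; the record cites a 3000-byte sled

def parse_nbss_smb(payload: bytes):
    """Return (smb_command, smb_body) for one NBSS session message, or None."""
    if len(payload) < 4 + SMB_HEADER_LEN or payload[0] != NBSS_SESSION_MESSAGE:
        return None
    # NBSS length is 17 bits: bit 0 of the flags byte plus the two length bytes.
    declared = ((payload[1] & 0x01) << 16) | int.from_bytes(payload[2:4], "big")
    smb = payload[4:4 + declared]
    if len(smb) < SMB_HEADER_LEN or not smb.startswith(SMB_MAGIC):
        return None
    return smb[4], smb[SMB_HEADER_LEN:]

def inspect_smb_payload(payload: bytes) -> dict:
    """Flag a trans2 request whose body holds a long NOP run followed by a short JMP."""
    result = {"trans2": False, "total_nops": 0, "sled_then_jmp": False, "alert": False}
    parsed = parse_nbss_smb(payload)
    if parsed is None or parsed[0] != SMB_COM_TRANSACTION2:
        return result
    result["trans2"] = True
    body = parsed[1]
    for run in re.finditer(rb"\x90+", body):   # every maximal run of 0x90 NOPs
        run_len = run.end() - run.start()
        result["total_nops"] += run_len
        if run_len >= MIN_SLED and body[run.end():run.end() + 2] == SHORT_JMP:
            result["sled_then_jmp"] = True
    result["alert"] = result["sled_then_jmp"]
    return result

def build_nbss(smb_command: int, body: bytes) -> bytes:
    """Constructed test input: a zeroed SMB1 header plus body, in NBSS framing."""
    smb = SMB_MAGIC + bytes([smb_command]) + b"\x00" * (SMB_HEADER_LEN - 5) + body
    n = len(smb)
    return bytes([NBSS_SESSION_MESSAGE, (n >> 16) & 0x01]) + (n & 0xFFFF).to_bytes(2, "big") + smb

if __name__ == "__main__":
    benign = build_nbss(SMB_COM_TRANSACTION2, b"\x00" * 60)
    sled = build_nbss(SMB_COM_TRANSACTION2, b"\x90" * 1096 + SHORT_JMP + b"\x90" * 1902)
    print(inspect_smb_payload(benign))   # trans2 request, no sled: alert False
    print(inspect_smb_payload(sled))     # 2998 NOPs split by the JMP: alert True
```

A production rule would also apply the session-setup and payload-size indicators listed above; this block only shows the sled/JMP check in isolation.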

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             2.0      10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                      10.0   CRITICAL
vulncheck                10.0   CRITICAL
vendor_debian            10.0   CRITICAL
vendor_redhat            10.0   CRITICAL