CVE-2003-0349
published 2003-07-24


Priority: P353 · high · CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Tag: EXPLOIT
EPSS: 82.54% (99.6th percentile)
Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll.

Detection & IOCs (extracted from sources)

  • path: /scripts/nsiislog.dll
  • filename: nsiislog.dll
  • ua: NSPlayer/4.1.0.3917
  • ua: NSPlayer/2.0
  • other: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}
  • other: MX_STATS_LogLine:
  • bytes: \xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x81\xeb\x4d\x43\x22\x11

  • Detect exploitation attempts by monitoring for large HTTP POST requests to /scripts/nsiislog.dll with a User-Agent of NSPlayer/* and a Pragma header containing xClientGUID.
  • The exploit buffer begins with the header value 'MX_STATS_LogLine: ' followed by a large padding block; detect this string in POST body content to nsiislog.dll.
  • The Metasploit module checks for the string 'NetShow ISAPI' in the response body to confirm the vulnerable endpoint is present.
  • The exploit payload space is 1024 bytes with bad characters \x00\x2b\x26\x3d\x25\x0a\x0d\x20; use these constraints when writing shellcode-detection signatures.
  • SEH overwrite offsets for targeting: Windows 2000 pre-MS03-019 at offset 9988, post-MS03-019 at offset 14088; Windows XP pre-MS03-019 at offset 9992.
  • The exploit sends a POST body exceeding 16384 bytes (buffer created as rand_text_alphanumeric(256)*64) to trigger the SEH overflow; alert on POST requests to nsiislog.dll with Content-Length above 16000.
  • The module also works against the 'patched' MS03-019 version of nsiislog.dll, meaning MS03-019 patched systems remain exploitable and should not be considered fully remediated until MS03-022 is applied.
  • The default target in the Metasploit module is 'Brute Force' (target index 0), meaning exploitation attempts may cycle through multiple SEH offsets and return addresses rather than using a single fixed value.
  • The standalone exploit hardcodes the return address 0x40F01333 for Windows 2000 nsiislog.dll version 4.1.0.3917; different DLL versions use different offsets (e.g., 4.1.0.3931 uses offset 14092).
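
The request-level checks listed above, combined into one classifier as an added example (not code from this page or from the Metasploit module). Function names, the placeholder GUID and the sample requests are constructed for illustration; matching the file name case-insensitively after URL-decoding, rather than the exact /scripts/ path, is an assumption that goes slightly beyond the list.

```python
import re
from urllib.parse import unquote

# Indicators and threshold taken from the detection notes above.
UA_RE = re.compile(r"^NSPlayer/", re.I)
BODY_MARKER = b"MX_STATS_LogLine:"
SIZE_THRESHOLD = 16000

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target = (lines[0].split(" ") + [""])[:2]
    # IIS paths are case-insensitive and may be percent-encoded.
    path = unquote(target.split("?", 1)[0]).lower()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers, body

def inspect_request(raw: bytes):
    """Return (alert, matched_indicators) for one request."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not path.endswith("/nsiislog.dll"):
        return False, []
    hits = []
    if UA_RE.match(headers.get("user-agent", "")):
        hits.append("ua:NSPlayer")
    if "xclientguid" in headers.get("pragma", "").lower():
        hits.append("pragma:xClientGUID")
    if body.lstrip().startswith(BODY_MARKER):
        hits.append("body:MX_STATS_LogLine")
    # A sensor may see a truncated body or a bogus header: use the larger size.
    declared = headers.get("content-length", "")
    size = max(len(body), int(declared) if declared.isdecimal() else 0)
    if size > SIZE_THRESHOLD:
        hits.append("size>%d" % SIZE_THRESHOLD)
    return size > SIZE_THRESHOLD, hits

def build(path, body, guid="{00000000-0000-0000-0000-000000000000}"):
    """Constructed sample request (placeholder GUID, filler body)."""
    head = ("POST %s HTTP/1.0\r\nUser-Agent: NSPlayer/4.1.0.3917\r\n"
            "Pragma: xClientGUID=%s\r\nContent-Length: %d\r\n\r\n"
            % (path, guid, len(body)))
    return head.encode("latin-1") + body

SMALL = build("/scripts/nsiislog.dll", b"MX_STATS_LogLine: sample")
LARGE = build("/Scripts/NSIISLOG.DLL", b"MX_STATS_LogLine: " + b"X" * 17000)
```

Only the size check raises the alert; the User-Agent, Pragma and body-marker matches are returned as supporting context for triage.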