CVE-2003-0352
Published: 2003-08-18
Priority: P2 · 75 · high · 7.5 (CVSS 2.0)
AV:N · AC:L · Au:N · C:P · I:P · A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 98.63% (99.9th percentile)
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:established,to_server; flowbits:set,dce.isystemactivator.bind.call.attempt; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102193; rev:14; metadata:created_at 2010_09_23, cve CVE_2003_0352, confidence Medium, signature_severity Informational, updated_at 2024_03_14;)
bytes
05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00
- Monitor for creation of msblast.exe in the Windows system directory and its execution as a process.
- Alert on DCOM RPC bind requests to the ISystemActivator interface UUID (4d9f4ab8-7d1c-11cf-861e-0020af6e7c57) over TCP port 135.
- Look for excessive outbound TCP traffic to windowsupdate.com as a DoS payload indicator from infected hosts.
- Watch for systems crashing with error code 0xC0000005 (access violation), which is a symptom of exploitation or infection.
- Detect DCERPC ISystemActivator bind attempts on SMB port 445 using the Snort/Suricata rule matching the byte pattern |A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F within DCERPC bind PDUs (SID 2102193).
- Scan for the RPC DCOM bind string byte sequence (bindstr) sent to port 135 as an indicator of active exploitation attempts.
- Note: Under some configurations the RPC Endpoint Mapper may receive traffic via port 80, so blocking only 135/139/445/593 may not fully prevent exploitation.
- Note: The universal Metasploit target uses multiple return addresses for NT 4.0 SP3-6a, Windows 2000, XP, and 2003 in a single request, meaning a single malformed packet can exploit multiple OS versions simultaneously.
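The bind-PDU checks in the notes above can be exercised offline. This is an added example, not code from any source quoted on this page: a Python parser that walks the context list of a DCE/RPC bind PDU and reports any watched interface UUID. The function names are hypothetical, and the sample input is the 72-byte sequence listed under "bytes" above.

```python
import struct
import uuid

# Interface UUIDs to watch, both taken from this page: the one named in the
# port-135 note, and the one spelled out (little-endian) by the rule's
# byte pattern |A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F.
WATCHED = {
    uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"),
    uuid.UUID("000001a0-0000-0000-c000-000000000046"),
}

# The 72-byte bind PDU listed under "bytes" on this page.
PAGE_BIND = bytes.fromhex(
    "05000b0310000000480000007f000000d016d016000000000100000001000100"
    "a001000000000000c00000000000004600000000045d888aeb1cc9119fe80800"
    "2b10486002000000"
)

def bind_interfaces(pdu: bytes) -> list:
    """Abstract-syntax UUIDs offered by a DCE/RPC v5 bind PDU ([] if not one)."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 0x0B:   # rpc_vers, ptype=bind
        return []
    little = bool(pdu[4] & 0x10)          # drep: integer byte order
    frag_len = struct.unpack_from("<H" if little else ">H", pdu, 8)[0]
    if frag_len > len(pdu):               # truncated capture: do not over-read
        return []
    found, off = [], 28                   # context list starts after 4-byte count
    for _ in range(pdu[24]):              # n_context_elem
        if off + 24 > frag_len:
            break
        raw = pdu[off + 4:off + 20]       # skip ctx_id(2) n_transfer(1) pad(1)
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * pdu[off + 2]     # abstract syntax + transfer syntaxes
    return found

def watched_binds(pdu: bytes) -> list:
    """Watched interface UUIDs (as strings) that this bind PDU asks for."""
    return sorted(str(u) for u in bind_interfaces(pdu) if u in WATCHED)

if __name__ == "__main__":
    print(watched_binds(PAGE_BIND))
```

The parser expects an already-extracted DCE/RPC PDU; on port 445 the bind travels inside an SMB transaction on a named pipe, so the SMB framing has to be stripped first.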
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH
GHSA
GHSA-r23f-ff9f-8vcc (CVE-2003-0746) [HIGH]
ghsa_unreviewed·2022-05-03·CVSS 7.5
Various Distributed Computing Environment (DCE) implementations, including HP OpenView, allow remote attackers to cause a denial of service (process hang or termination) via certain malformed inputs, as triggered by attempted exploits against the vulnerabilities CVE-2003-0352 or CVE-2003-0605, such as the Blaster/MSblast/LovSAN worm.
GHSA
GHSA-rx7x-69jw-r2f4 (CVE-2003-0528) [HIGH]
ghsa_unreviewed·2022-04-29·CVSS 7.5
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.
GHSA
GHSA-5f25-6f2x-h9x6 (CVE-2003-0813) [HIGH] CWE-367
ghsa_unreviewed·2022-04-29·CVSS 7.5
A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
GHSA
GHSA-gf79-rq99-fffp (CVE-2003-0352) [HIGH]
ghsa_unreviewed·2022-04-29
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
GHSA
GHSA-79xx-p4p4-fv5q (CVE-2003-0715) [HIGH]
ghsa_unreviewed·2022-04-29·CVSS 7.5
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.
VulnCheck
CVE-2003-0352 [HIGH] Microsoft Windows Out-of-bounds Write
vulncheck·2003·CVSS 7.5
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://advisories.checkpoint.com/defense/advisories/public/2007/cpai-0000-000.html; https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28f-02f1-4107-8639-93a60b6546d4&tab=libr
Suricata
CVE-2003-0352 GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:established,to_server; flowbits:set,dce.isystemactivator.bind.call.attempt; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102193; rev:14; metadat
Exploit-DB
CVE-2003-0352 Microsoft RPC DCOM Interface - Remote Overflow (MS03-026) (Metasploit)
exploitdb·2011-01-11
---
##
# $Id: ms03_026_dcom.rb 11545 2011-01-11 17:56:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft RPC DCOM Interface Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the RPCSS service, this vulnerability
was originally found by the Last Stage of Delirium research group and has been
widely exploited ever since. This module can exploit the English versions of
Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windo
Exploit-DB
CVE-2003-0352 Microsoft Windows - 'RPC DCOM' Long Filename Overflow (MS03-026)
exploitdb·2003-09-16
---
#include
#include
#include
#include
#include
#include
#pragma comment(lib,"ws2_32")
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,
Exploit-DB
CVE-2003-0352 Microsoft Windows - DCOM RPC Interface Buffer Overrun
exploitdb·2003-08-11
---
source: https://www.securityfocus.com/bid/8205/info
A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.
This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593. This has not been confirmed. Under some configurations the Endpoint Mapper may receive traffic via port 80.
** There have been unconfirmed reports that Windows 9x systems with cer
Metasploit
MS03-026 Microsoft RPC DCOM Interface Overflow
metasploit
This module exploits a stack buffer overflow in the RPCSS service, this vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)
Huntress
Blaster Malware: Analysis, Detection, Removal | Huntress
blogs_huntress·CVSS 7.5 [HIGH]
## Blaster Malware
Published: 12/22/2025
Written by: Lizzie Danielson
## What is Blaster Malware?
Blaster, also known as the MSBlast or Lovesan worm, is a worm-type malware that exploits vulnerabilities in Microsoft Windows operating systems. It is infamous for exploiting a weakness in the DCOM RPC service to self-propagate across networks. Blaster's primary functionality is to disrupt infected systems and cause widespread network congestion, making it highly disruptive and dangerous for businesses.
## When was Blaster first discovered?
Blaster was first discovered in August 2003. It rapidly gained notoriety after leveraging a critical Windows vulnerability and quickly spreading around the globe.
## Who created Blaster?
The individuals or groups responsible for creating Blaster re
http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/007079.html
http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/007357.html
http://marc.info/?l=bugtraq&m=105838687731618&w=2
http://marc.info/?l=bugtraq&m=105914789527294&w=2
http://www.cert.org/advisories/CA-2003-16.html
http://www.cert.org/advisories/CA-2003-19.html
http://www.kb.cert.org/vuls/id/568148
http://www.securityfocus.com/bid/8205
http://www.xfocus.org/documents/200307/2.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-026
https://exchange.xforce.ibmcloud.com/vulnerabilities/12629
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A194
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2343
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A296