CVE-2003-0605
published 2003-08-27

Priority: P2 (64), high
CVSS 2.0 base score: 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
In the wild: exploited (VulnCheck KEV)
EPSS: 60.80% (99.0th percentile)
The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.

Detection & IOCs (extracted from sources)

Ports: 135, 139, 445, 539, 666, 4444
Byte patterns:
  • 05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00
  • 05 00 00 03 10 00 00 00 E8 03 00 00 E5 00 00 00 D0 03 00 00 01 00 04 00 05 00 06 00 01 00 00 00 00 00 00 00 32 24 58 FD CC 45 64 49 B0 70 DD AE 74 2C 96 D2
  • 20 00 00 00 00 00 00 00 20 00 00 00 5C 00 5C 00
  • 5C 00 43 00 24 00 5C 00 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 2E 00 64 00 6F 00 63 00 00 00
  • 01 10 08 00 CC CC CC CC 20 00 00 00 30 00 2D 00 00 00 00 00 88 2A 0C 00 02 00 00 00 01 00 00 00 28 8C 0C 00 01 00 00 00 07 00 00 00 00 00 00 00
  • 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 46 00 58 00
  • The exploit targets TCP port 135 (primary) but also works on ports 139, 445, and 539 — monitor for malformed DCE/RPC BIND requests (starting with 05 00 0B 03) on all four ports.
  • Detect the characteristic RPC BIND packet header bytes 05 00 0B 03 followed by the DCOM interface UUID a0 01 00 00 ... C0 00 00 00 00 00 00 46 ... 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 in the TCP payload.
  • The exploit request payload contains the distinctive MEOW (4D 45 4F 57) marker and MARB (4D 41 52 42) strings embedded in the DCE/RPC request — alert on these byte sequences within RPC traffic on port 135/139/445.
  • The shellcode NOP sled prefix in the exploit is a repeated Unicode-safe sequence 46 00 58 00 4E 00 42 00 — detect this pattern in RPC request payloads as a strong indicator of exploitation attempt.
  • After successful exploitation, the attacker connects back to a bind shell on the victim; monitor for unexpected inbound connections on port 666 (default) or 4444 originating from a previously targeted host.
  • The Blaster/MSblast/LovSAN worm exploits this CVE; DCE implementations including HP OpenView may hang or terminate upon receiving the malformed exploit packets — monitor for RPC service crashes or hangs following inbound port 135 traffic.
  • The request3 buffer encodes a UNC-style path \\<host>\C$\123456111111111111111111.doc in little-endian Unicode — detect oversized UNC path strings in DCOM RPC requests as an exploitation indicator.
  • The exploit supports multiple target offsets across Windows NT SP4/SP5/SP6, Windows 2000 (no SP through SP4) in English, Chinese, Polish, German, Japanese, Korean, Mexican, and Kenyan locales, and Windows XP SP0/SP1/SP2; a single return address will not cover all targets, so detection must rely on payload byte patterns rather than specific return addresses.
  • The exploit is functional on ports beyond 135 (also 139, 445, 593); perimeter filtering of only port 135 is insufficient to block exploitation.
  • A return-into-libc variant of this exploit (rpc!exec) was demonstrated to bypass non-executable memory protections including OverflowGuard and StackDefender; NX/DEP-based mitigations alone are not sufficient to prevent exploitation.
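The following is an added detection example, not code from this page or from any of its cited sources. It decodes the 16-byte DCE/RPC connection-oriented PDU header and then applies the byte indicators listed above (the 05 00 0B 03 BIND header, the two UUIDs from the listed BIND packet, the repeated 46 00 58 00 4E 00 42 00 sequence, the MEOW/MARB markers, and oversized UTF-16LE UNC paths) to raw TCP payloads. The monitored port set, the 32-character UNC length threshold, the indicator names, and the request sample are assumptions and constructed data for this example; the BIND sample reuses the bytes listed on the page.

```python
"""Inspect raw TCP payloads for the DCE/RPC indicators listed on this CVE page.

Added example (not from the page). Assumptions: the port set, the UNC length
threshold, and the constructed sample PDUs below.
"""
import struct

# Indicator byte patterns taken from the page's IOC list.
BIND_HEADER = bytes.fromhex("05 00 0B 03")   # RPC v5.0, PDU type 0x0B (bind), flags first|last
IFACE_UUID = bytes.fromhex("a0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46")   # abstract syntax in the BIND
XFER_UUID = bytes.fromhex("04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60")    # transfer syntax in the BIND
NOP_SLED = bytes.fromhex("46 00 58 00 4E 00 42 00")   # repeated Unicode-safe prefix
MARKERS = {"meow_marker": b"MEOW", "marb_marker": b"MARB"}
MONITORED_PORTS = {135, 139, 445, 539, 593}   # assumption: ports named in the bullets above
UNC_PATH_LIMIT = 32                           # assumption: characters before a path counts as oversized

PDU_TYPE_REQUEST, PDU_TYPE_BIND = 0x00, 0x0B


def parse_header(pdu):
    """Decode the 16-byte DCE/RPC PDU header; return None if this is not RPC version 5."""
    if len(pdu) < 16 or pdu[0] != 5:
        return None
    little_endian = bool(pdu[4] & 0x10)        # data representation byte 0, bit 4: little-endian integers
    fmt = "<HHI" if little_endian else ">HHI"
    frag_len, auth_len, call_id = struct.unpack(fmt, pdu[8:16])
    return {"minor": pdu[1], "ptype": pdu[2], "flags": pdu[3],
            "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id}


def find_unc_paths(payload):
    """Return every NUL-terminated UTF-16LE string that starts with a double backslash."""
    needle = "\\\\".encode("utf-16-le")        # 5C 00 5C 00
    paths, start = [], 0
    while (i := payload.find(needle, start)) >= 0:
        j = i
        while j + 1 < len(payload) and payload[j:j + 2] != b"\x00\x00":
            j += 2
        paths.append(payload[i:j].decode("utf-16-le", errors="replace"))
        start = j + 2
    return paths


def inspect(payload, dst_port):
    """Return the names of the page-listed indicators present in one TCP payload."""
    hits = []
    if dst_port not in MONITORED_PORTS:
        return hits
    hdr = parse_header(payload)
    if hdr is None:
        return hits
    if payload.startswith(BIND_HEADER):
        hits.append("dcerpc_bind")
        if IFACE_UUID in payload:
            hits.append("iface_uuid")
        if XFER_UUID in payload:
            hits.append("xfer_uuid")
    if hdr["ptype"] == PDU_TYPE_REQUEST:
        if payload.count(NOP_SLED) >= 2:      # a lone occurrence could be ordinary Unicode text
            hits.append("nop_sled")
        for name, marker in MARKERS.items():
            if marker in payload:
                hits.append(name)
        if any(len(p) > UNC_PATH_LIMIT for p in find_unc_paths(payload)):
            hits.append("long_unc_path")
    if hdr["frag_len"] != len(payload):       # header claims a different length than was sent
        hits.append("frag_len_mismatch")
    return hits


# Sample 1: the BIND PDU bytes listed on this page (72 bytes, frag_len 0x48).
BIND_SAMPLE = bytes.fromhex(
    "05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 "
    "01 00 00 00 01 00 01 00 a0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 "
    "00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00")


def build_request_sample():
    """Constructed REQUEST PDU carrying the MEOW marker, a sled run, and a long UNC path."""
    body = (b"MEOW" + NOP_SLED * 8
            + ("\\\\host\\C$\\" + "1" * 40 + ".doc").encode("utf-16-le") + b"\x00\x00")
    frag_len = 24 + len(body)                 # 16-byte header + 8 bytes of request fields
    header = bytes([5, 0, PDU_TYPE_REQUEST, 3, 0x10, 0, 0, 0]) + struct.pack("<HHI", frag_len, 0, 0xE5)
    request_fields = struct.pack("<IHH", len(body), 1, 4)   # alloc_hint, context id, opnum 4
    return header + request_fields + body


BENIGN_SAMPLE = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"   # constructed non-RPC traffic

if __name__ == "__main__":
    for label, pdu in (("bind", BIND_SAMPLE), ("request", build_request_sample()), ("benign", BENIGN_SAMPLE)):
        print(label, inspect(pdu, 135))
```

Each sample is a single PDU, so the frag_len check holds; in a real capture a TCP segment may carry several PDUs or a fragment of one, and the inspector would need to walk the stream by frag_len before applying the checks.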

CVSS provenance

  • NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
  • VulnCheck: 7.5 HIGH