CVE-2003-0714
Published 2003-11-17
Priority P3 · 45 · high · CVSS 2.0 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available · EPSS 76.39% (99.5th percentile)
The Internet Mail Service in Exchange Server 5.5 and Exchange 2000 allows remote attackers to cause a denial of service (memory exhaustion) by directly connecting to the SMTP service and sending a certain extended verb request, possibly triggering a buffer overflow in Exchange 2000.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
Detection & IOCs (extracted from sources)
- bytes: META repeated 16384 times (heap-smashing string)
- Detect unauthenticated XEXCH50 verb usage on SMTP port 25 — a patched server only allows XEXCH50 after NTLM authentication, so any XEXCH50 command issued before authentication is a strong indicator of an exploitation attempt.
- Alert on the SMTP server response '354 Send binary data' to an unauthenticated XEXCH50 request — this confirms the server is vulnerable and actively responding to the exploit probe.
- Detect XEXCH50 with a negative size argument (e.g., XEXCH50 -1 2) on SMTP — this is the specific trigger for the heap overwrite primitive used in both the PoC crash and the Metasploit exploit.
- Detect XEXCH50 with an extremely large size argument (e.g., 33554432 / 32MB) on SMTP — used by the Metasploit module to pre-fill the heap with shellcode before triggering the overflow.
- Monitor for multiple rapid SMTP reconnections (10 in quick succession with only HELO) following an XEXCH50 exchange — this reconnect sequence is used by the Metasploit module to trigger the heap corruption.
- Flag SMTP sessions where EHLO is sent with a single random alpha character followed immediately by XEXCH50 — this is the exploit's fingerprint for the check and attack setup phases.
- Note: the exploit is highly unreliable and may require up to 100 connection attempts before achieving code execution; detection logic should account for repeated connection attempts from the same source IP.
- Note: the Metasploit module's bad character list excludes null bytes, newlines, carriage returns, spaces, colons, equals, plus signs, and double-quotes from payload encoding — payload network signatures must account for these constraints.
- Note: the exploit uses an SEH-based exit function, meaning the shellcode exit method targets structured exception handlers — post-exploitation forensics should examine SEH chain manipulation in inetinfo.exe.
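The indicators above translate directly into session-level detection logic. The following is an added example written for this page; it is not code from the page's sources, from Exploit-DB, or from the Metasploit module. It runs over constructed SMTP session transcripts (not real traffic) and flags the patterns listed: XEXCH50 before authentication, a `354` acceptance of such a request, negative or 32 MB size arguments, a single-character EHLO followed by XEXCH50, and a burst of HELO-only reconnections after an XEXCH50 session. The 32 MB and 10-reconnection thresholds come from the list above; the 60-second reconnection window, the use of the `235` reply as the authentication marker, and the hostnames are assumptions.

```python
"""Detect the XEXCH50 abuse indicators from the IoC list in SMTP session transcripts.

Added example: sessions below are constructed for illustration, not captured traffic.
"""
import re
from datetime import datetime, timedelta

# Thresholds from the indicator list; the window is an assumed value.
LARGE_SIZE = 32 * 1024 * 1024          # 33554432, the size the exploit module sends
RECONNECT_COUNT = 10                   # HELO-only reconnections after an XEXCH50 session
RECONNECT_WINDOW = timedelta(seconds=60)

XEXCH50_RE = re.compile(r"^XEXCH50\s+(-?\d+)\s+(\d+)\s*$", re.IGNORECASE)
SINGLE_CHAR_EHLO_RE = re.compile(r"^EHLO\s+[A-Za-z]\s*$", re.IGNORECASE)


def analyze_session(lines):
    """lines: sequence of (direction, text); direction is 'C' (client) or 'S' (server).
    Returns the indicator names that fired, in the order they were observed."""
    findings = []
    authenticated = False      # a patched server permits XEXCH50 only after NTLM auth
    prev_client_cmd = None
    for direction, raw in lines:
        text = raw.strip()
        if direction == "S":
            if text.startswith("235"):                      # 235 = authentication succeeded
                authenticated = True
            elif text.startswith("354") and prev_client_cmd == "XEXCH50" and not authenticated:
                findings.append("server_accepted_unauth_xexch50")
            continue
        verb = text.split(" ", 1)[0].upper()
        if verb == "XEXCH50":
            if not authenticated:
                findings.append("xexch50_before_auth")
            if prev_client_cmd == "EHLO_SINGLE_CHAR":
                findings.append("single_char_ehlo_then_xexch50")
            m = XEXCH50_RE.match(text)
            if m:
                size = int(m.group(1))
                if size < 0:
                    findings.append("xexch50_negative_size")
                elif size >= LARGE_SIZE:
                    findings.append("xexch50_oversized")
            prev_client_cmd = "XEXCH50"
        elif SINGLE_CHAR_EHLO_RE.match(text):
            prev_client_cmd = "EHLO_SINGLE_CHAR"
        else:
            prev_client_cmd = verb
    return findings


def analyze_source(sessions):
    """sessions: time-ordered list of (start_time, lines) from one source address.
    Flags RECONNECT_COUNT HELO-only sessions within RECONNECT_WINDOW of an XEXCH50 session."""
    trigger_time = None
    helo_only = []
    for started, lines in sessions:
        cmds = [l.strip().split(" ", 1)[0].upper() for d, l in lines if d == "C"]
        if "XEXCH50" in cmds:
            trigger_time, helo_only = started, []
        elif trigger_time is not None and cmds and all(c in ("HELO", "QUIT") for c in cmds):
            if started - trigger_time <= RECONNECT_WINDOW:
                helo_only.append(started)
    return ["helo_only_reconnect_burst"] if len(helo_only) >= RECONNECT_COUNT else []


# Constructed sample transcripts (hostnames and timestamps are made up).
BASE = datetime(2003, 10, 15, 12, 0, 0)
PROBE = [("S", "220 mail.example.test Microsoft ESMTP MAIL Service ready"),
         ("C", "EHLO X"), ("S", "250-mail.example.test Hello"), ("S", "250 XEXCH50"),
         ("C", "XEXCH50 2 2"), ("S", "354 Send binary data"), ("C", "AA"), ("S", "250 OK")]
TRIGGER = [("S", "220 mail.example.test ready"), ("C", "EHLO Q"), ("S", "250 OK"),
           ("C", "XEXCH50 -1 2"), ("S", "354 Send binary data")]
LEGIT = [("S", "220 mail.example.test ready"), ("C", "EHLO relay.example.test"), ("S", "250 OK"),
         ("C", "AUTH NTLM"), ("S", "334 challenge"), ("C", "<ntlm blob>"),
         ("S", "235 2.7.0 Authentication successful"), ("C", "XEXCH50 2 2"),
         ("S", "354 Send binary data")]
HELO_ONLY = [("S", "220 ready"), ("C", "HELO x"), ("S", "250 OK"), ("C", "QUIT"), ("S", "221 bye")]


def build_source_timeline():
    """One source: probe, negative-size trigger, then ten HELO-only reconnections."""
    sessions = [(BASE, PROBE), (BASE + timedelta(seconds=5), TRIGGER)]
    sessions += [(BASE + timedelta(seconds=6 + i), HELO_ONLY) for i in range(RECONNECT_COUNT)]
    return sessions


if __name__ == "__main__":
    for name, s in (("probe", PROBE), ("trigger", TRIGGER), ("legit", LEGIT)):
        print(name, analyze_session(s))
    print("source", analyze_source(build_source_timeline()))
```

The `LEGIT` transcript shows the important negative case: a patched server answering `354` to XEXCH50 after a `235` authentication reply produces no findings, so the rule does not fire on normal Exchange-to-Exchange transfers. Feeding it real data means mapping your SMTP protocol logs or IDS session reconstructions onto the `(direction, line)` shape.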
No detection rules found.
Exploit-DB: Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (MS03-046) (Metasploit) · exploitdb · 2010-11-11
```ruby
##
# $Id: ms03_046_exchange2000_xexch50.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'MS03-046 Exchange 2000 XEXCH50 Heap Overflow',
'Description' => %q{
This is an exploit for the Exchange 2000 heap overflow. Due
to the nature of the vulnerability, this exploit is not very
reliable. This module has been tested against Exchange 2000
SP0 and SP3 running a Windows 2000 system patched to SP4. It
normally takes between one
```
Exploit-DB: Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (PoC) (MS03-046) · exploitdb · 2003-10-22
```perl
#!/usr/bin/perl -w
##################
##
# ms03-046.pl - hdm metasploit com
# This vulnerability allows a remote unauthenticated user to overwrite big chunks
# of the heap used by the inetinfo.exe process. Reliably exploiting this bug is
# non-trivial; even though the entire buffer is binary safe (even nulls) and can be
# just about any size, the actual code that crashes varies widely with each request.
# During the analysis process, numerous combinations of request size, concurrent
# requests, pre-allocations, and alternate trigger routes were examined and not a
# single duplicate of location and data offset was discovered. Hopefully the magic
# combination of data, size, and setup will be found to allow this b
```
Metasploit: MS03-046 Exchange 2000 XEXCH50 Heap Overflow · metasploit
This is an exploit for the Exchange 2000 heap overflow. Due to the nature of the vulnerability, this exploit is not very reliable. This module has been tested against Exchange 2000 SP0 and SP3 running a Windows 2000 system patched to SP4. It normally takes between one and 100 connection attempts to successfully obtain a shell. This exploit is *very* unreliable.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=106682909006586&w=2
- http://www.cert.org/advisories/CA-2003-27.html
- http://www.kb.cert.org/vuls/id/422156
- http://www.securityfocus.com/bid/8838
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-046