CVE-2003-0715
published 2003-09-17

Priority: P346 · critical · 10 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 37.14% (98.3rd percentile)
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.

Affected

6 ranges

Vendor | Product | Version range | Fixed in
microsoft | windows_2003_server | |
microsoft | windows_2003_server | |
microsoft | windows_2003_server | |
microsoft | windows_2003_server | |
microsoft | windows_2003_server | |
microsoft | windows_nt | |

Detection & IOCs (extracted from sources)

port 445
port 135
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:16;)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:17;)
bytes
|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W
bytes
|5C 00|P|00|I|00|P|00|E|00 5C 00|
bytes
|FF|SMB%
  • The exploit targets DCOM object activation over DCERPC; detect DCERPC bind requests (packet type 0x0B) on TCP 135 (MSRPC endpoint mapper) containing the DCOM Remote Activation interface UUID B84A9F4D-1C7D-CF11-861E-0020AF6E7C57.
  • On TCP 445 (SMB-DS), look for SMB pipe traffic (\PIPE\) carrying the same DCERPC Remote Activation bind with the DCOM UUID; this indicates exploitation tunnelled over SMB named pipes.
  • The vulnerability is a heap-based buffer overflow triggered by a malformed DCERPC DCOM object activation request with modified length fields; inspect DCERPC PDU length fields for anomalies in packets matching the Remote Activation bind pattern.
  • Tag the full session (5 packets) upon matching the bind attempt to capture the subsequent exploit payload and any shellcode delivery.
  • The Snort rules (sid:2102252, sid:2102251) also reference CVE-2003-0528 and CVE-2003-0605; they are shared detection rules covering multiple DCOM/RPCSS vulnerabilities, not exclusively CVE-2003-0715. Tune or layer additional checks to distinguish between these related CVEs.
  • CVE-2003-0715 is explicitly a different vulnerability from CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528; ensure detection logic does not rely solely on Blaster-era signatures, which may miss this distinct heap overflow variant.
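
The bind check described in the bullets above, as an added Python example (not taken from the Snort rules' authors or any project): it parses one reassembled DCERPC bind PDU, walks every presentation context rather than only the first one the rule's fixed offset covers, and flags a `frag_length` that disagrees with the bytes seen. The helper names, the sample builder and its field values are assumptions constructed for illustration; the UUID bytes are copied from the rule's content match.

```python
import struct
import uuid

# Interface UUID as wire bytes, copied from the Snort content match on this page.
REMACT_WIRE = bytes.fromhex("B84A9F4D1C7DCF11861E0020AF6E7C57")
REMACT_UUID = uuid.UUID(bytes_le=REMACT_WIRE)
PTYPE_BIND = 0x0B

def inspect_bind(pdu: bytes) -> dict:
    """Inspect one reassembled connection-oriented DCERPC PDU (hypothetical helper)."""
    out = {"is_bind": False, "remact": False, "anomalies": []}
    if len(pdu) < 16 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return out
    out["is_bind"] = True
    little = (pdu[4] >> 4) == 1  # packed_drep: high nibble 1 = little-endian
    frag_len = struct.unpack_from("<H" if little else ">H", pdu, 8)[0]
    if frag_len != len(pdu):
        out["anomalies"].append(f"frag_length {frag_len} != {len(pdu)} bytes seen")
    if len(pdu) < 28:
        out["anomalies"].append("bind body truncated")
        return out
    off = 28  # 16-byte header + max_xmit/max_recv/assoc_group + context count
    for _ in range(pdu[24]):  # n_context_elem
        if off + 24 > len(pdu):
            out["anomalies"].append("context list runs past end of PDU")
            break
        raw = pdu[off + 4:off + 20]  # abstract syntax (interface) UUID
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        out["remact"] = out["remact"] or iface == REMACT_UUID
        off += 24 + 20 * pdu[off + 2]  # skip n_transfer_syn transfer syntaxes
    return out

def build_sample_bind(iface_wire: bytes, frag_len=None) -> bytes:
    """Constructed sample: minimal little-endian bind with one context item."""
    ndr = bytes.fromhex("045D888AEB1CC9119FE808002B104860") + struct.pack("<I", 2)
    ctx = struct.pack("<HBx", 0, 1) + iface_wire + struct.pack("<HH", 0, 0) + ndr
    body = struct.pack("<HHI", 5840, 5840, 0) + struct.pack("<Bxxx", 1) + ctx
    total = 16 + len(body) if frag_len is None else frag_len
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                      b"\x10\x00\x00\x00", total, 0, 1)
    return hdr + body

if __name__ == "__main__":
    print(inspect_bind(build_sample_bind(REMACT_WIRE)))
    print(inspect_bind(build_sample_bind(REMACT_WIRE, frag_len=4096)))
```

A Remote Activation bind is not in itself evidence of exploitation, and the length check here covers only the bind header, so treat a hit as a trigger for inspecting the rest of the tagged session.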