cbcvebase.
CVE-2003-0717
published 2003-11-17

CVE-2003-0717: The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary…

Priority P2 · 61 · high · 7.5 CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 63.46% (99.1th percentile)
The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.

Affected (6 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_nt

Detection & IOCs (extracted from sources)

port: 135/udp
port: 445/tcp
bytes: \x04\x00\x28\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0\x4f\xb6\xe6\xfc
bytes: 0x14 (body fill byte triggering CR+LF expansion overflow)
snort: alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102257; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0717, confidence High, signature_severity Informational, updated_at 2019_07_26;)
snort: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:established,to_server; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102258; rev:11; metadata:created_at 2010_09_23, cve CVE_2003_0717, confidence High, signature_severity Major, updated_at 2024_03_08;)
  • Exploit sends a UDP packet to port 135 (DCERPC endpoint mapper). The packet begins with the 4-byte magic \x04\x00\x28\x00 followed by the DCERPC UUID \xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0\x4f\xb6\xe6\xfc. Detect this header pattern on UDP/135.
  • The overflow is triggered by filling the message body with 0x14 bytes. When 0x14 is encountered it is replaced by CR+LF, doubling the size and overflowing a fixed 0x11CA-byte buffer. Detect large UDP/135 DCERPC Messenger packets whose body is predominantly 0x14 bytes.
  • RCE exploit variant binds a command shell on TCP port 9191 post-exploitation. Monitor for unexpected listening services or outbound connections on port 9191 on Windows hosts.
  • The exploit also reaches the target over TCP/445 via SMB named pipe \PIPE\. The Snort rule detects the SMB-DS variant by matching the \x5C\x00P\x00I\x00P\x00E\x00\x5C\x00 (\PIPE\) string followed by the DCERPC \x04\x00 header and an oversized field (>1024 bytes).
  • The RCE exploit uses CRYPTSVC.DLL (Win2k SP3) and RPCRT4.DLL (WinXP SP1) as trampoline gadgets (call [esi+48h] / call [edi+6ch]). Unexpected executable code flow through these modules' gadget addresses is a strong indicator of exploitation.
  • The Snort UDP rule (sid:2102257) targets port 135 only and will not catch the SMB-DS variant delivered over TCP/445 (covered by sid:2102258). Both rules must be deployed for full coverage.
  • The DoS PoC was tested against Win2K SP4; the RCE exploit was tested on Windows XP SP1 and Windows 2000 SP3 English. Behaviour on other service-pack levels is not confirmed by the sources.
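An added heuristic detector (example code, not from the CVE record or from any IDS project) that applies the two checks from the bullets above to a datagram: the header match on the quoted magic and Messenger UUID, and the 0x14 to CR+LF expansion measured against the 0x11CA-byte buffer. Assumptions not stated on the page: the message body is taken to start right after the 40 quoted header bytes, and the 0.5 fill-ratio threshold is an arbitrary tuning choice.

```python
# Added example, not from the CVE record or from any vendor or IDS project.
# Heuristic check for the CVE-2003-0717 pattern described above: confirm the
# DCERPC magic and Messenger UUID quoted on the page, then apply the same
# 0x14 -> CR+LF expansion the vulnerable service performs and compare the
# result with the 0x11CA-byte buffer the page cites.
MAGIC = b"\x04\x00\x28\x00"
MESSENGER_UUID = bytes.fromhex("f8917b5a00ffd011a9b200c04fb6e6fc")
UUID_OFFSET = 24        # 4-byte magic + 20 bytes, per the page's byte string
HEADER_LEN = 40         # assumption: body starts right after the quoted 40 bytes
BUFFER_SIZE = 0x11CA    # 4554 bytes, the fixed buffer size the page cites


def is_messenger_dcerpc(payload: bytes) -> bool:
    """True when the datagram starts with the magic and carries the Messenger UUID."""
    return (payload[:4] == MAGIC
            and payload[UUID_OFFSET:UUID_OFFSET + 16] == MESSENGER_UUID)


def expanded_length(body: bytes) -> int:
    """Body length after every 0x14 byte is replaced by CR+LF (one byte becomes two)."""
    return len(body) + body.count(0x14)


def assess(payload: bytes) -> dict:
    """Classify one UDP/135 datagram with the page's two heuristics."""
    if not is_messenger_dcerpc(payload):
        return {"messenger": False, "verdict": "ignore"}
    body = payload[HEADER_LEN:]
    expanded = expanded_length(body)
    fill_ratio = body.count(0x14) / len(body) if body else 0.0
    if expanded > BUFFER_SIZE:
        verdict = "overflow"           # expansion would exceed the 0x11CA buffer
    elif fill_ratio > 0.5:
        verdict = "suspicious-fill"    # body predominantly 0x14 but still fits
    else:
        verdict = "benign"
    return {"messenger": True, "body_len": len(body), "expanded_len": expanded,
            "fill_ratio": round(fill_ratio, 2), "verdict": verdict}


# Constructed samples for offline testing (not captured traffic).
HEADER = MAGIC + b"\x10" + b"\x00" * 19 + MESSENGER_UUID
BENIGN = HEADER + b"Backup completed on SRV01\r\n"
FILLED = HEADER + b"\x14" * 3000          # 3000 bytes expand to 6000 > 4554
OTHER_RPC = b"\x05\x00" + b"\x00" * 38    # not a Messenger datagram

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("filled", FILLED), ("other", OTHER_RPC)):
        print(name, assess(pkt))
```

The `expanded_length` check is what the Snort `byte_test` on an oversized field approximates; the fill-ratio check catches bodies below the limit that still match the fill pattern the sources describe.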