CVE-2003-0719
published 2004-06-01


Priority: high (P359)
CVSS 2.0 base score: 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 83.41% (99.6th percentile)
Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.

Affected (2 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_2003_server   (none listed)   (none listed)
microsoft   windows_nt            (none listed)   (none listed)

Detection & IOCs (extracted from sources)

port: 443
bytes: \x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00
bytes: \x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00\xeb\x0f
  • Detect PCT 1.0 handshake packets with the malformed header byte sequence starting with \x80\x62\x01\x02 or \x80\x66\x01\x02 on TCP/443, which is the exploit trigger for CVE-2003-0719.
  • Alert on the JMP short stub \xeb\x0f immediately following the PCT header in the SSL handshake payload, indicating a NOP sled/shellcode redirect.
  • A server response of exactly three bytes \x00\x00\x01 to the malformed PCT packet indicates PCT is disabled; absence of this response with no crash may indicate successful exploitation.
  • Monitor for SMTP STARTTLS followed immediately by a malformed PCT handshake packet (non-standard SSL record), which is the SMTP-wrapped exploitation vector.
  • Detect outbound connect-back shell connections from IIS/SSL service processes (e.g., lsass.exe, inetinfo.exe) to attacker-controlled IPs on arbitrary high ports, characteristic of the THCIISSLame connect-back payload.
  • The exploit sends exactly 351 bytes in the malformed PCT buffer; alert on SSL/TLS ClientHello records of exactly this size containing the known header magic.
  • The exploit supports two delivery protocols ('raw' SSL on any port, or SMTP with STARTTLS); detection rules must cover both vectors.
  • The THCIISSLame exploit XORs the return address and callback IP/port with fixed keys (0xffffffff and 0x93939393/0x9393) before embedding them in the buffer, so the raw bytes in the packet will differ from the logical values.