CVE-2003-0719
Published 2004-06-01 · Priority P3 (59) · Severity high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) · Exploit available · EPSS 83.41% (99.6th percentile)
Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.
Affected (2 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
Indicator bytes:
- `\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00`
- `\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00\xeb\x0f`
Detection notes:
- Detect PCT 1.0 handshake packets whose header begins with the malformed byte sequence `\x80\x62\x01\x02` or `\x80\x66\x01\x02` on TCP/443; this is the exploit trigger for CVE-2003-0719.
- Alert on the JMP short stub `\xeb\x0f` immediately following the PCT header in the SSL handshake payload, which indicates a NOP sled/shellcode redirect.
- A server response of exactly three bytes, `\x00\x00\x01`, to the malformed PCT packet indicates that PCT is disabled; absence of this response with no crash may indicate successful exploitation.
- Monitor for SMTP STARTTLS followed immediately by a malformed PCT handshake packet (a non-standard SSL record); this is the SMTP-wrapped exploitation vector.
- Detect outbound connect-back shell connections from IIS/SSL service processes (e.g., lsass.exe, inetinfo.exe) to attacker-controlled IPs on arbitrary high ports, characteristic of the THCIISSLame connect-back payload.
- The exploit sends exactly 351 bytes in the malformed PCT buffer; alert on SSL/TLS ClientHello records of exactly this size that contain the known header magic.
- The exploit supports two delivery protocols ('raw' SSL on any port, or SMTP with STARTTLS); detection rules must cover both vectors.
- The THCIISSLame exploit XORs the return address and the callback IP/port with fixed keys (0xffffffff and 0x93939393/0x9393) before embedding them in the buffer, so the raw bytes in the packet differ from the logical values.
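As an added example (not code from any source listed on this page), the following Python applies the per-packet and flow-level indicators above to constructed sample flows: the PCT header magic, the JMP short stub right after the 17-byte header, the 351-byte size, the STARTTLS-then-PCT sequence, and the three-byte PCT-disabled reply. The message direction labels and the sample flows are assumptions made here.

```python
"""CVE-2003-0719 (MS04-011) PCT handshake indicator checks.

Added example, not code from any source listed on this page; the byte patterns,
the 351-byte size and the 3-byte reply come from the detection notes above.
"""
PCT_HEADER_PREFIXES = (b"\x80\x62\x01\x02", b"\x80\x66\x01\x02")
PCT_HEADER_LEN = 17                   # both quoted IOC headers are 17 bytes long
JMP_SHORT_STUB = b"\xeb\x0f"          # x86 "jmp short +15" right after the header
KNOWN_EXPLOIT_LEN = 351               # size of the malformed buffer in the notes
PCT_DISABLED_REPLY = b"\x00\x00\x01"  # server answer when PCT is switched off

def inspect_client_record(payload: bytes) -> dict:
    """Evaluate one client->server TCP payload against the per-packet indicators."""
    has_header = payload[:4] in PCT_HEADER_PREFIXES
    return {
        "pct_header": has_header,
        "jmp_stub": has_header and payload[PCT_HEADER_LEN:PCT_HEADER_LEN + 2] == JMP_SHORT_STUB,
        "exact_len": has_header and len(payload) == KNOWN_EXPLOIT_LEN,
    }

def classify_server_reply(reply: bytes) -> str:
    """Interpret the server's answer to a flagged PCT record."""
    if reply == PCT_DISABLED_REPLY:
        return "pct_disabled"         # PCT is off: the malformed hello was rejected
    if not reply:
        return "no_reply"             # silence without a crash is the worrying case
    return "other"

def scan_flow(messages):
    """Walk (direction, payload) pairs ("c" client->server, "s" server->client) and
    return alert tags; the SMTP vector is a client STARTTLS then a client PCT record."""
    alerts, prev_client = [], b""
    for i, (direction, data) in enumerate(messages):
        if direction != "c":
            continue
        f = inspect_client_record(data)
        if f["pct_header"]:
            extras = [("smtp_starttls", prev_client.strip().upper() == b"STARTTLS"),
                      ("jmp_stub", f["jmp_stub"]), ("len351", f["exact_len"])]
            alerts.append("+".join(["pct_handshake"] + [n for n, hit in extras if hit]))
            nxt = messages[i + 1] if i + 1 < len(messages) else ("s", b"")
            alerts.append("server:" + classify_server_reply(nxt[1] if nxt[0] == "s" else b""))
        prev_client = data
    return alerts
# Constructed sample flows (not captured traffic); PCT_PROBE is the second IOC above.
PCT_PROBE = b"\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00\xeb\x0f"
RAW_FLOW = [("c", PCT_PROBE), ("s", PCT_DISABLED_REPLY)]
SMTP_FLOW = [("s", b"220 mail ready\r\n"), ("c", b"STARTTLS\r\n"), ("s", b"220 go ahead\r\n"),
             ("c", PCT_PROBE.ljust(KNOWN_EXPLOIT_LEN, b"A")), ("s", b"")]
```

A normal TLS ClientHello (record type 0x16) never matches the header check, so the size and stub checks are only consulted once the PCT magic is present.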
No detection rules found.
Exploit-DB: Microsoft Private Communications Transport - Remote Overflow (MS04-011) (Metasploit), exploitdb, 2010-09-20 (excerpt):

```ruby
##
# $Id: ms04_011_pct.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft Private Communications Transport Overflow',
'Description' => %q{
This module exploits a buffer overflow in the Microsoft
Windows SSL PCT protocol stack. This code is based on Johnny
Cyberpunk's THC release and has been tested against Windows
2000 and Windows XP. To use this module, specify the remote
port of any SSL service, or the port
```
Exploit-DB: Microsoft IIS 5.0 - SSL Remote Buffer Overflow (MS04-011), exploitdb, 2004-04-21 (excerpt):

```c
/*****************************************************************************/
/* THCIISSLame 0.3 - IIS 5 SSL remote root exploit                           */
/* Exploit by: Johnny Cyberpunk ([email protected])                          */
/* THC PUBLIC SOURCE MATERIALS                                               */
/*                                                                           */
/* Bug was found by Internet Security Systems                                */
/* Reversing credits of the bug go to Halvar Flake                           */
/*                                                                           */
/* compile with MS Visual C++ : cl THCIISSLame.c                             */
/*                                                                           */
/* v0.3 - removed sleep[500]; and fixed the problem with zero ips/ports      */
/* v0.2 - This little update uses a connectback shell !                      */
/* v0.1 - First release with portbinding shell on 31337                      */
/*                                                                           */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
/* scut, stealth, FtR and Random                                             */
/************************
```
Metasploit: MS04-011 Microsoft Private Communications Transport Overflow
Module description: This module exploits a buffer overflow in the Microsoft Windows SSL PCT protocol stack. This code is based on Johnny Cyberpunk's THC release and has been tested against Windows 2000 and Windows XP. To use this module, specify the remote port of any SSL service, or the port and protocol of an application that uses SSL. The only application protocol supported at this time is SMTP. You only have one chance to select the correct target; if you are attacking IIS, you may want to try one of the other exploits first (WebDAV). If WebDAV does not work, this more than likely means that this is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS 5.1). Using the wrong target may not result in an immediate crash of the remote system.
No writeups or analysis indexed.
References:
- http://www.kb.cert.org/vuls/id/586540
- http://www.securityfocus.com/archive/1/361836
- http://www.us-cert.gov/cas/techalerts/TA04-104A.html
- http://xforce.iss.net/xforce/alerts/id/168
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-011
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1093
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A889
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A903
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A951