CVE-2003-0822
Published 2003-12-15
Priority P3 · 56 · high · 7.5 CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 83.08% (99.6th percentile)
Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | frontpage_server_extensions | — | — |
| microsoft | frontpage_server_extensions | — | — |
| microsoft | sharepoint_team_services | — | — |
Detection & IOCs (extracted from sources)
bytes: 0xEB,0x03,0x5D,0xEB,0x05,0xE8,0xF8,0xFF,0xFF,0xFF,0x8B,0xC5,0x83,0xC0,0x11,0x33,0xC9,0x66,0xB9,0xC9,0x01,0x80,0x30,0x88,0x40,0xE2,0xFA
- Detect HTTP POST requests targeting the FrontPage ISAPI path /_vti_bin/_vti_aut/fp30reg.dll with a Transfer-Encoding: chunked header, which is the exploit delivery mechanism.
- An HTTP 501 response from the server to a request for /_vti_bin/_vti_aut/fp30reg.dll indicates the vulnerable ISAPI extension is present and loaded.
- Monitor for new inbound connections on TCP port 9999 from IIS/dllhost.exe processes, which indicates successful exploitation and bind shell activation.
- Look for oversized chunked HTTP POST bodies (e.g., chunk size 0xDEAD / ~57005 bytes) sent to fp30reg.dll, indicative of the Metasploit exploit module.
- Detect the shellcode byte sequence starting with EB 03 5D EB 05 E8 F8 FF FF FF in HTTP POST body payloads targeting fp30reg.dll.
- Alert on repeated POST requests (up to 15 iterations) to /_vti_bin/_vti_aut/fp30reg.dll from the same source IP in a short time window, consistent with the Metasploit module's retry loop.
- The exploit only works against Windows 2000 SP0 through SP3; Windows 2000 SP4 and later are not vulnerable. Ensure detection scope is limited accordingly.
- The return address used in the exploit varies by target OS patch level and fp30reg.dll version; multiple RET values are in use across exploit variants.
- The Metasploit module periodically refreshes the remote dllhost.exe process during exploitation; detection rules should account for this multi-request pattern rather than expecting a single exploit attempt.
- The payload bad characters include null bytes and common URL-encoding characters; encoded payloads will not contain these bytes, which may affect signature matching.
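The request-level indicators listed above can be correlated per source address, as in this added example (it is not code from this page or from any project it references). The record fields, rule names, `WINDOW` and `BURST` are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TARGET = "/_vti_bin/_vti_aut/fp30reg.dll"
# First ten bytes of the sequence quoted in the IOC list above.
STUB = bytes([0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF])
WINDOW = timedelta(seconds=60)  # assumed correlation window
BURST = 3                       # assumed repeat threshold (tune per site)

def indicators(req):
    """Return the indicator names one request record matches."""
    if req["path"].split("?", 1)[0].lower() != TARGET:
        return set()
    hits = set()
    headers = {k.lower(): v.lower() for k, v in req["headers"].items()}
    if req["method"].upper() == "POST" and "chunked" in headers.get("transfer-encoding", ""):
        hits.add("chunked_post")
        if STUB in req.get("body", b""):
            hits.add("stub_bytes")
    if req.get("status") == 501:
        hits.add("isapi_501")
    return hits

def detect(requests):
    """Return sorted (source, rule) alerts, correlating repeats per source."""
    alerts, seen = set(), defaultdict(list)
    for req in sorted(requests, key=lambda r: r["ts"]):
        hits = indicators(req)
        alerts.update((req["src"], h) for h in hits)
        if "chunked_post" in hits:
            # Keep only attempts inside the sliding window, including this one.
            recent = [t for t in seen[req["src"]] + [req["ts"]] if req["ts"] - t <= WINDOW]
            seen[req["src"]] = recent
            if len(recent) >= BURST:
                alerts.add((req["src"], "retry_burst"))
    return sorted(alerts)

def _req(src, sec, method, path, headers, status, body=b""):
    ts = datetime(2003, 11, 14, 10, 0, 0) + timedelta(seconds=sec)
    return dict(src=src, ts=ts, method=method, path=path, headers=headers, status=status, body=body)

# Constructed sample records (documentation-range addresses, not real traffic).
CHUNKED = {"Transfer-Encoding": "chunked"}
SAMPLE = [
    _req("192.0.2.10", 0, "GET", TARGET, {}, 501),
    _req("192.0.2.10", 5, "POST", TARGET, CHUNKED, 200, b"DEAD\r\n" + STUB),
    _req("192.0.2.10", 9, "POST", TARGET, CHUNKED, 200),
    _req("192.0.2.10", 14, "POST", TARGET, CHUNKED, 200),
    _req("198.51.100.7", 3, "POST", "/_vti_bin/shtml.dll", CHUNKED, 200),
    _req("198.51.100.7", 90, "POST", TARGET, {"Content-Length": "12"}, 200),
]
```

The `stub_bytes` rule is the weakest of the four: as the caveat on encoded payloads notes, a byte match can miss variants, so the chunked-POST and burst rules carry the detection.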
No detection rules found.
Exploit-DB
Microsoft IIS - ISAPI FrontPage 'fp30reg.dll' Chunked Overflow (MS03-051) (Metasploit)
exploitdb·2010-07-25
---
##
# $Id: ms03_051_fp30reg_chunked.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow',
'Description' => %q{
This is an exploit for the chunked encoding buffer overflow
described in MS03-051 and originally reported by Brett
Moore. This particular modules works against versions of
Windows 2000 between SP0 and SP3. Service Pack 4 fixes the
issue.
},
'Author' =>
Exploit-DB
Microsoft FrontPage Server Extensions - 'fp30reg.dll' (MS03-051)
exploitdb·2003-11-13
---
/*******************************************************************************
Frontpage fp30reg.dll Overflow (MS03-051) discovered by Brett Moore
Exploit by Adik netmaniac hotmail kg
Binds persistent command shell on port 9999
Tested on
Windows 2000 Professional SP3 English version
(fp30reg.dll ver 4.0.2.5526)
-[ 13/Nov/2003 ]-
********************************************************************************/
#include
#include
#include
#pragma comment(lib,"ws2_32")
#define VER "0.1"
/******** bind shellcode spawns persistent shell on port 9999 *****************************/
unsigned char kyrgyz_bind_code[] = {
0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,
0xC9,
Metasploit
MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow
metasploit
This is an exploit for the chunked encoding buffer overflow described in MS03-051 and originally reported by Brett Moore. This particular module works against versions of Windows 2000 between SP0 and SP3. Service Pack 4 fixes the issue.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=106865318904055&w=2
- http://marc.info/?l=ntbugtraq&m=106862654906759&w=2
- http://secunia.com/advisories/10195
- http://www.kb.cert.org/vuls/id/279156
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-051
- https://exchange.xforce.ibmcloud.com/vulnerabilities/13674
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A364
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A366
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A367
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A699
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A743
2003-12-15
Published