CVE-2003-0822
published 2003-12-15

Priority: P356 · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 83.08% (99.6th percentile)
Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
microsoft | frontpage_server_extensions | |
microsoft | frontpage_server_extensions | |
microsoft | sharepoint_team_services | |

Detection & IOCs (extracted from sources)

url: /_vti_bin/_vti_aut/fp30reg.dll
path: /_vti_bin/_vti_aut/fp30reg.dll
filename: fp30reg.dll
port: 9999
command: POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1 Transfer-Encoding: chunked
other: Transfer-Encoding: Chunked (exploit trigger header)
other: Ret: 0x6c38a4d0 (mfc42.dll, Windows 2000 SP0-SP3)
other: Ret: 0x67d44eb1 (fp30reg.dll 07/22/2002, Windows 2000)
other: Ret: 0x67d4665d (fp30reg.dll 10/06/1999, Windows 2000)
bytes: 0xEB,0x03,0x5D,0xEB,0x05,0xE8,0xF8,0xFF,0xFF,0xFF,0x8B,0xC5,0x83,0xC0,0x11,0x33,0xC9,0x66,0xB9,0xC9,0x01,0x80,0x30,0x88,0x40,0xE2,0xFA
  • Detect HTTP POST requests targeting the FrontPage ISAPI path /_vti_bin/_vti_aut/fp30reg.dll with a Transfer-Encoding: chunked header, which is the exploit delivery mechanism.
  • An HTTP 501 response from the server to a request for /_vti_bin/_vti_aut/fp30reg.dll indicates the vulnerable ISAPI extension is present and loaded.
  • Monitor for new inbound connections on TCP port 9999 from IIS/dllhost.exe processes, which indicates successful exploitation and bind shell activation.
  • Look for oversized chunked HTTP POST bodies (e.g., chunk size 0xDEAD / ~57005 bytes) sent to fp30reg.dll, indicative of the Metasploit exploit module.
  • Detect the shellcode byte sequence starting with EB 03 5D EB 05 E8 F8 FF FF FF in HTTP POST body payloads targeting fp30reg.dll.
  • Alert on repeated POST requests (up to 15 iterations) to /_vti_bin/_vti_aut/fp30reg.dll from the same source IP in a short time window, consistent with the Metasploit module's retry loop.
  • The exploit only works against Windows 2000 SP0 through SP3; Windows 2000 SP4 and later are not vulnerable. Ensure detection scope is limited accordingly.
  • The return address used in the exploit varies by target OS patch level and fp30reg.dll version; multiple RET values are in use across exploit variants.
  • The Metasploit module periodically refreshes the remote dllhost.exe process during exploitation; detection rules should account for this multi-request pattern rather than expecting a single exploit attempt.
  • The payload bad characters include null bytes and common URL-encoding characters; encoded payloads will not contain these bytes, which may affect signature matching.
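
One way to turn the request-based indicators above into log-review logic, as an added example that is not part of the original page. The event field names, the 60-second window and the burst threshold of 3 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from urllib.parse import unquote, urlsplit

TARGET = "/_vti_bin/_vti_aut/fp30reg.dll"  # ISAPI path named on the page
WINDOW_S, BURST = 60, 3  # assumed thresholds for the retry pattern; tune locally

def classify(ev):
    """Return the findings for one HTTP event given as a dict."""
    # IIS paths are case-insensitive and may arrive percent-encoded.
    path = unquote(urlsplit(ev["uri"]).path).lower()
    if path != TARGET:
        return set()
    hdrs = {k.lower(): v.lower() for k, v in ev.get("headers", {}).items()}
    found = set()
    if ev["method"].upper() == "POST" and "chunked" in hdrs.get("transfer-encoding", ""):
        found.add("chunked_post")
    if ev.get("status") == 501:
        found.add("isapi_present_501")
    return found

def detect(events):
    """Return (ts, src, finding) alerts, adding retry_burst per source IP."""
    recent, alerts = defaultdict(deque), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        found = classify(ev)
        alerts += [(ev["ts"], ev["src"], f) for f in sorted(found)]
        if "chunked_post" in found:
            q = recent[ev["src"]]
            q.append(ev["ts"])
            while q[0] < ev["ts"] - WINDOW_S:
                q.popleft()
            if len(q) == BURST:  # fire once when the threshold is reached
                alerts.append((ev["ts"], ev["src"], "retry_burst"))
    return alerts

# Constructed sample events (not real traffic); addresses are documentation ranges.
TE = {"Transfer-Encoding": "Chunked"}
SAMPLE = [
    {"ts": 0, "src": "192.0.2.10", "method": "GET", "uri": "/index.html", "status": 200},
    {"ts": 1, "src": "198.51.100.7", "method": "GET", "uri": TARGET, "status": 501},
    {"ts": 10, "src": "198.51.100.7", "method": "POST", "uri": "/_VTI_BIN/_vti_aut/FP30REG.DLL", "headers": TE},
    {"ts": 12, "src": "198.51.100.7", "method": "POST", "uri": "/_vti_bin/_vti_aut/fp30reg%2Edll", "headers": TE},
    {"ts": 14, "src": "198.51.100.7", "method": "POST", "uri": TARGET, "headers": TE},
    {"ts": 20, "src": "192.0.2.10", "method": "POST", "uri": TARGET, "headers": {"Content-Length": "12"}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Matching on the decoded, lower-cased path and a case-insensitive header value keeps the rule from missing the `Chunked` capitalisation listed in the IOCs or a percent-encoded request path.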