CVE-2004-1080
published 2005-01-10


Priority: P2 (60), critical
CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public exploit: yes
EPSS: 81.70% (99.6th percentile)
The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."

Affected (8 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_nt

Detection & IOCs (extracted from sources)

Port: 42/tcp
Process: wins.exe
Bytes: \x00\x00\x07\xD0\x00\x00\xFF\x00\x05\x39\x1F\xBC
Bytes: \x00\x00\x00\x0F\x00\x00\x78\x00
  • Monitor for unexpected TCP connections to port 42 (WINS replication) from external or untrusted hosts, especially those sending oversized or malformed replication packets with modified memory pointers.
  • Detect exploit attempts by looking for WINS replication packets where the opcode byte at offset 6 is 0x78, which the Metasploit check module uses to fingerprint a vulnerable/unpatched WINS service.
  • Detect the exploit trigger packet by the distinctive 12-byte header signature \x00\x00\x07\xD0\x00\x00\xFF\x00\x05\x39\x1F\xBC followed by NOP sled bytes (0x90) on TCP port 42.
  • The Metasploit module uses a WINS replication probe packet \x00\x00\x00\x0F\x00\x00\x78\x00 to fingerprint unpatched targets; detect this pattern on TCP/42 as a pre-exploitation reconnaissance indicator.
  • The exploit and Metasploit module were tested and confirmed working only against Windows 2000 SP4 (Server and Advanced Server, English); behavior against Windows NT 4.0 and Windows Server 2003 may differ and the exploit may require modification.
  • The Metasploit module targets specific heap pointer return addresses for Windows 2000 English (Rets: 0x5391f40, 0x53df4c4, 0x53922e0); these offsets are not portable to other OS versions or languages.
  • The public exploit (101_WINS) notes that Windows Server 2003 has a different wins.exe structure and may require exploit updates, though the underlying bug remains exploitable without the patch.
  • The reverse-shell shellcode (scode2) has the connect-back IP and port hardcoded at specific offsets (scode2[167] and scode2[173]) and must be patched at runtime; the bind-shell (scode1) listens on TCP port 101 by default.
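The four byte-level indicators above, turned into a small matcher over TCP/42 payloads. This is an added example written for this page, not code from cvebase, Metasploit or the 101_WINS exploit; the sample flows are constructed, and the minimum NOP-run length (`MIN_NOP_RUN`) and the function names are assumptions of the example.

```python
"""Match raw TCP/42 payloads against the CVE-2004-1080 indicators listed above."""
from typing import Iterable, Iterator, List, Tuple

WINS_PORT = 42
# 8-byte replication probe the page says is used to fingerprint unpatched WINS
PROBE_PKT = b"\x00\x00\x00\x0f\x00\x00\x78\x00"
# 12-byte header that precedes the NOP sled in the exploit trigger packet
TRIGGER_HDR = b"\x00\x00\x07\xd0\x00\x00\xff\x00\x05\x39\x1f\xbc"
OPCODE_OFFSET = 6          # page: opcode byte at offset 6 == 0x78 marks the probe
MIN_NOP_RUN = 8            # assumed threshold: consecutive 0x90 bytes that count as a sled


def match_indicators(payload: bytes) -> List[str]:
    """Return the name of every page indicator the payload matches (empty if none)."""
    hits: List[str] = []
    if payload.startswith(TRIGGER_HDR):
        hits.append("trigger-header")
        # the page describes the header as being followed by 0x90 NOP sled bytes
        if b"\x90" * MIN_NOP_RUN in payload[len(TRIGGER_HDR):]:
            hits.append("nop-sled")
    if payload[: len(PROBE_PKT)] == PROBE_PKT:
        hits.append("fingerprint-probe")
    elif len(payload) > OPCODE_OFFSET and payload[OPCODE_OFFSET] == 0x78:
        # looser form of the same check: opcode byte only, rest of the packet differs
        hits.append("opcode-0x78")
    return hits


def scan_flows(flows: Iterable[Tuple[str, int, bytes]]) -> Iterator[Tuple[str, List[str]]]:
    """Yield (source, indicators) for every flow to TCP/42 whose payload matches."""
    for src, dst_port, payload in flows:
        if dst_port != WINS_PORT:
            continue               # the indicators only apply to WINS replication traffic
        hits = match_indicators(payload)
        if hits:
            yield src, hits


# Constructed sample flows (source, destination port, payload); not captured traffic.
SAMPLE_FLOWS = [
    ("203.0.113.5", 42, PROBE_PKT),                                   # reconnaissance probe
    ("203.0.113.5", 42, TRIGGER_HDR + b"\x90" * 64 + b"\x41" * 16),   # header + sled + filler
    ("192.0.2.10", 42, b"\x00\x00\x00\x2a\x00\x00\x01\x00"),          # ordinary-looking opcode
    ("192.0.2.10", 80, PROBE_PKT),                                    # wrong port, ignored
]

if __name__ == "__main__":
    for src, hits in scan_flows(SAMPLE_FLOWS):
        print(f"{src}: {', '.join(hits)}")
```

The probe indicator fires on its own, so a host that sends the probe and then the trigger header shows up twice; correlating both hits from one source is the stronger signal.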