CVE-2004-1080
Published 2005-01-10
Priority: P2 · 60 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 81.70% (99.6th percentile)
The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
Affected (8 ranges; version ranges and fix versions were not extracted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x00\x00\x07\xD0\x00\x00\xFF\x00\x05\x39\x1F\xBC
- bytes: \x00\x00\x00\x0F\x00\x00\x78\x00
- Monitor for unexpected TCP connections to port 42 (WINS replication) from external or untrusted hosts, especially those sending oversized or malformed replication packets with modified memory pointers.
- Detect exploit attempts by looking for WINS replication packets where the opcode byte at offset 6 is 0x78, which the Metasploit check module uses to fingerprint a vulnerable/unpatched WINS service.
- Detect the exploit trigger packet by the distinctive 12-byte header signature \x00\x00\x07\xD0\x00\x00\xFF\x00\x05\x39\x1F\xBC followed by NOP sled bytes (0x90) on TCP port 42.
- The Metasploit module uses a WINS replication probe packet \x00\x00\x00\x0F\x00\x00\x78\x00 to fingerprint unpatched targets; detect this pattern on TCP/42 as a pre-exploitation reconnaissance indicator.
- The exploit and Metasploit module were tested and confirmed working only against Windows 2000 SP4 (Server and Advanced Server, English); behavior against Windows NT 4.0 and Windows Server 2003 may differ and the exploit may require modification.
- The Metasploit module targets specific heap pointer return addresses for Windows 2000 English (Rets: 0x5391f40, 0x53df4c4, 0x53922e0); these offsets are not portable to other OS versions or languages.
- The public exploit (101_WINS) notes that Windows Server 2003 has a different wins.exe structure and may require exploit updates, though the underlying bug remains exploitable without the patch.
- The reverse-shell shellcode (scode2) has the connect-back IP and port hardcoded at specific offsets (scode2[167] and scode2[173]) and must be patched at runtime; the bind-shell (scode1) listens on TCP port 101 by default.
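As an added example (not code from this page, from Metasploit, or from the 101_WINS exploit), the following Python matcher turns the indicators listed above into detection logic: the exact 8-byte fingerprint probe, the 0x78 opcode byte at offset 6 in any other replication packet, and the 12-byte trigger header, escalated when a run of 0x90 bytes follows it. It assumes the caller already extracts TCP payloads and destination ports (from a capture or an IDS stream reassembler); the flows at the bottom and the 16-byte NOP-sled threshold are constructed for the demonstration.

```python
"""Signature matcher for the CVE-2004-1080 / MS04-045 indicators quoted on this page.

Added example, not code from the page or any tool it lists. Assumes the
caller supplies (source, dst_port, payload) tuples; sample flows below are
constructed.
"""
from dataclasses import dataclass

WINS_REPLICATION_PORT = 42

# Byte signatures as listed in the Detection & IOCs section.
TRIGGER_HEADER = b"\x00\x00\x07\xD0\x00\x00\xFF\x00\x05\x39\x1F\xBC"
PROBE_PACKET = b"\x00\x00\x00\x0F\x00\x00\x78\x00"
OPCODE_OFFSET = 6          # opcode byte position used by the check routine
SUSPECT_OPCODE = 0x78
NOP = 0x90
MIN_SLED = 16              # constructed threshold for "header followed by a NOP sled"


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def inspect_wins_payload(dst_port: int, payload: bytes) -> list[Finding]:
    """Return the indicators matched by one TCP payload addressed to WINS replication."""
    findings: list[Finding] = []
    if dst_port != WINS_REPLICATION_PORT or not payload:
        return findings

    # Rule 1: the exact fingerprinting probe (pre-exploitation reconnaissance).
    if payload == PROBE_PACKET:
        findings.append(Finding("wins_probe", "medium", "exact 8-byte fingerprint probe"))
    # Rule 2: any other replication packet carrying opcode 0x78 at offset 6.
    elif len(payload) > OPCODE_OFFSET and payload[OPCODE_OFFSET] == SUSPECT_OPCODE:
        findings.append(Finding("wins_opcode_0x78", "low",
                                f"opcode 0x{payload[OPCODE_OFFSET]:02x} at offset {OPCODE_OFFSET}"))

    # Rule 3: the 12-byte trigger header, escalated when a NOP sled follows it.
    if payload.startswith(TRIGGER_HEADER):
        rest = payload[len(TRIGGER_HEADER):]
        sled = len(rest) - len(rest.lstrip(bytes([NOP])))   # count leading 0x90 bytes
        if sled >= MIN_SLED:
            findings.append(Finding("wins_trigger_with_sled", "critical",
                                    f"trigger header followed by {sled} NOP bytes"))
        else:
            findings.append(Finding("wins_trigger_header", "high",
                                    "trigger header without NOP sled"))
    return findings


def scan_flows(flows):
    """Aggregate findings per source host: {src: sorted list of matched rule names}."""
    hits: dict[str, set[str]] = {}
    for src, dst_port, payload in flows:
        for f in inspect_wins_payload(dst_port, payload):
            hits.setdefault(src, set()).add(f.rule)
    return {src: sorted(rules) for src, rules in hits.items()}


# Constructed sample traffic: a probe and a trigger from one host, a benign-looking
# replication packet from another, and the trigger bytes sent to a non-WINS port.
SAMPLE_FLOWS = [
    ("10.0.0.5", 42, PROBE_PACKET),
    ("10.0.0.5", 42, TRIGGER_HEADER + bytes([NOP]) * 64 + b"A" * 8),
    ("10.0.0.7", 42, b"\x00\x00\x00\x10\x00\x00\x01\x00"),
    ("10.0.0.8", 80, TRIGGER_HEADER),
]

if __name__ == "__main__":
    for src, rules in scan_flows(SAMPLE_FLOWS).items():
        print(src, rules)
```

Only the exact probe is reported as `wins_probe`; a modified probe still falls through to the opcode rule, and the trigger header is reported whether or not a sled follows, so the two severities separate a reconnaissance-only host from one that sent the overwrite packet.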
No detection rules found.
Exploit-DB · 2010-09-20
CVE-2004-1080 Microsoft WINS - Service Memory Overwrite (MS04-045) (Metasploit)
---
```ruby
##
# $Id: ms04_045_wins.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft WINS Service Memory Overwrite',
      'Description' => %q{
          This module exploits an arbitrary memory write flaw in the
        WINS service. This exploit has been tested against Windows
        2000 only.
      },
      'Author'      => [ 'hdm' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 10394 $',
      'References'  =>
        [
          [ 'CVE', '2004-1080'],
          [ 'OSVDB', '12378'],
          [ 'BID', '11763'],
          [ '
```
Exploit-DB · 2005-04-12
CVE-2004-1080 Microsoft Windows - 'WINS' Remote Buffer Overflow (MS04-045) (3)
---
```c
/*
    Windows Internet Name Service (WINS)
    Remote Heap Buffer Overflow

    Advisory credits:
        Nicolas Waisman of Immunity Inc. (www.immunitysec.com)
    Advisory link:
        immunitysec.com/downloads/instantanea.pdf
    Fix:
        support.microsoft.com/kb/870763 (MS04-045)
    Exploit method:
        PEB (RtlEnterCriticalSection)
    Tested Working:
        Win2k SP4 Server ENGLISH (should be all languages, not sure)
        Win2k SP4 Advanced Server ENGLISH (should be all languages, not sure)
        (KB870763 removed!)
    Note:
        A HAT-SQUAD view on this hole; exploitable and remaining critical for Windows 2000.
        May need update for Windows 2003 due to the different
        structure of wins.exe in it, but the bug remains exploitable
        with no KB870763 of course....
        If you look closely at my co
```
Metasploit
MS04-045 Microsoft WINS Service Memory Overwrite
This module exploits an arbitrary memory write flaw in the WINS service. This exploit has been tested against Windows 2000 only.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=110150370506704&w=2
- http://secunia.com/advisories/13328/
- http://securitytracker.com/id?1012516
- http://support.microsoft.com/kb/890710
- http://www.ciac.org/ciac/bulletins/p-054.shtml
- http://www.immunitysec.com/downloads/instantanea.pdf
- http://www.kb.cert.org/vuls/id/145134
- http://www.osvdb.org/12378
- http://www.securityfocus.com/bid/11763
- http://xforce.iss.net/xforce/alerts/id/184
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-045
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18259
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1549
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2541
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2734
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3677
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4372
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4831