CVE-2005-0045

Published 2005-05-02

Priority P2 · 61 · high · CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EXPLOIT

EPSS: 73.09% (99.4th percentile)
The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.
Affected (6 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)

- bytes: `\xff\x53\x4d\x42\x72` (SMB Negotiate Protocol command 0x72)
- bytes: `\xff\x53\x4d\x42\xa2` (SMB NT Create AndX command 0xa2)
- bytes: `\xff\x53\x4d\x42\x04` (SMB Close command 0x04)
- bytes: SMB Trans2 FIND_FIRST2 response with a large file name length field (Trans/Trans2 Transaction response payload)

- Detect malicious SMB Transaction responses on TCP port 445 containing Trans or Trans2 commands with anomalously large file name length fields (e.g., Trans2 FIND_FIRST2 responses); this is the exploitation vector for CVE-2005-0045 / MS05-011.
- Monitor for SMB sessions on port 445 where the server (attacker-controlled) sends a crafted Negotiate Protocol response (SMB command 0x72) followed by SessionSetupAndX (0x73), TreeConnectAndX (0x75), NT Create AndX (0xa2), and then malformed Trans2 responses; this is the full exploit handshake sequence observed in the PoC.
- Detect DCE/RPC bind requests over an SMB named pipe (\PIPE\) with the NDR transfer syntax GUID 8a885d04-1ceb-11c9-9fe8-08002b104860 embedded in crafted Trans2 responses, as seen in the DceRpc exploit payload. Note that this GUID is the standard NDR transfer syntax carried in every ordinary DCE/RPC bind, so on its own it is not an indicator; it is only meaningful in combination with the reversed server-to-client direction and the malformed Trans2 responses described here.
- The exploit targets Windows NT 4.0, 2000, XP, and Server 2003 SMB clients. The attack is server-to-client (the attacker acts as a malicious SMB server responding to a connecting victim client), not the typical client-to-server direction, so detection rules must account for this reversed traffic direction.
- The PoC hardcodes a sample server IP of 192.168.2.103 in the SrvSvc payload (Unicode-encoded), but this is a placeholder and will vary per deployment; do not rely on this IP as a static IOC.
No detection rules found.
No writeups or analysis indexed.
References

- http://marc.info/?l=bugtraq&m=110792638401852&w=2
- http://marc.info/?l=bugtraq&m=111040962600205&w=2
- http://marc.info/?l=ntbugtraq&m=110795643831169&w=2
- http://www.kb.cert.org/vuls/id/652537
- http://www.securityfocus.com/bid/12484
- http://www.us-cert.gov/cas/techalerts/TA05-039A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-011
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19089
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1606
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1847
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1889
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4043