CVE-2005-0059
published 2005-05-02

Priority: P358 (critical)
CVSS 2.0: 10.0, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 76.80% (99.5th percentile)
Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.

Detection & IOCs (extracted from sources)

  • port: 2103
  • port: 2105
  • port: 2107
  • other: fdb3a030-065f-11d1-bb9b-00a024ea5525 (MSMQ endpoint UUID)
  • path: \PRIVATE$\
  • command: OS:<HNAME>\PRIVATE$\
  • process: mqsvc.exe
  • bytes: \x05\x00\x00\x01\x10\x00\x00\x00\x18\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x09\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00\xE4\x07\x00\x00\x00\x00\x00\x00\xE4\x07\x00\x00\x4F\x00\x53\x00\x3A\x00
  • bytes: \x5C\x00\x50\x00\x52\x00\x49\x00\x56\x00\x41\x00\x54\x00\x45\x00\x24\x00\x5C\x00
  • bytes: \x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19\xf5\x04\x37\x83\xeb\xfc\xe2\xf4
  • Detect exploit traffic targeting MSMQ on TCP port 2103 containing the DCE/RPC bind packet with the MSMQ endpoint UUID fdb3a030-065f-11d1-bb9b-00a024ea5525
  • Look for oversized DCE/RPC requests (~4172 bytes) to TCP port 2103 containing the Unicode-encoded path pattern OS:<hostname>\PRIVATE$\ as an indicator of exploitation attempts
  • Alert on DCE/RPC traffic to MSMQ ports (2103, 2105, 2107) containing the Unicode \PRIVATE$\ path tag bytes: \x5C\x00\x50\x00\x52\x00\x49\x00\x56\x00\x41\x00\x54\x00\x45\x00\x24\x00\x5C\x00
  • The exploit payload bad characters are \x00\x0a\x0d\x5c\x5f\x2f\x2e\xff — use these to tune shellcode detection signatures for this vulnerability
  • Vulnerability scanners may report this on ports 445/139 due to detection methodology; actual exploitation traffic should be remapped and monitored on port 2103
  • The SEH overwrite offsets used in exploitation are relative to the NetBIOS hostname length (queue_hlen = hostname.length * 2); monitor for anomalously large MSMQ queue path strings in DCE/RPC requests
  • The Metasploit module only targets 'Windows 2000 ALL / Windows XP SP0-SP1 (English)' with hardcoded mqsvc.exe return addresses; exploitation against other language versions or service pack levels would require different offsets
  • The HOD exploit requires a higher packet count (argv[5] = 6-8) for Windows 2000 Server/AdvServer targets than for workstation variants
  • The bind shellcode port is XOR-obfuscated with 0x0437 before being embedded in the payload; detecting the bind port in network traffic requires accounting for this encoding
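As an added example (not from this page or from any vendor tool), the detection points above expressed as a small Python payload inspector: it matches a DCE/RPC bind on an MSMQ port whose context item names the MSMQ interface UUID, and flags request PDUs that carry the UTF-16LE \PRIVATE$\ tag or exceed a size threshold. The threshold value, the helper names and the sample PDUs are constructed for the example.

```python
import uuid

MSMQ_PORTS = {2103, 2105, 2107}
MSMQ_IFACE = uuid.UUID("fdb3a030-065f-11d1-bb9b-00a024ea5525")
# A DCE/RPC bind carries the abstract-syntax UUID in NDR little-endian byte order.
MSMQ_IFACE_WIRE = MSMQ_IFACE.bytes_le
NDR_SYNTAX_WIRE = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le
PRIVATE_TAG = "\\PRIVATE$\\".encode("utf-16-le")   # the \x5C\x00\x50\x00... bytes above
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
OVERSIZED = 4000   # assumed threshold, just under the ~4172-byte requests noted above


def inspect_payload(dst_port: int, payload: bytes) -> list:
    """Return the indicator names matched by one TCP payload sent to dst_port."""
    hits = []
    if dst_port not in MSMQ_PORTS or len(payload) < 16 or payload[0] != 5:
        return hits                      # not an MSMQ port, or not a DCE/RPC v5 header
    ptype = payload[2]
    if ptype == PTYPE_BIND and MSMQ_IFACE_WIRE in payload:
        hits.append("msmq-bind")
    if ptype == PTYPE_REQUEST:
        # The tag also appears in legitimate private-queue traffic; the size check
        # is what separates an exploitation attempt from a normal queue open.
        if PRIVATE_TAG in payload:
            hits.append("private-queue-tag")
        if len(payload) >= OVERSIZED:
            hits.append("oversized-request")
    return hits


def make_bind() -> bytes:
    """Constructed minimal DCE/RPC bind PDU (72 bytes) naming the MSMQ interface."""
    header = bytes([5, 0, PTYPE_BIND, 3, 0x10, 0, 0, 0]) + (72).to_bytes(2, "little") + b"\x00" * 6
    ctx = b"\x00" * 12 + b"\x00\x00\x01\x00"          # xmit/recv/assoc, 1 context item
    return header + ctx + MSMQ_IFACE_WIRE + b"\x01\x00\x00\x00" + NDR_SYNTAX_WIRE + b"\x02\x00\x00\x00"


def make_request(hostname: str, pad_to: int) -> bytes:
    """Constructed DCE/RPC request with an OS:<host>\\PRIVATE$\\ path, padded to pad_to bytes."""
    header = bytes([5, 0, PTYPE_REQUEST, 3, 0x10, 0, 0, 0]) + pad_to.to_bytes(2, "little") + b"\x00" * 6
    body = f"OS:{hostname}\\PRIVATE$\\".encode("utf-16-le")
    return (header + body).ljust(pad_to, b"A")


SAMPLE_BIND = make_bind()
SAMPLE_REQUEST = make_request("HOST1", 4172)   # constructed oversized request
SAMPLE_BENIGN = make_request("HOST1", 200)     # constructed ordinary-sized queue open

if __name__ == "__main__":
    for port, pdu in [(2103, SAMPLE_BIND), (2103, SAMPLE_REQUEST), (445, SAMPLE_BIND), (2105, SAMPLE_BENIGN)]:
        print(port, inspect_payload(port, pdu))
```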