CVE-2005-0059
Published 2005-05-02
Priority P358 · critical · CVSS 2.0 base score 10 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available · EPSS 76.80% (99.5th percentile)
Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.
Detection & IOCs (extracted from sources)
Byte patterns:
- bytes: \x05\x00\x00\x01\x10\x00\x00\x00\x18\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x09\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00\xE4\x07\x00\x00\x00\x00\x00\x00\xE4\x07\x00\x00\x4F\x00\x53\x00\x3A\x00
- bytes: \x5C\x00\x50\x00\x52\x00\x49\x00\x56\x00\x41\x00\x54\x00\x45\x00\x24\x00\x5C\x00
- bytes: \x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19\xf5\x04\x37\x83\xeb\xfc\xe2\xf4
Detection notes:
- Detect exploit traffic targeting MSMQ on TCP port 2103 containing a DCE/RPC bind packet with the MSMQ endpoint UUID fdb3a030-065f-11d1-bb9b-00a024ea5525.
- Look for oversized DCE/RPC requests (~4172 bytes) to TCP port 2103 containing the Unicode-encoded path pattern OS:<hostname>\PRIVATE$\ as an indicator of exploitation attempts.
- Alert on DCE/RPC traffic to MSMQ ports (2103, 2105, 2107) containing the Unicode \PRIVATE$\ path tag bytes: \x5C\x00\x50\x00\x52\x00\x49\x00\x56\x00\x41\x00\x54\x00\x45\x00\x24\x00\x5C\x00.
- The exploit payload bad characters are \x00\x0a\x0d\x5c\x5f\x2f\x2e\xff; shellcode detection signatures for this vulnerability can be tuned around the fact that encoded payloads will avoid these bytes.
- Vulnerability scanners may report this finding against ports 445/139 because of their detection methodology; the actual exploitation traffic goes to TCP port 2103, so monitoring should be mapped to that port.
- The SEH overwrite offsets used in exploitation are relative to the NetBIOS hostname length (queue_hlen = hostname.length * 2); monitor for anomalously large MSMQ queue path strings in DCE/RPC requests.
Exploit notes:
- The Metasploit module only targets 'Windows 2000 ALL / Windows XP SP0-SP1 (English)' with hardcoded mqsvc.exe return addresses; exploitation against other language versions or service pack levels would require different offsets.
- The HOD exploit requires a higher packet count (argv[5] = 6-8) for Windows 2000 Server/AdvServer targets than for workstation variants.
- The bind shellcode port is XOR-obfuscated with 0x0437 before being embedded in the payload; detecting the bind port in network traffic requires accounting for this encoding.
No detection rules found.
Exploit-DB · 2010-05-09
Microsoft Message Queueing Service - Path Overflow (MS05-017) (Metasploit) (CVE-2005-0059)
---
##
# $Id: ms05_017_msmq.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  # DCE/RPC mixin: provides the dcerpc_bind / dcerpc_call helpers the module uses
  include Msf::Exploit::Remote::DCERPC

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Message Queueing Service Path Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in the RPC interface
        to the Microsoft Message Queueing service. The offset to the
        return address changes based on the length of the system
        hostname, so this must be provided via the 'HNAME' option.
        Much thanks to snort.org and Jean-Baptist
Exploit-DB · 2005-06-29
Microsoft Windows Message Queuing - Remote Buffer Overflow Universal (MS05-017) (v.0.3) (CVE-2005-0059)
---
/* HOD-ms05017-msmq-expl.c: 2005-06-28: PUBLIC v.0.3
*
* Copyright (c) 2004-2005 houseofdabus.
*
* (MS05-017) Message Queuing Buffer Overflow Vulnerability
* Universal Exploit
*
*
*
* .::[ houseofdabus ]::.
*
*
*
* [ http://www.livejournal.com/users/houseofdabus
* ---------------------------------------------------------------------
* Systems Affected:
* - Windows XP SP1
* - Windows 2000 SP4
* - Windows 2000 SP3
*
* ---------------------------------------------------------------------
* Description:
* A remote code execution vulnerability exists in Message Queuing
* that could allow an attacker who successfully exploited this
* vulnerability to take complete control of the affected system.
*
* ---
Metasploit
MS05-017 Microsoft Message Queueing Service Path Overflow
This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. The offset to the return address changes based on the length of the system hostname, so this must be provided via the 'HNAME' option. Much thanks to snort.org and Jean-Baptiste Marchand's excellent MSRPC website.
No writeups or analysis indexed.
References:
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-017
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4384
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4988