CVE-2005-1218
published 2005-08-10


Priority: P3 · 39 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploit: available
EPSS: 61.18% (99.0th percentile)
The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.

Affected: 7 ranges

Vendor      Product               Version range   Fixed in
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server

Detection & IOCs (extracted from sources)

port: 3389
cookie: Cookie: mstshash=Administr
filename: rdpwd.sys
bytes: 03 00 00 27 22 E0 00 00 00 00 00 43 6F 6F 6B 69 65 3A 20 6D 73 74 73 68 61 73 68 3D 41 64 6D 69 6E 69 73 74 72 0D 0A
bytes: 03 00 00 27 22 E0 00 00 00 00 00 43 6F 6F 6B 69 65 3A
bytes: 00 00 02 02 00 00
  • Exploit targets TCP port 3389 (RDP) with crafted connection requests containing a malformed or oversized 'Cookie: mstshash=' field followed by padding bytes (0x41), triggering a kernel crash in rdpwd.sys.
  • The exploit sends an RDP X.224 Connection Request PDU (TPKT header beginning 03 00, then the X.224 header whose type byte is E0) with a 'Cookie: mstshash=' value that is fuzzed/overflowed; monitor for anomalously large or malformed mstshash cookie values in RDP negotiation packets.
  • Presence of the SPIKE fuzzer script file 'remoteass.spk' on a host or in network traffic is a strong indicator of exploitation attempts against CVE-2005-1218.
  • The crafted RDP packet sequence includes a second packet with integer value 0x0500 and a third packet starting with bytes 00 00 02 02 00 00; detecting this multi-packet sequence on port 3389 is indicative of the exploit.
  • The exploit was specifically tested against Windows XP SP2; the vulnerability also affects Windows 2000 Server and Windows Server 2003 per the NVD advisory, so detection rules should not be scoped to XP alone.
  • The SPIKE fuzzer is used to generate the malicious packets; the exploit file is a SPIKE script (.spk), meaning the actual byte patterns sent may vary depending on fuzzer iteration (s_string_variable fields are mutated), so static byte signatures may not catch all variants.
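The monitoring approach in the notes above, as an added example that is not from this page's sources: a Python checker that parses a TPKT-framed X.224 Connection Request and flags an mstshash cookie that is oversized, not CRLF-terminated or mis-framed, so it does not depend on a static byte signature. The 9-byte ceiling and the names inspect_x224_cr/frame_cr are assumptions; the first sample is the packet quoted in the IOC list, the second is constructed here.

```python
import struct
from dataclasses import dataclass

COOKIE_PREFIX = b"Cookie: mstshash="
# Assumed ceiling: stock clients send at most the first 9 username chars here (page sample: "Administr").
MAX_COOKIE_LEN = 9

@dataclass
class CrVerdict:
    suspicious: bool
    reason: str
    cookie_len: int = 0

def inspect_x224_cr(pkt: bytes) -> CrVerdict:
    """Parse one TPKT-framed X.224 Connection Request and judge its mstshash cookie."""
    if len(pkt) < 11 or pkt[0] != 0x03:
        return CrVerdict(True, "not a TPKT frame")
    (tpkt_len,) = struct.unpack(">H", pkt[2:4])
    if tpkt_len != len(pkt):
        return CrVerdict(True, f"TPKT length {tpkt_len} != actual {len(pkt)}")
    li, tpdu_type = pkt[4], pkt[5]
    if tpdu_type != 0xE0:
        return CrVerdict(False, f"not a Connection Request (type 0x{tpdu_type:02X})")
    if li != len(pkt) - 5:  # LI counts every byte after itself
        return CrVerdict(True, f"X.224 LI {li} != {len(pkt) - 5}")
    payload = pkt[11:]  # TPKT (4) + LI, type, dst-ref, src-ref, class (7)
    if not payload.startswith(COOKIE_PREFIX):
        return CrVerdict(False, "no mstshash cookie")
    body = payload[len(COOKIE_PREFIX):]
    end = body.find(b"\r\n")
    if end < 0:
        return CrVerdict(True, "mstshash cookie not CRLF-terminated", len(body))
    cookie = body[:end]
    if len(cookie) > MAX_COOKIE_LEN:
        return CrVerdict(True, f"oversized mstshash cookie ({len(cookie)} bytes)", len(cookie))
    if any(b < 0x20 or b > 0x7E for b in cookie):
        return CrVerdict(True, "non-printable bytes in mstshash cookie", len(cookie))
    return CrVerdict(False, "cookie within expected bounds", len(cookie))

def frame_cr(payload: bytes) -> bytes:
    """Wrap a CR payload in TPKT + X.224 headers; used only to build test samples."""
    x224 = bytes([len(payload) + 6, 0xE0, 0, 0, 0, 0, 0]) + payload
    return struct.pack(">BBH", 3, 0, len(x224) + 4) + x224

# Sample 1: the request quoted in this page's IOC list (hex copied from there).
PAGE_SAMPLE = bytes.fromhex("0300002722E00000000000436F6F6B69653A206D737473686173683D41646D696E697374720D0A")
# Sample 2: constructed here, a cookie padded with 0x41 bytes as the IOC notes describe.
OVERSIZED_SAMPLE = frame_cr(COOKIE_PREFIX + b"A" * 200 + b"\r\n")
```

Feed each reassembled client-to-server segment on port 3389 to inspect_x224_cr and alert on any verdict with suspicious set; the page sample passes, the padded one is flagged.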