CVE-2005-1978
published 2005-10-12

CVE-2005-1978: COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.

Priority: P3 50 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 56.86% (98.9th percentile)

Affected (4 ranges)

Vendor    | Product             | Version range | Fixed in
microsoft | windows_2003_server |               |
microsoft | windows_2003_server |               |
microsoft | windows_2003_server |               |
microsoft | windows_2003_server |               |

(The version range and fixed-in columns are empty in the source record.)

Detection & IOCs (extracted from sources)

bytes (peer0_0, DCERPC bind PDU, 72 bytes):
05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 00 00 00 00 01 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da 01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
bytes (peer0_1, first 40 bytes of the DCERPC request PDU):
05 00 00 83 10 00 00 00 2c 05 00 00 01 00 00 00 04 05 00 00 00 00 07 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da
  • The exploit targets the MS-DTC (Distributed Transaction Coordinator) RPC interface. The DCERPC bind packet in peer0_0 contains the interface UUID e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da — monitor for DCERPC BIND requests to this UUID over TCP.
  • The exploit payload (peer0_1) uses a large NOP-sled equivalent of 0xCC bytes (INT3 breakpoint opcodes) interleaved with 0x00 bytes as a heap spray / sled. Detect large blocks of alternating CC 00 patterns in DCERPC request payloads as a strong indicator of this exploit.
  • The exploit author notes the target return/jump address used is 0x684191c4 when the preferred pointer write to 0x7ffdf020 is not feasible. Detect memory access or EIP/RIP values near 0x684191c4 in crash dumps or debugger output on MSDTC/COM+ processes.
  • The DCERPC request packet (peer0_1) has a PDU type byte of 0x83 at offset 3 (opnum field area) and a total fragment length of 0x052c (1324 bytes). Monitor for oversized DCERPC request PDUs to the MS-DTC interface with these characteristics.
  • The exploit is described as unreliable — only 5 of 10+ tested boxes were successfully exploited ('owned'), and the author expects the real-world success rate to be even lower. Detection based on the payload pattern is more reliable than expecting consistent exploitation outcomes.
  • The exploit is marked as a POC by its author and may not represent the most effective exploitation technique for CVE-2005-1978/MS05-051. More reliable variants may exist with different payload structures.