cbcvebase.
CVE-2005-1980
published 2005-10-12

Priority: P4 · 31
Severity: medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 47.34% (98.7th percentile)
Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."

Affected

4 ranges
Vendor | Product | Version range | Fixed in
microsoft | windows_2003_server | |
microsoft | windows_2003_server | |
microsoft | windows_2003_server | |
microsoft | windows_2003_server | |

Detection & IOCs (extracted from sources)

port: 3372
bytes: 05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00
bytes: 05 00 00 83 10 00 00 00 2c 05 00 00 01 00 00 00 04 05 00 00 00 00 07 00
  • The exploit targets the MSDTC service via a crafted TIP (Transaction Internet Protocol) message sent over TCP port 3372 (0xd016). Monitor for repeated outbound connection attempts from the MSDTC service (msdtc.exe) to arbitrary IPs/ports following an initial inbound connection, which is the DoS loop behaviour described.
  • The exploit sends a two-stage payload: first a DCE/RPC bind packet (peer0_0, 72 bytes, starting 05 00 0b 03) then a large request packet (peer0_1, 1024 bytes, starting 05 00 00 83) containing 0xCC NOP-sled padding. Detect DCE/RPC packets with these specific headers on port 3372 targeting MSDTC.
  • The malicious DCE/RPC request packet (peer0_1) contains a large run of 0xCC bytes (INT3 / NOP-sled equivalent) starting at offset ~0x80. Detect oversized MSDTC/TIP packets with repeated 0xCC byte sequences as a shellcode indicator.
  • The exploit uses the MSDTC interface UUID e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da in the DCE/RPC bind and request. Detect DCE/RPC traffic binding to this specific interface UUID on port 3372.
  • The exploit author notes a low real-world success rate for code execution (~5/10+ boxes in testing), and describes it primarily as a DoS/POC. Detection focus should be on the DoS loop behaviour (MSDTC repeatedly connecting outbound) rather than assuming reliable RCE.
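
The packet-level checks from the list above (DCE/RPC bind to the listed interface UUID, and a request carrying a long 0xCC run, both on port 3372), as an added Python example that is not code from this page or its sources. The function names, the 64-byte run threshold and the sample payloads (the page's header bytes followed by constructed filler) are assumptions for illustration.

```python
import struct

MSDTC_PORT = 3372  # port listed on the page
# Interface UUID bytes exactly as listed on the page (wire order).
MSDTC_UUID = bytes.fromhex("e00c6b900bc76710b31700dd010662da")
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
CC_RUN_THRESHOLD = 64  # assumed tuning value, not from the page
# Constructed samples: the two header prefixes quoted on the page,
# followed by filler bytes invented for this example.
BIND_HDR = bytes.fromhex("05000b03100000004800000001000000d016d01600000000")
REQ_HDR = bytes.fromhex("05000083100000002c0500000100000004050000" "00000700")
SAMPLE_BIND = BIND_HDR + bytes(8) + MSDTC_UUID + bytes(24)
SAMPLE_REQUEST = REQ_HDR + bytes(104) + b"\xcc" * 200


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of `value` in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def inspect(dst_port: int, payload: bytes) -> list[str]:
    """Return findings for one TCP payload; an empty list means no match."""
    if dst_port != MSDTC_PORT or len(payload) < 16:
        return []
    ver, minor, ptype, _flags = payload[:4]
    if (ver, minor) != (5, 0):
        return []  # not connection-oriented DCE/RPC v5.0
    # High nibble of the first data-representation byte: 1 = little-endian.
    endian = "<" if payload[4] & 0xF0 == 0x10 else ">"
    (frag_len,) = struct.unpack_from(endian + "H", payload, 8)
    findings = []
    if ptype == PTYPE_BIND and MSDTC_UUID in payload[16:frag_len]:
        findings.append("bind-msdtc-uuid")
    elif ptype == PTYPE_REQUEST:
        run = longest_run(payload[16:], 0xCC)
        if run >= CC_RUN_THRESHOLD:
            findings.append(f"request-0xcc-run:{run}")
    return findings
```

This covers only the packet signatures; the outbound reconnect loop from msdtc.exe that the list recommends prioritising has to be watched in connection or host telemetry.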