CVE-2005-1983
Published: 2005-08-10
Priority: P278 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 93.41% (99.8th percentile)
Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
Detection & IOCs (extracted from sources)
Byte patterns:
- SMB Negotiate packet: \x00\x00\x00\x85\xFF\x53\x4D\x42\x72 (NetBIOS session header with length 0x85, the \xFFSMB magic, then command 0x72 = SMB_COM_NEGOTIATE)
- PnP RPC bind packet header: \x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11\x8F\x69\x08\x00\x3E\x30\x05\x1B (DCE/RPC v5.0, packet type 0x0B = bind, first+last fragment, fragment length 0x48, one presentation context; the final 16 bytes are the PnP interface UUID 8d9f4e40-a03d-11ce-8f69-08003e30051b in little-endian wire order)
Indicators:
- Detect exploit traffic by monitoring for DCE/RPC bind requests to the PnP service interface UUID 8d9f4e40-a03d-11ce-8f69-08003e30051b over SMB named pipes (\PIPE\browser, \PIPE\ntsvcs, \PIPE\wkssvc, \PIPE\srvsvc) on TCP port 445.
- Alert on DCE/RPC calls to opnum 54 (0x36) on the PnP interface (8d9f4e40-a03d-11ce-8f69-08003e30051b), which corresponds to PNP_QueryResConfList, the vulnerable function.
- A failed exploit attempt causes services.exe (which hosts the PnP service) to crash and the system to automatically reboot; unexpected reboots of Windows 2000/XP systems should be investigated as potential exploitation attempts.
- On Windows 2000, exploitation requires no valid credentials (anonymous/null session); detect unauthenticated SMB null sessions followed by DCE/RPC activity on the PnP pipe as a high-fidelity indicator.
- Look for oversized CSD_LegacyData buffers (>= 0x7C0 bytes) in PNP_QueryResConfList RPC requests, which is the overflow vector; the exploit sets SDL=0x07C0 and fills a 0x7D0-byte SDA array.
- Detect the Zotob/Mytob worm exploitation pattern: SMB connections to port 445 from external IPs followed by a connection to a newly opened listener on a high port (the exploit opens a bind shell, e.g. on port 8721 or a user-specified port).
- The exploit can use multiple named pipes (browser, srvsvc, wkssvc, ntsvcs) as the transport; detection rules must cover all four pipe names to avoid evasion by pipe substitution.
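The indicators above, combined into a small detector over DCE/RPC PDUs. This is an added example, not code from this page or from any of the exploits it lists. It assumes the PDUs have already been pulled out of the SMB named-pipe transport by a capture tool (the pipe name is passed in alongside each PDU), uses the interface UUID and opnum from the indicators, and treats a reassembled request stub of 0x7C0 bytes or more to opnum 54 as exploit-sized. The sample bind and requests are constructed, not captured: the bind reproduces the header bytes quoted above (the NDR transfer syntax appended after the interface UUID is assumed), and the exploit-sized request is deliberately split over two fragments to show that the size check has to run on the reassembled call, not on individual fragments.

```python
import struct
import uuid
from dataclasses import dataclass, field

# Identifiers taken from the indicators above.
PNP_IFACE = uuid.UUID("8d9f4e40-a03d-11ce-8f69-08003e30051b")
PNP_QUERYRESCONFLIST = 54          # opnum 0x36, the vulnerable function
OVERFLOW_MIN_STUB = 0x7C0          # exploit ships >= 0x7C0 bytes of CSD_LegacyData
PNP_PIPES = {"browser", "ntsvcs", "wkssvc", "srvsvc"}

PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
PFC_FIRST_FRAG, PFC_LAST_FRAG, PFC_OBJECT_UUID = 0x01, 0x02, 0x80
# NDR v2 transfer syntax; assumed for the constructed bind (not quoted on the page).
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")


@dataclass
class Session:
    """Per-connection state: presentation contexts bound to the PnP interface,
    plus request fragments still being reassembled, keyed by call_id."""
    pnp_ctx_ids: set = field(default_factory=set)
    frags: dict = field(default_factory=dict)


def parse_header(pdu):
    """Common 16-byte DCE/RPC header -> (ptype, pfc_flags, frag_len, auth_len, call_id)."""
    _v, _m, ptype, flags, _drep, frag_len, auth_len, call_id = struct.unpack_from("<BBBBIHHI", pdu, 0)
    return ptype, flags, frag_len, auth_len, call_id


def parse_bind_contexts(pdu):
    """Map presentation context id -> abstract syntax UUID for a bind PDU.
    Body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3), then per context:
    ctx_id(2) n_transfer(1) pad(1) abstract syntax(16+4) transfer syntaxes(20 each)."""
    n_ctx = pdu[24]
    off, ctxs = 28, {}
    for _ in range(n_ctx):
        ctx_id, n_trans = struct.unpack_from("<HBx", pdu, off)
        ctxs[ctx_id] = uuid.UUID(bytes_le=bytes(pdu[off + 4:off + 20]))  # little-endian on the wire
        off += 24 + 20 * n_trans
    return ctxs


def inspect_pdu(session, pdu, pipe):
    """Feed one DCE/RPC PDU seen on named pipe `pipe`; return alert strings (empty if clean)."""
    alerts = []
    if pipe not in PNP_PIPES or len(pdu) < 24:
        return alerts
    ptype, flags, frag_len, auth_len, call_id = parse_header(pdu)
    if ptype == PTYPE_BIND:
        for ctx_id, iface in parse_bind_contexts(pdu).items():
            if iface == PNP_IFACE:
                session.pnp_ctx_ids.add(ctx_id)
                alerts.append(f"bind to PnP interface over \\PIPE\\{pipe} (ctx {ctx_id})")
    elif ptype == PTYPE_REQUEST:
        ctx_id, opnum = struct.unpack_from("<HH", pdu, 20)
        if ctx_id not in session.pnp_ctx_ids:
            return alerts
        stub_off = 24 + (16 if flags & PFC_OBJECT_UUID else 0)
        stub = bytes(pdu[stub_off:frag_len - auth_len])
        # Reassemble by call_id: a request split over several fragments must be
        # sized as a whole, or the overflow buffer hides below the threshold.
        if flags & PFC_FIRST_FRAG:
            session.frags[call_id] = bytearray()
        session.frags.setdefault(call_id, bytearray()).extend(stub)
        if not flags & PFC_LAST_FRAG:
            return alerts
        full = session.frags.pop(call_id)
        if opnum == PNP_QUERYRESCONFLIST:
            alerts.append(f"PNP_QueryResConfList (opnum 54) on ctx {ctx_id}, stub {len(full)} bytes")
            if len(full) >= OVERFLOW_MIN_STUB:
                alerts.append("stub >= 0x7C0 bytes: large enough for the CSD_LegacyData overflow, likely MS05-039 exploit")
    return alerts


# --- constructed sample traffic (not a real capture) -----------------------
def _pdu(ptype, flags, call_id, body):
    # version 5.0, data representation 0x10 (little-endian/ASCII/IEEE), no auth trailer
    return struct.pack("<BBBBIHHI", 5, 0, ptype, flags, 0x10, 16 + len(body), 0, call_id) + body


def build_bind(iface, call_id=1):
    """One-context bind to `iface` v1.0 with NDR v2 as the transfer syntax."""
    body = struct.pack("<HHI", 0x10B8, 0x10B8, 0)        # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", 1, 0, 0)                 # one context element + padding
    body += struct.pack("<HBB", 0, 1, 0)                 # ctx id 0, one transfer syntax
    body += iface.bytes_le + struct.pack("<I", 1)        # abstract syntax + version 1.0
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)   # transfer syntax + version 2.0
    return _pdu(PTYPE_BIND, PFC_FIRST_FRAG | PFC_LAST_FRAG, call_id, body)


def build_request(opnum, stub, call_id, flags, ctx_id=0):
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub   # alloc hint, ctx, opnum
    return _pdu(PTYPE_REQUEST, flags, call_id, body)


def run_demo():
    """Replay a constructed exchange through the detector and return the alerts."""
    s, alerts = Session(), []
    alerts += inspect_pdu(s, build_bind(PNP_IFACE), "browser")
    # Small call to the vulnerable opnum: noted, but not sized like the exploit.
    alerts += inspect_pdu(s, build_request(PNP_QUERYRESCONFLIST, b"\x00" * 64, 2, PFC_FIRST_FRAG | PFC_LAST_FRAG), "browser")
    # Exploit-sized call (0x7D0-byte buffer, as in the public exploit) split in two fragments.
    buf = b"\x41" * 0x7D0
    alerts += inspect_pdu(s, build_request(PNP_QUERYRESCONFLIST, buf[:1000], 3, PFC_FIRST_FRAG), "browser")
    alerts += inspect_pdu(s, build_request(PNP_QUERYRESCONFLIST, buf[1000:], 3, PFC_LAST_FRAG), "browser")
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Run as a script it prints four alerts: the bind, the small opnum-54 call, and two lines for the reassembled 2000-byte call; the first fragment on its own produces nothing. The size check is a deliberate over-approximation: a production rule would parse the NDR stub and read the CSD_LegacyData length field itself, and would also need the SMB-level context (null session, which of the four pipes) that this function takes as an input rather than deriving.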
CVSS provenance
- NVD: CVSS 2.0 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 10.0 CRITICAL
GHSA
GHSA-9794-w9r7-gpfh (unreviewed · 2022-05-01) · severity HIGH
Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
VulnCheck
Microsoft Windows Out-of-bounds Write (2005 · CVSS 10.0 · CRITICAL)
Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.kb.cert.org/vuls/id/998653
No detection rules found.
Exploit-DB
Microsoft Plug and Play Service - Overflow (MS05-039) (Metasploit) · exploitdb · 2010-08-30
---
```ruby
##
# $Id: ms05_039_pnp.rb 10190 2010-08-30 20:40:05Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Plug and Play Service Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in the Windows Plug
        and Play service. This vulnerability can be exploited on
        Windows 2000 without a valid user account.

        NOTE: Since the PnP service runs inside the services.exe process, a failed
        exploit attempt will cause the system to automatically reboot.
```
Exploit-DB
Microsoft Windows Plug-and-Play Service - Remote Universal (Spanish) (MS05-039) · exploitdb · 2005-08-25
---
```c
/*
 * HOD-ms05039-pnp-expl-spanish.c [25.Aug.2005]
 * Very slightly modified version by Roman Medina
 * Tested on Win2k SP4 Spanish.
 * Original credits & comments follow.
 */
/* HOD-ms05039-pnp-expl.c: 2005-08-10: PUBLIC v.0.2
 *
 * Copyright (c) 2005 houseofdabus.
 *
 * (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow
 * Universal Exploit + no crash shellcode
 *
 * .::[ houseofdabus ]::.
 *
 * ---------------------------------------------------------------------
 * Description:
 * A remote code execution and local elevation of privilege
 * vulnerability exists in Plug and Play that could allow an
 * attacker who successfully exploited this vulnerability to take
 * complete control of the affe
```
Exploit-DB
Microsoft Windows Plug-and-Play Service - Remote Universal (MS05-039) · exploitdb · 2005-08-12
---
```c
/* HOD-ms05039-pnp-expl.c: 2005-08-10: PUBLIC v.0.2
 *
 * Copyright (c) 2005 houseofdabus.
 *
 * (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow
 * Universal Exploit + no crash shellcode
 *
 * .::[ houseofdabus ]::.
 *
 * ---------------------------------------------------------------------
 * Description:
 * A remote code execution and local elevation of privilege
 * vulnerability exists in Plug and Play that could allow an
 * attacker who successfully exploited this vulnerability to take
 * complete control of the affected system.
 *
 * This is a remote code execution and local privilege elevation
 * vulnerability. On Windows 2000, an anonymous attacker could
 * remotely try to exploit this vulnerabili
```
Exploit-DB
Microsoft Windows - Plug-and-Play Service Remote Overflow (MS05-039) · exploitdb · 2005-08-11
---
```c
/*
Windows 2000 universal exploit for MS05-039
-\x6d\x35\x6c\x30\x6e\x6e\x79-
*/
#define WIN32_LEAN_AND_MEAN
#include
#include
#include
#include
#include
#include
#include
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")

/* Device instance ID "ROOT\SYSTEM\0000" as a UTF-16LE string, preceded by
   its length fields (0x11 wide characters). */
BYTE Data1[0x68] =
{0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x11,0x00,0x00,0x00,
0x52,0x00,0x4F,0x00,0x4F,0x00,0x54,0x00,0x5C,0x00,0x53,0x00,
0x59,0x00,0x53,0x00,0x54,0x00,0x45,0x00,0x4D,0x00,0x5C,0x00,
0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00,
0xFF,0xFF,0x00,0x00,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xEE,0xEE,0xEE,0xEE,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2
```
Metasploit
MS05-039 Microsoft Plug and Play Service Overflow
This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the services.exe process, a failed exploit attempt will cause the system to automatically reboot.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0384.html
- http://secunia.com/advisories/16372
- http://securitytracker.com/id?1014640
- http://www.ciac.org/ciac/bulletins/p-266.shtml
- http://www.frsirt.com/english/alerts/20050814.ZotobA.php
- http://www.hsc.fr/ressources/presentations/null_sessions/
- http://www.kb.cert.org/vuls/id/998653
- http://www.osvdb.org/18605
- http://www.securiteam.com/windowsntfocus/5YP0E00GKW.html
- http://www.securityfocus.com/bid/14513
- http://www.us-cert.gov/cas/techalerts/TA05-221A.html
- http://www.vupen.com/english/advisories/2005/1354
- http://xforce.iss.net/xforce/alerts/id/202
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-039
- https://exchange.xforce.ibmcloud.com/vulnerabilities/21602
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100073
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A160
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A267
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A474
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A497
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A783