CVE-2006-3439
published 2006-08-09


Priority: P276 · critical · CVSS 2.0 score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Flags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 84.08% (99.7th percentile)
Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.

Affected (4 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server

Detection & IOCs (extracted from sources)

other: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
path: \BROWSER
port: 445/tcp
port: 139
command: NetpwPathCanonicalize RPC call, function 0x1f
other: jmp esp @ ws2_32.dll: 0x71ab1d54
other: jmp esp @ ws2_32.dll: 0x71a37bfb
path: \\%s\pipe\browser
path: \\%s\ipc$
port: 4444
port: 54321
other: RPC interface UUID: 4b324fc8-1670-01d3-1278-5a47bf6ee188 (srvsvc), pipe \BROWSER or \SRVSVC
bytes: \x4e\xe6\x40\xbb
bytes: DCERPC bind: \x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88\x03\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00
bytes: DCERPC request header: \x05\x00\x00\x03\x10\x00\x00\x00\x30\x08\x00\x00\x00\x00\x00\x00\x18\x08\x00\x00\x00\x00\x1f\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00
  • Detect crafted DCERPC NetpwPathCanonicalize (opnum 0x1f) calls to the srvsvc/browser named pipe over SMB (ports 139/445). The target RPC interface is UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0.
  • For Windows 2003 SP0 exploitation, look for the constant stack cookie value 0x4e, 0xe6, 0x40, 0xbb embedded in the path argument of a NetpwPathCanonicalize request.
  • The exploit uses anonymous/unauthenticated SMB sessions (empty username and password) to the IPC$ share and then opens the \pipe\browser named pipe. Alert on anomalous unauthenticated IPC$ connections followed by BROWSER pipe access.
  • The payload bad characters for this exploit are \x00\x0a\x0d\x5c\x5f\x2f\x2e; IDS/IPS rules that inspect the RPC stub data for oversized path arguments should flag buffers of 600–1100 bytes that avoid these byte values.
  • The stack adjustment prepend bytes \x81\xc4\xff\xef\xff\xff\x44 (sub esp, 0xffffefff / inc esp) appear at the start of shellcode in exploit payloads and can serve as a shellcode signature.
  • The exploit sends the DCERPC request twice if the first attempt returns stub data (server rejection). Two rapid identical opnum 0x1f requests to the same pipe within milliseconds are a strong behavioral indicator.
  • For Windows XP SP2 detection, the exploit checks for error code 0xc0000022 (STATUS_ACCESS_DENIED) when opening the \SRVSVC pipe; this probing (opening \SRVSVC before exploitation) can itself be detected.
  • Exploitation causes a denial of service (not code execution) on Windows XP SP2 and Windows Server 2003 SP1 because of /GS stack protection; a failed attempt on Windows 2000 causes a full reboot.
  • The payload space is intentionally limited to 370 bytes to keep a single request format across all Windows service packs; larger payloads may be technically possible but break cross-SP compatibility.
  • The exploit supports both direct SMB (port 445) and NetBIOS SMB (port 139) transports, so detection rules must cover both ports.
  • Windows NT 4.0 requires adjusted SMB/DCERPC pipe write sizes (min 2048, max 4096) for successful exploitation; anomalously large pipe write sizes may indicate NT 4.0 targeting.

CVSS provenance

NVD (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 7.5 HIGH