CVE-2007-3039
published 2007-12-12

CVE-2007-3039: Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP…

Priority P2 · 67 · critical · CVSS 2.0 score 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
EXPLOIT · EPSS 69.06% (99.3rd percentile)
Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. NOTE: this is remotely exploitable on Windows 2000 Server.

Detection & IOCs (extracted from sources)

  • port: 2103
  • port: 2105
  • port: 2107
  • port: 1154
  • port: 4444
  • other: RPC UUID fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
  • command: opnum 0x06 RPC call to port 2103
  • other: Ret: 0x75022ac4 (ws2help.dll pop/pop/ret, Windows 2000 Server English)
  • bytes (RPC bind request): 05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 00 00 00 00 01 00 30 a0 b3 fd 5f 06 d1 11 bb 9b 00 a0 24 ea 55 25 01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
  • bytes (opnum 0x06 RPC request): 05 00 00 81 10 00 00 00 d0 16 00 00 01 00 00 00 98 17 00 00 00 00 06 00 30 a0 b3 fd 5f 06 d1 11 bb 9b 00 a0 24 ea 55 25 01 00 00 00 ba 0b 00 00 00 00 00 00 ba 0b 00 00
  • bytes: eb 06 42 42 (jmpcode / SEH overwrite)
  • Detect RPC bind requests to MSMQ interface UUID fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0 on TCP port 2103 (also 2105, 2107) followed by an opnum 0x06 call containing an oversized DNS name string (>310 bytes after unicode expansion).
  • Look for the RPC bind packet byte signature starting with 05 00 0b 03 containing UUID bytes 30 a0 b3 fd 5f 06 d1 11 bb 9b 00 a0 24 ea 55 25 on MSMQ ports (2103/2105/2107).
  • Flag outbound connections from MSMQ service host to port 1154 or 4444 post-exploitation, as these are the bind-shell ports used by the public exploit shellcodes.
  • Detect the SEH overwrite pattern \xeb\x06\x42\x42 within RPC request payloads to MSMQ ports as an exploit-specific byte signature.
  • The exploit requires a valid FQDN (DNS name) configured on the target; the RPC opnum 0x06 payload embeds this name in Unicode followed by a backslash (\x5c \x00) and then overflow padding. Monitor for anomalously large unicode strings in MSMQ RPC calls.
  • The Metasploit module remaps scanning hits on ports 445/139 to 2103 for automated exploitation; correlate MSMQ vulnerability scanner traffic on 445/139 with follow-up exploit traffic on 2103.
  • Exploitation requires the target to have MSMQ installed and configured with a DNS (FQDN) name; the DNS name does not need to be resolvable by a real DNS server, only configured on the target machine.
  • The vulnerability is remotely exploitable only on Windows 2000 Server; Windows 2000 Professional and Windows XP SP2 are also affected but require local access.
  • The SEH overwrite return address 0x75022ac4 (ws2help.dll pop/pop/ret) is specific to Windows 2000 Server English; offsets and return addresses must be adjusted for other language versions.
  • Payload bad characters that must be avoided are \x00\x0a\x0d\x5c\x5f\x2f\x2e\xff; the backslash (\x5c) and underscore (\x5f) are bad chars, which constrains shellcode encoding.
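As an added illustration of the first four detection bullets (this is not code from cvebase, from the page's sources, or from the Metasploit module), the following Python parses the two DCE/RPC PDU prefixes quoted above and flags a flow on an MSMQ port when a bind to the MSMQ interface UUID v1.0 is followed by an opnum 0x06 request whose NDR string header declares more than 310 bytes of UTF-16 text, or whose stub data carries the eb 06 42 42 pattern. The bind-body layout and the reading of the stub's first 16 bytes as a referent id plus an NDR conformant/varying string header (max_count, offset, actual_count) are assumptions taken from standard DCE/RPC and NDR encoding, not stated on the page; the benign sample name mq01.corp.example is constructed.

```python
import struct
import uuid

# Values quoted on the page: the MSMQ RPC interface UUID, the MSMQ listener
# ports, the vulnerable opnum, the SEH-overwrite pattern and the size above
# which a DNS-name string counts as oversized (after UTF-16 expansion).
MSMQ_IFACE = uuid.UUID("fdb3a030-065f-11d1-bb9b-00a024ea5525")
MSMQ_PORTS = {2103, 2105, 2107}
VULN_OPNUM = 0x06
SEH_PATTERN = b"\xeb\x06\x42\x42"
MAX_NAME_BYTES = 310

PTYPE_REQUEST = 0x00
PTYPE_BIND = 0x0B
PFC_OBJECT_UUID = 0x80  # DCE/RPC flag: a 16-byte object UUID precedes the stub

# The two PDU prefixes quoted on the page, as hex (bytes.fromhex ignores spaces).
BIND_PDU = bytes.fromhex(
    "05000b03 10000000 48000000 01000000 d016d016 00000000 01000000 00000100"
    "30a0b3fd5f06d111bb9b00a024ea5525 01000000"
    "045d888aeb1cc9119fe808002b104860 02000000"
)
REQUEST_PREFIX = bytes.fromhex(
    "05000081 10000000 d0160000 01000000 98170000 0000 0600"
    "30a0b3fd5f06d111bb9b00a024ea5525 01000000 ba0b0000 00000000 ba0b0000"
)


def parse_header(pdu):
    """Parse the 16-byte DCE/RPC common header; None if this is not DCE/RPC v5."""
    if len(pdu) < 16 or pdu[0] != 5 or pdu[1] != 0:
        return None
    frag_len, _auth_len, call_id = struct.unpack_from("<HHI", pdu, 8)
    return {"ptype": pdu[2], "flags": pdu[3], "frag_len": frag_len, "call_id": call_id}


def bind_targets_msmq(pdu):
    """True if a bind PDU's first presentation context names the MSMQ interface v1.0.

    Assumed standard bind body after the 16-byte header: max_xmit(2), max_recv(2),
    assoc_group(4), n_ctx(1), pad(3), ctx_id(2), n_trans(1), pad(1),
    abstract-syntax UUID(16, little-endian fields), version major(2) minor(2).
    """
    hdr = parse_header(pdu)
    if hdr is None or hdr["ptype"] != PTYPE_BIND or len(pdu) < 52:
        return False
    iface = uuid.UUID(bytes_le=pdu[32:48])
    major, minor = struct.unpack_from("<HH", pdu, 48)
    return iface == MSMQ_IFACE and (major, minor) == (1, 0)


def inspect_request(pdu):
    """Return the reasons a request PDU looks like a CVE-2007-3039 attempt (empty if none)."""
    reasons = []
    hdr = parse_header(pdu)
    if hdr is None or hdr["ptype"] != PTYPE_REQUEST or len(pdu) < 24:
        return reasons
    opnum = struct.unpack_from("<H", pdu, 22)[0]
    if opnum != VULN_OPNUM:
        return reasons
    stub = pdu[40:] if hdr["flags"] & PFC_OBJECT_UUID else pdu[24:]
    # Assumption: the stub opens with a 4-byte referent id followed by an NDR
    # conformant/varying string header (max_count, offset, actual_count as
    # uint32 counts of UTF-16 code units). The page's sample reads:
    # 01000000 | ba0b0000 00000000 ba0b0000 -> 3002 code units = 6004 bytes.
    if len(stub) >= 16:
        _max_count, _offset, actual_count = struct.unpack_from("<III", stub, 4)
        if actual_count * 2 > MAX_NAME_BYTES:
            reasons.append(f"opnum 0x06 with oversized Unicode string ({actual_count * 2} bytes)")
    if SEH_PATTERN in stub:
        reasons.append("SEH overwrite pattern eb 06 42 42 in stub data")
    return reasons


def classify_flow(dst_port, pdus):
    """Evaluate one client-to-server PDU sequence sent to an MSMQ port.

    Alerts only when a bind to the MSMQ interface is followed by a suspicious
    opnum 0x06 request, so ordinary MSMQ traffic on these ports stays quiet.
    """
    if dst_port not in MSMQ_PORTS:
        return {"alert": False, "reasons": []}
    bound, reasons = False, []
    for pdu in pdus:
        if bind_targets_msmq(pdu):
            bound = True
        elif bound:
            reasons.extend(inspect_request(pdu))
    return {"alert": bool(reasons), "reasons": reasons}


def benign_request(name="mq01.corp.example"):
    """Constructed opnum 0x06 request with the page's header and UUID but a short name."""
    wname = name.encode("utf-16-le")
    n = len(wname) // 2
    return REQUEST_PREFIX[:44] + struct.pack("<III", n, 0, n) + wname


if __name__ == "__main__":
    print(classify_flow(2103, [BIND_PDU, benign_request()]))
    print(classify_flow(2103, [BIND_PDU, REQUEST_PREFIX + b"A" * 400 + SEH_PATTERN]))
```

The check keys on the declared string length in the first fragment (flags 0x81 marks a first fragment with an object UUID) rather than on raw fragment size, because a legitimate large MSMQ call can also span several fragments; later fragments carry no NDR header, so only the SEH-pattern scan applies to them. The bind check implements the "05 00 0b 03 ... UUID bytes" signature from the second bullet without relying on a fixed byte offset for the port.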