cbcvebase.
CVE-2008-4037
published 2008-11-12

CVE-2008-4037: SMB Credential Reflection Vulnerability (MS08-068)

Priority: P268 (critical)
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: yes (public PoC listed under Detection & IOCs below)
EPSS: 59.14% (99.0th percentile)
Microsoft Windows 2000 Gold through SP4, XP Gold through SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote SMB servers to execute arbitrary code on a client machine by replaying the NTLM credentials of a client user, as demonstrated by backrush, aka "SMB Credential Reflection Vulnerability." NOTE: some reliable sources report that this vulnerability exists because of an insufficient fix for CVE-2000-0834.

Affected (2 ranges)

Vendor      Product   Version range   Fixed in
microsoft   windows   -               -
microsoft   windows   -               -

Detection & IOCs (extracted from sources)

url: http://seclab.ce.aut.ac.ir/samba-exp/exploit/backrush.patch
url: http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.bz2
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/7125.zip
path: ADMIN$
path: %SYSTEMROOT%\<random8>.exe
port: 445
port: 139
command: smbmount //<ip>/<share> backrush/mnt/<ip>-<port> -o username=root,password=let_me_go_in
  • Detect SMB relay/reflection attacks by monitoring for a host authenticating to itself over SMB (same source and destination IP on ports 445/139 with NTLM challenge-response). MS08-068 patch blocks challenge key reflection back to the issuing host.
  • Alert on new Windows services created with randomly generated 8-character alphanumeric names and display names, especially when the binary path points to %SYSTEMROOT%\<random>.exe — a hallmark of the SMB relay Metasploit module's post-exploitation service installation.
  • Detect NTLM relay by watching for SMB sessions where the connecting client is authenticated as a non-Guest user but the session is being proxied to a third-party SMB host (SMBHOST parameter differs from originating IP).
  • Flag Windows XP systems not joined to a domain where 'Network Access: Sharing and security model for local accounts' is NOT set to Guest-only, as these are exploitable targets for SMB relay gaining administrative access.
  • The SMB reflection variant of this attack (relaying credentials back to the originating host) is blocked by the MS08-068 patch. However, relaying to a *third-party* SMB host the victim is authorized to access remains possible and is not mitigated by the patch alone.
  • The Metasploit smb_relay module does not support SMB 2/3; as of Feb 2022 it only works against SMB 1 targets, limiting its applicability to legacy unpatched systems.
  • The relay module cannot clean up after itself; the uploaded payload EXE and created service must be manually removed from the victim after exploitation, which may leave forensic artifacts.
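The first two detection points above (a host NTLM-authenticating to itself over SMB, then an 8-character random service dropped as %SYSTEMROOT%\<random8>.exe) can be expressed as a small correlation rule. The following is an added example written for this page; it is not code from the page, from Microsoft or from the Metasploit project. The event records are constructed and simplified: they are modelled loosely on Windows Security event 4624 (network logon) and System event 7045 (service installed), but the field names (`src_ip`, `dst_ip`, `image_path`, ...) and the `window_s` correlation window are assumptions, not a real log schema.

```python
"""Correlate SMB self-authentication with a random-named service install.

Added example for the detection points above; not the page's or Metasploit's
code. Event dicts are constructed and their field names are assumptions.
"""
import re
from typing import Dict, Iterable, List

# smb_relay drops its payload as %SYSTEMROOT%\<8 random alphanumerics>.exe and
# registers a service with an 8-character random name. Both regexes are an
# assumption about how that looks in a parsed 7045 event.
RANDOM8 = re.compile(r"^[A-Za-z0-9]{8}$")
SYSROOT_EXE = re.compile(
    r"^(?:%SYSTEMROOT%|[A-Za-z]:\\Windows)\\([A-Za-z0-9]{8})\.exe$", re.IGNORECASE
)
SMB_PORTS = {139, 445}


def is_reflection(evt: Dict) -> bool:
    """NTLM network logon over SMB where the source address is the host's own."""
    return (
        evt.get("event_id") == 4624
        and evt.get("logon_type") == 3
        and str(evt.get("auth_package", "")).upper() == "NTLM"
        and evt.get("dst_port") in SMB_PORTS
        and evt.get("src_ip") == evt.get("dst_ip")
    )


def is_random_service(evt: Dict) -> bool:
    """Service install whose name is 8 alphanumerics AND whose binary sits
    directly in the system root as <8 alphanumerics>.exe. Requiring both
    keeps legitimate 8-letter service names (e.g. "Schedule") out."""
    if evt.get("event_id") != 7045:
        return False
    name = str(evt.get("service_name", ""))
    return bool(RANDOM8.match(name) and SYSROOT_EXE.match(str(evt.get("image_path", ""))))


def detect(events: Iterable[Dict], window_s: int = 300) -> List[Dict]:
    """Return alerts. A random service install within window_s seconds of a
    reflection on the same host is escalated to high severity."""
    alerts: List[Dict] = []
    last_reflection: Dict[str, int] = {}  # host -> timestamp of latest reflection
    for evt in sorted(events, key=lambda e: e["ts"]):
        host = evt["host"]
        if is_reflection(evt):
            last_reflection[host] = evt["ts"]
            alerts.append({"host": host, "ts": evt["ts"],
                           "rule": "smb_self_auth", "severity": "medium"})
        elif is_random_service(evt):
            ref_ts = last_reflection.get(host)
            correlated = ref_ts is not None and evt["ts"] - ref_ts <= window_s
            alerts.append({"host": host, "ts": evt["ts"],
                           "rule": "random_service_install",
                           "severity": "high" if correlated else "medium",
                           "service": evt["service_name"]})
    return alerts


# Constructed sample events (not real logs).
SAMPLE_EVENTS: List[Dict] = [
    # benign: workstation authenticates to a file server
    {"ts": 100, "event_id": 4624, "host": "WS01", "logon_type": 3, "auth_package": "NTLM",
     "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 445, "user": "alice"},
    # reflection: WS01 sees an NTLM logon from its own address on 445
    {"ts": 200, "event_id": 4624, "host": "WS01", "logon_type": 3, "auth_package": "NTLM",
     "src_ip": "10.0.0.5", "dst_ip": "10.0.0.5", "dst_port": 445, "user": "alice"},
    # payload service registered seconds later
    {"ts": 203, "event_id": 7045, "host": "WS01", "service_name": "kXwQ7bLp",
     "display_name": "kXwQ7bLp", "image_path": r"%SYSTEMROOT%\kXwQ7bLp.exe"},
    # benign service install on another host
    {"ts": 500, "event_id": 7045, "host": "WS02", "service_name": "Spooler",
     "display_name": "Print Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The service-name test alone is noisy, which is why the rule also requires the binary to sit directly under the system root; the correlation with a preceding self-authentication is what turns two medium signals into one high-confidence alert. Note the limits stated above: this catches the reflection variant and the module's artefacts, not a relay to a third-party host.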