cbcvebase.
CVE-2009-2526
published 2009-10-14


Priority: P272
CVSS 2.0: 7.8 (high), vector AV:N/AC:L/Au:N/C:N/I:N/A:C
Tags: ITW, Exploit, VulnCheck KEV
Exploited in the wild
EPSS: 81.89% (99.6th percentile)
Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 do not properly validate fields in SMBv2 packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted packet to the Server service, aka "SMBv2 Infinite Loop Vulnerability."

Detection & IOCs (extracted from sources)

  • port: 445
  • port: 28876
  • process: srv2.sys
  • url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14674.zip
  • command: smb2_exploit.exe 192.167.0.5 45 0
  • bytes: \xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8
  • bytes: \x00\x02\x53\x4d\x42\x20\x32\x2e\x30\x30\x32\x00
  • bytes: \x04\x0d\xdf\xff (repeated 25 times)
  • bytes: \xb4\xff\xff\x3f
  • bytes: \x09\x0d\xd0\xff
  • Detect oversized or malformed SMBv2 Negotiate packets targeting srv2.sys — the exploit sends a crafted ~926-byte (0x039e) NetBIOS-framed SMB packet to TCP/445 containing the SMB2 dialect string '\x53\x4d\x42\x20\x32\x2e\x30\x30\x32' and a repeated 4-byte pattern '\x04\x0d\xdf\xff' 25 times.
  • Monitor for unexpected listening ports opened on victim Windows Vista/Server 2008 hosts, specifically TCP/28876, which the exploit spawns as a backdoor shell.
  • The exploit requires a follow-up SMB authentication event to trigger injected shellcode; monitor for rpcclient or anonymous/low-credential SMB authentication attempts immediately after a large malformed SMBv2 Negotiate packet from the same source IP.
  • Look for SMBv2 Negotiate packets with ProcessID field anomalies (high process ID bytes '\x17\x02') combined with oversized payloads — indicative of the ProcessID Function Table Dereference exploitation technique.
  • The stager shellcode contains the sysenter hook trampoline signature starting with '\xfc\xfa\xeb\x1e\x5e'; detect this byte sequence in SMB packet payloads.
  • The Python exploit (EDB-40280) hardcodes a Meterpreter reverse_tcp shellcode connecting back to LHOST=192.168.30.77 on LPORT=443; defenders should treat these as example values only, since real-world use will substitute attacker-controlled IPs/ports.
  • The binary exploit (EDB-14674) targets Vista SP1 and SP2 only and is described as reliable only for those versions; it was not updated after initial creation and may not work against other affected versions listed in the CVE (Server 2008 Gold/SP2).
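The first four detection bullets describe packet features that can be checked offline against a capture. The following is an added example, not code from this page or from any of the referenced exploit entries: a small parser that takes one NetBIOS-framed SMBv1 Negotiate message and reports which of the listed conditions hold (NetBIOS length at or above 0x039e, the "SMB 2.002" dialect entry, the 25-fold `\x04\x0d\xdf\xff` filler, and a non-zero PIDHigh field). The PIDHigh offset of 12 comes from the MS-CIFS SMB_Header layout; the `build_sample` helper produces a constructed test buffer that only carries the IOC byte patterns, not a functional negotiate request.

```python
import struct

# Byte patterns listed on this page as IOCs for the EDB-14674 packet.
SMB1_NEGOTIATE_HEADER = b"\xff\x53\x4d\x42\x72"  # "\xFFSMB" + command 0x72 (Negotiate)
SMB2_DIALECT = b"\x02\x53\x4d\x42\x20\x32\x2e\x30\x30\x32\x00"  # dialect entry "SMB 2.002"
REPEATED_PATTERN = b"\x04\x0d\xdf\xff"
REPEAT_COUNT = 25
EXPECTED_LENGTH = 0x039e   # ~926-byte NetBIOS payload noted on the page
SMB1_HEADER_LEN = 32       # MS-CIFS SMB_Header size
PID_HIGH_OFFSET = 12       # PIDHigh field: after Protocol(4) Command(1) Status(4) Flags(1) Flags2(2)


def inspect_smb_negotiate(packet: bytes) -> dict:
    """Parse a NetBIOS session message carrying an SMBv1 Negotiate request and
    report which of the page's IOC conditions hold. Returns a dict of findings;
    a packet that is not an SMBv1 Negotiate yields all-false findings."""
    findings = {
        "netbios_length": None,
        "oversized": False,
        "smb1_negotiate": False,
        "smb2_dialect": False,
        "repeat_count": 0,
        "pid_high": None,
        "pid_high_nonzero": False,
    }
    if len(packet) < 4 + SMB1_HEADER_LEN:
        return findings
    # NetBIOS session service header: 1-byte type (0x00 = session message),
    # then a 3-byte big-endian length of the SMB message that follows.
    msg_type = packet[0]
    length = int.from_bytes(packet[1:4], "big")
    findings["netbios_length"] = length
    if msg_type != 0x00:
        return findings
    body = packet[4:4 + length]
    if len(body) < SMB1_HEADER_LEN:
        return findings
    findings["oversized"] = length >= EXPECTED_LENGTH
    findings["smb1_negotiate"] = body.startswith(SMB1_NEGOTIATE_HEADER)
    if not findings["smb1_negotiate"]:
        return findings
    # PIDHigh is a little-endian 16-bit field; the page reports '\x17\x02' here.
    pid_high = struct.unpack_from("<H", body, PID_HIGH_OFFSET)[0]
    findings["pid_high"] = pid_high
    findings["pid_high_nonzero"] = pid_high != 0
    findings["smb2_dialect"] = SMB2_DIALECT in body
    findings["repeat_count"] = body.count(REPEATED_PATTERN)
    return findings


def is_suspicious(findings: dict) -> bool:
    """Alert rule: an SMBv1 Negotiate advertising SMB 2.002 that also carries
    the repeated filler pattern, or that is oversized with a non-zero PIDHigh."""
    if not (findings["smb1_negotiate"] and findings["smb2_dialect"]):
        return False
    return (findings["repeat_count"] >= REPEAT_COUNT
            or (findings["oversized"] and findings["pid_high_nonzero"]))


def build_sample(pid_high: bytes, repeats: int) -> bytes:
    """Constructed test input (not the exploit packet): a 32-byte SMB_Header
    with the page's leading bytes, the SMB 2.002 dialect entry and a chosen
    number of filler repeats, zero-padded to the page's 0x039e length."""
    header = (SMB1_NEGOTIATE_HEADER      # Protocol + Command
              + b"\x00\x00\x00\x00"       # Status
              + b"\x18"                   # Flags
              + b"\x53\xc8"               # Flags2
              + pid_high                  # PIDHigh (2 bytes)
              + b"\x00" * 8               # SecurityFeatures
              + b"\x00\x00"               # Reserved
              + b"\x00\x00"               # TID
              + b"\x00\x00"               # PIDLow
              + b"\x00\x00"               # UID
              + b"\x00\x00")              # MID
    if len(header) != SMB1_HEADER_LEN:
        raise ValueError("pid_high must be exactly 2 bytes")
    body = (header + SMB2_DIALECT + REPEATED_PATTERN * repeats).ljust(EXPECTED_LENGTH, b"\x00")
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for label, sample in (("ioc-like", build_sample(b"\x17\x02", REPEAT_COUNT)),
                          ("padded-benign", build_sample(b"\x00\x00", 0))):
        f = inspect_smb_negotiate(sample)
        print(label, "suspicious" if is_suspicious(f) else "clean", f)
```

To run it over a capture, feed each TCP/445 client-to-server segment's payload to `inspect_smb_negotiate`; the separate `is_suspicious` rule keeps the parser reusable if the thresholds need tuning for a given environment.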

CVSS provenance

NVD (CVSS v2.0): 7.8 HIGH, AV:N/AC:L/Au:N/C:N/I:N/A:C
VulnCheck: 7.8 HIGH