CVE-2009-2532
published 2009-10-14

  • Priority: P2 79 · critical · CVSS 2.0 base score 10
  • CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
  • Status: in the wild (ITW), public exploit available, listed in VulnCheck KEV
  • Exploited in the wild
  • EPSS: 62.17% (99.1th percentile)
Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC do not properly process the command value in an SMB Multi-Protocol Negotiate Request packet, which allows remote attackers to execute arbitrary code via a crafted SMBv2 packet to the Server service, aka "SMBv2 Command Value Vulnerability."

Detection & IOCs (extracted from sources)

  • port: 445
  • port: 28876
  • url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14674.zip
  • filename: smb2_exploit.exe
  • filename: smb2_exploit_release.zip
  • process: srv2.sys
  • command: echo '1223456' | rpcclient -U Administrator %s
  • bytes: \x00\x00\x03\x9e\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8
  • bytes: \x00\x02\x53\x4d\x42\x20\x32\x2e\x30\x30\x32\x00
  • bytes: \x04\x0d\xdf\xff
  • bytes: \xb4\xff\xff\x3f
  • bytes: \x09\x0d\xd0\xff
  • Detect SMBv2 Negotiate Request packets with a crafted/malformed command value field targeting port 445 on Windows Vista/Server 2008/Windows 7 RC systems; the exploit packet begins with the byte sequence \x00\x00\x03\x9e\xff\x53\x4d\x42\x72 (NetBIOS session + SMB header with command 0x72).
  • The exploit packet contains the SMBv2 dialect string '\x00\x02SMB 2.002\x00' embedded in the negotiate request; inspect SMB negotiate packets for this dialect string combined with oversized or malformed payloads.
  • The exploit repeats the 4-byte pattern \x04\x0d\xdf\xff 25 times within the SMB negotiate packet as a heap spray/padding technique; this repetition is a strong network-level signature.
  • After sending the malicious SMBv2 packet, the exploit triggers code execution via an SMB authentication event (rpcclient login); monitor for unauthenticated or failed SMB authentication immediately following anomalous SMBv2 negotiate traffic.
  • Successful exploitation spawns a bind shell on TCP port 28876 on the target; monitor for unexpected listening services on this port on Windows Vista/Server 2008 hosts.
  • The vulnerability resides in srv2.sys (SMBv2 kernel driver); monitor for unexpected crashes, restarts, or anomalous activity in this driver on affected Windows systems.
  • The exploit uses a sysenter hook stager (stager_sysenter_hook from Metasploit) prepended before the shellcode; the stager begins with \xfc\xfa\xeb\x1e\x5e and can be used as a payload-level byte signature.
  • The Python exploit (EDB-40280) hardcodes a Meterpreter reverse_tcp shellcode connecting back to 192.168.30.77:443; this LHOST/LPORT is specific to the exploit author's lab environment and must be replaced in real-world attacks, so do not treat these as universal IOCs.
  • The binary exploit (EDB-14674) was tested only against Vista SP1 and SP2; reliability against other affected targets (Server 2008, Windows 7 RC) is not confirmed by the exploit author.
  • The Python exploit depends on the Linux 'smbclient'/'rpcclient' command-line tools to trigger the authentication event; the exploit author notes no Python SMB login library was available, so the trigger mechanism is OS-dependent.

CVSS provenance

  • nvd: CVSS v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
  • vulncheck: 10.0 CRITICAL
  • vendor_redhat: 7.2 HIGH