CVE-2010-0020
published 2010-02-10

- Priority: P2, 64, critical
- CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
- Exploit: available
- EPSS: 32.03% (98.1st percentile)
The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate request fields, which allows remote authenticated users to execute arbitrary code via a malformed request, aka "SMB Pathname Overflow Vulnerability."

Detection & IOCs (extracted from sources)

- port: 445
- bytes: FF 53 4D 42 72 (SMB Negotiate Protocol Request magic + command 0x72)
- bytes: FF 53 4D 42 32 (SMB Trans2 command 0x32 with overflow payload)
- bytes: Trans2 overflow pattern: 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 02 61 42 42 42 42 41 41 41 41
  • Detect malformed SMB Trans2 (command 0x32) responses from a rogue server on TCP/445 containing a stack overflow pattern — the exploit operates as a malicious SMB server that sends crafted Trans2 responses to trigger a client-side stack overflow.
  • Monitor for SMB client connections to untrusted servers on TCP 445 where the server returns an oversized or malformed Trans2 QUERY_FS_INFO response; the overflow payload overwrites EBP and EIP on the client stack.
  • The exploit requires an authenticated SMB session (remote authenticated users); look for NTLMSSP_CHALLENGE exchanges followed immediately by a Trans2 QUERY_FS_INFO response that is anomalously short yet triggers a stack overwrite.
  • Flag rogue SMB servers (listening on TCP/445) that send an NT Create AndX response followed by a Trans2 response containing the byte sequence 0x02 0x61 and repeated 0x41/0x42 padding bytes, indicative of EIP/EBP overwrite.
  • The PoC exploit code targets the SMB *client* (CVE-2010-0270 / MS10-020 Trans2 client stack overflow) and acts as a malicious server; the NVD entry for CVE-2010-0020 describes a server-side 'SMB Pathname Overflow Vulnerability'. The exploit-db entry notes both CVEs may apply, but the attack vector and affected component differ — validate which CVE applies before deploying detections.
  • The EBP and EIP values in the PoC are placeholder crash values (0x42424242 / 0x41414141) and not functional shellcode addresses; real exploitation would use different values depending on the target OS and patch level.