CVE-2010-0270
published 2010-04-14

Priority: P2 (64), critical; CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public PoC available
EPSS: 48.19% (98.7th percentile)
The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does not properly validate fields in SMB transaction responses, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted (1) SMBv1 or (2) SMBv2 response, aka "SMB Client Transaction Vulnerability."

Detection & IOCs (extracted from sources)

port: 445
command: SMB Trans2 QUERY_FS_INFO response with oversized/malformed parameter fields causing a stack overflow
bytes: FF 53 4D 42 72 (SMBv1 Negotiate Protocol Request/Response magic)
bytes: FF 53 4D 42 32 (SMBv1 Trans2 command 0x32 malicious response trigger)
  • Detect rogue SMB servers sending crafted Trans2 (command byte 0x32) responses to Windows SMB clients — the exploit server listens on TCP/445 and responds to client-initiated SMB negotiation sequences with a malformed Trans2 QUERY_FS_INFO response to trigger the stack overflow.
  • Monitor for SMB client connections (outbound TCP/445) from Windows 7 / Server 2008 R2 hosts to untrusted external SMB servers, especially where the server returns SMBv1 Trans2 responses with anomalous TotalDataCount/DataCount field values inconsistent with the declared buffer sizes.
  • The PoC exploit uses a fixed EIP overwrite pattern (0x41414141) and EBP pattern (0x42424242) in the Trans2 response payload; look for these byte sequences (41 41 41 41 / 42 42 42 42) within SMB Trans2 response data fields as a sign of exploitation attempts.
  • The malicious Trans2 response packet contains the ASCII padding sequence 'ABCDEFGHIJKLMNOPQRSTUV' (0x41–0x56) immediately before the EBP/EIP overwrite bytes; this distinctive byte run in an SMB Trans2 response body is a strong indicator of this exploit.
  • Man-in-the-middle attack vector: alert on ARP spoofing or DNS poisoning activity that could redirect Windows SMB client traffic to a rogue server, as the vulnerability is exploitable by MITM attackers intercepting SMBv1 or SMBv2 transaction responses.
  • The PoC uses hardcoded dummy EIP/EBP values (0x41414141 / 0x42424242) suitable only for crash demonstration; a weaponized exploit would substitute valid ROP gadget or shellcode addresses, so byte-pattern detection should focus on the structural malformation of Trans2 fields rather than solely on these specific overwrite values.
  • The exploit note indicates CVE-2010-0020 may also apply to the same PoC code, so detections built for this traffic pattern may simultaneously cover that related vulnerability.
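As an added detection example (not part of this record or of any referenced PoC), the Python below checks one raw SMBv1 Trans2 reply for the structural inconsistencies the notes above describe: ParameterCount/DataCount exceeding their totals, offsets running past the message, and the 'A'..'V' padding run. Field offsets follow the documented SMB_COM_TRANSACTION2 response layout; `build_trans2_reply` is a constructed helper that only assembles sample input for the checker.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32   # command byte of a Trans2 request/response
SMB_FLAGS_REPLY = 0x80        # header Flags bit set on server responses
# Padding run the IOC notes report immediately before the overwrite bytes
POC_PAD = bytes(range(0x41, 0x57))   # b'ABCDEFGHIJKLMNOPQRSTUV'


def check_trans2_response(pkt: bytes) -> list:
    """Return anomaly strings for one raw SMBv1 message (NetBIOS length prefix stripped).
    Empty list: not a Trans2 reply, or its counts and offsets are mutually consistent."""
    if len(pkt) < 32 or pkt[:4] != SMB_MAGIC:
        return []
    command, flags = pkt[4], pkt[9]
    if command != SMB_COM_TRANSACTION2 or not flags & SMB_FLAGS_REPLY:
        return []
    if len(pkt) < 52:                      # header + WordCount + the 10 fixed words
        return ["Trans2 reply truncated before its parameter words"]
    findings = []
    word_count = pkt[32]
    (total_param, total_data, _rsvd, param_count, param_off, _pdisp,
     data_count, data_off, _ddisp, setup_count) = struct.unpack_from("<HHHHHHHHHB", pkt, 33)
    if word_count != 10 + setup_count:
        findings.append(f"WordCount {word_count} != 10 + SetupCount {setup_count}")
    if param_count > total_param:
        findings.append(f"ParameterCount {param_count} exceeds TotalParameterCount {total_param}")
    if data_count > total_data:
        findings.append(f"DataCount {data_count} exceeds TotalDataCount {total_data}")
    for name, off, cnt in (("Parameter", param_off, param_count), ("Data", data_off, data_count)):
        if off + cnt > len(pkt):   # declared block would read beyond the received bytes
            findings.append(f"{name}Offset {off} + {name}Count {cnt} runs past message length {len(pkt)}")
    if POC_PAD in pkt[32:]:
        findings.append("PoC padding run 'A'..'V' present in Trans2 reply body")
    return findings


def build_trans2_reply(total_data: int, data_count: int, body: bytes) -> bytes:
    """Constructed helper: minimal Trans2 reply whose Data block is `body` (no real server traffic)."""
    header = (SMB_MAGIC + bytes([SMB_COM_TRANSACTION2]) + b"\0" * 4    # Command, Status
              + bytes([SMB_FLAGS_REPLY]) + b"\0" * 22)                  # Flags, Flags2 .. MID
    data_off = 32 + 1 + 20 + 2   # header + WordCount + 10 words + ByteCount
    words = struct.pack("<HHHHHHHHHBB", 0, total_data, 0, 0, data_off, 0,
                        data_count, data_off, 0, 0, 0)
    return header + bytes([10]) + words + struct.pack("<H", len(body)) + body


if __name__ == "__main__":
    print(check_trans2_response(build_trans2_reply(8, 8, b"\0" * 8)))                # []
    print(check_trans2_response(build_trans2_reply(16, 0x4000, POC_PAD + b"\0" * 8)))
```

Run against the SMB payload of each server-to-client TCP/445 segment (after stripping the 4-byte NetBIOS session header); only Trans2 replies are inspected, so negotiate and other commands return no findings.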