CVE-2010-0476
published 2010-04-14


Priority: P263 · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (network, low complexity, no authentication, complete confidentiality/integrity/availability impact)
Exploit: public PoC available
EPSS: 34.33% (98.2nd percentile)
The SMB client in Microsoft Windows Server 2003 SP2, Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted SMB transaction response that uses (1) SMBv1 or (2) SMBv2, aka "SMB Client Response Parsing Vulnerability."

Detection & IOCs (extracted from sources)

port: 445 (TCP; SMB over direct TCP, each message framed by a 4-byte NetBIOS session header)
command: SMB Trans2 (SMB_COM_TRANSACTION2, 0x32) QUERY_FS_INFO response with an oversized or malformed parameter block that triggers the stack overflow
bytes: FF 53 4D 42 72 (SMBv1 header magic "\xFFSMB" followed by command 0x72, SMB_COM_NEGOTIATE; present in both the Negotiate Protocol request and the response)
bytes: FF 53 4D 42 32 (SMBv1 header magic followed by command 0x32, SMB_COM_TRANSACTION2; the malicious Trans2 response packet)
  • A rogue SMB server (or MitM) answers the client's Negotiate (0x72), SessionSetup (0x73), TreeConnect (0x75), NTCreate (0xA2) and Trans2 (0x32) requests in sequence; the malicious Trans2 QUERY_FS_INFO response is the one that triggers the overflow. Detect an inbound SMB server response on port 445 (Flags reply bit 0x80 set) carrying command byte 0x32 whose declared parameter/data counts and offsets do not fit the packet.
  • The exploit operates as a rogue SMB server listening on TCP/445; monitor for unexpected hosts acting as SMB servers, i.e., hosts that send SMB responses from TCP/445 to clients that connected to them rather than sending requests to a server.
  • The crafted Trans2 response packet (packetrans in the PoC) contains the byte sequence 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 ("ABCDEFGHIJKLMNOP"), followed by 02 61 and a run of repeated 0x42/0x41 bytes (the EBP/EIP overwrite pattern); this padding pattern inside an SMB Trans2 response body is a strong indicator of exploitation with the public PoC.
  • The vulnerability is in SMBv1 and SMBv2 client response parsing, so exploitation requires the Windows SMB client to connect to an attacker-controlled server; block or alert on outbound SMB client connections (TCP/445) to untrusted external hosts.
  • The PoC was tested only on Windows 7 and Windows Server 2008 R2, whereas NVD lists CVE-2010-0476 as affecting Windows Server 2003 SP2, Vista Gold/SP1/SP2 and Server 2008 Gold/SP2; EBP/EIP offsets and shellcode would need adjustment per target OS and service pack.
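The detection logic above can be checked offline against the two indicators the sources describe: a Trans2 server response whose declared parameter/data counts or offsets overrun the packet, and the PoC's padding pattern in the response body. The following script is an added example, not code from the page's sources or from the PoC; it parses the SMBv1 header and the SMB_COM_TRANSACTION2 response word block as laid out in MS-CIFS, and the benign and malicious packets it inspects are constructed inline for illustration rather than taken from a capture. The `build_trans2_response` helper, the field names and the `0xC801`/`0xFEFF` header constants are this example's own choices.

```python
"""Offline checker for the CVE-2010-0476 Trans2-response indicators (added example)."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80          # header Flags bit set on every server response
HEADER_LEN = 32
# Padding sequence the page attributes to the PoC's crafted Trans2 response:
# "ABCDEFGHIJKLMNOP", then 02 61, then a run of 0x42/0x41 bytes.
POC_PATTERN = bytes(range(0x41, 0x57)) + b"\x02\x61"


def strip_netbios(payload: bytes) -> bytes:
    """Drop the 4-byte NetBIOS Session Service header used on TCP/445, if present."""
    if len(payload) >= 4 and payload[0] == 0x00:
        if int.from_bytes(payload[1:4], "big") == len(payload) - 4:
            return payload[4:]
    return payload


def parse_header(smb: bytes) -> dict:
    """Parse the fixed 32-byte SMBv1 header (MS-CIFS 2.2.3.1)."""
    if len(smb) < HEADER_LEN or smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMBv1 message")
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", smb, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}


def parse_trans2_response(smb: bytes) -> dict:
    """Parse the SMB_COM_TRANSACTION2 response word block (MS-CIFS 2.2.4.46.2)."""
    word_count = smb[HEADER_LEN]
    bc_off = HEADER_LEN + 1 + word_count * 2          # offset of ByteCount
    if word_count < 10 or len(smb) < bc_off + 2:
        raise ValueError("truncated or malformed Trans2 response")
    names = ("total_param", "total_data", "reserved", "param_count", "param_offset",
             "param_disp", "data_count", "data_offset", "data_disp", "setup_count", "reserved2")
    t = dict(zip(names, struct.unpack_from("<HHHHHHHHHBB", smb, HEADER_LEN + 1)))
    t["byte_count"] = struct.unpack_from("<H", smb, bc_off)[0]
    t["body_offset"] = bc_off + 2                     # first byte after ByteCount
    return t


def inspect_smb_response(payload: bytes) -> list:
    """Return the indicators found in one server->client TCP/445 payload."""
    smb = strip_netbios(payload)
    hdr = parse_header(smb)
    if not hdr["flags"] & SMB_FLAGS_REPLY or hdr["command"] != SMB_COM_TRANSACTION2:
        return []                                     # not a Trans2 server response
    t = parse_trans2_response(smb)
    size = len(smb)
    findings = []
    # Trans2 offsets are measured from the start of the SMB header, so every
    # declared block must lie inside the packet and inside the declared totals.
    if t["param_count"] > t["total_param"] or t["data_count"] > t["total_data"]:
        findings.append("count exceeds declared total")
    if t["param_offset"] + t["param_count"] > size:
        findings.append("parameter block overruns packet")
    if t["data_offset"] + t["data_count"] > size:
        findings.append("data block overruns packet")
    idx = smb.find(POC_PATTERN, t["body_offset"])
    if idx != -1:
        run = smb[idx + len(POC_PATTERN): idx + len(POC_PATTERN) + 16]
        if len(run) >= 8 and set(run) <= {0x41, 0x42}:
            findings.append("PoC padding pattern present")
    return findings


def build_trans2_response(params: bytes, data: bytes, **override) -> bytes:
    """Constructed Trans2 response (not a capture); keyword overrides let a sample
    declare counts/offsets that disagree with the bytes actually present."""
    header = SMB_MAGIC + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, 0, SMB_FLAGS_REPLY, 0xC801, 0)
    header += b"\x00" * 10 + struct.pack("<HHHH", 1, 0xFEFF, 1, 1)  # SecurityFeatures, Reserved, TID, PIDLow, UID, MID
    body_start = HEADER_LEN + 1 + 10 * 2 + 2          # WordCount=10 words + ByteCount
    pad1 = -body_start % 4                            # 4-byte align the parameter block
    p_off = body_start + pad1
    pad2 = -(p_off + len(params)) % 4                 # and the data block
    d_off = p_off + len(params) + pad2
    body = b"\x00" * pad1 + params + b"\x00" * pad2 + data
    fields = {"total_param": len(params), "total_data": len(data), "reserved": 0,
              "param_count": len(params), "param_offset": p_off, "param_disp": 0,
              "data_count": len(data), "data_offset": d_off, "data_disp": 0,
              "setup_count": 0, "reserved2": 0}
    fields.update(override)
    words = struct.pack("<HHHHHHHHHBB", *fields.values())
    smb = header + b"\x0a" + words + struct.pack("<H", len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session framing


# Constructed samples: a well-formed TRANS2_QUERY_FS_INFORMATION reply carrying an
# SMB_QUERY_FS_SIZE_INFO block, and a reply carrying the padding pattern whose
# declared counts/offsets overrun the packet.
BENIGN = build_trans2_response(b"", struct.pack("<QQII", 1_000_000, 500_000, 8, 512))
MALICIOUS = build_trans2_response(POC_PATTERN + b"B" * 24 + b"A" * 24, b"",
                                  param_count=0xFFFF, data_count=0x8000, data_offset=0xFFF0)
# Same bytes as BENIGN with the reply flag cleared: a client request, so ignored.
CLIENT_REQUEST = BENIGN[:13] + bytes([BENIGN[13] & 0x7F]) + BENIGN[14:]

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("malicious", MALICIOUS), ("request", CLIENT_REQUEST)):
        print(name, inspect_smb_response(pkt))
```

The direction check matters as much as the byte pattern: the same parser applied to a client request (reply flag clear) reports nothing, which is what keeps a rule like this from firing on ordinary outbound Trans2 traffic from the monitored host.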

CVSS provenance

NVD: CVSS v2.0 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Vendor (Red Hat): 7.4 HIGH