CVE-2010-0477
published 2010-04-14


Priority: P267 · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 50.19% (98.8th percentile)
The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does not properly handle (1) SMBv1 and (2) SMBv2 response packets, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted packet that causes the client to read the entirety of the response, and then improperly interact with the Winsock Kernel (WSK), aka "SMB Client Message Size Vulnerability."

Detection & IOCs (extracted from sources)

  • port: 445
  • command: Rogue SMB server responding to Trans2 (0x32) with oversized/malformed response to trigger stack overflow
  • bytes: FF 53 4D 42 72 (SMBv1 Negotiate Protocol Request/Response magic)
  • bytes: FF 53 4D 42 32 (SMB Trans2 command 0x32 malicious response packet)
  • bytes: EBP=0x42424242 EIP=0x41414141 stack overflow pattern in Trans2 response
  • Detect SMB clients connecting to untrusted/external SMB servers on port 445 — the exploit requires the victim to connect to a rogue SMB server that sends a malformed Trans2 (SMB command 0x32) response.
  • Inspect inbound SMB Trans2 (command byte 0x32) response packets for anomalous sizes or stack-smashing patterns (e.g., repeated 0x41/0x42 bytes in data fields) on port 445.
  • Flag SMB sessions where the server-side Session Setup AndX response returns STATUS_MORE_PROCESSING_REQUIRED followed by a crafted NTLMSSP_CHALLENGE, as this is the handshake sequence used by the rogue server PoC.
  • Monitor for outbound SMB connections from Windows 7 / Server 2008 R2 hosts to non-corporate SMB servers (man-in-the-middle vector); block outbound TCP 445 at the perimeter.
  • The exploit affects only Windows 7 and Windows Server 2008 R2 SMB clients; detection rules should be scoped to those OS versions to reduce false positives.
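The following inspector is an added example, not code from the CVE record or from any of its cited sources. It applies the detection notes above to raw SMBv1 packets as they arrive on TCP/445 (4-byte NetBIOS session header followed by the SMB message): it parses the SMBv1 header, keeps only Trans2 (0x32) responses, and flags a response whose declared ByteCount disagrees with the bytes actually present, whose data block exceeds a size threshold, or whose data field is a long run of the 0x41/0x42 fill bytes named in the IOCs. The thresholds MAX_TRANS2_DATA and MIN_FILL_RUN are tuning assumptions chosen here, the helper names are hypothetical, and the sample packets are constructed rather than captured traffic. SMBv2 framing (magic 0xFE 'S' 'M' 'B') is out of scope and is reported as unparseable.

```python
"""Added example (not from the CVE record): detection checks for SMBv1 Trans2
(0x32) responses, run over constructed sample packets.
"""
from __future__ import annotations

import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80            # header Flags bit set on server responses
SMB1_HEADER_LEN = 32
MAX_TRANS2_DATA = 4096            # assumption: tune to the largest legitimate Trans2 reply you expect
MIN_FILL_RUN = 64                 # assumption: a run of one byte this long in a data field is suspicious
FILL_BYTES = (0x41, 0x42)         # the 'A'/'B' stack-smashing pattern named in the IOCs


def longest_run(data: bytes) -> tuple[int, int]:
    """Return (byte_value, run_length) for the longest run of one repeated byte."""
    best_val, best_len, i = -1, 0, 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best_len:
            best_val, best_len = data[i], j - i
        i = j
    return best_val, best_len


def parse_smb1(message: bytes) -> dict:
    """Parse the 32-byte SMBv1 header plus the WordCount/ByteCount framing that follows it."""
    if len(message) < SMB1_HEADER_LEN + 1:
        raise ValueError("short SMB message")
    if message[:4] != SMB1_MAGIC:
        raise ValueError("not an SMBv1 message")
    command, status, flags, flags2 = struct.unpack_from("<BIBH", message, 4)
    word_count = message[SMB1_HEADER_LEN]
    params_end = SMB1_HEADER_LEN + 1 + 2 * word_count
    if len(message) < params_end + 2:
        raise ValueError("truncated parameter block")
    (byte_count,) = struct.unpack_from("<H", message, params_end)
    return {
        "command": command,
        "status": status,
        "is_response": bool(flags & SMB_FLAGS_REPLY),
        "word_count": word_count,
        "byte_count": byte_count,
        "data": message[params_end + 2:],
    }


def inspect_smb_response(packet: bytes) -> list[str]:
    """Return detection findings for one NetBIOS-framed SMB packet (empty list = nothing matched)."""
    findings: list[str] = []
    if len(packet) < 4:
        return ["truncated NetBIOS session header"]
    nb_len = int.from_bytes(packet[1:4], "big")   # 1-byte type, 24-bit length on port 445
    message = packet[4:]
    if nb_len != len(message):
        findings.append(f"NetBIOS length {nb_len} != {len(message)} bytes present")
    try:
        smb = parse_smb1(message)
    except ValueError as exc:
        return findings + [f"unparseable SMBv1 message: {exc}"]
    if not (smb["is_response"] and smb["command"] == SMB_COM_TRANSACTION2):
        return findings                            # only Trans2 responses are in scope here
    data = smb["data"]
    if smb["byte_count"] != len(data):
        findings.append(f"Trans2 response ByteCount {smb['byte_count']} != {len(data)} data bytes present")
    if len(data) > MAX_TRANS2_DATA:
        findings.append(f"Trans2 response data {len(data)} bytes exceeds threshold {MAX_TRANS2_DATA}")
    val, run = longest_run(data)
    if val in FILL_BYTES and run >= MIN_FILL_RUN:
        findings.append(f"Trans2 response data contains {run} consecutive 0x{val:02x} bytes")
    return findings


def build_smb1(command: int, flags: int, params: bytes, data: bytes,
               declared_byte_count: int | None = None) -> bytes:
    """Build a NetBIOS-framed SMBv1 message for the samples below (constructed, not captured)."""
    header = SMB1_MAGIC + struct.pack("<BIBH", command, 0, flags, 0) + b"\x00" * 20  # remaining fields zeroed
    byte_count = len(data) if declared_byte_count is None else declared_byte_count
    message = header + bytes([len(params) // 2]) + params + struct.pack("<H", byte_count) + data
    return b"\x00" + len(message).to_bytes(3, "big") + message


# Constructed samples: a benign Trans2 response, a Negotiate request (not in scope),
# a Trans2 response whose data is an oversized run of 0x41, and one whose ByteCount lies.
BENIGN_TRANS2 = build_smb1(SMB_COM_TRANSACTION2, SMB_FLAGS_REPLY, b"\x00" * 20, b"\x00" * 40)
NEGOTIATE_REQ = build_smb1(0x72, 0, b"", b"\x02NT LM 0.12\x00")
HOSTILE_TRANS2 = build_smb1(SMB_COM_TRANSACTION2, SMB_FLAGS_REPLY, b"\x00" * 20, b"A" * 5000 + b"B" * 4)
LYING_TRANS2 = build_smb1(SMB_COM_TRANSACTION2, SMB_FLAGS_REPLY, b"\x00" * 20, b"\x00" * 40, declared_byte_count=8)

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_TRANS2), ("negotiate", NEGOTIATE_REQ),
                      ("hostile", HOSTILE_TRANS2), ("lying", LYING_TRANS2)]:
        print(name, inspect_smb_response(pkt) or "clean")
```

The checks run only on packets whose Flags byte marks them as a server response, which matches the vector in the description (a rogue or man-in-the-middle server answering a Windows 7 / Server 2008 R2 client); pair the inspector with the host-scoping note above so that Trans2 responses to other clients do not raise alerts.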