CVE-2010-0478
published 2010-04-14

CVE-2010-0478: Stack-based buffer overflow in nsum.exe in the Windows Media Unicast Service in Media Services for Microsoft Windows 2000 Server SP4 allows remote attackers to…

Priority: P269, critical; CVSS 2.0 score 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 66.96% (99.2th percentile)
Stack-based buffer overflow in nsum.exe in the Windows Media Unicast Service in Media Services for Microsoft Windows 2000 Server SP4 allows remote attackers to execute arbitrary code via crafted packets associated with transport information, aka "Media Services Stack-based Buffer Overflow Vulnerability."

Detection & IOCs (extracted from sources)

  • process: nsum.exe
  • process: NUMS.exe
  • port: 1755
  • other: FunnelConnect request (MMS protocol, msg_id 0x30001 / 0x30002)
  • registry: 0x75022ac4
  • ua: NSPlayer/4.1.0.3928; {68c0a090-8797-11d2-a2b3-00a0c9b60551}
  • bytes: MMS seal: 0x20534d4d ("MMS ")
  • bytes: Session ID magic: 0xb00bface
  • bytes: MMS command data prefix: 0xf0f0f0f0 (msg_id 0x30001) / 0xf0f0f0f1 (msg_id 0x30002)

  • Monitor for the NSPlayer/4.1.0.3928 subscriber string with GUID {68c0a090-8797-11d2-a2b3-00a0c9b60551} in MMS traffic on port 1755, used by the exploit's LinkViewerToMacConnect step.
  • Detect unexpected termination or crash of NUMS.exe / nsum.exe on Windows 2000 Server SP4; the service does not restart automatically after exploitation or failed attempts.
  • Watch for code executing under the 'NetShowServices' user account following MMS traffic to port 1755, which indicates successful exploitation.
  • Flag MMS packets on port 1755 containing the SEH overwrite offsets (832 or 840 bytes into payload) combined with the p/p/r ROP gadget return address 0x75022ac4 from ws2help.dll.
  • Windows Media Services 4.1 is NOT installed by default on Windows 2000 Server; the attack surface only exists on systems where it has been explicitly installed.
  • The exploit targets a specific version (4.1.0.3930) of the Windows Media Unicast Service; detections tied to version strings should account for this exact version.
  • The service does not restart after exploitation or failed attempts, so absence of the service post-attack does not confirm successful code execution — it may simply reflect a crashed/killed service from an unsuccessful attempt.
  • The Metasploit payload excludes bad characters 0x00 and 0x5c; detection signatures based on shellcode byte patterns should account for these constraints.
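
The network indicators above can be combined into a simple payload triage. The following is an added example, not code from this page or from any cited source. It assumes reassembled TCP payloads, little-endian encoding of the listed 32-bit values, and that the subscriber string may appear as ASCII or UTF-16LE; the function names and sample payloads are hypothetical.

```python
import struct

# Indicator values as listed on this page. Little-endian wire encoding and the
# UTF-16LE variant of the subscriber string are assumptions of this example.
MMS_SEAL = struct.pack("<I", 0x20534D4D)        # b"MMS "
SESSION_MAGIC = struct.pack("<I", 0xB00BFACE)
CMD_PREFIXES = {0x30001: struct.pack("<I", 0xF0F0F0F0),
                0x30002: struct.pack("<I", 0xF0F0F0F1)}
RET_ADDR = struct.pack("<I", 0x75022AC4)        # p/p/r address in ws2help.dll
SUBSCRIBER = "NSPlayer/4.1.0.3928; {68c0a090-8797-11d2-a2b3-00a0c9b60551}"


def has_text(payload, text):
    """True if text occurs in the payload as ASCII or as UTF-16LE."""
    return text.encode("ascii") in payload or text.encode("utf-16-le") in payload


def triage(payload, dst_port=1755):
    """Return (verdict, findings) for one reassembled TCP payload."""
    findings = []
    if dst_port != 1755 or MMS_SEAL not in payload:
        return "ignore", findings               # not MMS traffic to the service
    findings.append("mms_seal")
    if SESSION_MAGIC in payload:
        findings.append("session_magic")
    for msg_id, prefix in CMD_PREFIXES.items():
        if prefix in payload:
            findings.append(f"cmd_prefix_{msg_id:#x}")
    if has_text(payload, SUBSCRIBER):
        findings.append("exploit_subscriber_string")
    pos = payload.find(RET_ADDR)
    if pos != -1:
        findings.append(f"ret_addr@{pos}")      # offset kept for analyst review
    # The seal, magic and prefixes alone only identify MMS; the subscriber
    # string and the return address are the exploit-specific indicators.
    strong = [f for f in findings if f.startswith(("exploit_", "ret_addr"))]
    verdict = "alert" if len(strong) == 2 else "suspicious" if strong else "mms"
    return verdict, findings


# Constructed sample payloads (not captured traffic, not a working request).
BENIGN = SESSION_MAGIC + b"\x00" * 8 + MMS_SEAL + b"\x00" * 16
SUSPECT = BENIGN + SUBSCRIBER.encode("utf-16-le")
FLAGGED = SUSPECT + CMD_PREFIXES[0x30002] + b"\x00" * 64 + RET_ADDR
```

Correlate an "alert" or "suspicious" verdict with the host-side signals listed above (a crash of NUMS.exe / nsum.exe, or code running as 'NetShowServices') before concluding the attempt succeeded.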