CVE-2010-0478
published 2010-04-14CVE-2010-0478: Stack-based buffer overflow in nsum.exe in the Windows Media Unicast Service in Media Services for Microsoft Windows 2000 Server SP4 allows remote attackers to…
PriorityP269critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
66.96%
99.2th percentile
Stack-based buffer overflow in nsum.exe in the Windows Media Unicast Service in Media Services for Microsoft Windows 2000 Server SP4 allows remote attackers to execute arbitrary code via crafted packets associated with transport information, aka "Media Services Stack-based Buffer Overflow Vulnerability."
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
MMS seal: 0x20534d4d ("MMS ")bytes↗
Session ID magic: 0xb00bface
bytes↗
MMS command data prefix: 0xf0f0f0f0 (msg_id 0x30001) / 0xf0f0f0f1 (msg_id 0x30002)
- →Monitor for the NSPlayer/4.1.0.3928 subscriber string with GUID {68c0a090-8797-11d2-a2b3-00a0c9b60551} in MMS traffic on port 1755, used by the exploit's LinkViewerToMacConnect step. ↗
- →Detect unexpected termination or crash of NUMS.exe / nsum.exe on Windows 2000 Server SP4; the service does not restart automatically after exploitation or failed attempts. ↗
- →Watch for code executing under the 'NetShowServices' user account following MMS traffic to port 1755, which indicates successful exploitation. ↗
- →Flag MMS packets on port 1755 containing the SEH overwrite offsets (832 or 840 bytes into payload) combined with the p/p/r ROP gadget return address 0x75022ac4 from ws2help.dll. ↗
- ·Windows Media Services 4.1 is NOT installed by default on Windows 2000 Server; the attack surface only exists on systems where it has been explicitly installed. ↗
- ·The exploit targets a specific version (4.1.0.3930) of the Windows Media Unicast Service; detections tied to version strings should account for this exact version. ↗
- ·The service does not restart after exploitation or failed attempts, so absence of the service post-attack does not confirm successful code execution — it may simply reflect a crashed/killed service from an unsuccessful attempt. ↗
- ·The Metasploit payload excludes bad characters 0x00 and 0x5c; detection signatures based on shellcode byte patterns should account for these constraints. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
TrackerCam - PHP Argument Buffer Overflow (Metasploit)
exploitdb·2010-05-09
CVE-2005-0478 TrackerCam - PHP Argument Buffer Overflow (Metasploit)
TrackerCam - PHP Argument Buffer Overflow (Metasploit)
---
##
# $Id: trackercam_phparg_overflow.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'TrackerCam PHP Argument Buffer Overflow',
'Description' => %q{
This module exploits a simple stack buffer overflow in the
TrackerCam web server. All current versions of this software
are vulnerable to a large number of security issues. This
module abuses the directory traversal flaw to gain
information about the system and then uses the PHP overflow
to execute ar
Exploit-DB
Microsoft Windows Media Services - ConnectFunnel Stack Buffer Overflow (MS10-025) (Metasploit)
exploitdb·2010-04-28
CVE-2010-0478 Microsoft Windows Media Services - ConnectFunnel Stack Buffer Overflow (MS10-025) (Metasploit)
Microsoft Windows Media Services - ConnectFunnel Stack Buffer Overflow (MS10-025) (Metasploit)
---
##
# $Id: ms10_025_wmss_connect_funnel.rb 9166 2010-04-28 00:48:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'Windows Media Services ConnectFunnel Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Windows Media
Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially
crafted FunnelConnect request, an attacker can execute arbitrary code
under the "NetShowServices" user account. Windows Media
Metasploit
Windows Media Services ConnectFunnel Stack Buffer Overflow
metasploit
Windows Media Services ConnectFunnel Stack Buffer Overflow
Windows Media Services ConnectFunnel Stack Buffer Overflow
This module exploits a stack buffer overflow in the Windows Media Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially crafted FunnelConnect request, an attacker can execute arbitrary code under the "NetShowServices" user account. Windows Media Services 4.1 ships with Windows 2000 Server, but is not installed by default. NOTE: This service does NOT restart automatically. Successful, as well as unsuccessful exploitation attempts will kill the service which prevents additional attempts.
http://www.us-cert.gov/cas/techalerts/TA10-103A.htmlhttps://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-025https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7001http://www.us-cert.gov/cas/techalerts/TA10-103A.htmlhttps://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-025https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7001
2010-04-14
Published