CVE-2010-2743
published 2011-01-20


Priority: P2 (70, high)
CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitation: exploited in the wild (ITW); public exploit; listed in VulnCheck KEV
EPSS: 14.85% (96.3rd percentile)
The kernel-mode drivers in Microsoft Windows XP SP3 do not properly perform indexing of a function-pointer table during the loading of keyboard layouts from disk, which allows local users to gain privileges via a crafted application, as demonstrated in the wild in July 2010 by the Stuxnet worm, aka "Win32k Keyboard Layout Vulnerability." NOTE: this might be a duplicate of CVE-2010-3888 or CVE-2010-3889.

Detection & IOCs (extracted from sources)

  • command: NtUserLoadKeyboardLayoutEx( hFile, 0x01AE0160, NULL, hKbd, &uStr, 0x666, 0x101 )
  • path: %TEMP%\p0wns.boom
  • filename: p0wns.boom
  • filename: pwn3d.dll
  • other: VirtualAlloc address: 0x60630000
  • other: MAGIC_OFFSET: 0x6261
  • bytes (user-mode syscall stub: eax = syscall number 0x11c6, edx = 0x7ffe0300, the SystemCall pointer in KUSER_SHARED_DATA): mov eax, 000011c6h; mov edx, 7ffe0300h; call dword ptr [edx]; retn 1Ch
  • bytes (NOP padding around a `ret 0Ch`, i.e. C2 0C 00): \x90\x90\x90\x90\xC2\x0C\x00\x90\x90
  • Monitor calls to NtUserLoadKeyboardLayoutEx from user-mode processes that pass a file handle to a crafted or malformed layout DLL together with an implausible KLID (e.g., 0x666); this call is the exploitation vector for this CVE.
  • Detect creation of files with the .boom extension in the TEMP directory, in particular p0wns.boom, which is the malformed keyboard layout file the exploit drops.
  • Detect VirtualAlloc calls that request the fixed base address 0x60630000 with PAGE_EXECUTE_READWRITE; the exploit stages its ring 0 shellcode there. The fixed address is what makes this a usable indicator, since a benign allocator rarely asks for a specific base.
  • After loading the malformed layout, the exploit calls SendInput with a null virtual key (wVk = 0x0) to trigger shellcode execution; monitor for a null-wVk SendInput that follows a suspicious keyboard layout load in the same process.
  • The exploit targets Windows XP SP3 specifically: the NtUserLoadKeyboardLayoutEx syscall number 0x11c6 is hardcoded in the stub above and differs between Windows builds, so the same binary will not work on other Windows versions without modification. Detection that keys on the stub bytes is therefore XP SP3 specific; detection that keys on the API call, the file name and the allocation address is not.
  • CVE-2010-2743 may be a duplicate of CVE-2010-3888 or CVE-2010-3889; detection rules should reference all three CVEs to avoid coverage gaps in tooling that matches on CVE ID.
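The bullets above describe four indicators that individually are weak but together are distinctive. The following is an added example, not code from the original page or from any vendor detection rule, of correlating them per process over API-monitor telemetry. The log format (`pid=... api=... key=value`) and the sample lines are constructed for this example; the indicator values (KLID 0x666, the .boom file in TEMP, VirtualAlloc at 0x60630000 with PAGE_EXECUTE_READWRITE, SendInput with wVk = 0 after the layout load) are the ones listed on this page. Only the KLID set is an assumption to be extended from your own telemetry.

```python
"""Correlate CVE-2010-2743 exploitation indicators per process over API-monitor events."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). One event per line, key=value pairs.
# pid 1432 replays the exploit sequence from this page; pid 2201 is benign noise.
SAMPLE_LOG = """\
pid=1432 api=CreateFileW path=C:\\Users\\u\\AppData\\Local\\Temp\\p0wns.boom access=GENERIC_WRITE
pid=1432 api=VirtualAlloc addr=0x60630000 size=0x1000 protect=PAGE_EXECUTE_READWRITE
pid=1432 api=NtUserLoadKeyboardLayoutEx hfile=0x7c klid=0x666 flags=0x101
pid=1432 api=SendInput wVk=0x0
pid=2201 api=CreateFileW path=C:\\Users\\u\\AppData\\Local\\Temp\\report.tmp access=GENERIC_WRITE
pid=2201 api=NtUserLoadKeyboardLayoutEx hfile=0x0 klid=0x409 flags=0x0
pid=2201 api=SendInput wVk=0x41
"""

EVENT_RE = re.compile(r"(\w+)=(\S+)")

# Indicator values taken from the IOCs on this page.
STAGING_ADDR = 0x60630000
BOOM_EXT = ".boom"
# Assumption: 0x666 is the KLID seen in the wild; add other bogus KLIDs from your own data.
SUSPICIOUS_KLIDS = {0x666}


def parse_event(line):
    """Turn 'pid=1432 api=X k=v ...' into a dict; hex and decimal values become ints."""
    ev = {}
    for key, val in EVENT_RE.findall(line):
        if re.fullmatch(r"0x[0-9a-fA-F]+", val):
            ev[key] = int(val, 16)
        elif val.isdigit():
            ev[key] = int(val)
        else:
            ev[key] = val
    return ev


def indicators_for(events):
    """Walk one process's events in order and return the set of matched indicator names."""
    hits = set()
    layout_loaded = False  # ordering matters: null-wVk SendInput only counts after the load
    for ev in events:
        api = ev.get("api")
        if api == "CreateFileW":
            path = str(ev.get("path", "")).lower()
            if path.endswith(BOOM_EXT) and "\\temp\\" in path:
                hits.add("boom_file_in_temp")
        elif api == "VirtualAlloc":
            if ev.get("addr") == STAGING_ADDR and ev.get("protect") == "PAGE_EXECUTE_READWRITE":
                hits.add("rwx_stage_at_fixed_base")
        elif api == "NtUserLoadKeyboardLayoutEx":
            # A real layout file handle plus a bogus KLID is the vector described on this page.
            if ev.get("klid") in SUSPICIOUS_KLIDS and ev.get("hfile", 0) != 0:
                hits.add("layout_load_suspicious_klid")
                layout_loaded = True
        elif api == "SendInput":
            if layout_loaded and ev.get("wVk") == 0:
                hits.add("null_vk_after_layout_load")
    return hits


def analyze(log_text):
    """Group events by pid and evaluate the indicators for each process."""
    per_pid = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if "pid" in ev:
            per_pid[ev["pid"]].append(ev)
    return {pid: indicators_for(evs) for pid, evs in per_pid.items()}


def suspicious_pids(results, min_hits=2):
    """Alert only when the layout load is seen together with at least one more indicator."""
    return sorted(pid for pid, hits in results.items()
                  if "layout_load_suspicious_klid" in hits and len(hits) >= min_hits)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for pid in suspicious_pids(results):
        print(f"pid {pid}: {sorted(results[pid])}")
```

The alert condition requires the NtUserLoadKeyboardLayoutEx indicator plus at least one other, so a lone .boom file or a single fixed-base allocation does not fire on its own; raise `min_hits` if the layout-load indicator alone proves noisy on your hosts. Because the rule keys on API behaviour rather than on the XP SP3 syscall stub bytes, it still applies if the exploit is rebuilt for another build of the vulnerable driver.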

CVSS provenance

NVD: CVSS v2.0 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)
VulnCheck: 7.2 HIGH