CVE-2011-1248
published 2011-05-13

Priority: P268, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 47.57% (98.7th percentile)

WINS in Microsoft Windows Server 2003 SP2 and Server 2008 Gold, SP2, R2, and R2 SP1 does not properly handle socket send exceptions, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets, related to unintended stack-frame values and buffer passing, aka "WINS Service Failed Response Vulnerability."

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | windows_server_2008 | |

Detection & IOCs (extracted from sources)

url: http://aluigi.org/testz/udpsz.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15992.zip
command: udpsz -C 00140004 -b a -l 0 -T 0xffffffff SERVER 42 0x140008
filename: udpsz.zip

  • Monitor WINS service (TCP/UDP port 42) for connections sending extremely large volumes of data (approaching or exceeding 2 GB in a single or sustained session), which is the trigger condition for memory region allocation at 0x2c000000.
  • Detect crafted WINS packets where the first 32-bit field (max data block size) is set to values at or near 3,115,000 (0x2F8B38), keeping the connection open indefinitely without closure — indicative of exploit looping behavior.
  • Alert on RaiseException with ExceptionCode 0xE0000008 originating from wins.exe, which is the specific exception code raised during the vulnerable send-failure code path.
  • Look for WINS service crashes or access violations at or near address 0x2c000000 (EDI = 0x2c000000 or 0x61616161 in exploit PoC), indicating exploitation of the LeaveCriticalSection memory corruption primitive.
  • Inspect WINS traffic on port 42 for packets with the byte pattern 0x00140004 in the header (as used by the PoC tool's -C flag), which represents the crafted packet header triggering the vulnerability.
  • The exploit requires the attacker to be on the same network/intranet as the WINS server, as the service is intranet-facing. Remote exploitation from the internet is not the intended attack surface.
  • Exploitation time is highly dependent on the target machine's RAM: approximately 1 minute with 1 GB RAM, up to 10 minutes with 2 GB RAM, due to the need to allocate ~700 MB of memory to reach address 0x2c000000.
  • Affected versions are specifically Microsoft WINS Service 5.2.3790.4520 on Windows Server 2003 SP2 and Server 2008 Gold, SP2, R2, and R2 SP1.