CVE-2011-2013
published 2011-11-08


Priority: P271 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 33.75% (98.2th percentile)
Integer overflow in the TCP/IP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code by sending a sequence of crafted UDP packets to a closed port, aka "Reference Counter Overflow Vulnerability."

Affected

2 ranges

Vendor      Product               Version range   Fixed in
apache      httpd
microsoft   windows_server_2008

Detection & IOCs (extracted from sources)

command: ./winnuke2011 <target> <port>
filename: winnuke2011.c
filename: winnuke2011
  • Detect continuous high-rate UDP packet floods directed at a closed/non-listening port on Windows Vista/Server 2008/Windows 7 systems, which is the trigger condition for the reference counter integer overflow in the TCP/IP stack.
  • Monitor for exploitation of MS11-083 via sustained UDP traffic to closed ports; the PoC uses multiple threads each continuously sending UDP datagrams (SOCK_DGRAM/AF_INET) to the same destination port, which is anomalous and detectable via flow analysis.
  • The PoC spawns a concurrent ICMP ping loop alongside UDP flooding; correlate simultaneous ICMP echo and high-rate UDP traffic to the same target as a combined indicator of this exploit tool.
  • Affected platforms are specifically Windows Vista SP2, Windows Server 2008 SP2/R2/R2 SP1, and Windows 7 Gold/SP1 only; the TCP/IP integer overflow is in the kernel-level stack, so exploitation results in kernel-level code execution or BSOD on failed attempts.
  • Failed exploitation manifests as a denial-of-service condition rather than code execution; defenders should treat unexpected Windows kernel crashes (BSOD) on network-exposed systems as a potential exploitation indicator.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_apache             7.8     HIGH
vendor_redhat             1.9     LOW