cbcvebase.
CVE-2018-0833
published 2018-02-15


Priority: P3 · 43 · medium
CVSS 3.0: 5.3 (AV:N / AC:H / PR:L / UI:N / S:U / C:N / I:N / A:H)
Tags: EXPLOIT
EPSS: 40.64% (98.5th percentile)
The Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client in Windows 8.1 and RT 8.1 and Windows Server 2012 R2 allows a denial of service vulnerability due to how specially crafted requests are handled, aka "SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability".

Affected (6 ranges; no version range or fixed-in version is given on the page)

Vendor                | Product                          | Version range | Fixed in
microsoft             | windows_server_2012              |               |
microsoft_corporation | server_message_block             |               |
msrc                  | windows_8.1_for_32-bit_systems   |               |
msrc                  | windows_8.1_for_x64-based_systems|               |
msrc                  | windows_rt_8.1                   |               |
msrc                  | windows_server_2012_r2           |               |

Detection & IOCs (extracted from sources)

port: 445
bytes (rule content: the SMB2 TRANSFORM_HEADER ProtocolId FD 53 4D 42 followed by the PoC's 32 bytes of 0x41 filler):
FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
snort/suricata rule (ET sid:2025983):
alert tcp-pkt any 445 -> $HOME_NET any (msg:"ET EXPLOIT SMB Null Pointer Dereference PoC Inbound (CVE-2018-0833)"; flow:established,to_client; content:"|FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; offset:4; reference:url,krbtgt.pw/smbv3-null-pointer-dereference-vulnerability/; reference:cve,2018-0833; classtype:attempted-admin; sid:2025983; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, cve CVE_2018_0833, deployment Internal, confidence High, signature_severity Major, updated_at 2024_03_07;)
bytes (full PoC message as sent on the wire: 4-byte NetBIOS session header 00 00 00 EC, then the \xfdSMB message):
000000ecfd534d4241414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
  • The malicious payload is delivered FROM port 445 TO the SMB client (server-to-client direction): monitor inbound SMB responses, not just outbound requests.
  • The PoC message begins with FD 53 4D 42 (\xfdSMB) at offset 4 of the TCP payload, i.e. immediately after the 4-byte NetBIOS session header. Plaintext SMB2/3 messages use FE 53 4D 42 (\xfeSMB); FD 53 4D 42 is the ProtocolId of the SMB2 TRANSFORM_HEADER that carries SMB 3.x encrypted messages, so the four magic bytes alone are not an indicator (legitimate encrypted SMB 3.x sessions use them too). The ET rule therefore matches the ProtocolId followed by the PoC's 32 bytes of 0x41 filler, which also means a PoC variant with different filler evades it.
  • The attacker stands up a rogue TCP server on port 445 and waits for SMB client connections; delivery vectors include redirectors and injected HTML links that force the client to connect.
  • Successful exploitation leaves the target completely unresponsive (BSoD from a kernel null-pointer dereference in the SMB client); a sudden system freeze right after an outbound SMB connection to an untrusted host is a strong indicator.
  • The rule is written in Suricata syntax (tcp-pkt, matching on individual packets rather than the reassembled stream). Its "deployment Internal" metadata is a placement recommendation, not a scope restriction: the rule fires wherever a response from port 445 to a $HOME_NET client passes a sensor. Make sure $HOME_NET covers client subnets and that internal monitoring points can see responses from rogue servers inside the network, since outbound 445 is often blocked at the perimeter.
  • The byte-content match uses offset:4, so the search starts 4 bytes into the TCP payload, just past the NetBIOS session header that direct-hosted SMB over TCP/445 always carries. A sensor or proxy that strips or re-frames that header before inspection, or a PoC message that is not at the start of the packet payload, will not match.
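The checks described in the bullets above, as an added example that is not the page's own tooling or the ET rule itself: it splits a port-445 byte stream into NetBIOS-framed SMB messages, replicates what sid:2025983 matches (transform ProtocolId plus 32 bytes of 0x41, server-to-client only), and goes one step further than the rule by validating the SMB2 TRANSFORM_HEADER fields (MS-SMB2 2.2.41) so that a filler-changed variant is still flagged while a well-formed encrypted SMB 3.x message is not. The sample segments are constructed, not captures; the PoC sample mirrors the shape of the page's IOC (NetBIOS length 0xEC, \xfdSMB, 0x41 fill).

```python
"""Offline SMB-over-TCP inspection for the CVE-2018-0833 PoC shape.
Added example; not the page's own code or the ET rule itself."""
import struct

# ProtocolId values that start an SMB message (MS-CIFS 2.2.3.1, MS-SMB2 2.2.1 / 2.2.41 / 2.2.42)
PROTOCOL_IDS = {
    b"\xffSMB": "SMB1",
    b"\xfeSMB": "SMB2/3 header",
    b"\xfdSMB": "SMB2 TRANSFORM_HEADER (encrypted SMB 3.x)",
    b"\xfcSMB": "SMB2 COMPRESSION_TRANSFORM_HEADER (SMB 3.1.1)",
}
# Exactly what sid:2025983 looks for after the NetBIOS header: ProtocolId + 32 x 0x41
ET_PATTERN = b"\xfdSMB" + b"\x41" * 32
TRANSFORM_HEADER_LEN = 52  # MS-SMB2 2.2.41: 4 + 16 + 16 + 4 + 2 + 2 + 8 bytes


def split_netbios_messages(payload):
    """Yield (type, declared_length, body) for each message in a direct-TCP (445)
    byte stream. Every message is preceded by a 4-byte NetBIOS Session Service
    header: 1 byte type (0x00 = session message) + 3-byte big-endian length."""
    off = 0
    while off + 4 <= len(payload):
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        yield msg_type, length, payload[off + 4:off + 4 + length]
        if length == 0:  # do not spin on a zero-length header
            break
        off += 4 + length


def transform_header_anomalies(body):
    """Structural checks on a TRANSFORM_HEADER. The PoC fills every field with 0x41,
    so OriginalMessageSize (offset 36) claims far more ciphertext than is present and
    the Flags/EncryptionAlgorithm field (offset 42) is not the only defined value 0x0001."""
    if len(body) < TRANSFORM_HEADER_LEN:
        return ["truncated transform header"]
    anomalies = []
    (orig_size,) = struct.unpack_from("<I", body, 36)
    (flags,) = struct.unpack_from("<H", body, 42)
    ciphertext_len = len(body) - TRANSFORM_HEADER_LEN
    if orig_size != ciphertext_len:
        anomalies.append("OriginalMessageSize %d != %d ciphertext bytes present" % (orig_size, ciphertext_len))
    if flags != 0x0001:
        anomalies.append("Flags/EncryptionAlgorithm 0x%04x is not 0x0001" % flags)
    return anomalies


def inspect(payload, src_port, to_client):
    """Return one finding per NetBIOS-framed message in a TCP segment payload.
    et_signature mirrors the rule (from port 445, to the client, content right after
    the NetBIOS header); anomalies are the broader structural check."""
    findings = []
    for _msg_type, length, body in split_netbios_messages(payload):
        proto = body[:4]
        finding = {
            "kind": PROTOCOL_IDS.get(proto, "not SMB"),
            "declared_len": length,
            "actual_len": len(body),
            "et_signature": False,
            "anomalies": [],
        }
        if src_port == 445 and to_client and body.startswith(ET_PATTERN):
            finding["et_signature"] = True
        if proto == b"\xfdSMB":
            finding["anomalies"] = transform_header_anomalies(body)
        findings.append(finding)
    return findings


def netbios(body):
    """Wrap one SMB message in a NetBIOS Session Service header (type 0x00)."""
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed samples (not captures).
# PoC shape from the page's IOC: NetBIOS length 0xEC = 236, then \xfdSMB and 0x41 fill.
POC_FROM_SERVER = netbios(b"\xfdSMB" + b"\x41" * 232)
# Benign plaintext SMB2 message: \xfeSMB, StructureSize 64, remaining header zeroed.
BENIGN_SMB2 = netbios(b"\xfeSMB" + b"\x40\x00" + b"\x00" * 58)
# Well-formed transform header with 16 bytes of dummy ciphertext: evades the ET
# pattern and passes the structural checks, as real encrypted SMB 3.x traffic would.
_ciphertext = b"\x5a" * 16
WELL_FORMED_TRANSFORM = netbios(
    b"\xfdSMB" + b"\x00" * 16 + b"\x11" * 16            # ProtocolId, Signature, Nonce
    + struct.pack("<I", len(_ciphertext)) + b"\x00\x00"  # OriginalMessageSize, Reserved
    + struct.pack("<H", 0x0001) + b"\x01" * 8            # Flags, SessionId
    + _ciphertext
)

if __name__ == "__main__":
    for name, seg in (("poc", POC_FROM_SERVER), ("benign", BENIGN_SMB2),
                      ("transform", WELL_FORMED_TRANSFORM)):
        print(name, inspect(seg, 445, True))
```

The PoC sample trips both the rule-equivalent match and the structural checks, the well-formed transform message trips neither, and the PoC sent in the client-to-server direction is not matched by the rule-equivalent (as with the real rule) but still shows the header anomalies, which is the check to keep if you want direction-independent coverage.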

CVSS provenance

Source      | Version | Score | Severity | Vector
nvd         | 3.0     | 5.3   | MEDIUM   | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd         | 2.0     | 6.3   | MEDIUM   | AV:N/AC:M/Au:S/C:N/I:N/A:C
vendor_msrc |         | 4.8   | MEDIUM   | (no vector given)