CVE-1999-0716

Windows NT 4.0 - Buffer Overflow via Malformed Help File

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-1999-0716. PoCs published by David Litchfield.

AI-analyzed exploit summary: This exploit leverages a buffer overflow in the Windows NT Help utility (winhlp32.exe) by creating a malicious .cnt file with an overly long heading string. The exploit code includes shellcode to add a new administrator account and is designed to run on Windows NT 4.0 SP4.

Description

Buffer overflow in Windows NT 4.0 help file utility via a malformed help file.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by David Litchfield · c · local · windows
https://www.exploit-db.com/exploits/19209

Classification
Working PoC: 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows NT 4.0 SP4 (winhlp32.exe)
No auth needed
Prerequisites: Access to the %SystemRoot%\help directory or the ability to place the malicious .cnt file in the execution directory of the Help utility
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Vendor Advisory · vendor-advisory · x_refsource_mskb
http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ231605

Scores

EPSS: 0.0312
EPSS Percentile: 86.1%

Details

Status: published
Products (3)
microsoft/windows_2000
microsoft/windows_nt
microsoft/windows_nt 4.0
Published: May 17, 1999
Tracked Since: Feb 18, 2026