CVE-2001-0241

Windows 2000 - Buffer Overflow in Internet Printing ISAPI Extension

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 8 public exploits for CVE-2001-0241. PoCs published by Metasploit, styx, dark spyrit, including Metasploit module exploits/windows/iis/ms01_023_printer.

AI-analyzed exploit summary This exploit targets a buffer overflow in the Internet Printing Protocol ISAPI module in Microsoft IIS 5.0 on Windows 2000 SP0-SP1. It leverages a malformed Host header to execute arbitrary code via a crafted HTTP request.

Description

Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.

Exploits (8)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16469

This exploit targets a buffer overflow in the Internet Printing Protocol ISAPI module in Microsoft IIS 5.0 on Windows 2000 SP0-SP1. It leverages a malformed Host header to execute arbitrary code via a crafted HTTP request.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 5.0 on Windows 2000 SP0-SP1
No auth needed
Prerequisites: Network access to target IIS server · IIS 5.0 with Internet Printing Protocol enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb SCANNER VERIFIED
by styx · cremotewindows
https://www.exploit-db.com/exploits/20817

This code is a scanner for CVE-2001-0241, which exploits a buffer overflow in the Windows 2000 Internet Printing ISAPI extension (msw3prt.dll). It sends a crafted HTTP request with an oversized 'Host:' field to check for vulnerability.

Classification
Scanner 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Windows 2000 Internet Printing ISAPI extension (msw3prt.dll)
No auth needed
Prerequisites: Network access to the target server · Target server running Windows 2000 with Internet Printing enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by dark spyrit · cremotewindows
https://www.exploit-db.com/exploits/268

This exploit targets a buffer overflow vulnerability in IIS 5 via a malformed .printer request. It overwrites an exception frame to control EIP and execute shellcode, which spawns a reverse shell to the attacker's specified host and port.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 5.0
No auth needed
Prerequisites: Network access to the target IIS server · Listener set up on the attacker's machine to receive the reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Ryan Permeh · cremotewindows
https://www.exploit-db.com/exploits/266

This exploit targets a buffer overflow in the .printer ISAPI filter of unpatched Windows 2000 systems. It uses a crafted Host header to trigger the overflow and execute shellcode, creating a file on the target's C: drive as proof of exploitation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 5.0 (Windows 2000 SP0 and SP1)
No auth needed
Prerequisites: Unpatched Windows 2000 with .printer ISAPI filter loaded · Network access to the target's IIS service
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Cyrus The Great · textremotewindows
https://www.exploit-db.com/exploits/20818

The exploit describes a buffer overflow vulnerability in Windows 2000's Internet printing ISAPI extension (msw3prt.dll). A maliciously crafted HTTP .printer request with an oversized 'Host:' field (~420 bytes) can trigger arbitrary code execution. The server may restart automatically, obscuring the attack.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Windows 2000 Internet Printing ISAPI Extension (msw3prt.dll)
No auth needed
Prerequisites: Windows 2000 with Internet Printing enabled · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by dark spyrit · cremotewindows
https://www.exploit-db.com/exploits/20816

This exploit targets a buffer overflow vulnerability in the Windows 2000 Internet Printing ISAPI extension (msw3prt.dll) via a maliciously crafted HTTP .printer request with an oversized 'Host:' field (~420 bytes). It includes shellcode for arbitrary code execution, leveraging a reverse shell payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Windows 2000 Internet Printing ISAPI extension (msw3prt.dll)
No auth needed
Prerequisites: Network access to vulnerable Windows 2000 server with Internet Printing enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by storm · perlremotewindows
https://www.exploit-db.com/exploits/20815

This exploit targets a buffer overflow vulnerability in the Windows 2000 Internet Printing ISAPI extension (msw3prt.dll) via a maliciously crafted HTTP request with an oversized 'Host:' field. It sends a long string of 'A's to trigger the overflow, potentially allowing arbitrary code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Windows 2000 IIS 5.0 with Internet Printing Protocol
No auth needed
Prerequisites: Network access to the target IIS server · Internet Printing Protocol enabled on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
by hdm · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/iis/ms01_023_printer.rb

This Metasploit module exploits a buffer overflow in the Internet Printing Protocol ISAPI module in IIS 5.0 on Windows 2000 SP0-SP1. It leverages a malformed Host header to trigger a stack-based overflow, leading to remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 5.0 on Windows 2000 SP0-SP1
No auth needed
Prerequisites: Network access to the target IIS server · IIS 5.0 with Internet Printing Protocol enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/2674
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1068
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/3323
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/6485
US Government Resource third-party-advisory x_refsource_cert
http://www.cert.org/advisories/CA-2001-10.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=98874912915948&w=2

Scores

EPSS 0.8570
EPSS Percentile 99.7%

Details

Status published
Products (1)
microsoft/windows_2000
Published Jun 27, 2001
Tracked Since Feb 18, 2026