CVE-2003-0003

Microsoft Windows NT and Windows 2000 Terminal Services - Local Buffer Overflow via RPC Locator Service


Exploitation Summary

EIP tracks 2 public exploits for CVE-2003-0003. PoCs published by Marcin Wolak, David Litchfield.

AI-analyzed exploit summary: This exploit targets CVE-2003-0003, a buffer overflow vulnerability in the RPC Locator service on Windows 2000 SP3 and Windows NT 4.0 SP6a. It crafts a malicious RPC request to execute arbitrary shellcode, providing a remote command shell on port 5151.

Description

Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Marcin Wolak · c · remote · windows
https://www.exploit-db.com/exploits/5

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000 SP3, Windows NT 4.0 SP6a (RPC Locator Service)
No auth needed
Prerequisites: Null session access to target (IPC$ share) · Registry modifications on attacker's machine · RPC Locator service running on target
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by David Litchfield · text · remote · windows
https://www.exploit-db.com/exploits/22194

The provided text describes a buffer overflow vulnerability in the Microsoft Windows Locator service (CVE-2003-0003), which allows remote code execution without authentication. The exploit details are referenced but no actual exploit code is included in the snippet.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Microsoft Windows Locator service (Windows 2000, Windows NT Domain Controllers)
No auth needed
Prerequisites: Network access to the target service · Locator service enabled on the target
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Third Party Advisory mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=104394414713415&w=2
Third Party Advisory vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A103
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/11132
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/6666
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/610986
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.cert.org/advisories/CA-2003-03.html
Third Party Advisory mailing-list x_refsource_ntbugtraq
http://marc.info/?l=ntbugtraq&m=104393588232166&w=2

Scores

EPSS 0.4339
EPSS Percentile 98.6%

Details

Status published
Products (4)
microsoft/windows_2000 (4 CPE variants)
microsoft/windows_2000_terminal_services (4 CPE variants)
microsoft/windows_nt 4.0 (32 CPE variants)
microsoft/windows_xp (5 CPE variants)
Published Feb 07, 2003
Tracked Since Feb 18, 2026