CVE-2003-0533

EXPLOITED

Microsoft Windows - Buffer Overflow


Exploitation Summary

CVE-2003-0533 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, houseofdabus, and sbaa, among them the Metasploit module exploits/windows/smb/ms04_011_lsass.

AI-analyzed exploit summary: This is a Metasploit module exploiting a stack buffer overflow in the Microsoft LSASS service (CVE-2003-0533). It targets Windows 2000 and XP by sending a maliciously crafted DCERPC request to achieve remote code execution.

Description

Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16368

This is a Metasploit module exploiting a stack buffer overflow in the Microsoft LSASS service (CVE-2003-0533). It targets Windows 2000 and XP by sending a maliciously crafted DCERPC request to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows LSASS service (Windows 2000, Windows XP)
No auth needed
Prerequisites: Network access to target · LSASS service exposed
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by houseofdabus · c · remote · windows
https://www.exploit-db.com/exploits/295

This is a remote exploit for CVE-2003-0533, targeting a buffer overflow in Lsasrv.dll via RPC. It includes shellcode for both reverse and bind shells, and supports multiple Windows versions (XP, 2000).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (XP, 2000) with vulnerable Lsasrv.dll
No auth needed
Prerequisites: Network access to target · RPC service exposed on port 445
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by sbaa · c · remote · windows
https://www.exploit-db.com/exploits/293

This exploit targets a buffer overflow vulnerability in Lsasrv.dll (CVE-2003-0533) via RPC, allowing remote code execution on Windows 2000 and XP systems. It uses shellcode to establish a reverse shell connection to a specified IP and port.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000 (SP3/SP4), Windows XP (SP1)
No auth needed
Prerequisites: Network access to target · RPC service exposed
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by hdm · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms04_011_lsass.rb

This Metasploit module exploits a stack buffer overflow in the Microsoft LSASS service (CVE-2003-0533) via a crafted DCERPC request. It includes target-specific payload handling for Windows 2000 and XP, leveraging return addresses and NOP sleds to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000, Windows XP (LSASS service)
No auth needed
Prerequisites: Network access to target · LSASS service exposed via SMB/DCERPC
devstral-2 · analyzed Feb 19, 2026

References (12)

Core References
Third Party Advisory, US Government Resource third-party-advisory government-resource x_refsource_ciac
http://www.ciac.org/ciac/bulletins/o-114.shtml
Various Sources third-party-advisory x_refsource_eeye
http://www.eeye.com/html/Research/Advisories/AD20040413C.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/15699
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA04-104A.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=108325860431471&w=2
Mailing List mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020069.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A919
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A898
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A883
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10108
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/753212

Scores

EPSS 0.8900
EPSS Percentile 99.5%

Details

VulnCheck KEV 2004-05-13
Status published
Products (7)
microsoft/netmeeting
microsoft/windows_2000 (2 CPE variants)
microsoft/windows_2003_server r2
microsoft/windows_98
microsoft/windows_me
microsoft/windows_nt 4.0 sp6a
microsoft/windows_xp
Published Jun 01, 2004
Tracked Since Feb 18, 2026