CVE-2003-0818

Microsoft Windows NT 4.0, 2000, 2003 Server - Remote Code Execution via ASN.1 BER Length Field Overflow


Exploitation Summary

EIP tracks 4 public exploits for CVE-2003-0818. PoCs were published by Metasploit, Solar Eclipse, and Christophe Devine, including the Metasploit module exploits/windows/smb/ms04_007_killbill.

AI-analyzed exploit summary: This is a Metasploit module exploiting CVE-2003-0818, a heap overflow in the Microsoft ASN.1 library's bitstring decoding. It targets Windows 2000 and XP systems, delivering a payload via SMB or HTTP that crashes LSASS and may require a reboot.

Description

Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16377

This is a Metasploit module exploiting CVE-2003-0818, a heap overflow in the Microsoft ASN.1 library's bitstring decoding. It targets Windows 2000 and XP systems, delivering a payload via SMB or HTTP that crashes LSASS and may require a reboot.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft ASN.1 Library (MS04-007)
No auth needed
Prerequisites: Network access to target · Vulnerable ASN.1 library on target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Solar Eclipse · text · remote · windows
https://www.exploit-db.com/exploits/3022

This exploit targets CVE-2005-1935 (MS04-007), a vulnerability in Microsoft ASN.1 library allowing remote code execution. The provided code is a reference to a tar.gz file containing the exploit, likely a binary or script.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft ASN.1 Library (affecting Windows 2000, XP, Server 2003)
No auth needed
Prerequisites: Network access to vulnerable system · Vulnerable ASN.1 library version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Christophe Devine · c · dos · windows
https://www.exploit-db.com/exploits/153

This exploit targets CVE-2003-0818 (MS04-007) by sending a malformed Session Setup AndX Request to trigger a buffer overflow in LSASS.EXE on Windows 2000, causing a denial-of-service (DoS) condition and system reboot.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000 (LSASS.EXE)
No auth needed
Prerequisites: Network access to target's SMB port (139 or 445) · Target must be running Windows 2000
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC LOW
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms04_007_killbill.rb

This is a functional exploit for CVE-2003-0818, targeting a heap overflow in the Microsoft ASN.1 library. It leverages a crafted SPNEGO token to trigger the vulnerability, leading to remote code execution on vulnerable Windows systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Microsoft ASN.1 Library (Windows 2000 SP2-SP4, Windows XP SP0-SP1)
No auth needed
Prerequisites: Network access to the target system · SMB or HTTP service exposed
devstral-2 · analyzed Feb 19, 2026

References (12)

Core References
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/583108
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA04-041A.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A653
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=107643836125615&w=2
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=107643892224825&w=2
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A799
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A796
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/216324
Mailing List mailing-list x_refsource_ntbugtraq
http://marc.info/?l=ntbugtraq&m=107650972723080&w=2
Mailing List mailing-list x_refsource_ntbugtraq
http://marc.info/?l=ntbugtraq&m=107650972617367&w=2
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A797

Scores

EPSS 0.8224
EPSS Percentile 99.6%

Details

Status published
Products (8)
microsoft/windows_2000 (4 CPE variants)
microsoft/windows_2003_server enterprise
microsoft/windows_2003_server enterprise_64-bit
microsoft/windows_2003_server r2 (2 CPE variants)
microsoft/windows_2003_server standard
microsoft/windows_2003_server web
microsoft/windows_nt 4.0 (23 CPE variants)
microsoft/windows_xp (5 CPE variants)
Published Mar 03, 2004
Tracked Since Feb 18, 2026