CVE-2004-0206

Microsoft Windows NetDDE - Remote Code Execution via Malicious Message


Exploitation Summary

EIP tracks 3 public exploits for CVE-2004-0206. PoCs published by Metasploit, houseofdabus, pusscat, including Metasploit module exploits/windows/smb/ms04_031_netdde.

AI-analyzed exploit summary: This exploit targets a stack buffer overflow in the Microsoft NetDDE service (CVE-2004-0206) on Windows 2000 SP4 and XP SP0. It leverages DCERPC to trigger the vulnerability and execute arbitrary payloads via a crafted overflow chunk.

Description

Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allow attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16371

This exploit targets a stack buffer overflow in the Microsoft NetDDE service (CVE-2004-0206) on Windows 2000 SP4 and XP SP0. It leverages DCERPC to trigger the vulnerability and execute arbitrary payloads via a crafted overflow chunk.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft NetDDE Service (Windows 2000 SP4, XP SP0)
Auth required
Prerequisites: Network access to target · Valid SMB credentials · NetDDE service running on target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by houseofdabus · c · remote · windows
https://www.exploit-db.com/exploits/734

This is a proof-of-concept exploit for CVE-2004-0206, targeting a buffer overflow in NetDDE services. It includes shellcode for both port binding and connect-back payloads, demonstrating remote code execution capabilities.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows NetDDE services (Windows XP, Windows 2000)
No auth needed
Prerequisites: NetDDE services must be manually started on the target system
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by pusscat · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms04_031_netdde.rb

This Metasploit module exploits a stack buffer overflow in the NetDDE service (CVE-2004-0206) by sending a maliciously crafted DCERPC request to the 'nddeapi' pipe, leading to remote code execution on vulnerable Windows systems (pre-XP SP1). The exploit leverages a known return address (0x77e56f43) and includes a payload with specific bad character restrictions.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows NetDDE Service (pre-Windows XP SP1, including Windows 2000 SP4)
Auth required
Prerequisites: Network access to the target · Valid SMB credentials for authentication · NetDDE service running on the target
devstral-2 · analyzed Feb 19, 2026

References (14)

Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=109786703930674&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/17657
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2394
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4592
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11372
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/640488
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3120
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1852
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/12803/
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16556
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5074
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6788
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3242

Scores

EPSS 0.7466
EPSS Percentile 99.4%

Details

Status published
Products (5)
microsoft/windows_2000
microsoft/windows_2003_server r2
microsoft/windows_98
microsoft/windows_nt 4.0
microsoft/windows_xp
Published Nov 03, 2004
Tracked Since Feb 18, 2026