CVE-2004-1134

Microsoft w3who.dll - Buffer Overflow via Long Query String

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2004-1134. PoCs published by Metasploit, hdm, including Metasploit module exploits/windows/isapi/w3who_query.

AI-analyzed exploit summary This is a Metasploit module exploiting a stack buffer overflow in the w3who.dll ISAPI application (CVE-2004-1134). It targets Windows 2000 and XP by sending a maliciously crafted query string to trigger remote code execution.

Description

Buffer overflow in the Microsoft W3Who ISAPI (w3who.dll) allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long query string.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/16354

View Code ZIP pw:eip

This is a Metasploit module exploiting a stack buffer overflow in the w3who.dll ISAPI application (CVE-2004-1134). It targets Windows 2000 and XP by sending a maliciously crafted query string to trigger remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft IIS with w3who.dll ISAPI extension

No auth needed

Prerequisites: Vulnerable IIS server with w3who.dll exposed · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GOOD

by hdm · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/isapi/w3who_query.rb

View Code ZIP pw:eip

This Metasploit module exploits a stack buffer overflow in Microsoft IIS's w3who.dll ISAPI application (CVE-2004-1134). It targets Windows 2000 and XP by sending a maliciously crafted query string to trigger remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft IIS with w3who.dll (Windows 2000/XP)

No auth needed

Prerequisites: Vulnerable IIS server with w3who.dll exposed · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Mailing List mailing-list x_refsource_fulldisc

http://marc.info/?l=full-disclosure&m=110234486823233&w=2

Various Sources x_refsource_misc

http://www.exaprobe.com/labs/advisories/esa-2004-1206.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/18377

Scores

EPSS 0.7233

EPSS Percentile 99.4%

Details

Status published

Products (1)

microsoft/w3who.dll

Published Jan 10, 2005

Tracked Since Feb 18, 2026