CVE-2005-0047

Windows 2000, XP, and Server 2003 - Remote Code Execution via COM Structured Storage

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2005-0047. PoCs published by Cesar Cerrudo.

AI-analyzed exploit summary This exploit targets CVE-2005-0047, a COM Structured Storage vulnerability in Microsoft Windows. It manipulates the Windows Installer service to overwrite a shared section in memory, injecting shellcode to execute arbitrary commands with elevated privileges.

Description

Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED

by Cesar Cerrudo · clocalwindows

https://www.exploit-db.com/exploits/1019

View Code ZIP pw:eip

This exploit targets CVE-2005-0047, a COM Structured Storage vulnerability in Microsoft Windows. It manipulates the Windows Installer service to overwrite a shared section in memory, injecting shellcode to execute arbitrary commands with elevated privileges.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Microsoft Windows (Win2k SP4, WinXP SP2, Win2k3 SP0)

No auth needed

Prerequisites: Windows Installer service running · Specific MSI package to trigger the vulnerability

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (10)

Core 10

Core References

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A901

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1159

Patch, US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/cas/techalerts/TA05-039A.html

Various Sources x_refsource_misc

http://www.argeniss.com/research/SSExploit.c

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-012

Mailing List mailing-list x_refsource_bugtraq

http://marc.info/?l=bugtraq&m=111755870828817&w=2

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2351

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/19105

Patch, US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/597889

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2892

Scores

EPSS 0.0444

EPSS Percentile 90.2%

Details

Status published

Products (7)

microsoft/windows_2000 (5 CPE variants)

microsoft/windows_2003_server enterprise

microsoft/windows_2003_server enterprise_64-bit

microsoft/windows_2003_server r2 (2 CPE variants)

microsoft/windows_2003_server standard

microsoft/windows_2003_server web

microsoft/windows_xp (10 CPE variants)

Published May 02, 2005

Tracked Since Feb 18, 2026