CVE-2005-2120

Microsoft Windows 2000 SP4 and XP SP1-SP2 - Stack-Based Buffer Overflow in Plug and Play Service via Registry Key Name

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2005-2120. PoCs were published by Winny Thomas, anonymous, and hdm, including the Metasploit module auxiliary/dos/windows/smb/ms05_047_pnp.

AI-analyzed exploit summary: This exploit triggers a denial-of-service (DoS) in Microsoft's UMPNPMGR.dll by sending a malformed PNP_GetDeviceList request with an excessively long path, causing services.exe to crash. It follows a multi-step SMB/DCE-RPC negotiation process to reach the vulnerable function.

Description

Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Winny Thomas · cdoswindows
https://www.exploit-db.com/exploits/1271

Classification
Working Poc 95%
Attack Type
DoS
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows (UMPNPMGR.dll in services.exe)
No auth needed
Prerequisites: Network access to target's SMB port (445/TCP)
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by anonymous · cdoswindows
https://www.exploit-db.com/exploits/1269

This exploit targets CVE-2005-2120, a buffer overflow vulnerability in the Windows Plug and Play service. It uses a malformed RPC request to trigger the overflow, potentially leading to remote code execution.

Classification
Working Poc 90%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows Plug and Play Service (Windows 2000, XP, Server 2003)
No auth needed
Prerequisites: Network access to the target system · Target system running vulnerable Windows version
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC
by hdm · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb

This Metasploit module exploits a stack buffer overflow in the Windows Plug and Play service (MS05-047) via a maliciously crafted DCERPC request, leading to a denial-of-service (reboot) on Windows 2000. Code execution is possible under specific memory conditions.

Classification
Working Poc 95%
Attack Type
DoS
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows 2000 Plug and Play Service
No auth needed
Prerequisites: Network access to SMB service · Target running Windows 2000
devstral-2 · analyzed Feb 16, 2026

References (15)

Core References
Third Party Advisory [third-party-advisory, x_refsource_sreason]: http://securityreason.com/securityalert/71
Exploit, Patch [vdb-entry, x_refsource_bid]: http://www.securityfocus.com/bid/15065
Patch, Vendor Advisory [third-party-advisory, x_refsource_secunia]: http://secunia.com/advisories/17166
Third Party Advisory [third-party-advisory, x_refsource_secunia]: http://secunia.com/advisories/17223
Third Party Advisory, VDB Entry [vdb-entry, signature, x_refsource_oval]: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1244
Patch [vdb-entry, x_refsource_sectrack]: http://securitytracker.com/id?1015042
Patch, Vendor Advisory [third-party-advisory, x_refsource_eeye]: http://www.eeye.com/html/research/advisories/AD20051011c.html
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_osvdb]: http://www.osvdb.org/18830
Third Party Advisory [third-party-advisory, x_refsource_secunia]: http://secunia.com/advisories/17172
Third Party Advisory, US Government Resource [third-party-advisory, x_refsource_cert-vn]: http://www.kb.cert.org/vuls/id/214572
Third Party Advisory, VDB Entry [vdb-entry, signature, x_refsource_oval]: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1328
Third Party Advisory, VDB Entry [vdb-entry, signature, x_refsource_oval]: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1519
Third Party Advisory, US Government Resource [third-party-advisory, x_refsource_cert]: http://www.us-cert.gov/cas/techalerts/TA05-284A.html

Scores

EPSS 0.7572
EPSS Percentile 98.9%

Details

Status published
Products (2)
microsoft/windows_2000
microsoft/windows_xp (2 CPE variants)
Published Oct 13, 2005
Tracked Since Feb 18, 2026