CVE-2006-3942

Microsoft Windows NT 4.0, 2000, XP, Server 2003 - Denial of Service via Malformed SMB Transaction String


Exploitation Summary

EIP tracks 3 public exploits for CVE-2006-3942. PoCs were published by cocoruder and hdm, including the Metasploit module auxiliary/dos/windows/smb/ms06_063_trans.

AI-analyzed exploit summary: This exploit targets CVE-2006-1315, a memory corruption vulnerability in Microsoft SRV.SYS via malformed SMB requests. It sends a sequence of crafted SMB packets (Negotiate, Session Setup, Tree Connect, and Trans Request) to trigger the vulnerability, potentially leading to remote code execution.

Description

The server driver (srv.sys) in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service (system crash) via an SMB_COM_TRANSACTION SMB message that contains a string without null character termination, which leads to a NULL dereference in the ExecuteTransaction function, possibly related to an "SMB PIPE," aka the "Mailslot DOS" vulnerability. NOTE: the name "Mailslot DOS" was derived from incomplete initial research; the vulnerability is not associated with a mailslot.

Exploits (3)

exploitdb WORKING POC VERIFIED
by cocoruder · c · dos · windows
https://www.exploit-db.com/exploits/2057

This exploit targets CVE-2006-1315, a memory corruption vulnerability in Microsoft SRV.SYS via malformed SMB requests. It sends a sequence of crafted SMB packets (Negotiate, Session Setup, Tree Connect, and Trans Request) to trigger the vulnerability, potentially leading to remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (SRV.SYS in MS06-035)
No auth needed
Prerequisites: Network access to target SMB port (typically 445) · Vulnerable Windows system (pre-MS06-035 patch)
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC
by hdm · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb

This Metasploit module exploits a NULL pointer dereference flaw in the SRV.SYS driver of Windows, causing a denial-of-service (DoS) condition by sending malformed SMB transaction requests. It targets the vulnerability described in MS06-063 and CVE-2006-3942.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows SRV.SYS driver (affected versions include Windows 2000, XP, and Server 2003)
No auth needed
Prerequisites: Network access to the target's SMB service (port 445)
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by hdm · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb

This exploit triggers a kernel pool corruption in Microsoft SRV.SYS via a mailslot write function, causing a slow corruption of kernel memory by writing two bytes (\xff\xff) into the response packet. It is a denial-of-service (DoS) exploit that crashes the service by repeatedly sending increasingly large payloads to the mailslot.

Classification: Working PoC 100%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows (SRV.SYS, affected by MS06-035)
No auth needed
Prerequisites: Network access to the target's SMB service · SMB service running on the target
devstral-2 · analyzed Feb 16, 2026

References (14)

Core References
Various Sources third-party-advisory x_refsource_iss
http://xforce.iss.net/xforce/alerts/id/231
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3037
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/archive/1/449179/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/443287/100/200/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19215
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016606
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21276
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017035
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/27644
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27999
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A428

Scores

EPSS 0.8620
EPSS Percentile 99.4%

Details

CWE CWE-20
Status published
Products (6)
microsoft/windows_2000
microsoft/windows_2003_server 64-bit
microsoft/windows_2003_server itanium
microsoft/windows_2003_server r2
microsoft/windows_2003_server sp1 (2 CPE variants)
microsoft/windows_xp (3 CPE variants)
Published Jul 31, 2006
Tracked Since Feb 18, 2026