CVE-2007-1748

EXPLOITED

Windows 2000 Server SP4 and Server 2003 SP1/SP2 - Remote Code Execution via DNS RPC Zone Name Overflow


Exploitation Summary

CVE-2007-1748 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 7 public exploits from researchers including Metasploit, Andres Tarasco, and Winny Thomas; these include the Metasploit module exploits/windows/smb/ms07_029_msdns_zonename.

AI-analyzed exploit summary: This is a Metasploit module exploiting a stack buffer overflow in the Microsoft DNS RPC service (CVE-2007-1748) via escaped octal strings in zone names. It bypasses NX/DEP on Windows 2003 SP1/SP2 and requires SMB authentication.

Description

Stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to execute arbitrary code via a long zone name containing character constants represented by escape sequences.

Exploits (7)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16366

This is a Metasploit module exploiting a stack buffer overflow in the Microsoft DNS RPC service (CVE-2007-1748) via escaped octal strings in zone names. It bypasses NX/DEP on Windows 2003 SP1/SP2 and requires SMB authentication.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft DNS Server (Windows 2000, 2003)
Auth required
Prerequisites: Valid SMB credentials · Access to DNS RPC service via SMB
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16748

This is a Metasploit module exploiting a stack buffer overflow in the Microsoft DNS RPC service (CVE-2007-1748). It bypasses NX/DEP on Windows 2003 SP1/SP2 and targets multiple Windows versions with locale-specific payloads.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft DNS Server (Windows 2000, 2003 SP0, SP1, SP2)
No auth needed
Prerequisites: Network access to the target DNS RPC service · Target must be running a vulnerable version of Microsoft DNS Server
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Andres Tarasco · text · remote · windows
https://www.exploit-db.com/exploits/3746

This exploit targets a vulnerability in Microsoft DNS Server (CVE-2007-1748) via RPC, allowing remote code execution or denial of service. It supports multiple Windows versions and includes fingerprinting and dynamic port detection.

Classification: Working PoC 95%
Attack Type: RCE | DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft DNS Server (Windows 2000 SP4, Windows 2003 SP2)
No auth needed
Prerequisites: Network access to target · RPC/DNS service exposed
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Winny Thomas · python · remote · windows
https://www.exploit-db.com/exploits/3737

This exploit targets CVE-2007-1748, a vulnerability in the Windows DNS RPC service. It uses a buffer overflow to execute shellcode that binds a shell to TCP port 4444, providing remote code execution on vulnerable systems.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows DNS RPC Service (Windows 2000 SP4)
No auth needed
Prerequisites: Network access to the target · DNS RPC service running on the target
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by devcode · c · remote · windows
https://www.exploit-db.com/exploits/3740

This is a functional proof-of-concept exploit for CVE-2007-1748, targeting a stack-based buffer overflow in the Windows DNS service's DnssrvQuery function via a crafted RPC request. It includes shellcode for a bind shell on port 4444 and is designed for Windows 2000 Advanced Server.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows DNS Service (Windows 2000 Advanced Server, Windows Server 2003)
No auth needed
Prerequisites: Network access to the target DNS service · DNS RPC service exposed on the target
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · MANUAL
by hdm, Unknown, bcoles · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms07_029_msdns_zonename.rb

This Metasploit module exploits a stack buffer overflow in the Microsoft DNS RPC service (CVE-2007-1748) via a long zone name parameter with escaped octal strings. It bypasses NX/DEP on Windows 2003 SP1/SP2 and requires SMB authentication.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft DNS Server (Windows 2000 SP0-SP4, 2003 SP0-SP2)
Auth required
Prerequisites: Valid SMB credentials · Access to DNS RPC service via SMB
devstral-2 · analyzed Feb 19, 2026

metasploit · WORKING POC · GREAT
by hdm, Unknown, bcoles · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/dcerpc/ms07_029_msdns_zonename.rb

This is a functional Metasploit module exploiting a stack buffer overflow in the Microsoft DNS RPC service via a long zone name parameter with escaped octal strings. It includes multiple targets for Windows 2000 and 2003, with techniques to bypass NX/DEP.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft DNS Server (Windows 2000 SP0-SP4, Windows 2003 SP0-SP2)
No auth needed
Prerequisites: Network access to the target DNS RPC service · Target system running vulnerable Microsoft DNS Server
devstral-2 · analyzed Feb 19, 2026

References (15)

Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24871
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/archive/1/468871/100/200/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/465863/100/100/threaded
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA07-128A.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/23470
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/33629
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1017910
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1366
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1228
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA07-103A.html
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/555920

Scores

EPSS: 0.8397
EPSS Percentile: 99.3%

Details

VulnCheck KEV: 2007-05-08
CWE: CWE-119
Status: published
Products (3):
microsoft/windows_2000
microsoft/windows_2003_server sp1 (3 CPE variants)
microsoft/windows_2003_server sp2 (3 CPE variants)
Published: Apr 13, 2007
Tracked Since: Feb 18, 2026