CVE-2007-3039

Microsoft Message Queuing - Stack-based Buffer Overflow via RPC Opnum 0x06

Exploitation Summary

EIP tracks 5 public exploits for CVE-2007-3039. PoCs have been published by Metasploit, Marcin Kozlowski and Andres Tarasco, including the Metasploit module exploits/windows/dcerpc/ms07_065_msmq.

AI-analyzed exploit summary: This exploit targets a stack buffer overflow in the Microsoft Message Queueing (MSMQ) service via a maliciously crafted DNS name path. It leverages DCERPC to trigger the vulnerability and execute arbitrary code with elevated privileges.

Description

Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. NOTE: this is remotely exploitable on Windows 2000 Server.

Exploits (5)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16750

This exploit targets a stack buffer overflow in the Microsoft Message Queueing (MSMQ) service via a maliciously crafted DNS name path. It leverages DCERPC to trigger the vulnerability and execute arbitrary code with elevated privileges.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Message Queueing Service (MSMQ) on Windows 2000 Server
No auth needed
Prerequisites: Target system must be configured with a DNS name · DNS name must be supplied in the 'DNAME' option · MSMQ service must be running on port 2103
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Marcin Kozlowski · c · remote · windows
https://www.exploit-db.com/exploits/4934

This exploit targets CVE-2007-3039, a buffer overflow vulnerability in the Windows Message Queuing Service (MS07-065). It crafts a malicious RPC request to trigger a stack-based buffer overflow, leading to remote code execution via embedded shellcode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Message Queuing Service (MSMQ)
No auth needed
Prerequisites: Network access to the target system · Windows Message Queuing Service running on the target
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Andres Tarasco · text · remote · windows
https://www.exploit-db.com/exploits/4760

This is a working exploit for CVE-2007-3039, targeting a buffer overflow in Microsoft Message Queue (MSMQ) via RPC. It achieves remote code execution by exploiting the QMCreateObjectInternal() function, tested against Windows 2000 Advanced Server SP4.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Message Queue (MSMQ) on Windows 2000 Advanced Server SP4
No auth needed
Prerequisites: Network access to target · MSMQ service running on target · RPC ports accessible
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by axis · c++ · remote · windows
https://www.exploit-db.com/exploits/4745

This exploit targets CVE-2007-3039, a buffer overflow vulnerability in the Windows Message Queuing Service (MS07-065). It sends a maliciously crafted RPC request to trigger the overflow and execute shellcode, resulting in a bind shell on port 1154.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Message Queuing Service (MSMQ) on Windows 2000 SP4
No auth needed
Prerequisites: Target DNS name · Network access to port 2103/2105/2107
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · GOOD
by hdm · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/dcerpc/ms07_065_msmq.rb

This Metasploit module exploits a stack buffer overflow in the Microsoft Message Queueing (MSMQ) service via a maliciously crafted DNS name path in an RPC request. It leverages SEH overwrites to achieve remote code execution on vulnerable Windows 2000 Server systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Message Queueing (MSMQ) Service on Windows 2000 Server
No auth needed
Prerequisites: Target must have a configured DNS name · DNS name must be supplied in the 'DNAME' option · MSMQ service must be running on port 2103
devstral-2 · analyzed Feb 19, 2026

References (14)

Core References
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-07-076.html
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA07-345A.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/4934
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/4760
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/4745
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4474
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/archive/1/485268/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1019077
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/28011
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/26797
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/4181
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/484891/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/28051

Scores

EPSS 0.8339
EPSS Percentile 99.3%

Details

CWE: CWE-119
Status: published
Products (1): microsoft/message_queuing
Published: Dec 12, 2007
Tracked Since: Feb 18, 2026