CVE-2008-4037

Microsoft Windows - Remote Code Execution via SMB Credential Reflection


Exploitation Summary

EIP tracks 4 public exploits for CVE-2008-4037. PoCs published by Metasploit, Andres Tarasco, Haamed Gheibi, including Metasploit module exploits/windows/smb/smb_relay.

AI-analyzed exploit summary: This exploit code is a Metasploit module for CVE-2008-4037, which performs an SMB relay attack to gain authenticated SMB sessions and execute arbitrary payloads on Windows systems. It leverages SMB authentication relaying to achieve remote code execution.

Description

Microsoft Windows 2000 Gold through SP4, XP Gold through SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote SMB servers to execute arbitrary code on a client machine by replaying the NTLM credentials of a client user, as demonstrated by backrush, aka "SMB Credential Reflection Vulnerability." NOTE: some reliable sources report that this vulnerability exists because of an insufficient fix for CVE-2000-0834.

Exploits (4)

exploitdb · Working PoC · Verified
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16360

This exploit code is a Metasploit module for CVE-2008-4037, which performs an SMB relay attack to gain authenticated SMB sessions and execute arbitrary payloads on Windows systems. It leverages SMB authentication relaying to achieve remote code execution.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows SMB (pre-MS08-068 patch)
Authentication: No auth needed
Prerequisites: Victim must attempt SMB authentication to the attacker's system · Target system must allow network logins for the relayed credentials
devstral-2 · analyzed Feb 16, 2026
exploitdb · Working PoC · Verified
by Andres Tarasco · text · remote · windows
https://www.exploit-db.com/exploits/7125

This is a tool for performing NTLM replay attacks via SMB, allowing an attacker to relay authentication credentials. It exploits the vulnerability in SMB protocol handling to capture and reuse NTLM hashes.

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows SMB protocol implementations
Authentication: No auth needed
Prerequisites: Network access to SMB traffic · Ability to intercept or capture NTLM authentication attempts
devstral-2 · analyzed Feb 16, 2026
exploitdb · Working PoC · Verified
by Haamed Gheibi · text · remote · windows
https://www.exploit-db.com/exploits/20

This exploit targets an authentication flaw in the Windows SMB protocol by modifying the Samba source code to intercept and manipulate SMB authentication challenges/responses. It allows mounting remote Windows shares (e.g., C$) without proper credentials by exploiting weak challenge-response mechanisms.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Windows 2000 (SP0-SP3), Windows XP (SP0-SP1)
Authentication: No auth needed
Prerequisites: Modified Samba server (2.2.8a) with applied patch · Victim must connect to the malicious SMB server (e.g., via HTML email or web page) · Network access to target
devstral-2 · analyzed Feb 16, 2026
metasploit · Working PoC · Excellent
by hdm, juan vazquez, agalway-r7, alanfoster, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/smb_relay.rb

This Metasploit module exploits CVE-2008-4037 by relaying SMB authentication requests to another host, allowing code execution if the victim has administrative privileges. It supports multiple attack vectors including PSEXEC and SMB session creation.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows SMB (pre-MS08-068 patch)
Authentication: No auth needed
Prerequisites: Victim must attempt SMB authentication to attacker-controlled server · Target system must allow network logins for the relayed user
devstral-2 · analyzed Feb 19, 2026

References (15)

Core References (15)

http://marc.info/?l=bugtraq&m=122703006921213&w=2 [Mailing List; vendor-advisory, x_refsource_hp]
http://www.us-cert.gov/cas/techalerts/TA08-316A.html [US Government Resource; third-party-advisory, x_refsource_cert]
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6012 [Third Party Advisory, VDB Entry; vdb-entry, signature, x_refsource_oval]
http://osvdb.org/49736 [Third Party Advisory, VDB Entry; vdb-entry, x_refsource_osvdb]
http://securitytracker.com/id?1021163 [Third Party Advisory, VDB Entry; vdb-entry, x_refsource_sectrack]
http://www.vupen.com/english/advisories/2008/3110 [Vendor Advisory; vdb-entry, x_refsource_vupen]
http://www.xfocus.net/articles/200305/smbrelay.html [Various Sources; x_refsource_misc]
http://secunia.com/advisories/32633 [Vendor Advisory; third-party-advisory, x_refsource_secunia]
http://www.securityfocus.com/bid/7385 [Exploit, Patch; vdb-entry, x_refsource_bid]
https://www.exploit-db.com/exploits/7125 [Exploit, Third Party Advisory; exploit, x_refsource_exploit-db]

Scores

EPSS 0.5914
EPSS Percentile 99.0%

Details

CWE: CWE-287
Status: published
Products (5)
microsoft/windows_server_2003 sp1 (6 CPE variants)
microsoft/windows_xp sp2 (4 CPE variants)
microsoft/windows_2000
microsoft/windows_server_2008 (3 CPE variants)
microsoft/windows_vista (3 CPE variants)
Published: Nov 12, 2008
Tracked Since: Feb 18, 2026