CVE-2008-4114

Microsoft Windows - Denial of Service via SMB WRITE_ANDX Packet Buffer Size Validation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-4114. PoCs published by Javier Vicente Vallejo, including Metasploit module auxiliary/dos/windows/smb/ms09_001_write.

AI-analyzed exploit summary

This exploit targets CVE-2008-4114, a vulnerability in the SMB protocol implementation on Windows Vista. It attempts to trigger a buffer overflow by manipulating SMB packet fields, specifically the DataLenLow and DataOffset values, to achieve remote code execution.

Description

srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Javier Vicente Vallejo · ruby · dos · windows
https://www.exploit-db.com/exploits/6463

This exploit targets CVE-2008-4114, a vulnerability in the SMB protocol implementation on Windows Vista. It attempts to trigger a buffer overflow by manipulating SMB packet fields, specifically the DataLenLow and DataOffset values, to achieve remote code execution.

Classification: Working PoC (90%)
Attack type: RCE
Complexity: Moderate
Reliability: Racy
Target: Windows Vista SMB implementation
Auth required: yes
Prerequisites: Network access to the target SMB service · Valid SMB credentials
Analyzed by devstral-2 on Feb 16, 2026
metasploit · WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/smb/ms09_001_write.rb

This exploit targets a denial-of-service vulnerability in Microsoft's SRV.SYS driver by sending malformed SMB WriteAndX requests with invalid DataOffset values. It iterates through various payload sizes and offsets to trigger a crash in the remote host.

Classification: Working PoC (95%)
Attack type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (tested on Vista) with SRV.SYS driver
Auth required: yes
Prerequisites: Network access to SMB service · Valid SMB credentials
Analyzed by devstral-2 on Feb 16, 2026

References (13)

Core References (13)
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6044
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6463
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/31179
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/31883
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2583
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-013A.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/45146
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1020887
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5262
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/496354/100/0/threaded

Scores

EPSS 0.7366
EPSS Percentile 98.8%

Details

CWE
CWE-399
Status published
Products (7)
microsoft/windows_2000
microsoft/windows_server_2003 (4 CPE variants)
microsoft/windows_server_2008 (3 CPE variants)
microsoft/windows_vista (2 CPE variants)
microsoft/windows_vista gold
microsoft/windows_vista sp1
microsoft/windows_xp (4 CPE variants)
Published Sep 16, 2008
Tracked Since Feb 18, 2026