CVE-2010-0017

Windows 7 and Server 2008 - Remote Code Execution via SMB Negotiate Response Race Condition

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2010-0017. PoCs published by laurent gaffie, including Metasploit module auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.

AI-analyzed exploit summary This exploit targets CVE-2010-0017, a vulnerability in the SMB client implementation in Windows. It manipulates NetBIOS and SMB packets to trigger a buffer overflow, potentially leading to remote code execution or denial of service.

Description

Race condition in the SMB client implementation in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code, and in the SMB client implementation in Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges, via a crafted SMB Negotiate response, aka "SMB Client Race Condition Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED

by laurent gaffie · pythondoswindows

https://www.exploit-db.com/exploits/12258

View Code ZIP pw:eip

This exploit targets CVE-2010-0017, a vulnerability in the SMB client implementation in Windows. It manipulates NetBIOS and SMB packets to trigger a buffer overflow, potentially leading to remote code execution or denial of service.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows SMB Client

No auth needed

Prerequisites: Network access to the target · Target system must be running a vulnerable SMB client

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb

View Code ZIP pw:eip

This Metasploit module exploits a denial-of-service vulnerability in Microsoft Windows 7 and Server 2008 R2 SMB clients by triggering an infinite loop when a vulnerable client connects to a malicious SMB server. The exploit sends a crafted SMB response to induce a crash.

Classification

Working Poc 100%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: Microsoft Windows 7 / Server 2008 R2 SMB Client

No auth needed

Prerequisites: Network access to the target · Target must initiate SMB connection to attacker-controlled server

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-006

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8298

US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/cas/techalerts/TA10-040A.html

Scores

EPSS 0.4104

EPSS Percentile 97.5%

Details

CWE

CWE-362

Status published

Products (4)

microsoft/windows_7

microsoft/windows_server_2008 (5 CPE variants)

microsoft/windows_server_2008 r2

microsoft/windows_vista (4 CPE variants)

Published Feb 10, 2010

Tracked Since Feb 18, 2026