CVE-2011-0654

Windows Server 2003 - Remote Code Execution via Malformed BROWSER ELECTION Message

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-0654. PoCs were published by Cupidon-3005 and jduck, including the Metasploit module auxiliary/dos/windows/smb/ms11_019_electbowser.

AI-analyzed exploit summary: This exploit targets a heap overflow vulnerability in Microsoft Windows Server 2003's Browser Election protocol (CVE-2011-0654). It crafts a malicious election packet to trigger the overflow in Mrxsmb.sys, potentially leading to remote code execution or denial of service.

Description

Integer underflow in the BowserWriteErrorLogEntry function in the Common Internet File System (CIFS) browser service in Mrxsmb.sys or bowser.sys in Active Directory in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a malformed BROWSER ELECTION message, leading to a heap-based buffer overflow, aka "Browser Pool Corruption Vulnerability." NOTE: some of these details are obtained from third party information.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Cupidon-3005 · python · dos · windows
https://www.exploit-db.com/exploits/16166

This exploit targets a heap overflow vulnerability in Microsoft Windows Server 2003's Browser Election protocol (CVE-2011-0654). It crafts a malicious election packet to trigger the overflow in Mrxsmb.sys, potentially leading to remote code execution or denial of service.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Theoretical
Target: Microsoft Windows Server 2003
No auth needed
Prerequisites: Network access to broadcast traffic · Target system running Windows Server 2003
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC
by Cupidon-3005, jduck · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb

This Metasploit module exploits a denial-of-service vulnerability (CVE-2011-0654) in Microsoft Windows SMB service on Windows Server 2003 domain controllers by sending a crafted browser election request, causing a pool overflow and system crash.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Server 2003 (Domain Controller)
No auth needed
Prerequisites: Network access to UDP port 138 · Target configured as a domain controller
devstral-2 · analyzed Feb 16, 2026

References (14)

Core References
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA11-102A.html
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/323172
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/16166
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0394
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1025328
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0284.html
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/46360
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0938
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/43299
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/65376
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12637

Scores

EPSS 0.7808
EPSS Percentile 99.0%

Details

CWE: CWE-119
Status: published
Products (2):
microsoft/windows_2003_server (4 CPE variants)
microsoft/windows_server_2003 (2 CPE variants)
Published: Feb 16, 2011
Tracked Since: Feb 18, 2026