Rapid7 Vulnerability & Exploit Database

Microsoft Windows Browser Pool DoS

Back to Search

Microsoft Windows Browser Pool DoS



This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows Server 2003 that have been configured as a domain controller. By sending a specially crafted election request, an attacker can cause a pool overflow. The vulnerability appears to be due to an error handling a length value while calculating the amount of memory to copy to a buffer. When there are zero bytes left in the buffer, the length value is improperly decremented and an integer underflow occurs. The resulting value is used in several calculations and is then passed as the length value to an inline memcpy operation. Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and causes considerable damage to kernel heap memory. While theoretically possible, it does not appear to be trivial to turn this vulnerability into remote (or even local) code execution.


  • Cupidon-3005
  • jduck <jduck@metasploit.com>


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/dos/windows/smb/ms11_019_electbowser
msf auxiliary(ms11_019_electbowser) > show actions
msf auxiliary(ms11_019_electbowser) > set ACTION < action-name >
msf auxiliary(ms11_019_electbowser) > show options
    ...show and set options...
msf auxiliary(ms11_019_electbowser) > run 

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security