Windows Netlogon Remote Code Execution Vulnerability
CVE-2026-41089 is a critical stack-based buffer overflow in the Windows Netlogon service affecting Windows servers acting as Active Directory domain controllers. Microsoft describes the issue as a stack-based buffer overflow that can be triggered by sending a specially crafted network request to a vulnerable domain controller, resulting in improper handling within Netlogon and enabling remote code execution. Supporting reporting further places the flaw in the Netlogon DC locator CLDAP response handling path, where malformed network input can overflow a fixed-size stack buffer during response construction. The vulnerability is reachable remotely and requires no authentication or user interaction, and the Centre for Cybersecurity Belgium has reported it as under active exploitation in the wild.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (7 hidden).
Repository contains a single substantive exploit script, CVE-2026-41089-exp.py, plus a README, license, and .gitignore. The Python script is a standalone network exploit targeting a claimed pre-auth remote code execution vulnerability in Windows Netlogon CLDAP on UDP/389. Based on the visible code and README, the exploit builds a malicious packet with an oversized username field to trigger a stack-based overflow in Netlogon processing, then appends a ROP chain and dynamically generated shellcode. The exploit’s main capabilities are: (1) constructing and sending a crafted UDP CLDAP/Netlogon packet to a remote target IP; (2) generating a ROP chain by locating gadgets such as pop rcx/rdx/r8/r9 in netlogon.dll and resolving VirtualProtect from kernel32.dll; (3) caching gadget search results in .rop_gadgets_cache.json; and (4) generating shellcode that executes an arbitrary operator-provided command, with README examples including calc.exe, whoami redirection, account creation, and PowerShell. The script appears to support optional operator-supplied DLL files and base addresses to improve exploit reliability across targets. The code is not a framework module and appears to be an operational standalone exploit rather than a detector. It uses Python standard libraries plus optional pefile and ROPgadget for export parsing and gadget discovery. The main entry point is the script’s main() function, which parses CLI arguments, generates the ROP chain and shellcode, builds the exploit packet, sends it to the target, and performs a basic success verification step. Fingerprintable observables include UDP port 389, the hardcoded domain string dc.target.lab, local DLL paths and cache file names, and reference URLs in comments/README.
Small standalone PoC repository with 4 files: license/metadata, a detailed README, and one Python exploit script (`poc.py`). The script is not part of a larger exploitation framework. Its purpose is to demonstrate CVE-2026-41089, described as a pre-auth Netlogon CLDAP stack buffer overflow affecting Windows Domain Controllers. `poc.py` manually builds BER-encoded LDAP/CLDAP packets without third-party dependencies. Helper routines encode BER lengths, integers, enums, strings, and sequences, then assemble LDAP equality filters and an AND filter for `DnsDomain`, `User`, and `NtVer`. The exploit logic sends UDP CLDAP search requests to the target DC on port 389. Operational flow is three-phase: (1) send a normal ping using `testuser` to confirm the DC responds, (2) send an overflow attempt using a long username (default length 130, configurable with `-l`), and (3) after a short delay, send another normal ping to determine whether LSASS likely crashed. Main exploit capability: unauthenticated network-triggered denial of service against a vulnerable Domain Controller by corrupting the Netlogon CLDAP response-building path. The README claims potential RCE in theory, but the provided code does not include shellcode, ROP, memory corruption primitives beyond packet crafting, or any post-exploitation logic. As implemented, it is an operational DoS PoC that fingerprints success by loss of CLDAP responsiveness and expected reboot behavior. Fingerprintable targets are minimal and mostly operator-supplied: target IP, domain name, and UDP/389. The code embeds LDAP attribute names `DnsDomain`, `User`, and `NtVer`, and uses default `NtVer` value `0x00000016`. No hardcoded victim IPs, C2 infrastructure, or exfiltration endpoints are present.
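A defender-side decoder for the ping format both PoCs send, added here as an example and not code from either repository: it parses a CLDAP SearchRequest as carried on UDP/389, pulls the DnsDomain, User and NtVer equality matches out of the AND filter, and flags a User value longer than an assumed 64-byte threshold (the PoC's default overflow length is 130). The sample packets are constructed inside the block rather than captured, and the 4-byte little-endian NtVer encoding is an assumption.

```python
def _read_tlv(buf, pos):   # (tag, body, next_pos) of the BER TLV at pos; 1-4 byte long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:
        n = length & 0x7F
        if not 0 < n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def _equality_matches(filt, out):   # collect (attribute, value) pairs, descending into and/or
    tag, body, _ = _read_tlv(filt, 0)
    if tag in (0xA0, 0xA1):                    # and / or: SET OF Filter
        pos = 0
        while pos < len(body):
            _, _, nxt = _read_tlv(body, pos)
            _equality_matches(body[pos:nxt], out)
            pos = nxt
    elif tag == 0xA3:                          # equalityMatch { attributeDesc, assertionValue }
        _, attr, p = _read_tlv(body, 0)
        out.append((attr.decode("latin-1"), _read_tlv(body, p)[1]))

def netlogon_ping_fields(datagram):
    """Filter attributes of a CLDAP SearchRequest as {name: raw value}; None if not one."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:                                # not an LDAPMessage SEQUENCE
        return None
    _, _, pos = _read_tlv(msg, 0)                  # messageID
    optag, op, _ = _read_tlv(msg, pos)
    if optag != 0x63:                              # not [APPLICATION 3] SearchRequest
        return None
    pos = 0
    for _ in range(6):   # skip baseObject, scope, derefAliases, sizeLimit, timeLimit, typesOnly
        _, _, pos = _read_tlv(op, pos)
    pairs = []
    _equality_matches(op[pos:_read_tlv(op, pos)[2]], pairs)   # the filter element only
    return dict(pairs)

def is_oversized_user(datagram, limit=64):   # assumed alert threshold; PoC default overflow is 130
    fields = netlogon_ping_fields(datagram)
    return fields is not None and len(fields.get("User", b"")) > limit

def sample_ping(user):
    """Constructed Netlogon ping (not a capture) in the PoC's filter shape; NtVer 0x16 as 4-byte LE (assumed)."""
    tlv = lambda t, b: bytes([t]) + (bytes([len(b)]) if len(b) < 0x80 else b"\x82" + len(b).to_bytes(2, "big")) + b
    eq = lambda a, v: tlv(0xA3, tlv(0x04, a) + tlv(0x04, v))
    filt = tlv(0xA0, eq(b"DnsDomain", b"example.test") + eq(b"User", user) + eq(b"NtVer", b"\x16\x00\x00\x00"))
    head = tlv(0x04, b"") + b"\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00"
    return tlv(0x30, b"\x02\x01\x01" + tlv(0x63, head + filt + tlv(0x30, tlv(0x04, b"Netlogon"))))
```

Feed `is_oversized_user` the UDP/389 payloads from a capture or sensor to alert on pings whose User value exceeds the threshold; a legitimate DC locator ping carries a short account name.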
Recent activity
134 sources tracked across advisories, community write-ups, and news.
Critical unauthenticated remote code execution vulnerability in Windows Netlogon caused by a stack-based buffer overflow, affecting Windows servers acting as domain controllers.
A critical stack-based buffer overflow remote code execution vulnerability in the Windows Netlogon service that can be exploited remotely by unauthenticated attackers against Windows servers operating as domain controllers.
A critical remote code execution vulnerability in Microsoft's Netlogon service affecting Windows Server domain controllers from 2012 to current. An unauthenticated attacker on the same network can send a malformed UDP packet to trigger a buffer overflow, potentially gaining SYSTEM-level access or causing denial of service.
A critical unauthenticated remote code execution vulnerability in the Windows Netlogon service affecting Windows domain controllers, allowing arbitrary code execution with SYSTEM privileges via specially crafted Netlogon requests.