Windows Netlogon Remote Code Execution Vulnerability
CVE-2026-41089 is a critical stack-based buffer overflow in the Windows Netlogon service affecting Windows Server systems when acting as Active Directory domain controllers. Microsoft describes the flaw as allowing an unauthorized attacker to execute code over a network by sending a specially crafted request to a vulnerable domain controller. Supporting technical analysis places the bug in Netlogon's DC locator CLDAP response handling, specifically in netlogon.dll, where NetpLogonPutUnicodeString copies Unicode string data into a fixed-size stack buffer without sufficient aggregate bounds checking. The vulnerable path can be reached remotely and without authentication by sending a crafted packet to a domain controller; the described analysis reaches it with CLDAP traffic to UDP/389. The issue was patched by Microsoft in May 2026.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (27 hidden).
This repository contains a Python proof-of-concept for CVE-2026-41089, described as a Windows Netlogon CLDAP stack buffer overflow affecting unpatched Windows Domain Controllers. The main exploit logic is in poc.py, which manually constructs BER/DER-encoded LDAP SearchRequest packets for CLDAP over UDP/389. Its workflow is straightforward: perform an initial connectivity check with a benign username, send a second CLDAP ping with an oversized User attribute intended to trigger the vulnerable Netlogon response path, wait briefly, then perform a final liveness check to determine whether LSASS likely crashed. The stated outcome is denial of service via LSASS crash and DC reboot; the code does not attempt RCE or deliver shellcode. Repository structure is small and centered on poc.py. Supporting files include README.md with vulnerability background, usage examples, affected versions, detection, and mitigation guidance; CI metadata; and standard project files. However, setup.py is unrelated to the PoC’s documented purpose and is highly suspicious: it searches for .dat fragments, reconstructs or treats them as a ZIP archive, extracts contents into src/data/cache/temp/system, locates an .exe, and launches it via os.startfile, with a PowerShell Expand-Archive fallback. This behavior is inconsistent with a benign exploit PoC and resembles a dropper/loader pattern. The bundled cache-like files under src/core/cache/... appear to be placeholder or decoy artifacts and do not contribute to the CLDAP exploit logic. Overall, the repository appears to contain a real network DoS exploit PoC in poc.py targeting Microsoft Windows Server Domain Controllers via unauthenticated UDP/389 CLDAP requests, but it also includes suspicious auxiliary code in setup.py that should not be trusted or executed.
The repository contains a single substantive exploit script, CVE-2026-41089-exp.py, plus a README, license, and .gitignore. The Python script is a standalone network exploit targeting a claimed pre-auth remote code execution vulnerability in Windows Netlogon CLDAP on UDP/389. Based on the visible code and README, the exploit builds a malicious packet with an oversized username field to trigger a stack-based overflow in Netlogon processing, then appends a ROP chain and dynamically generated shellcode. The exploit's main capabilities are: (1) constructing and sending a crafted UDP CLDAP/Netlogon packet to a remote target IP; (2) generating a ROP chain by locating gadgets such as pop rcx/rdx/r8/r9 in netlogon.dll and resolving VirtualProtect from kernel32.dll; (3) caching gadget search results in .rop_gadgets_cache.json; and (4) generating shellcode that executes an arbitrary operator-provided command, with README examples including calc.exe, whoami redirection, account creation, and PowerShell. The script appears to support optional operator-supplied DLL files and base addresses to improve exploit reliability across targets. The code is not a framework module and appears to be an operational standalone exploit rather than a detector. It uses Python standard libraries plus optional pefile and ROPgadget for export parsing and gadget discovery. The main entry point is the script's main() function, which parses CLI arguments, generates the ROP chain and shellcode, builds the exploit packet, sends it to the target, and performs a basic success verification step. Fingerprintable observables include UDP port 389, the hardcoded domain string dc.target.lab, local DLL paths and cache file names, and reference URLs in comments/README.
A small standalone PoC repository with four files: license/metadata, a detailed README, and one Python exploit script (`poc.py`). The script is not part of a larger exploitation framework. Its purpose is to demonstrate CVE-2026-41089, described as a pre-auth Netlogon CLDAP stack buffer overflow affecting Windows Domain Controllers. `poc.py` manually builds BER-encoded LDAP/CLDAP packets without third-party dependencies. Helper routines encode BER lengths, integers, enums, strings, and sequences, then assemble LDAP equality filters and an AND filter for `DnsDomain`, `User`, and `NtVer`. The exploit logic sends UDP CLDAP search requests to the target DC on port 389. Operational flow is three-phase: (1) send a normal ping using `testuser` to confirm the DC responds, (2) send an overflow attempt using a long username (default length 130, configurable with `-l`), and (3) after a short delay, send another normal ping to determine whether LSASS likely crashed. Main exploit capability: unauthenticated network-triggered denial of service against a vulnerable Domain Controller by corrupting the Netlogon CLDAP response-building path. The README claims potential RCE in theory, but the provided code does not include shellcode, ROP, memory corruption primitives beyond packet crafting, or any post-exploitation logic. As implemented, it is an operational DoS PoC that fingerprints success by loss of CLDAP responsiveness and expected reboot behavior. Fingerprintable targets are minimal and mostly operator-supplied: target IP, domain name, and UDP/389. The code embeds the LDAP attribute names `DnsDomain`, `User`, and `NtVer`, and uses the default `NtVer` value `0x00000016`. No hardcoded victim IPs, C2 infrastructure, or exfiltration endpoints are present.
Recent activity
161 sources tracked across advisories, community write-ups, and news.
A critical stack-based buffer overflow vulnerability affecting Windows domain controllers that could enable attackers to take over enterprise identity infrastructure.
Critical unauthenticated remote code execution vulnerability in Windows Netlogon caused by a stack-based buffer overflow, affecting Windows servers acting as domain controllers.
A critical stack-based buffer overflow remote code execution vulnerability in the Windows Netlogon service that can be exploited remotely by unauthenticated attackers against Windows servers operating as domain controllers.
A critical remote code execution vulnerability in Microsoft's Netlogon service affecting Windows Server domain controllers from 2012 to current. An unauthenticated attacker on the same network can send a malformed UDP packet to trigger a buffer overflow, potentially gaining SYSTEM-level access or causing denial of service.