CVE-2006-4688
Published 2006-11-14
Priority: P2 | 64 | high | CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 76.88% (99.5th percentile)
Buffer overflow in Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via crafted messages, aka "Client Service for NetWare Memory Corruption Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
Byte pattern: `\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00`
- Detect exploit attempts by monitoring for DCERPC bind requests to interface UUID e67ab081-9844-3521-9d32-834f038001c0 v1.0 over named pipes (ncacn_np), particularly on the pipes \srvsvc and \nwwks.
- Alert on DCERPC opnum 0x09 calls to the above UUID over \srvsvc (nwapi32.dll exploit vector) with oversized UnicodeConformantVaryingString arguments beginning with '\\\\' (double backslash in Unicode).
- Alert on DCERPC opnum 0x01 calls to the above UUID over \nwwks (nwwks.dll exploit vector) with oversized UnicodeConformantVaryingString arguments.
- Monitor svchost.exe for unexpected child processes or shellcode execution when the NetWare Client Service (CSNW) is running, as the overflow occurs within the svchost instance hosting nwapi32.dll/nwwks.dll.
- Egghunter shellcode delivery pattern: look for large SMB named-pipe write payloads containing repeated random padding blocks (~1024 bytes) surrounding a tagged egg value, followed by a NOP sled and hunter stub.
- The nwapi32.dll exploit uses a return address of 0x00EBEEEC for Windows XP SP2; the nwwks.dll exploit uses 0x616566fb, described as a 'popaw, ret' gadget in modemui.dll for Windows XP SP2. Presence of these values in network traffic or memory is a strong indicator of exploitation.
- The Metasploit modules only include a target for Windows XP SP2; Windows 2000 SP4 and Server 2003 up to SP1 are also vulnerable per the CVE but lack pre-built return addresses in these exploits.
- The nwapi32.dll exploit payload space is only 296 bytes with a stack adjustment of -3500, requiring an egghunter stage; the nwwks.dll variant has 1000 bytes of payload space and delivers shellcode directly.
- Both exploits require the target to have the NetWare Client Service (CSNW) actively running; systems without CSNW installed are not vulnerable to remote exploitation via this path.
No detection rules found.
Exploit-DB: Microsoft Services - 'nwapi32.dll' (MS06-066) (Metasploit) (exploitdb, 2010-08-25)
---
```ruby
##
# $Id: ms06_066_nwapi.rb 10150 2010-08-25 20:55:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The class header and the opening of initialize() are reconstructed from the
# standard Metasploit 3 module layout: the original's Rank and mixin includes
# were lost in extraction, and the listing is truncated at the References array.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Services MS06-066 nwapi32.dll',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the svchost service, when the netware
        client service is running. This specific vulnerability is in the nwapi32.dll module.
      },
      'Author'         => [ 'pusscat' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 10150 $',
      'References'     =>
        [
          [ 'CVE', '2006-4688'],
          [ 'OSV
```
Exploit-DB: Microsoft Services - 'nwwks.dll' (MS06-066) (Metasploit) (exploitdb, 2010-05-09)
---
```ruby
##
# $Id: ms06_066_nwwks.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The class header and the opening of initialize() are reconstructed from the
# standard Metasploit 3 module layout: the original's Rank and mixin includes
# were lost in extraction, and the listing is truncated at the References array.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Services MS06-066 nwwks.dll',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the svchost service, when the netware
        client service is running. This specific vulnerability is in the nwapi32.dll module.
      },
      'Author'         => [ 'pusscat' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9262 $',
      'References'     =>
        [
          [ 'CVE', '2006-4688'],
          [ 'OSVDB', '
```
Metasploit: MS06-066 Microsoft Services nwapi32.dll Module Exploit
This module exploits a stack buffer overflow in the svchost service when the netware client service is running. This specific vulnerability is in the nwapi32.dll module.
Metasploit: MS06-066 Microsoft Services nwwks.dll Module Exploit
This module exploits a stack buffer overflow in the svchost service, when the netware client service is running. This specific vulnerability is in the nwapi32.dll module.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/22866
- http://securitytracker.com/id?1017224
- http://www.securityfocus.com/archive/1/451844/100/0/threaded
- http://www.securityfocus.com/bid/21023
- http://www.us-cert.gov/cas/techalerts/TA06-318A.html
- http://www.vupen.com/english/advisories/2006/4504
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-066
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29952
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A404