CVE-2006-4691
published 2006-11-14


Priority: P2 (67)
Severity: critical
CVSS 2.0 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 80.21% (99.6th percentile)
Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname.

Detection & IOCs (extracted from sources)

port: 445
path: \pipe\wkssvc
other: 6bffd098-a112-3610-9833-46c3f87e345a v1.0 (the Workstation service RPC interface UUID and version)
other: RPC opnum 0x16 (NetrJoinDomain2)
registry: wkssvc.dll
  • Detect oversized NetrJoinDomain2 RPC requests (opnum 0x16) over the \pipe\wkssvc named pipe on SMB port 445; a long hostname/domain parameter indicates exploitation of CVE-2006-4691.
  • Look for the NOP sled pattern (repeated \x90\x90) of over 1000 bytes embedded within a NetrJoinDomain2 RPC request payload as a shellcode delivery indicator.
  • Monitor for SMB connections to IPC$ share followed by opening of the \wkssvc named pipe from external/untrusted hosts, which is the attack transport channel.
  • Flag use of known exploit return addresses in memory regions associated with ws2help.dll (0x75022ac4), ws2_32.dll (0x71ab21cd), user32.dll (0x77E11627), or ntdll.dll (0x77f81573 / 0x77F92A9B) appearing in RPC stub data.
  • Machines already joined to a domain are not exploitable; unenrolled Windows 2000 SP4 and XP SP2 hosts with port 445 exposed are the primary targets.
  • Windows XP SP2 exploitation requires Administrator credentials to reach the vulnerable code path, making it harder to exploit remotely without prior credential access.
  • Exploitation requires a valid, live Windows domain name to be specified; the exploit will fail without a reachable domain controller responding to LDAP/DNS queries.
  • The exploit shellcode and return addresses differ between exploit variants and target OS versions (Win2000 SP4 vs XP SP0/SP1); detection signatures should cover multiple shellcode byte sequences.