## https://sploitus.com/exploit?id=018B5871-29BC-5EF3-B24E-99416F43FF2C
# CVE-2026-41089 โ SentinelCore Defensive Toolkit




Python 3 toolkit to detect and remediate exposure to CVE-2026-41089 on Windows Domain Controllers. Passive only โ nothing writes to target systems.
---
## Table of Contents
- [Background & PoC](#background--poc)
- [Installation](#installation)
- [Modules](#modules)
- [Output & Formats](#output--formats)
---
## Background & PoC
**CVE-2026-41089** is a critical vulnerability in the Netlogon service (MS-NRPC) affecting Windows Server 2016 through 2025. It allows unauthenticated remote code execution via a stack buffer overflow in the CLDAP DC locator implementation.
### Vulnerability mechanism
The vulnerable code path:
```
I_NetLogonLdapLookupEx
โ NlGetLocalPingResponse
โ BuildSamLogonResponse
โ NetpLogonPutUnicodeString โ overflow here
```
`NlGetLocalPingResponse` allocates a 528-byte stack buffer and passes it to `BuildSamLogonResponse`, which calls `NetpLogonPutUnicodeString` multiple times without bounds checking. The `User` field in the CLDAP filter is attacker-controlled. An oversized username โ combined with server name, domain name, GUIDs, and DNS names โ pushes the total write past 528 bytes and overflows the stack.
**Attack vector:** UDP 389 (CLDAP), pre-authentication, no credentials required
**Impact:** lsass crash โ DC reboot (~60 seconds). RCE possible but not demonstrated here.
**CVSS:** 9.8 CRITICAL โ CWE-121
### What this toolkit does
Strictly passive and defensive. It does not trigger exploitation โ it probes the DC's response to a crafted CLDAP ping to determine whether the patch is applied:
```
1. Safe CLDAP ping (short username)
โ no response โ not a DC or CLDAP filtered
โ response โ DC reachable, continue
2. Probe ping (80-char username โ exercises the vulnerable code path)
โ no response โ LIKELY_VULNERABLE
โ response โ patched (input validation active)
```
The toolkit does **not**:
- Write any data to target systems
- Trigger the actual overflow
- Modify memory on the target
- Affect service stability
### Finding the domain name
The `--domain` argument is required. To enumerate it:
```bash
# From a domain-joined Windows machine
echo %USERDNSDOMAIN%
# From Linux on the same network
nmap -p 389 --script ldap-rootdse
# Via anonymous LDAP
ldapsearch -x -H ldap:// -s base -b "" namingContexts 2>/dev/null | grep naming
```
Output looks like `DC=corp,DC=local` โ the DNS domain is `corp.local`.
### Ethical use
This tool is for defensive security professionals โ pentesters, SOC teams, auditors. Use only on infrastructure you are explicitly authorized to test. Unauthorized use against third-party systems is illegal.
---
## Installation
```bash
git clone https://github.com/Orthos-s0c/CVE.git
cd CVE
# Optional โ required only for the monitor module
pip install pyevtx-rs
python3 cve_2026_41089_defensive.py --help
```
Standard library only (no install required): `socket`, `struct`, `ipaddress`, `concurrent.futures`, `argparse`, `json`, `pathlib`, `datetime`
---
## Modules
### `audit` โ Network Exposure Scan
Passive CLDAP probe over UDP 389. Sends a safe ping to confirm DC reachability, then an 80-char username probe to exercise the vulnerable code path. Response presence/absence is the detection signal.
```bash
# Single IP
python3 cve_2026_41089_defensive.py audit --target 192.168.1.10 --domain corp.local
# CIDR range
python3 cve_2026_41089_defensive.py audit --target 10.0.0.0/24 --domain corp.local \
--workers 50 --timeout 8.0
# JSON export for SOAR pipeline
python3 cve_2026_41089_defensive.py audit --target 10.0.0.0/24 --domain corp.local \
--json audit_$(date +%Y%m%d_%H%M%S).json
```
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `--target` | str | *required* | Single IP or CIDR notation |
| `--domain` | str | *required* | DNS domain name (e.g. `corp.local`) |
| `--workers` | int | `30` | Concurrent threads |
| `--timeout` | float | `5.0` | Per-host UDP timeout in seconds |
| `--port` | int | `389` | CLDAP port |
| `--json` | str | โ | Output path for full JSON results |
**Assessment states:**
| Assessment | Meaning |
|---|---|
| `LIKELY_VULNERABLE` | Responded to safe ping, silent on probe โ vulnerable code path confirmed |
| `patched` | Responded to both probes โ input validation active |
| `unreachable` | No response on UDP 389 โ not a DC or port filtered |
---
### `monitor` โ EVTX Log Analysis
Analyzes Windows EVTX logs for post-exploitation indicators. Requires `pyevtx-rs`.
```bash
python3 cve_2026_41089_defensive.py monitor --evtx "C:\Windows\System32\winevt\Logs"
```
| Log | Event ID | Meaning |
|-----|----------|---------|
| Application | 1000 | `lsass.exe` crash โ primary exploitation indicator |
| Security | 5827, 5828 | Netlogon refused insecure channel |
| Security | 5829 | Netlogon **allowed** insecure channel |
| Security | 4625 | Anonymous logon failure spike |
| System | 7034, 7036 | Netlogon service state change |
Without `pyevtx-rs`, the module prints equivalent PowerShell commands for live monitoring on the DC.
---
### `firewall` โ Hardening Rules
Generates a PowerShell firewall script deployable via GPO. UDP 389 (CLDAP) is the primary block โ TCP RPC ports are blocked as a secondary layer.
```bash
python3 cve_2026_41089_defensive.py firewall > firewall_rules.ps1
# Apply on DC (admin required)
powershell -ExecutionPolicy Bypass -File .\firewall_rules.ps1
```
Edit `$DC_SUBNET` and `$ADMIN_SUBNET` at the top of the script before deploying.
| Rule | Protocol | Ports | Action |
|------|----------|-------|--------|
| Block CLDAP Inbound | UDP | 389 | BLOCK (all profiles) |
| Allow CLDAP โ DC Subnet | UDP | 389 | ALLOW (domain profile) |
| Allow CLDAP โ Admin Subnet | UDP | 389 | ALLOW (domain profile) |
| Block Netlogon RPC Inbound | TCP | 135, 445, 464, 3268, 3269 | BLOCK (all profiles) |
| Allow RPC โ DC Subnet | TCP | above | ALLOW (domain profile) |
---
### `sigma` โ SIEM Detection Rules
Exports three Sigma 1.0 rules compatible with Splunk, Elasticsearch, and Microsoft Sentinel.
```bash
python3 cve_2026_41089_defensive.py sigma > sigma_rules.yml
# Compile to Splunk SPL
sigma compile -t splunk -r sigma_rules.yml
```
| Rule | Event ID | Level |
|------|----------|-------|
| lsass Crash Indicator | 1000 | `critical` |
| Anonymous Logon Failure Spike (>5 / 60s) | 4625 | `high` |
| Netlogon Insecure Channel Anomaly | 5827, 5828 | `medium` |
---
### `patch` โ Patch Verification
Generates a PowerShell script to run directly on the DC. Detects the OS, identifies the expected KB, checks installation via `Get-HotFix`.
```bash
python3 cve_2026_41089_defensive.py patch > patch_check.ps1
# Run on the DC
powershell -ExecutionPolicy Bypass -File .\patch_check.ps1
# Exit 0 = patched | Exit 1 = vulnerable | Exit 2 = OS not in matrix
```
| OS | KB |
|----|----|
| Windows Server 2025 | KB5058387 |
| Windows Server 2022 | KB5058385 |
| Windows Server 2019 | KB5058383 |
| Windows Server 2016 | KB5058392 |
| Windows Server 2012 R2 | KB5058395 |
---
## Output & Formats
### Console
```
[14:32:15] CVE-2026-41089 CLDAP audit โ 3 host(s), domain=corp.local
HOST ASSESSMENT DETAIL
โ 192.168.1.10 LIKELY_VULNERABLE responded to safe ping, silent on oversized username
192.168.1.11 unreachable no response on UDP :389 โ not a DC or CLDAP filtered
192.168.1.12 patched responded to both probes (312B) โ input validation active
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
SUMMARY: 1 likely vulnerable / 1 patched / 2 reachable on UDP:389 / 3 total
```
### JSON (`--json results.json`)
```json
[
{
"timestamp": "2026-06-02T14:32:15.123456+00:00",
"host": "192.168.1.10",
"domain": "corp.local",
"port": 389,
"reachable": true,
"assessment": "LIKELY_VULNERABLE",
"detail": "responded to safe ping, silent on oversized username โ consistent with CVE-2026-41089 code path",
"resp_bytes": 284
}
]
```
---
**Version:** 1.0.0 โ **Author:** SentinelCore Security Team โ **License:** MIT