Share
## https://sploitus.com/exploit?id=018B5871-29BC-5EF3-B24E-99416F43FF2C
# CVE-2026-41089 โ€” SentinelCore Defensive Toolkit

![Status](https://img.shields.io/badge/Status-Stable-brightgreen)
![CVSS](https://img.shields.io/badge/CVSS_3.1-9.8_CRITICAL-red?style=for-the-badge)
![CWE](https://img.shields.io/badge/CWE-121-orange?style=for-the-badge)
![Python](https://img.shields.io/badge/Python-3.8+-blue?style=for-the-badge&logo=python&logoColor=white)

Python 3 toolkit to detect and remediate exposure to CVE-2026-41089 on Windows Domain Controllers. Passive only โ€” nothing writes to target systems.

---

## Table of Contents

- [Background & PoC](#background--poc)
- [Installation](#installation)
- [Modules](#modules)
- [Output & Formats](#output--formats)

---

## Background & PoC

**CVE-2026-41089** is a critical vulnerability in the Netlogon service (MS-NRPC) affecting Windows Server 2016 through 2025. It allows unauthenticated remote code execution via a stack buffer overflow in the CLDAP DC locator implementation.

### Vulnerability mechanism

The vulnerable code path:

```
I_NetLogonLdapLookupEx
  โ†’ NlGetLocalPingResponse
    โ†’ BuildSamLogonResponse
      โ†’ NetpLogonPutUnicodeString   โ† overflow here
```

`NlGetLocalPingResponse` allocates a 528-byte stack buffer and passes it to `BuildSamLogonResponse`, which calls `NetpLogonPutUnicodeString` multiple times without bounds checking. The `User` field in the CLDAP filter is attacker-controlled. An oversized username โ€” combined with server name, domain name, GUIDs, and DNS names โ€” pushes the total write past 528 bytes and overflows the stack.

**Attack vector:** UDP 389 (CLDAP), pre-authentication, no credentials required  
**Impact:** lsass crash โ†’ DC reboot (~60 seconds). RCE possible but not demonstrated here.  
**CVSS:** 9.8 CRITICAL โ€” CWE-121

### What this toolkit does

Strictly passive and defensive. It does not trigger exploitation โ€” it probes the DC's response to a crafted CLDAP ping to determine whether the patch is applied:

```
1. Safe CLDAP ping (short username)
        โ†“ no response โ†’ not a DC or CLDAP filtered
        โ†“ response    โ†’ DC reachable, continue
2. Probe ping (80-char username โ€” exercises the vulnerable code path)
        โ†“ no response โ†’ LIKELY_VULNERABLE
        โ†“ response    โ†’ patched (input validation active)
```

The toolkit does **not**:
- Write any data to target systems
- Trigger the actual overflow
- Modify memory on the target
- Affect service stability

### Finding the domain name

The `--domain` argument is required. To enumerate it:

```bash
# From a domain-joined Windows machine
echo %USERDNSDOMAIN%

# From Linux on the same network
nmap -p 389 --script ldap-rootdse 

# Via anonymous LDAP
ldapsearch -x -H ldap:// -s base -b "" namingContexts 2>/dev/null | grep naming
```

Output looks like `DC=corp,DC=local` โ€” the DNS domain is `corp.local`.

### Ethical use

This tool is for defensive security professionals โ€” pentesters, SOC teams, auditors. Use only on infrastructure you are explicitly authorized to test. Unauthorized use against third-party systems is illegal.

---

## Installation

```bash
git clone https://github.com/Orthos-s0c/CVE.git
cd CVE

# Optional โ€” required only for the monitor module
pip install pyevtx-rs

python3 cve_2026_41089_defensive.py --help
```

Standard library only (no install required): `socket`, `struct`, `ipaddress`, `concurrent.futures`, `argparse`, `json`, `pathlib`, `datetime`

---

## Modules

### `audit` โ€” Network Exposure Scan

Passive CLDAP probe over UDP 389. Sends a safe ping to confirm DC reachability, then an 80-char username probe to exercise the vulnerable code path. Response presence/absence is the detection signal.

```bash
# Single IP
python3 cve_2026_41089_defensive.py audit --target 192.168.1.10 --domain corp.local

# CIDR range
python3 cve_2026_41089_defensive.py audit --target 10.0.0.0/24 --domain corp.local \
  --workers 50 --timeout 8.0

# JSON export for SOAR pipeline
python3 cve_2026_41089_defensive.py audit --target 10.0.0.0/24 --domain corp.local \
  --json audit_$(date +%Y%m%d_%H%M%S).json
```

| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `--target` | str | *required* | Single IP or CIDR notation |
| `--domain` | str | *required* | DNS domain name (e.g. `corp.local`) |
| `--workers` | int | `30` | Concurrent threads |
| `--timeout` | float | `5.0` | Per-host UDP timeout in seconds |
| `--port` | int | `389` | CLDAP port |
| `--json` | str | โ€” | Output path for full JSON results |

**Assessment states:**

| Assessment | Meaning |
|---|---|
| `LIKELY_VULNERABLE` | Responded to safe ping, silent on probe โ€” vulnerable code path confirmed |
| `patched` | Responded to both probes โ€” input validation active |
| `unreachable` | No response on UDP 389 โ€” not a DC or port filtered |

---

### `monitor` โ€” EVTX Log Analysis

Analyzes Windows EVTX logs for post-exploitation indicators. Requires `pyevtx-rs`.

```bash
python3 cve_2026_41089_defensive.py monitor --evtx "C:\Windows\System32\winevt\Logs"
```

| Log | Event ID | Meaning |
|-----|----------|---------|
| Application | 1000 | `lsass.exe` crash โ€” primary exploitation indicator |
| Security | 5827, 5828 | Netlogon refused insecure channel |
| Security | 5829 | Netlogon **allowed** insecure channel |
| Security | 4625 | Anonymous logon failure spike |
| System | 7034, 7036 | Netlogon service state change |

Without `pyevtx-rs`, the module prints equivalent PowerShell commands for live monitoring on the DC.

---

### `firewall` โ€” Hardening Rules

Generates a PowerShell firewall script deployable via GPO. UDP 389 (CLDAP) is the primary block โ€” TCP RPC ports are blocked as a secondary layer.

```bash
python3 cve_2026_41089_defensive.py firewall > firewall_rules.ps1

# Apply on DC (admin required)
powershell -ExecutionPolicy Bypass -File .\firewall_rules.ps1
```

Edit `$DC_SUBNET` and `$ADMIN_SUBNET` at the top of the script before deploying.

| Rule | Protocol | Ports | Action |
|------|----------|-------|--------|
| Block CLDAP Inbound | UDP | 389 | BLOCK (all profiles) |
| Allow CLDAP โ€” DC Subnet | UDP | 389 | ALLOW (domain profile) |
| Allow CLDAP โ€” Admin Subnet | UDP | 389 | ALLOW (domain profile) |
| Block Netlogon RPC Inbound | TCP | 135, 445, 464, 3268, 3269 | BLOCK (all profiles) |
| Allow RPC โ€” DC Subnet | TCP | above | ALLOW (domain profile) |

---

### `sigma` โ€” SIEM Detection Rules

Exports three Sigma 1.0 rules compatible with Splunk, Elasticsearch, and Microsoft Sentinel.

```bash
python3 cve_2026_41089_defensive.py sigma > sigma_rules.yml

# Compile to Splunk SPL
sigma compile -t splunk -r sigma_rules.yml
```

| Rule | Event ID | Level |
|------|----------|-------|
| lsass Crash Indicator | 1000 | `critical` |
| Anonymous Logon Failure Spike (>5 / 60s) | 4625 | `high` |
| Netlogon Insecure Channel Anomaly | 5827, 5828 | `medium` |

---

### `patch` โ€” Patch Verification

Generates a PowerShell script to run directly on the DC. Detects the OS, identifies the expected KB, checks installation via `Get-HotFix`.

```bash
python3 cve_2026_41089_defensive.py patch > patch_check.ps1

# Run on the DC
powershell -ExecutionPolicy Bypass -File .\patch_check.ps1
# Exit 0 = patched | Exit 1 = vulnerable | Exit 2 = OS not in matrix
```

| OS | KB |
|----|----|
| Windows Server 2025 | KB5058387 |
| Windows Server 2022 | KB5058385 |
| Windows Server 2019 | KB5058383 |
| Windows Server 2016 | KB5058392 |
| Windows Server 2012 R2 | KB5058395 |

---

## Output & Formats

### Console

```
[14:32:15] CVE-2026-41089 CLDAP audit โ€” 3 host(s), domain=corp.local
HOST               ASSESSMENT               DETAIL
โš   192.168.1.10   LIKELY_VULNERABLE        responded to safe ping, silent on oversized username
   192.168.1.11   unreachable              no response on UDP :389 โ€” not a DC or CLDAP filtered
   192.168.1.12   patched                  responded to both probes (312B) โ€” input validation active

โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
SUMMARY: 1 likely vulnerable / 1 patched / 2 reachable on UDP:389 / 3 total
```

### JSON (`--json results.json`)

```json
[
  {
    "timestamp": "2026-06-02T14:32:15.123456+00:00",
    "host": "192.168.1.10",
    "domain": "corp.local",
    "port": 389,
    "reachable": true,
    "assessment": "LIKELY_VULNERABLE",
    "detail": "responded to safe ping, silent on oversized username โ€” consistent with CVE-2026-41089 code path",
    "resp_bytes": 284
  }
]
```

---

**Version:** 1.0.0 โ€” **Author:** SentinelCore Security Team โ€” **License:** MIT