CVE-2006-3439

EXPLOITED

Microsoft Windows <2003 - Buffer Overflow


Exploitation Summary

CVE-2006-3439 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Metasploit, Trirat Puttaraksa and ub3rst4r, among them the Metasploit module exploits/windows/smb/ms06_040_netapi.

AI-analyzed exploit summary: This is a Metasploit module exploiting a stack buffer overflow in the NetApi32 CanonicalizePathName() function via the NetpwPathCanonicalize RPC call in the Microsoft Server Service. It targets multiple Windows versions and can result in remote code execution or denial of service.

Description

Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16367

This is a Metasploit module exploiting a stack buffer overflow in the NetApi32 CanonicalizePathName() function via the NetpwPathCanonicalize RPC call in the Microsoft Server Service. It targets multiple Windows versions and can result in remote code execution or denial of service.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Server Service (NetApi32.dll)
Auth required
Prerequisites: Network access to the target · SMB access · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Trirat Puttaraksa · remote · windows
https://www.exploit-db.com/exploits/2355

This is a functional exploit for CVE-2006-3439 targeting Windows Server 2003 SP0. It leverages a buffer overflow in the Server service via DCERPC to achieve remote code execution by bypassing stack protection via overwriting the security cookie.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows Server 2003 SP0
No auth needed
Prerequisites: Network access to target's SMB port (445/tcp) · Target must be unpatched (pre-MS06-040)
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by ub3rst4r · c · remote · windows
https://www.exploit-db.com/exploits/2265

This is a functional proof-of-concept exploit for CVE-2006-3439, targeting a vulnerability in the Microsoft Server Service. It leverages a buffer overflow in the NetprPathCanonicalize RPC call to achieve remote code execution on vulnerable Windows systems.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000 SP0-SP4, Windows XP SP0-SP1, Windows NT 4.0
No auth needed
Prerequisites: Network access to the target system · Target system must have the vulnerable Server Service exposed
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Preddy · c · remote · windows
https://www.exploit-db.com/exploits/2223

This exploit targets CVE-2006-3439, a buffer overflow in Microsoft Windows' CanonicalizePathName() function. It sends a series of crafted SMB packets to trigger the vulnerability and spawns a reverse shell on port 54321.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP1 (and potentially Windows 2000)
No auth needed
Prerequisites: Network access to target's SMB port (139) · Target system must be vulnerable (unpatched)
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by H D Moore · remote · windows
https://www.exploit-db.com/exploits/2162

This is a Metasploit module exploiting a stack overflow in the NetApi32 NetpIsRemote() function via the NetpwPathCanonicalize RPC call in the Server Service. It targets multiple Windows versions (NT 4.0, 2000, XP SP0/SP1) and achieves remote code execution by leveraging either wcscpy() or stack overflow methods.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Server Service (NetApi32.dll)
No auth needed
Prerequisites: Network access to target's SMB service (port 445/tcp) · Vulnerable version of Windows (NT 4.0, 2000, XP SP0/SP1)
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by hdm · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms06_040_netapi.rb

This Metasploit module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function via the NetpwPathCanonicalize RPC call in the Server Service, leading to remote code execution on vulnerable Windows systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Unreliable
Target: Microsoft Server Service (NetApi32.dll) on Windows NT 4.0, Windows 2000 SP0-SP4, Windows XP SP0-SP1, and Windows 2003 SP0
No auth needed
Prerequisites: Network access to the target's SMB service · Vulnerable version of the Server Service
devstral-2 · analyzed Feb 16, 2026

References (11)

Core References
Various Sources x_refsource_misc
http://www.dhs.gov/dhspublic/display?content=5789
Patch, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/650769
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016667
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19409
Patch, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-220A.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A492
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/28002
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3210
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21388

Scores

EPSS 0.8896
EPSS Percentile 99.5%

Details

VulnCheck KEV 2017-06-20
Status published
Products (6)
microsoft/windows_2000
microsoft/windows_2003_server 64-bit
microsoft/windows_2003_server itanium
microsoft/windows_2003_server r2
microsoft/windows_2003_server sp1 (2 CPE variants)
microsoft/windows_xp (3 CPE variants)
Published Aug 09, 2006
Tracked Since Feb 18, 2026