CVE-2006-4688

Microsoft Windows <SP1 - Buffer Overflow


Exploitation Summary

EIP tracks 4 public exploits for CVE-2006-4688. PoCs were published by Metasploit and pusscat, including the Metasploit module exploits/windows/smb/ms06_066_nwapi.

AI-analyzed exploit summary: This Metasploit module exploits a stack buffer overflow in the nwapi32.dll module of the NetWare client service on Windows XP SP2. It uses an egghunter technique to locate and execute the payload, achieving remote code execution via a maliciously crafted DCERPC request.

Description

Buffer overflow in Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via crafted messages, aka "Client Service for NetWare Memory Corruption Vulnerability."

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16373

This Metasploit module exploits a stack buffer overflow in the nwapi32.dll module of the NetWare client service on Windows XP SP2. It uses an egghunter technique to locate and execute the payload, achieving remote code execution via a maliciously crafted DCERPC request.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP2 with NetWare client service running
No auth needed
Prerequisites: NetWare client service running on target · SMB access to target
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16369

This exploit targets a stack buffer overflow in the nwapi32.dll module via the NetWare client service in svchost. It leverages a malformed DCERPC request to achieve remote code execution on vulnerable Windows XP SP2 systems.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP2 with NetWare client service enabled
No auth needed
Prerequisites: NetWare client service running on target · Access to SMB/DCERPC
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC GOOD
by pusscat · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms06_066_nwapi.rb

This Metasploit module exploits a stack buffer overflow in the nwapi32.dll module via the svchost service when the NetWare client service is running. It uses an egghunter to locate and execute the payload, targeting Windows XP SP2.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP2 with NetWare client service
No auth needed
Prerequisites: NetWare client service running on target · SMB access to target
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC GOOD
by pusscat · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms06_066_nwwks.rb

This Metasploit module exploits a stack buffer overflow in the nwapi32.dll module via the svchost service when the NetWare client service is running. It leverages a DCERPC call to trigger the vulnerability and execute arbitrary payloads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP2 with NetWare client service
No auth needed
Prerequisites: NetWare client service running on target · SMB access to the target
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017224
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-318A.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21023
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4504
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A404
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/451844/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/29952
Patch third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22866

Scores

EPSS 0.7525
EPSS Percentile 99.5%

Details

Status published
Products (3)
microsoft/windows_2000
microsoft/windows_2003_server sp1
microsoft/windows_xp
Published Nov 14, 2006
Tracked Since Feb 18, 2026