CVE-2006-4691

Microsoft Windows <XP - Buffer Overflow


Exploitation Summary

EIP tracks 5 public exploits for CVE-2006-4691. PoCs published by Metasploit, Winny Thomas, S A Stevens, including Metasploit module exploits/windows/smb/ms06_070_wkssvc.

AI-analyzed exploit summary: This is a Metasploit module exploiting a stack buffer overflow in the NetApi32 NetpManageIPCConnect function via the Workstation service in Windows 2000 SP4 and Windows XP SP0/SP1. It requires a valid domain name and leverages DCERPC to trigger the vulnerability.

Description

Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname.

Exploits (5)

Source: exploitdb · Working PoC · Verified
by Metasploit · Ruby · remote · Windows
https://www.exploit-db.com/exploits/16372

This is a Metasploit module exploiting a stack buffer overflow in the NetApi32 NetpManageIPCConnect function via the Workstation service in Windows 2000 SP4 and Windows XP SP0/SP1. It requires a valid domain name and leverages DCERPC to trigger the vulnerability.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000 SP4, Windows XP SP0/SP1
Authentication: required
Prerequisites: Valid domain name · SMB access · Valid credentials (Admin for XP SP2)
Analyzed by devstral-2 on Feb 16, 2026
Source: exploitdb · Working PoC · Verified
by Winny Thomas · Python · remote · Windows
https://www.exploit-db.com/exploits/2809

This exploit targets CVE-2006-4691, a vulnerability in the Windows WorkStation NetpManageIPCConnect function. It crafts a malicious NetrJoinDomain2 request to trigger a buffer overflow, executing shellcode for remote code execution (RCE).

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000 Server SP4 (WorkStation Service)
Authentication: not required
Prerequisites: Network access to target · Samba configured as a domain controller · Python and Impacket library
Analyzed by devstral-2 on Feb 16, 2026
Source: exploitdb · Working PoC · Verified
by S A Stevens · C++ · remote · Windows
https://www.exploit-db.com/exploits/2800

This exploit targets a stack overflow vulnerability in Microsoft Windows Wkssvc NetrJoinDomain2 (MS06-070) on Windows 2000 Server SP4. It uses a crafted RPC request to trigger the overflow and execute shellcode for a bind shell on port 4443.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000 Server SP4
Authentication: not required
Prerequisites: Network access to target · Valid domain name for the exploit to function
Analyzed by devstral-2 on Feb 16, 2026
Source: exploitdb · Working PoC · Verified
by cocoruder · C++ · remote · Windows
https://www.exploit-db.com/exploits/2789

This exploit targets CVE-2006-4691, a stack overflow vulnerability in Microsoft Windows Wkssvc NetrJoinDomain2 (MS06-070). It crafts a malicious SMB packet to trigger a buffer overflow, leading to remote code execution via embedded shellcode.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000 Server SP4 (Wkssvc)
Authentication: not required
Prerequisites: Network access to target · Valid domain name for the exploit
Analyzed by devstral-2 on Feb 16, 2026
Source: metasploit · Working PoC · Manual
by jduck · Ruby · PoC · Windows
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms06_070_wkssvc.rb

This Metasploit module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect function via the Workstation service in Windows 2000 SP4 and Windows XP SP0/SP1. It leverages DCERPC to trigger the vulnerability, requiring a valid domain name for successful exploitation.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000 SP4, Windows XP SP0/SP1
Authentication: required
Prerequisites: Valid Windows domain name · SMB access to target · Administrator privileges for Windows XP SP2
Analyzed by devstral-2 on Feb 19, 2026

References (12)

Core references (12)

http://www.securityfocus.com/bid/20985 · Third Party Advisory, VDB Entry · vdb-entry, x_refsource_bid
http://www.us-cert.gov/cas/techalerts/TA06-318A.html · US Government Resource · third-party-advisory, x_refsource_cert
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A607 · Third Party Advisory, VDB Entry · vdb-entry, signature, x_refsource_oval
https://exchange.xforce.ibmcloud.com/vulnerabilities/29948 · Third Party Advisory, VDB Entry · vdb-entry, x_refsource_xf
http://secunia.com/advisories/22883 · Patch, Vendor Advisory · third-party-advisory, x_refsource_secunia
http://www.kb.cert.org/vuls/id/778036 · US Government Resource · third-party-advisory, x_refsource_cert-vn
http://securitytracker.com/id?1017221 · Third Party Advisory, VDB Entry · vdb-entry, x_refsource_sectrack
http://www.securityfocus.com/archive/1/451588/100/0/threaded · Third Party Advisory, VDB Entry · mailing-list, x_refsource_bugtraq
http://research.eeye.com/html/advisories/published/AD20061114.html · Various Sources · third-party-advisory, x_refsource_eeye
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A908 · Third Party Advisory, VDB Entry · vdb-entry, signature, x_refsource_oval
http://www.vupen.com/english/advisories/2006/4508 · Third Party Advisory · vdb-entry, x_refsource_vupen

Scores

EPSS: 0.8886
EPSS percentile: 99.5%

Details

Status: published
Products (2):
microsoft/windows_2000
microsoft/windows_xp
Published: Nov 14, 2006
Tracked since: Feb 18, 2026