CVE-2006-6696

Microsoft Windows < Vista - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-6696. PoCs published by Ruben Santamarta, anonymous.

AI-analyzed exploit summary: This exploit leverages the NtRaiseHardError function in Windows to trigger a memory disclosure vulnerability in csrss.exe by reading arbitrary memory addresses. It uses NtQuerySystemInformation to locate csrss.exe threads and then reads memory contents via crafted NtRaiseHardError calls.

Description

Double free vulnerability in Microsoft Windows 2000, XP, 2003, and Vista allows local users to gain privileges by calling the MessageBox function with a MB_SERVICE_NOTIFICATION message with crafted data, which sends a HardError message to Client/Server Runtime Server Subsystem (CSRSS) process, which is not properly handled when invoking the UserHardError and GetHardErrorText functions in WINSRV.DLL.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Ruben Santamarta · c · local · windows
https://www.exploit-db.com/exploits/3024

This exploit leverages the NtRaiseHardError function in Windows to trigger a memory disclosure vulnerability in csrss.exe by reading arbitrary memory addresses. It uses NtQuerySystemInformation to locate csrss.exe threads and then reads memory contents via crafted NtRaiseHardError calls.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (csrss.exe)
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by anonymous · dos · windows
https://www.exploit-db.com/exploits/2967

This exploit demonstrates a denial-of-service (DoS) vulnerability in Windows by repeatedly calling MessageBoxA with a malformed string, causing system instability. The code leverages the MB_SERVICE_NOTIFICATION flag to trigger the bug.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows (specific version not specified)
No auth needed
Prerequisites: Windows system with vulnerable user32.dll
devstral-2 · analyzed Feb 16, 2026

References (23)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/455546/100/0/threaded
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/archive/1/466331/100/200/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017433
Various Sources x_refsource_misc
http://www.security.nnov.ru/Gnews944.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/455088/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/455158/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21688
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1816
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1325
Various Sources x_refsource_misc
http://www.security.nnov.ru/files/messagebox.c
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/23324
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/455104/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/455061/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23448
Various Sources x_refsource_misc
http://isc.sans.org/diary.php?n&storyid=1965
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/5120

Scores

EPSS 0.0328
EPSS Percentile 86.8%

Details

CWE: CWE-119
Status: published
Products (8)
microsoft/windows_2000 (5 CPE variants)
microsoft/windows_2003_server datacenter_edition (3 CPE variants)
microsoft/windows_2003_server enterprise_edition sp1 (2 CPE variants)
microsoft/windows_2003_server sp1
microsoft/windows_2003_server standard (3 CPE variants)
microsoft/windows_2003_server web (3 CPE variants)
microsoft/windows_vista (4 CPE variants)
microsoft/windows_xp (8 CPE variants)
Published Dec 22, 2006
Tracked Since Feb 18, 2026