SafeBreach-Labs/CVE-2024-49113

LdapNightmare is a PoC tool that tests a vulnerable Windows Server against CVE-2024-49113

LDAP Nightmare

An exploit for CVE-2024-49113, a vulnerability in the Windows Lightweight Directory Access Protocol (LDAP), reported by Yuki Chen (@guhe120).

Created by SafeBreach Labs (published on January 1st, 2025). For the full technical analysis of the vulnerability and how we managed to exploit it, check out the blog post here.

Overview

CVE-2024-49113 is a critical vulnerability in the Windows LDAP client that, according to Microsoft, allows remote code execution. This exploit leverages the vulnerability to crash target Windows Server systems by interacting with their Netlogon Remote Protocol (NRPC) and LDAP client.

Demo

demo.mp4

Setup

  1. Install Dependencies:

    Ensure that all required Python packages are installed. You can install them using pip and the provided requirements.txt file:

    pip install -r requirements.txt

  2. Configure the Exploit:

    • target_ip: IP address of the target machine.
    • port: TCP port for RPC communication (default: 49664).
    • listen_port: UDP port for the exploit server to listen on (default: 389). If not changed, the tool must be run with administrator or root privileges.
    • domain_name: A domain name on the internet that the attacker owns. This domain must have two DNS SRV records under it (SRV records map a domain to a port and another domain):
      • _ldap._tcp.dc._msdcs.domain_name -> listen_port attacker's machine hostname
      • _ldap._tcp.default-first-site-name._sites.dc._msdcs.domain_name -> listen_port attacker's machine hostname
      • Note: the attacker's machine hostname will work only if the victim server can resolve the attacker machine by its hostname using NBNS. Instead of the attacker's hostname, this value can be a domain name on the internet that points to the IP of a malicious LDAP server exploiting the vulnerability.
    • account: Account name parameter (default: Administrator).
    • site_name: Site name parameter (default: empty string).

Usage

python LdapNightmare.py <target_ip> --domain-name <domain_name> [options]

Example:

python LdapNightmare.py 192.168.1.100 --domain-name example.com

How It Works

  1. Starts the Exploit Server:

    The script initiates an asynchronous LDAP server that listens for incoming connections on the specified UDP port.

  2. Invokes DsrGetDcNameEx2:

    The script calls the DsrGetDcNameEx2 function via the Netlogon Remote Protocol to trigger the victim server to send an LDAP query to the attacker.

  3. Triggers the Vulnerability:

    By sending a specially crafted response, the exploit triggers CVE-2024-49113, causing the victim server to crash.
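From the defender's side, the observable precursor of this chain is the victim server performing DC-locator SRV lookups (`_ldap._tcp.dc._msdcs.<domain>` and the `_sites` variant) for a domain the organisation does not trust. The following is an added detection example, not part of this repository: it scans DNS query log lines for such lookups. The log layout (`<timestamp> <client_ip> <qtype> <qname>`), the sample lines and the `TRUSTED_DOMAINS` set are all constructed assumptions for the example.

```python
import re

# Domains this server is legitimately expected to locate domain controllers for
# (assumed value for this example; use your own forest and trust list).
TRUSTED_DOMAINS = {"corp.example.local"}

# DC-locator SRV names as described above: _ldap._tcp.dc._msdcs.<domain> and
# _ldap._tcp.<site>._sites.dc._msdcs.<domain>
DC_LOCATOR_RE = re.compile(
    r"^_ldap\._tcp\.(?:(?P<site>[^.]+)\._sites\.)?dc\._msdcs\.(?P<domain>.+?)\.?$",
    re.IGNORECASE,
)

# Constructed sample log, one query per line: "<timestamp> <client_ip> <qtype> <qname>"
# (the whitespace-separated layout is an assumption, not any product's real format).
SAMPLE_DNS_LOG = """\
2025-01-02T10:00:01Z 10.0.0.5 SRV _ldap._tcp.dc._msdcs.corp.example.local
2025-01-02T10:00:02Z 10.0.0.5 SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.example.local
2025-01-02T10:03:15Z 10.0.0.5 SRV _ldap._tcp.dc._msdcs.attacker-owned.example
2025-01-02T10:03:15Z 10.0.0.5 SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.attacker-owned.example
2025-01-02T10:04:00Z 10.0.0.7 A www.example.com
"""

def parse_dc_locator_query(line):
    """Return (timestamp, client, site, domain) for a DC-locator SRV query, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[2].upper() != "SRV":
        return None
    m = DC_LOCATOR_RE.match(parts[3])
    if not m:
        return None
    return parts[0], parts[1], m.group("site"), m.group("domain").lower()

def find_untrusted_dc_lookups(log_text, trusted_domains=TRUSTED_DOMAINS):
    """Flag DC-locator SRV queries for domains outside the trusted set; a
    DsrGetDcNameEx2 call with an attacker-chosen domain produces exactly these."""
    trusted = {d.lower().rstrip(".") for d in trusted_domains}
    hits = []
    for line in log_text.splitlines():
        parsed = parse_dc_locator_query(line)
        if parsed is None:
            continue
        ts, client, site, domain = parsed
        if domain not in trusted:
            hits.append({"time": ts, "client": client, "site": site, "domain": domain})
    return hits

if __name__ == "__main__":
    for hit in find_untrusted_dc_lookups(SAMPLE_DNS_LOG):
        print(f"{hit['time']} {hit['client']} DC-locator query for untrusted domain {hit['domain']}")
```

A single untrusted-domain lookup is not proof of exploitation, but paired with a Netlogon RPC call from an unexpected source it is a strong pivot point for incident response.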

References

Authors - Or Yair & Shahak Morag

Or Yair: LinkedIn Or Yair, Twitter @oryair1999
Shahak Morag: LinkedIn Shahak Morag, Twitter @shahakmo
