Windows DNS Client Remote Code Execution Vulnerability
CVE-2026-41096 is a critical heap-based buffer overflow in the Microsoft Windows DNS Client that can lead to remote code execution. The flaw is triggered when a vulnerable Windows system processes a specially crafted DNS response. Multiple tracked sources describe the issue as improper handling of attacker-controlled DNS response data by the DNS client, resulting in heap memory corruption. The affected component is consistently identified as the Windows DNS Client; some reporting points to DNSAPI.dll, while patch-diff and crash-reproduction material notes a deterministic pre-patch crash in ws2_32.dll!ConvertWStrToHash and suggests webio.dll as a likely remote exploitation surface. Microsoft classifies the issue as a heap-based buffer overflow / heap out-of-bounds condition and rates it CVSS 9.8.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a small Visual Studio C++ project that builds a Windows dynamic-link library acting as a dnsapi.dll proxy/hijack implant. The structure is minimal: a solution file, a VC++ project file, one main source file (dllmain.cpp), and standard precompiled-header scaffolding. The README references CVE-2026-41096 and describes the repository as a real-world attack surface example rather than a polished exploit framework. The core logic is in dllmain.cpp. The DLL uses many linker export-forwarding directives to preserve the dnsapi export surface by forwarding calls to a renamed backing DLL identified as 'tmpbwnkjl'. This is a classic proxy DLL pattern intended to keep the host application functioning while allowing attacker code to run when the malicious DLL is loaded. The code explicitly exports DnsQueryRaw and overrides its behavior. When DnsQueryRaw is invoked, it emits a debug string, calls LogProcessInfo(), records the current process filename and PID to C:\tmp\rlog.txt, and returns DNS_STATUS_TIMEOUT. Operationally, this is not a remote network exploit by itself; it is a local execution primitive/persistence or hijack component that depends on DLL search-order abuse, side-loading, or replacement of dnsapi.dll in a vulnerable application context. Its main capability is code execution inside any process that loads the malicious DLL, with lightweight telemetry/logging and behavior tampering for DnsQueryRaw. There is no shell, downloader, C2, or external network infrastructure embedded in the visible code. The observable artifacts are primarily the local log path and the forwarding target name used to chain to the legitimate DLL.
This repository is a compact two-component proof-of-concept for CVE-2026-41096, described as a heap overflow in Microsoft dnsapi.dll within DnsRawTruncateMessageForUdp(). The repo contains three files: a README with usage and expected outcomes, a Python rogue DNS server, and a Win32 C trigger client. The exploit flow is straightforward: rogue_dns_server.py binds UDP/53 on 0.0.0.0 and answers every received DNS query with a deliberately malformed DNS response whose header sets QDCOUNT=0 and ARCOUNT=1, followed by a single oversized OPT record. The response is 623 bytes total (12-byte DNS header + 11-byte OPT RR header + 600 bytes of RDATA), intentionally exceeding normal UDP DNS truncation expectations. trigger_client.c is the victim-side trigger. It loads dnsapi.dll dynamically, resolves DnsQueryRaw, configures a custom UDP DNS server using the operator-supplied IP, and submits an asynchronous query for trigger.cve202641096.test. A completion callback records the result, while SetUnhandledExceptionFilter is used to catch process-wide crashes, including those on callback threads. The client interprets outcomes as: patched if queryStatus is DNS_ERROR_BAD_PACKET (0x251E), vulnerable if a crash occurs or if status 0 indicates the malformed response was processed. This is not a weaponized RCE exploit; it is an operational crash/verification PoC intended to confirm the presence of the heap overflow via network-triggered malformed DNS parsing.
This repository is a small proof-of-concept for a Windows DNS client-side vulnerability in the DnsQueryRaw path, specifically noted in DnsRawTruncateMessageForUdp. It contains two code files and a README. client.c is the victim-side trigger: a minimal Windows program using the WinDNS API to repeatedly call DnsQueryRaw for example.com over UDP with DNS_QUERY_BYPASS_CACHE, asynchronously waiting on a callback. The code requires manual configuration of the network interface index and appears intended to force the vulnerable parsing path on Windows 11 / certain Windows Server builds. poc.py is the attacker-side network trigger built with Scapy. It sniffs UDP/53 traffic on a specified interface, looks for DNS queries for www.example.com., extracts the DNS transaction ID, and sends back a handcrafted raw DNS response rather than using Scapy's DNS builder. The malformed response is notable for qdcount=0 and inclusion of only an OPT RR (EDNS0 type 41) with a large 0xff-length data section padded with 0x42 bytes, which the README states is necessary to trigger the bug. Overall, the repository is not a complete RCE exploit; it is a targeted network-triggering PoC intended to crash or otherwise exercise the vulnerable DNS parsing logic. There is no persistence, shell payload, or post-exploitation logic. The structure is straightforward: README for setup notes, client.c to invoke the vulnerable API on the target, and poc.py to generate the malicious DNS response.
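As an added example (not code from either repository above), a defender-side triage function that parses a UDP DNS response and reports the traits both PoCs rely on: a response with QDCOUNT=0 whose only records are OPT, and an OPT RDLENGTH far beyond normal EDNS option sizes. The 64-byte limit, the constructed sample bytes and the example.com answer are assumptions made here, not values from the advisories.

```python
import struct
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type

def _skip_name(msg, off):
    # Advance past a DNS name (labels or a 2-byte compression pointer).
    while off < len(msg):
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n
    raise ValueError("name runs past end of message")

def triage_dns_response(msg, opt_rdlen_limit=64):
    # Return findings matching the trigger shape described above. opt_rdlen_limit is
    # an assumed local threshold, not a value taken from the advisories.
    if len(msg) < 12:
        return ["message shorter than DNS header"]
    _tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        return []  # QR bit clear: a query, not a response
    findings = ["response with QDCOUNT=0"] if qd == 0 else []
    off, other_rrs = 12, 0
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            return findings + ["RR header truncated"]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            return findings + ["RDLENGTH %d runs past end of message" % rdlen]
        if rtype != OPT_TYPE:
            other_rrs += 1
        elif rdlen > opt_rdlen_limit:
            findings.append("OPT RDLENGTH %d exceeds limit %d" % (rdlen, opt_rdlen_limit))
        off += rdlen
    if qd == 0 and an + ns + ar and not other_rrs:
        findings.append("only OPT record(s), no question or answer section")
    return findings

# Constructed samples, not captured traffic. MALFORMED mirrors the 623-byte shape described
# above (QDCOUNT=0, ARCOUNT=1, one OPT RR with 600 bytes of RDATA); BENIGN is a normal A answer.
MALFORMED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 0, 0, 1)
             + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 600) + b"\x42" * 600)
BENIGN = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + b"\x07example\x03com\x00"
          + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
          + bytes([192, 0, 2, 1]) + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0))
```

Feed it the payload of each inbound UDP/53 datagram from a capture; a non-empty result on a response destined for a Windows client is worth a closer look, and the truncated-RDLENGTH finding also catches responses cut off in transit.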
Recent activity
60 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Remote code execution vulnerability in the Windows DNS Client. The CVSS base score is 9.8 or higher, and it is reported to be exploitable without authentication or user interaction. There was no exploitation or public disclosure before publication, but prompt risk assessment and application of the update are recommended.
A critical remote code execution vulnerability in the Microsoft Windows DNS Client caused by a heap-based buffer overflow in DNSAPI.dll when processing malicious DNS responses.
A Windows DNS Client remote code execution vulnerability described as a heap-based buffer overflow. The content discusses patch-diff findings in ws2_32.dll and webio.dll and demonstrates a Level A crash reproduction on the ws2_32.dll code path.
A critical heap overflow in the Windows DNS Client that can enable unauthenticated remote code execution via malicious DNS responses, affecting a very broad Windows attack surface.