A Zeek package to detect CVE-2022-26937, a vulnerability in the Network Lock Manager (NLM) protocol in the Windows NFS server.

# CVE-2022-26937
A package to detect CVE-2022-26937, a vulnerability in Microsoft's NFS implementation.
## Example
You can run the package's detection logic against the included PCAP in the `testing/Traces` directory (`-C` tells Zeek to ignore bad checksums, `-r` reads from the capture; adjust the path to `__load__.zeek` to wherever the package is checked out):
```
$ zeek -Cr CVE-2022-26937-exploited.pcap ~/Source/CVE-2022-26937/scripts/__load__.zeek
$ cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-05-11-16-42-00
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1652285129.626881 Ci4lmM2HkJESnOzn6g fe80::88d1:4bb:492e:b104 49798 fe80::1550:7290:1622:4dce 111 - - - tcp CVE202226937::CVE_2022_26937_Attempt Potential NFS CVE-2022-26937 exploit attempt: fe80::1550:7290:1622:4dce attempted exploit against fe80::88d1:4bb:492e:b104 - fe80::88d1:4bb:492e:b104 fe80::1550:7290:1622:4dce 111 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-05-11-16-42-00
```
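Once notices like the one above are being written, the next step is to pull them out of `notice.log` programmatically rather than eyeballing the TSV. The following Python is an added example and is not part of this Zeek package: it parses Zeek's ASCII log format (honouring the `#separator`, `#set_separator`, `#fields`, `#types`, `#unset_field` and `#empty_field` headers instead of assuming tabs and `-`) and returns the `CVE202226937::CVE_2022_26937_Attempt` rows as triage records. The embedded sample log is a reconstruction of the `notice.log` shown above with real tab separators; the function and variable names are the example's own.

```python
"""Parse a Zeek notice.log and pull out CVE-2022-26937 notices for triage.

Added example; it is not part of the Zeek package described in the README.
The format handled here is Zeek's standard ASCII writer output.
"""
from datetime import datetime, timezone

# Notice type raised by the package, as it appears in the README's notice.log.
NLM_NOTICE = "CVE202226937::CVE_2022_26937_Attempt"

# Constructed sample: the README's notice.log rebuilt with real tab separators.
_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc "
           "proto note msg sub src dst p n peer_descr actions email_dest suppress_for "
           "remote_location.country_code remote_location.region remote_location.city "
           "remote_location.latitude remote_location.longitude").split()
_TYPES = ("time string addr port addr port string string string enum enum string string "
          "addr addr port count string set[enum] set[string] interval string string string "
          "double double").split()
_ROW = ["1652285129.626881", "Ci4lmM2HkJESnOzn6g", "fe80::88d1:4bb:492e:b104", "49798",
        "fe80::1550:7290:1622:4dce", "111", "-", "-", "-", "tcp", NLM_NOTICE,
        "Potential NFS CVE-2022-26937 exploit attempt: fe80::1550:7290:1622:4dce "
        "attempted exploit against fe80::88d1:4bb:492e:b104",
        "-", "fe80::88d1:4bb:492e:b104", "fe80::1550:7290:1622:4dce", "111", "-", "-",
        "Notice::ACTION_LOG", "(empty)", "3600.000000", "-", "-", "-", "-", "-"]
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",          # Zeek writes the separator itself escaped
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tnotice",
    "#open\t2022-05-11-16-42-00",
    "#fields\t" + "\t".join(_FIELDS),
    "#types\t" + "\t".join(_TYPES),
    "\t".join(_ROW),
    "#close\t2022-05-11-16-42-00",
]) + "\n"


def _convert(val, typ, unset, empty, set_sep):
    """Turn one TSV cell into a Python value using the column's Zeek type."""
    is_collection = typ is not None and typ.startswith(("set[", "vector["))
    if val == unset:
        return None
    if val == empty:
        return [] if is_collection else ""
    if is_collection:
        return val.split(set_sep)
    if typ in ("count", "int", "port"):
        return int(val)
    if typ in ("time", "interval", "double"):
        return float(val)
    if typ == "bool":
        return val == "T"
    return val  # string, addr, enum, subnet: keep the text


def parse_zeek_log(text):
    """Parse a Zeek ASCII log into a list of dict rows, honouring its headers."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, rows = None, None, []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            key, found, val = raw[1:].partition(sep)
            if not found:  # '#separator \x09' is the one header that uses a space
                key, _, val = raw[1:].partition(" ")
            if key == "separator":
                sep = val.encode().decode("unicode_escape")  # "\x09" -> tab
            elif key == "set_separator":
                set_sep = val
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
            elif key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            continue  # #path/#open/#close carry no row data
        if fields is None:
            raise ValueError("data row before #fields header")
        values = raw.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        col_types = types if types else [None] * len(fields)
        rows.append({name: _convert(v, t, unset, empty, set_sep)
                     for name, t, v in zip(fields, col_types, values)})
    return rows


def cve_2022_26937_hits(text):
    """Return the CVE-2022-26937 notices in a notice.log as triage records."""
    hits = []
    for row in parse_zeek_log(text):
        if row.get("note") != NLM_NOTICE:
            continue
        hits.append({
            "when": datetime.fromtimestamp(row["ts"], tz=timezone.utc).isoformat(),
            "uid": row["uid"],  # pivot key into conn.log from the same run
            "originator": f'[{row["id.orig_h"]}]:{row["id.orig_p"]}',
            "responder": f'[{row["id.resp_h"]}]:{row["id.resp_p"]}',
            "actions": row["actions"],
            "suppress_for": row["suppress_for"],
            "msg": row["msg"],
        })
    return hits


if __name__ == "__main__":
    for hit in cve_2022_26937_hits(SAMPLE_NOTICE_LOG):
        print(hit)
```

Because the parser uses the `#types` row, `actions` comes back as a list, `suppress_for` as a float and unset `-` cells as `None`, so downstream filters do not have to special-case Zeek's placeholders. The same `parse_zeek_log` works unchanged on the `conn.log` the run produces, which lets you pivot from a notice's `uid` to the underlying connection record.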
## Package layout

```
.
├── [  49]  COPYING
├── [1.5K]  LICENSE
├── [1.3K]  README.md
├── [4.0K]  scripts
│   ├── [  41]  __load__.zeek
│   ├── [1.0K]  main.zeek
│   └── [1.4K]  signatures.sig
├── [4.0K]  testing
│   ├── [4.0K]  Baseline
│   │   └── [4.0K]  cve202226937.run-pcap
│   │       ├── [1.2K]  conn.log
│   │       ├── [1.1K]  notice.log
│   │       └── [ 115]  output
│   ├── [ 565]  btest.cfg
│   ├── [4.0K]  cve202226937
│   │   └── [ 268]  run-pcap.zeek
│   ├── [4.0K]  Files
│   │   └── [ 192]  random.seed
│   ├── [  28]  Makefile
│   ├── [4.0K]  Scripts
│   │   ├── [ 383]  diff-remove-timestamps
│   │   ├── [1.3K]  get-zeek-env
│   │   └── [ 303]  README
│   └── [4.0K]  Traces
│       └── [5.8K]  CVE-2022-26937-exploited.pcap
└── [ 381]  zkg.meta

8 directories, 18 files
```