Win-DoS Epidemic: A crash course in abusing RPC for Win-DoS & Win-DDoS

Presented at DEF CON 33 (2025), Aug. 10, 2025, 12:30 p.m. (45 minutes).

DCs are organizations’ core. A successful DoS attack against them can break authentication and paralyze operations. Following our LDAPNightmare release, the first public DoS exploit for CVE-2024-49113, we found two new DoS-style attack surfaces on DCs: new critical DoS vulnerabilities, and creating a botnet harnessing public DCs for DDoS. Our goal: create the Win-DoS epidemic - infect DCs with Win-DoS and make them infect others, forming Win-DDoS. Building on LDAPNightmare, we explored client-side targeting, often exposing weaker code. By turning DCs into LDAP clients via NetLogon RPC, using LDAP referrals, we redirected them to chosen domains/ports, matching our goals. Moreover, we knew DDoS was powerful, but aimed to replicate its effect from a single machine. We focused on RPC servers - abundant in Windows with wide attack surfaces, especially those not requiring authentication. By abusing security gaps in RPC bindings, we hit the same RPC server relentlessly from one system, far surpassing standard concurrency limits! And WOW, found vulns crashing any Windows: servers and endpoints alike! We present “Win-DoS Epidemic” - DoS tools exploiting four new Win-DoS and one Win-DDoS zero-click vulns! Crash any Windows endpoint/server, including DCs, or launch a botnet using public DCs for DDoS. The epidemic has begun.

References:

  - [link](https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113/)

Presenters:

  • Or "oryair1999" Yair
    Or Yair (@oryair1999) is a security research professional with seven years of experience, currently serving as the Security Research Team Lead at SafeBreach. His primary focus lies in vulnerabilities in the Windows operating system’s components, though his past work also included research of Linux kernel components and some Android components. Or's research is driven by innovation and a commitment to challenging conventional thinking. He enjoys contradicting assumptions and considers creativity a key skill for research. Or frequently presents his vulnerability and security research discoveries internationally at top conferences such as Black Hat, DEF CON, RSAC, SecTor, and many more.
  • Shahak Morag
    Shahak is currently serving as the Research Lead at SafeBreach, with over seven years of experience in security research. My background includes extensive expertise in Linux kernel and embedded systems, with more than one year of focused research on Windows platforms.
