Share
## https://sploitus.com/exploit?id=12802E65-0A5D-5524-8341-FB33DCDF9DBB
## Exploiting open ports in RCC Service
Having all RCC ports open is dangerous, we all might know this, but what can actually happen from it?


## Description


in RCC (2016 for this demostration) having your ports public is risky, SOAP ports not enforce any sort of authentication or authorization, and this assumes one or all of the ports are publically avaliable may result in many vulnerabilities, for this one we will focus on server code execution.

Anyone who has the server IP and the SOAP port can achieve many vulnerabilities, for this one we will focus on unauthenticated privileged remote code execution (RCE) by sending requests to RCCService with the attacker's choice of Lua code to SOAP.

when RCE is acheived, code will ALWAYS run on the server and have the highest thread identity (7).

Attackers are able to easily find the server IP and they may get the port using `nmap` (or any similar tool) and with a tiny bit of luck, the SOAP port is hardcoded as `64989` but may differ.

You can test this your self by building RCCService (2016) from [here](https://github.com/SANS3R66/roblox-2016-source-code) or if you already have it built you can `RCCService.exe -Console` and then `py main.py` to run the PoC


CWE: https://cwe.mitre.org/data/definitions/306.html | https://cwe.mitre.org/data/definitions/749.html

yes it would work in any game that uses an insecure RCC setup (ex. revivals of 2016 clients) and so on


for devs: block ports or add checks and if your revival is actually vulnerable to something like this then its vulnerable to a billion other things please read https://web.archive.org/web/20240315185705/https://lrre.wiki/Security

if im retarded please tell me



https://github.com/user-attachments/assets/41bacef0-7e8e-417c-ae92-c23bc84b4953