## https://sploitus.com/exploit?id=A55FFB43-5646-5751-B599-6BA4C8FC689C
# CVE-2026-30784-rustdesk-poc
CVE-2026-30784: RustDesk hbbs Traffic Amplification PoC & PCAP Analysis

### PCAP Capture Context & Details

> โš ๏ธ **Important Note on the Packet Capture:** > To prevent server from being further utilized as an active amplifier in a distributed botnet attack, the `rustdesk-server` (`hbbs`)+(`hbbr`) service was completely stopped before/during the packet capture. 

Because the service was disabled to mitigate ongoing outbound amplification, the provided PCAP file (`attack_only.pcap`) contains **incoming traffic only**. Even without the server's responses, the incoming vectors clearly demonstrate the malicious intent and structural footprint of the attack:

* **Inbound Flooding Only:** Since `hbbs` was down, there is no corresponding outbound amplified response traffic in this specific trace. This was a deliberate action to protect third-party victims.
* **Distinct and Static Pattern:** The incoming UDP packets hitting port 21116 exhibit a highly uniform and easily identifiable payload pattern (visible as a distinct Base64-like string beginning with specific markers such as `szpontnet...`).
* **Evidence Preservation:** This capture serves purely as forensic evidence of the unauthenticated scanning and flooding phase that triggers the amplification behavior when the service is active.
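
One way to check a capture for the uniform inbound pattern described above, as an added example that is not part of the original repository. It assumes a classic little-endian pcap with Ethernet framing; the sample capture, its addresses and everything after the `szpontnet` prefix are constructed for illustration.

```python
import struct
from collections import Counter
PORT = 21116  # hbbs UDP port named on the page

def udp_payloads(pcap, dport=PORT):
    """Yield (src_ip, payload) for IPv4/UDP frames to dport (classic LE pcap, Ethernet)."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        incl, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4/UDP
        udp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < udp + 8:
            continue  # truncated UDP header
        port, ulen = struct.unpack_from("!HH", frame, udp + 2)
        if port == dport:
            yield ".".join(map(str, frame[26:30])), frame[udp + 8: udp + ulen]

def prefix_report(pcap, n=9):
    """Return (packets, distinct sources, dominant n-byte prefix, its share)."""
    prefixes, sources = Counter(), set()
    for src, payload in udp_payloads(pcap):
        prefixes[payload[:n]] += 1
        sources.add(src)
    total = sum(prefixes.values())
    if not total:
        return 0, 0, b"", 0.0
    top, hits = prefixes.most_common(1)[0]
    return total, len(sources), top, hits / total

def _frame(src, dport, payload):  # builds one constructed Ethernet/IPv4/UDP frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(src), bytes([192, 0, 2, 1]))
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp + payload

def sample_pcap():  # constructed capture: documentation IPs, made-up payload tails
    frames = [_frame([198, 51, 100, i], PORT, b"szpontnet-CONSTRUCTED") for i in range(1, 9)]
    frames += [_frame([203, 0, 113, 5], PORT, b"other-constructed"),
               _frame([203, 0, 113, 6], 53, b"szpontnet-other-port")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

print(prefix_report(sample_pcap()))
```

A single prefix accounting for most packets to port 21116 across many source addresses matches the static pattern noted in the list above and gives a candidate byte string for a filtering or alerting rule.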