Share
## https://sploitus.com/exploit?id=EE91804C-7619-5280-A1EA-CD09C9E65284
# CVE-2026-54992 PoC

Proof of concept for the Microsoft Message Queuing remote-read integer
overflow tracked as CVE-2026-54992.

The PoC uses two Windows VMs. A normal user on the vulnerable target asks the
local MSMQ service to read from a queue hosted by the helper. The helper returns
a malformed MS-MQRR response, causing `mqsvc.exe` on the target to crash. The
PoC demonstrates denial of service; it does not demonstrate code execution.

## Root cause

`mqqm.dll` validates each returned packet section separately but, on affected
versions, sums their allocation lengths using a 32-bit value without checking
for aggregate overflow. This PoC supplies section lengths `0x2000` and
`0xffffe010`. Their mathematical sum is `0x100000010`, which wraps to `0x10`.
MSMQ allocates packet storage using the wrapped size and then processes the
original section lengths, resulting in an out-of-bounds write.

## Build

Build the two x64 binaries with MinGW-w64, then copy the folder to both Windows
VMs:

```sh
make clean all
```

## Run

Use two disposable Windows VMs on an isolated network. The helper and the real
MSMQ service both use TCP port 2105, so they must run on separate machines.

On the vulnerable target, run from an elevated PowerShell window:

```powershell
Set-ExecutionPolicy -Scope Process Bypass
.\setup-target.ps1
```

On the helper VM, run from an elevated PowerShell window:

```powershell
Set-ExecutionPolicy -Scope Process Bypass
.\start-emulator.ps1
```

Then, on the target, run from a normal non-elevated PowerShell window, replacing
the address with the helper VM's IPv4 address:

```powershell
.\invoke-crash.ps1 -Server 192.168.122.53 -IUnderstandThisWillCrashMSMQ
```

On an affected build, `mqsvc.exe` terminates and MSMQ stops with service exit
code 1067. To reset the lab, run `restore-helper.ps1` on the helper and restart
MSMQ on the target.