CVE-2006-2370

Windows 2000 and 2003 Server - Remote Code Execution via RRAS RPC Request

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2006-2370. PoCs published by Metasploit, Pusscat, H D Moore, including Metasploit module exploits/windows/smb/ms06_025_rras.

AI-analyzed exploit summary This Metasploit module exploits a stack buffer overflow in the Windows Routing and Remote Access Service (RRAS) via a malicious registry key. It uses an egghunter and DCERPC to achieve remote code execution on Windows 2000 SP4.

Description

Buffer overflow in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests," aka the "RRAS Memory Corruption Vulnerability."

Exploits (6)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/16375

View Code ZIP pw:eip

This Metasploit module exploits a stack buffer overflow in the Windows Routing and Remote Access Service (RRAS) via a malicious registry key. It uses an egghunter and DCERPC to achieve remote code execution on Windows 2000 SP4.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft Windows 2000 SP4 (RRAS Service)

Auth required

Prerequisites: Valid username and password for Windows 2000 · Access to SMB/DCERPC

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/16364

View Code ZIP pw:eip

This Metasploit module exploits a stack buffer overflow in the Windows Routing and Remote Access Service (RRAS) via a malformed DCERPC request. It targets Windows 2000 SP4 and Windows XP SP1, requiring authentication for Windows 2000.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows RRAS Service (Windows 2000 SP4, Windows XP SP1)

Auth required

Prerequisites: Valid credentials for Windows 2000 · Network access to the target · SMB/DCERPC connectivity

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Pusscat · remotewindows

https://www.exploit-db.com/exploits/1965

View Code ZIP pw:eip

This is a Metasploit module exploiting a stack overflow in the Windows Routing and Remote Access Service (RRAS) via a maliciously crafted registry key. It uses DCERPC and SMB to trigger the vulnerability, achieving remote code execution on Windows 2000 and XP systems.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows 2000, Windows XP (RRAS Service)

Auth required

Prerequisites: Valid SMB credentials for Windows 2000 · Network access to target · SMB pipe access (ROUTER or SRVSVC)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by H D Moore · remotewindows

https://www.exploit-db.com/exploits/1940

View Code ZIP pw:eip

This is a Metasploit exploit module for CVE-2006-2370, targeting a stack overflow in the Windows Routing and Remote Access Service (RRAS). It leverages DCERPC to deliver a payload, with specific targets for Windows 2000 and XP SP1.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows RRAS (2000, XP SP1)

Auth required

Prerequisites: Network access to target · Valid SMB credentials for Windows 2000 · Correct pipe name (ROUTER or SRVSVC)

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms06_025_rras.rb

View Code ZIP pw:eip

This Metasploit module exploits a stack buffer overflow in the Windows Routing and Remote Access Service (RRAS) via a malformed DCERPC request. It targets Windows 2000 SP4 and XP SP1, requiring authentication for Windows 2000.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows RRAS Service (Windows 2000 SP4, Windows XP SP1)

Auth required

Prerequisites: Network access to target · Valid credentials for Windows 2000 · SMB/DCERPC connectivity

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GOOD

by pusscat, hdm · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb

View Code ZIP pw:eip

This Metasploit module exploits a stack buffer overflow in the Windows Routing and Remote Access Service (RRAS) via a malicious registry key. It uses an egghunter to locate and execute the payload, targeting Windows 2000 SP4.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows 2000 SP4 (RRAS Service)

Auth required

Prerequisites: Valid username and password for Windows 2000 · Access to SMB/DCERPC

MITRE ATT&CK