Rapid7 Vulnerability & Exploit Database

MS06-025 Microsoft RRAS Service Overflow

Back to Search

MS06-025 Microsoft RRAS Service Overflow



This module exploits a stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.


  • Nicolas Pouvesle <nicolas.pouvesle@gmail.com>
  • hdm <x@hdm.io>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) > show targets
msf exploit(ms06_025_rras) > set TARGET < target-id >
msf exploit(ms06_025_rras) > show options
    ...show and set options...
msf exploit(ms06_025_rras) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security