
War Room


Building a Vulnerable Box: RemoteMouse

January 29, 2021 By Ken Smith

At the start of every year, I review my lab repository of intentionally vulnerable machines and do my best to add new ones to the list. I recently came across a particularly interesting flaw, from a teaching perspective, and thought it would be worth capturing.

RemoteMouse is Windows/Linux/Mac compatible software that can be used in conjunction with a mobile app to turn your phone or tablet into a mouse/keyboard/touchpad. Version 3.008 does not perform any authentication, which makes it possible for any machine that knows how to communicate with the server to take control.

I chose to include this flaw in my lab for a couple of reasons:

  • It’s not particularly common software, and I like to include a good mix of ‘realistic corporate’ and unique (more CTF-ish) examples
  • It’s very easy to visualize because when exploited, the mouse pointer will actually move and the commands-to-execute are written out (which makes it a great teaching tool)

As with previous entries in this series, we’ll briefly walk through setting up the vulnerable software and then give an example exploit.

The Setup

This one is really easy to get off the ground. The vulnerable version of RemoteMouse is currently available through The Exploit Database alongside a proof-of-concept exploit (Figure 1). That can be downloaded directly to your virtual machine. The exploit itself was tested on Windows 10, and I admittedly haven’t explored it beyond that.

Figure 1: RemoteMouse on the Exploit-DB

The one thing you’ll need to do after installing the software (Figure 2) is to ensure the RemoteMouse service is permitted through the firewall (Figure 3). Allowing port 1978 to be accessed inbound in the Advanced Firewall Settings is a simple way to approach that. Allowing all RemoteMouse traffic is even easier.

Figure 2: RemoteMouse Installed Successfully (Windows 10)
Figure 3: Opening Port 1978 for RemoteMouse
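The firewall step above done from an elevated PowerShell prompt instead of the Advanced Firewall Settings GUI. This is an added lab-setup helper, not code from the original post; it assumes RemoteMouse listens on TCP/1978 (what the nmap service scan sees) and that the attacking VM sits in a 10.10.10.0/24 lab subnet, which you should change to match your own range. The commented-out rule is the "allow everything" variant the post mentions; the active rule opens the same port but only to the lab subnet and only on the Private profile.

```powershell
# Added lab-setup helper (not from the original post). $LabSubnet is an
# assumed value; set it to the network your attacking VM actually lives in.
$LabSubnet = '10.10.10.0/24'
$Port      = 1978
$RuleName  = 'RemoteMouse 3.008 (lab only)'

# Confirm the RemoteMouse service is actually listening before opening anything.
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    throw "Nothing is listening on TCP/$Port; start RemoteMouse first."
}
$proc = Get-Process -Id $listener[0].OwningProcess
Write-Host "TCP/$Port is owned by PID $($proc.Id) ($($proc.ProcessName))"

# Remove any earlier copy of the rule so re-running this script is idempotent.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Weak variant (what "allowing all RemoteMouse traffic" amounts to):
#   New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow
# Scoped variant: same port, but reachable only from the lab subnet and only on the
# Private profile, so a VM that ends up bridged does not expose the box to the whole LAN.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $Port -RemoteAddress $LabSubnet -Profile Private -Action Allow | Out-Null

# Show the effective rule so the scope can be checked before you start scanning.
$rule = Get-NetFirewallRule -DisplayName $RuleName
[pscustomobject]@{
    Rule    = $rule.DisplayName
    Enabled = $rule.Enabled
    Port    = ($rule | Get-NetFirewallPortFilter).LocalPort
    Remote  = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Profile = $rule.Profile
}
```

Re-run the nmap service scan from the lab VM afterwards; if the port shows as filtered, the subnet or profile in the rule does not match the path the scan is taking.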

Scanning the newly created target with an nmap service scan, we can note that nmap (at the time of this posting) does not have a built-in fingerprint available for the RemoteMouse service (Figure 4). However, if we pull language out of the banner grab it provides and go to Google, we can quickly determine that the service is RemoteMouse.

Figure 4: nmap Fingerprinting
Figure 5: Fingerprinting with Google

Proof of Concept

As mentioned, there is a Python exploit for this exposure available on the Exploit Database. Always review exploit code you pull down from the internet so you don’t accidentally compromise yourself (or inadvertently give someone else access to your target).

The proof of concept itself is really straightforward (and very obviously Windows-specific); we’re taking control of the mouse and keyboard. The proof of concept first performs a banner grab to fingerprint the RemoteMouse service (similar to what we did earlier with nmap) (Figure 6). With that confirmed, it (slowly) moves the mouse to the bottom left corner of the screen and then virtually types ‘calc.exe’ into the search bar and hits ‘Enter’ to pop open Calculator (Video 1). Once again, what makes this a great teaching tool is that the Python is pretty easily translatable for non-coders and because the mouse is moving and the ‘keyboard’ is typing, it’s a much less ethereal exploit than something like ms17-010 or BlueKeep.

Figure 6: Function to Move the mouse and open Calculator

Video 1: https://warroom.rsmus.com/wp-content/uploads/2021/01/transfer.mp4

Exploitation

Weaponizing this exploit can take any number of different paths depending on what controls are in place on the target system. Substituting a Metasploit web_delivery payload in either PowerShell or Python would be a good option, except that after a certain number of characters (Figures 7 & 8), Windows Search does not appear to recognize the string as a command (Video 2…sped up 12x).

Figure 7: web_delivery in Metasploit (PowerShell)
Figure 8: Modified Python exploit to include the payload string from the web_delivery module

Video 2: https://warroom.rsmus.com/wp-content/uploads/2021/01/Web_Delivery-Failure.mp4

Dropping the payload string into a bat file, wget-ing it down, and then exploiting RemoteMouse a second time to run the bat file does seem to work, though it isn’t particularly elegant and is liable to be picked off immediately. In any case, it makes for a cool, if somewhat CTF-ish, experience.
