At the start of every year, I review my lab repository of intentionally vulnerable machines and do my best to add new ones to the list. I recently came across a particularly interesting flaw, from a teaching perspective, and thought it would be worth capturing.
RemoteMouse is Windows/Linux/Mac compatible software that can be used in conjunction with a mobile app to turn your phone or tablet into a mouse/keyboard/touchpad. Version 3.008 does not check for authentication, which makes it possible for any machine that knows how to communicate with the server to take control.
I chose to include this flaw in my lab for a couple of reasons:
- It’s not particularly common software, and I like to include a good mix of ‘realistic corporate’ and unique (more CTF-ish) examples
- It’s very easy to visualize because when exploited, the mouse pointer will actually move and the commands-to-execute are written out (which makes it a great teaching tool)
As with previous entries in this series, we’ll briefly walk through setting up the vulnerable software and then give an example exploit.
This one is really easy to get off the ground. The vulnerable version of RemoteMouse is currently available through The Exploit Database alongside a proof-of-concept exploit (Figure 1). That can be downloaded directly to your virtual machine. The exploit itself was tested on Windows 10, and I admittedly haven’t explored it beyond that.
The one thing you’ll need to do after installing the software (Figure 2) is to ensure the RemoteMouse service is permitted through the firewall (Figure 3). Allowing port 1978 to be accessed inbound in the Advanced Firewall Settings is a simple way to approach that. Allowing all RemoteMouse traffic is even easier.
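The firewall step above is the one that decides how exposed the lab box really is: allowing "all RemoteMouse traffic" opens the unauthenticated service to every host that can reach it. The following PowerShell is an added example (not from the original post or from RemoteMouse) that does the same job from the Advanced Firewall Settings with a narrower scope: it allows inbound TCP 1978 only from a constructed lab subnet (192.168.56.0/24, an assumption; change it to your own), confirms the server is listening, and then audits every enabled inbound allow rule on 1978 so an unscoped "Any" rule created by the installer or by clicking through the firewall prompt stands out. TCP is assumed because that is what the banner grab uses; run it in an elevated PowerShell session on the Windows 10 target.

```powershell
# Added lab-hardening example (not part of the original post).
# Assumption: the attacking VM sits on the constructed lab subnet 192.168.56.0/24;
# adjust -RemoteAddress to match your own lab network.
$LabSubnet = '192.168.56.0/24'
$RuleName  = 'RemoteMouse lab (TCP 1978, lab subnet only)'

# Remove any earlier copy of the rule so re-running the script is idempotent.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow inbound TCP 1978 only from the lab subnet, instead of from any address.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 1978 `
    -RemoteAddress $LabSubnet -Profile Private -Action Allow | Out-Null

# Confirm the RemoteMouse server is actually listening on 1978 (empty output
# means the service is not running, so the firewall rule is moot).
Get-NetTCPConnection -LocalPort 1978 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Audit: list every enabled inbound allow rule that opens port 1978 together with
# its remote-address scope. A RemoteAddress of "Any" is the over-broad rule you
# want to notice and tighten (or delete) before the lab box is reachable from
# anything other than the attacking VM.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -contains '1978'
    } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

The port filter check matches a rule whose LocalPort list contains the literal string 1978; a rule written as a port range (for example 1970-1980) would not be caught by `-contains`, so widen the check if your lab uses ranges. Program-based rules ("allow RemoteMouse.exe") show LocalPort as Any and are listed by this audit only if they also carry a port; review those separately with `Get-NetFirewallApplicationFilter`.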
Scanning the newly created target with an nmap service scan, we can note that nmap (at the time of this posting) does not have a built-in fingerprint available for the RemoteMouse service (Figure 4). However, if we pull language out of the banner grab it provides and go to Google, we can quickly determine that the service is RemoteMouse.
Proof of Concept
As mentioned, there is a Python exploit for this exposure available on the Exploit Database. Always review exploit code you pull down from the internet so you don’t accidentally compromise yourself (or inadvertently give someone else access to your target).
The proof of concept itself is really straightforward (and very obviously Windows-specific); we’re taking control of the mouse and keyboard. The proof of concept first performs a banner grab to fingerprint the RemoteMouse service (similar to what we did earlier with nmap) (Figure 6). With that confirmed, it (slowly) moves the mouse to the bottom left corner of the screen and then virtually types ‘calc.exe’ into the search bar and hits ‘Enter’ to pop open Calculator (Video 1). Once again, what makes this a great teaching tool is that the Python is pretty easily translatable for non-coders and because the mouse is moving and the ‘keyboard’ is typing, it’s a much less ethereal exploit than something like ms17-010 or BlueKeep.
Weaponizing this exploit can take any number of different paths depending on what controls are in place on the target system. Substituting a Metasploit web_delivery payload in either PowerShell or Python would be a good option, except that after a certain number of characters (Figures 7 & 8), Windows Search does not appear to recognize the string as a command (Video 2, sped up 12x).
Dropping the payload string into a bat file, wget-ing it down, and then exploiting RemoteMouse a second time to run the bat file does seem to work, though it isn’t particularly elegant and is liable to be picked off immediately. In any case, it makes for a cool, if somewhat CTF-ish, experience.