CVE-2022-3218: wifi mouse rce by h00die · Pull Request #16985 · rapid7/metasploit-framework
Due to a reliance on client-side authentication, the authentication mechanism of WiFi Mouse (Mouse Server) from Necta LLC is trivially bypassed, which can result in remote code execution.
This PR adds a new module to exploit an auth bypass to RCE in 'wifi mouse'.
Leaving it draft right now, talking to @todb / @todb-r7 about a possible CVE for it.
@H4rk3nz0 looks like you were the original author (and your twitter is gone), did you ever reach out to the company to responsibly disclose?
This is a neat exploit as you connect to the server, ask it to open cmd, then type out what you want on the user's screen. It's fun to watch shell code :). Wrote in a cmdstager method, but due to the payload length and it appearing on the user's screen, it's unreliable (needs ~3.5min of solitude). If the user types anything or moves the focus to another window, the exploit will fail. Wrote a second method which uses what the original exploit does to host the payload on a web server and just download it. MUCH faster and more reliable.
Verification
- Install and start the software. I tried it on the one linked in EDB and the most recent one on the website
- Start msfconsole
- `use exploit/windows/misc/wifi_mouse_rce`
- Set rhost and lhost as required.
- `run`
- Verify it works via both methods (targets)
- Document looks good