[Full-disclosure] Dameware critical hole

Subject: [Full-disclosure] Dameware critical hole
Date: Wed, 31 Aug 2005 21:54:20 +0100
I haven't noticed any warning about this, but someone posted that POC to my forum
and is confirming that it works. It is urgent to update your DameWare...

/************************************************************************************************
*     _                   ______
*    (_)___  ____  ____  / ____/
*   / / __ \/ __ \/ __ \/___ \
*  / / /_/ / / / / /_/ /___/ /
* __/ / .___/_/ /_/\____/_____/
* /___/_/======================
*************************************************************************************************
*
* DameWare Mini Remote Control Client Agent Service
* Another Pre-Authentication Buffer Overflow
* By Jackson Pollocks No5
* www.jpno5.com
*
*
* Summary
*
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
*
* DameWare Mini Remote Control is "A lightweight remote control intended primarily
* for administrators and help desks for quick and easy deployment without
* external dependencies and machine reboot.
*
* Developed specifically for the 32-bit Windows environment (Windows 95/98/Me/NT/2000/XP),
* DameWare Mini Remote Control is capable of using the Windows challenge/response authentication
* and is able to be run as both an application and a service.
*
* Some additional features include View Only, Cursor control, Remote Clipboard, Performance Settings,
* Inactivity control, TCP only, Service Installation and Ping."
*
* A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
* who can access the DameWare Mini Remote Control Server.
*
* By default (DameWare Remote Control Server) DWRCS listens on port 6129 TCP.
* An attacker can construct a specially crafted packet and exploit this vulnerability.
* The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
*
*
* Severity: Critical
*
* Impact: Code Execution
*
* Local: Yes
*
* Remote: Yes
*
* Patch: Download version 4.9.0 or later and install over your existing installation.
* You can download the latest version of your DameWare Development Product at
* http://www.dameware.com/download
*
* Details: Affected versions will be any version above 4.0 and prior to 4.9
* of the Mini Remote Client Agent Service (dwrcs.exe).
*
* Discovery: I discovered this while using the DameWare Mini Remote Control client.
* I accidentally pasted in a large string of text instead of my username.
* Clicking connect led to a remote crash of the application server.
*
* Credits: Can't really remember whose shellcode I used, more than likely it was
* written by Brett Moore.
*
* The egghunter was written by MMiller (skape). {Which kicks ass btw}
*
* Thanks to spoonm for tracking that NtAccessCheckAndAuditAlarm
* universal syscall down.
*
* Some creds to Adik as well, I did code my own exploit but it had none
* of that fancy shit like OS and SP detection. So basically I just modded
* the payload from the old DameWare exploit (ver 3.72).
*
* A little cred to me as well, after all I did put all them guys' great
* work together to make something decent
*
************************************************************************************/
 

GIF image

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
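The copy pattern behind the bug described in the advisory above, as an added example that is not part of the original post and not DameWare's own code: a username check that copies the client-supplied field into a fixed stack buffer with an unbounded strcpy (standing in for Win32 lstrcpyA, which has the same copy-until-NUL behaviour), next to a hardened version that measures the field against the destination before copying and rejects oversized input. The request layout, the 256-byte buffer size, the "admin" comparison and every function name here are assumptions made for illustration; the advisory gives none of them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer for the username field; the real
 * size inside dwrcs.exe is not given in the advisory. */
#define USERNAME_BUF 256

/* Constructed stand-in for the pre-authentication request: all that matters
 * here is that the username is a NUL-terminated string the unauthenticated
 * client controls entirely. */
struct auth_request {
    const char *username;
};

/* The pattern the advisory describes. strcpy() stands in for Win32
 * lstrcpyA(): both copy until the source NUL with no knowledge of the
 * destination size, so a username of USERNAME_BUF bytes or more runs past
 * buf into the saved frame and return address. Never call this with
 * untrusted input of unknown length. */
int check_username_unsafe(const struct auth_request *req)
{
    char buf[USERNAME_BUF];
    strcpy(buf, req->username);                 /* unbounded copy */
    return strcmp(buf, "admin") == 0;
}

/* Hardened form: locate the terminator within the destination size before
 * copying, fail closed if it is not there, then copy exactly that many
 * bytes. Returns 1 on match, 0 on mismatch, -1 when the field is rejected. */
int check_username_safe(const struct auth_request *req)
{
    char buf[USERNAME_BUF];
    const char *nul = memchr(req->username, '\0', USERNAME_BUF);
    if (nul == NULL)                            /* no NUL in range: oversize */
        return -1;
    memcpy(buf, req->username, (size_t)(nul - req->username) + 1);
    return strcmp(buf, "admin") == 0;
}

/* Would a username of this length overflow the fixed buffer in the unsafe
 * path? The +1 accounts for the terminator strcpy/lstrcpyA also write. */
int would_overflow(size_t username_len)
{
    return username_len + 1 > USERNAME_BUF;
}

/* Constructed input: a username of `len` 'A' bytes, like the oversized
 * paste in the advisory's Discovery note. Caller frees. */
char *make_username(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Run the hardened check against a synthetic username of `len` bytes. */
int safe_check_len(size_t len)
{
    char *u = make_username(len);
    struct auth_request req;
    int rc;
    if (u == NULL)
        return -2;
    req.username = u;
    rc = check_username_safe(&req);
    free(u);
    return rc;
}

/* Run the hardened check against a literal username. */
int safe_check_name(const char *name)
{
    struct auth_request req;
    req.username = name;
    return check_username_safe(&req);
}

int main(void)
{
    struct auth_request ok = { "admin" };
    size_t lens[] = { 8, 255, 256, 4096 };
    size_t i;

    /* Both paths agree on well-formed input. */
    printf("unsafe(admin)=%d safe(admin)=%d\n",
           check_username_unsafe(&ok), check_username_safe(&ok));

    /* Only the hardened path is run on the oversized fields; the unsafe path
     * would smash the stack for the last two lengths, so it is not called. */
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%zu overflow=%d safe_rc=%d\n",
               lens[i], would_overflow(lens[i]), safe_check_len(lens[i]));
    return 0;
}
```

Compile with any C99 compiler and run. The length test in would_overflow is the same check a fuzzing harness or a signature on port 6129 traffic would apply to the username field: the boundary sits at USERNAME_BUF - 1 characters, because the terminator needs a byte too.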