cbcvebase.
CVE-2005-2842
published 2005-09-08

CVE-2005-2842: Buffer overflow in dwrcs.exe in DameWare Mini Remote Control before 4.9.0 allows remote attackers to execute arbitrary code via the username.

Priority: P3 · 51 · Severity: high
CVSS 2.0 base score: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 21.12% (97.3 percentile)

Affected (4 ranges)

Vendor                  Product                       Version range   Fixed in
dameware_development    mini_remote_control_server
dameware_development    mini_remote_control_server
dameware_development    mini_remote_control_server
dameware_development    mini_remote_control_server

The version-range and fixed-in cells were not captured; the description above gives the affected range as versions before 4.9.0.

Detection & IOCs (extracted from sources)

process: dwrcs.exe
port: 6129/TCP
EIP=0x77c35459 (msvcrt.dll push esp/retn, Windows XP SP3 EN)
EIP=0x750362c3 (ws2_32.dll, Windows 2000)
EIP=0x71ab7bfb (kernel32.dll/ws2_32.dll, Windows XP)
EIP=0x77E216B8 (advapi32.dll, Windows 2003)
PrependEncoder (GetPC stub): \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff
bytes (16-byte packet prefix): \x30\x11\x00\x00\x00\x00\x00\x00\xd7\xa3\x70\x3d\x0a\xd7\x0d\x40
bytes (16-byte packet prefix): \x30\x11\x00\x00\x00\x00\x00\x00\xC3\xF5\x28\x5C\x8F\xC2\x0D\x40
bytes (egghunter stub, contains the ABAB tag): \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x41\x42\x41\x42\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
  • The exploit sends an oversized username (a 259-byte buffer with the EIP overwrite at offset 100) to dwrcs.exe on 6129/TCP; flag abnormally large username fields in DameWare protocol traffic on this port.
  • The exploit packet begins with the 4-byte magic header \x30\x11\x00\x00 at offset 0; this is a reliable network signature for both known exploit variants targeting CVE-2005-2842.
  • The egghunter tag \x41\x42\x41\x42 (ABAB) is the egg marker in the shellcode; scanning process memory or network payloads for this tag together with the egghunter stub above identifies exploitation attempts.
  • The payload avoids the bad characters \x00, \x0a and \x0d; a username field that runs to hundreds of bytes, consists largely of non-printable bytes, and yet contains none of those three is characteristic of an encoded payload rather than a real login name.
  • The Metasploit module targets only Windows XP SP3 EN with a single hardcoded return address; the standalone exploit (EDB-1190) includes additional offsets for Windows 2000, Windows 2003 and Windows NT4, but several are marked unknown or placeholder.
  • The standalone exploit author notes that the return address offsets 'Could proberly be doing with some better offsets', indicating reliability issues on some target OS versions.
  • Payload compatibility requires the ws2ord symbol lookup method; standard reverse shells that do not resolve ws2_32 by ordinal will fail.
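The indicators above can be turned into a packet-level check. The following is an added example written for this page, not DameWare's code and not part of the Metasploit module or EDB-1190: it scores a TCP payload bound for 6129/TCP against the magic header, the 259-byte username size, the listed return addresses at the EIP offset, the PrependEncoder GetPC stub, the egghunter stub and ABAB tag, and the bad-character profile. The assumption that the username field starts immediately after an 8-byte header is mine (the captured prefixes above are 8 zero-padded bytes before the variant-specific bytes); confirm that offset against real captures before deploying. The two packets it is exercised with are constructed test vectors, with the shellcode slot NOP-filled.

```python
"""Heuristic detector for CVE-2005-2842 exploitation attempts against
DameWare Mini Remote Control (dwrcs.exe, TCP/6129).

Added example for this page; not DameWare's code and not part of the
Metasploit module or EDB-1190.  Byte patterns are the IOCs listed above.
ASSUMPTION: the username field is taken to begin right after an 8-byte
header; that offset is a guess and must be verified on real captures.
"""
import struct

DWRCS_PORT = 6129
MAGIC = b"\x30\x11\x00\x00"       # 4-byte protocol magic at offset 0
HEADER_LEN = 8                    # ASSUMED header size before the username field
EIP_OFFSET = 100                  # EIP overwrite offset inside the username buffer
OVERFLOW_LEN = 259                # size of the overflowing username buffer
BAD_CHARS = frozenset({0x00, 0x0A, 0x0D})

# Return addresses from the IOC list, matched little-endian as sent on the wire.
RET_ADDRS = {
    0x77C35459: "msvcrt.dll push esp/retn (Windows XP SP3 EN)",
    0x750362C3: "ws2_32.dll (Windows 2000)",
    0x71AB7BFB: "kernel32.dll/ws2_32.dll (Windows XP)",
    0x77E216B8: "advapi32.dll (Windows 2003)",
}
RET_BYTES = {struct.pack("<I", addr): desc for addr, desc in RET_ADDRS.items()}

GETPC_STUB = b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff"   # Metasploit PrependEncoder
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
             b"\xef\xb8\x41\x42\x41\x42\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
EGG_TAG = b"ABAB"


def analyze(payload: bytes, dst_port: int = DWRCS_PORT) -> dict:
    """Score one TCP payload; returns a verdict plus the indicators that fired."""
    hits = []
    if dst_port != DWRCS_PORT:
        return {"verdict": "ignored", "hits": hits}
    if payload[:4] == MAGIC:
        hits.append("dameware_magic_header")
    username = payload[HEADER_LEN:]
    if len(username) >= OVERFLOW_LEN:
        hits.append(f"oversized_username:{len(username)}")
    # A known return address sitting exactly where the saved EIP is overwritten.
    at_eip = username[EIP_OFFSET:EIP_OFFSET + 4]
    if at_eip in RET_BYTES:
        hits.append(f"ret_at_eip_offset:{RET_BYTES[at_eip]}")
    # The same addresses anywhere in the payload, to tolerate offset drift.
    for raw, desc in RET_BYTES.items():
        if raw in payload and raw != at_eip:
            hits.append(f"ret_anywhere:{desc}")
    if GETPC_STUB in payload:
        hits.append("metasploit_getpc_stub")
    if EGGHUNTER in payload:
        hits.append("egghunter_stub")
    if EGG_TAG * 2 in payload:          # the egg itself: tag repeated before the shellcode
        hits.append("egg_marker_present")
    # Bad-char profile: long, mostly non-printable, yet free of \x00 \x0a \x0d.
    if len(username) >= 64 and not (BAD_CHARS & set(username)):
        nonprint = sum(1 for b in username if b < 0x20 or b > 0x7E)
        if nonprint / len(username) > 0.25:
            hits.append("badchar_free_binary_blob")
    strong = {"ret_at_eip_offset", "metasploit_getpc_stub", "egghunter_stub", "egg_marker_present"}
    weak = ("oversized_username", "badchar_free_binary_blob", "ret_anywhere")
    if any(h.split(":")[0] in strong for h in hits):
        verdict = "exploit"
    elif any(h.startswith(weak) for h in hits):
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "hits": hits}


def build_sample_exploit(ret_addr: int = 0x77C35459) -> bytes:
    """CONSTRUCTED test vector shaped like the described exploit; the shellcode
    slot is NOP-filled, so it is a detector input, not a working exploit."""
    username = (b"A" * EIP_OFFSET + struct.pack("<I", ret_addr)
                + GETPC_STUB + EGG_TAG * 2 + EGGHUNTER)
    username += b"\x90" * (OVERFLOW_LEN - len(username))
    return MAGIC + b"\x00\x00\x00\x00" + username


def build_sample_login(user: bytes = b"helpdesk") -> bytes:
    """CONSTRUCTED benign-looking packet with a short, NUL-terminated username."""
    return MAGIC + b"\x00\x00\x00\x00" + user + b"\x00"


if __name__ == "__main__":
    for name, pkt in (("exploit", build_sample_exploit()), ("login", build_sample_login())):
        print(name, analyze(pkt))
```

The strong indicators (return address at the EIP slot, the GetPC stub, the egghunter) are each specific enough to alert on alone; the size and bad-character checks are kept as weak signals so that a rewritten variant with different addresses still surfaces as suspicious rather than vanishing.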