CVE-2016-2345
Published 2016-03-17
CVE-2016-2345: Stack-based buffer overflow in dwrcs.exe in the dwmrcs daemon in SolarWinds DameWare Mini Remote Control 12.0 allows remote attackers to execute arbitrary code…
Priority: P2 · 76 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 51.21% (98.8th percentile)
Stack-based buffer overflow in dwrcs.exe in the dwmrcs daemon in SolarWinds DameWare Mini Remote Control 12.0 allows remote attackers to execute arbitrary code via a crafted string.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dameware | mini_remote_control | — | — |
Detection & IOCs (extracted from sources)
Snort rule:
alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)"; flow:established,to_server; content:"|44 9c 00 00|"; depth:4; content:"|90 90 90 90 90 90 90 90|"; distance:0; content:"|eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|"; distance:0; reference:cve,2016-2345; reference:url,www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345; classtype:attempted-admin; sid:2022712; rev:1; metadata:created_at 2016_04_06, cve CVE_2016_2345, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Byte patterns:
- |44 9c 00 00|
- |eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|
- Monitor TCP connections to port 6129 (the DameWare DMRC default port) for exploitation attempts; the public exploit sends a crafted message of type 0x9c44 followed by a NOP sled and shellcode.
- The exploit payload begins with the message type bytes 0x9c44 (little-endian: 44 9c 00 00) at the start of the second TCP send; use this as a depth:4 content match on traffic to port 6129.
- The exploit embeds a short jump forward, a pop/pop/ret gadget address and a short jump back: bytes eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff. Match this byte sequence in the payload.
- Before sending the overflow payload, the exploit sends an initial handshake with an Init Version value of 4400 (0x1130) and a type value of 444.0 packed as a double, followed by 'C' padding to 40 bytes.
- Look for the dwrcs.exe process receiving anomalously large TCP payloads on port 6129, particularly payloads containing long NOP sleds (runs of 0x90) consistent with a stack-based buffer overflow.
- The ROP gadget address 0x00401161 is specific to dwrcs.exe version 12.0.0.520; it may differ across builds, which limits the reliability of byte-exact gadget-address matching for other versions.
- The Snort/ET rule (sid:2022712) was generated from the public PoC exploit; real-world attackers may alter the NOP sled length, shellcode or message structure to evade content-based signatures.
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
Suricata
ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)
suricata · 2016-04-06 · CVSS 9.8 · CRITICAL
Rule: identical to the Snort rule listed under Detection & IOCs (sid:2022712, rev:1).
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/136293/Solarwinds-Dameware-Mini-Remote-Code-Execution.html
- http://www.kb.cert.org/vuls/id/897144
- http://www.securityfocus.com/archive/1/537823/100/0/threaded
- https://www.securifera.com/advisories/CVE-2016-2345
Published 2016-03-17