CVE-2016-2345
published 2016-03-17

CVE-2016-2345: Stack-based buffer overflow in dwrcs.exe in the dwmrcs daemon in SolarWinds DameWare Mini Remote Control 12.0 allows remote attackers to execute arbitrary code…

Priority: P276 · critical · 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 51.21% (98.8th percentile)
Stack-based buffer overflow in dwrcs.exe in the dwmrcs daemon in SolarWinds DameWare Mini Remote Control 12.0 allows remote attackers to execute arbitrary code via a crafted string.

Affected (1 range)

Vendor    Product              Version range  Fixed in
dameware  mini_remote_control  -              -

Detection & IOCs (extracted from sources)

port: 6129
process: dwrcs.exe
command: buf += struct.pack("I", 0x9c44) #msg type
other: 0x00401161 (pop pop return gadget in dwrcs.exe)
snort:
alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)"; flow:established,to_server; content:"|44 9c 00 00|"; depth:4; content:"|90 90 90 90 90 90 90 90|"; distance:0; content:"|eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|"; distance:0; reference:cve,2016-2345; reference:url,www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345; classtype:attempted-admin; sid:2022712; rev:1; metadata:created_at 2016_04_06, cve CVE_2016_2345, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
bytes: |44 9c 00 00|
bytes: |eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|
  • Monitor TCP connections to port 6129 (DameWare DMRC default port) for exploitation attempts; the exploit sends a crafted message type 0x9c44 followed by a NOP sled and shellcode.
  • The exploit payload begins with message type bytes 0x9c44 (little-endian: 44 9c 00 00) at the start of the second TCP send; use this as a depth:4 content match on traffic to port 6129.
  • The exploit embeds a short-jump-forward sequence followed by a pop/pop/ret gadget address and a short-jump-back: bytes eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff — match this byte sequence in the payload.
  • The exploit sends an initial handshake with Init Version value 4400 (0x1130) and a type value of 444.0 packed as a double, followed by 'C' padding to 40 bytes, before sending the overflow payload.
  • Look for the dwrcs.exe process receiving anomalously large TCP payloads on port 6129, particularly payloads containing long NOP sleds (0x90 sequences) consistent with a stack-based buffer overflow.
  • The ROP gadget address 0x00401161 is specific to dwrcs.exe version 12.0.0.520; this address may differ across builds, limiting the reliability of byte-exact gadget-address matching for other versions.
  • The Snort/ET rule (sid:2022712) was generated from the public PoC exploit; real-world attackers may alter the NOP sled length, shellcode, or message structure to evade content-based signatures.
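The content chain of the ET rule above, re-implemented here as an added Python example (not code from this page, Emerging Threats or SolarWinds) and run over constructed sample payloads. It shows what the rule's depth:4 and distance:0 constraints do, and which of the variations named in the last two bullets still match the signature and which do not.

```python
# Added example: a minimal re-implementation of the Snort content chain in
# ET sid:2022712, evaluated against constructed (not captured) TCP payloads.
from typing import Optional, Sequence, Tuple

# The three content matches from the rule, in rule order.
MSG_TYPE = bytes.fromhex("449c0000")  # message type 0x9c44, little-endian
NOP_SLED = bytes.fromhex("90" * 8)    # eight-byte NOP run
JMP_GADGET_JMP = bytes.fromhex("eb06ffff61114000909090e96bfaffff")

# (pattern, depth, distance): depth bounds how many bytes from the search
# start may be examined (None = unbounded); distance shifts the search start
# relative to the end of the previous match.
RULE_CHAIN: Sequence[Tuple[bytes, Optional[int], int]] = (
    (MSG_TYPE, 4, 0),
    (NOP_SLED, None, 0),
    (JMP_GADGET_JMP, None, 0),
)


def content_chain_matches(payload: bytes, chain=RULE_CHAIN) -> bool:
    """True if every pattern occurs in order, honouring depth and distance."""
    cursor = 0  # end offset of the previous match (0 before the first)
    for pattern, depth, distance in chain:
        start = cursor + distance
        end = len(payload) if depth is None else start + depth
        idx = payload.find(pattern, start, end)  # pattern must fit in [start, end)
        if idx == -1:
            return False
        cursor = idx + len(pattern)
    return True


def classify(payload: bytes) -> str:
    return "ALERT sid:2022712" if content_chain_matches(payload) else "no match"


# Constructed sample payloads for the second DMRC send (no real captures).
SAMPLE_MATCH = MSG_TYPE + b"\x90" * 8 + JMP_GADGET_JMP + b"A" * 16
SAMPLE_LONG_SLED = MSG_TYPE + b"\x90" * 64 + JMP_GADGET_JMP  # sled resized: still matches
SAMPLE_WRONG_OFFSET = b"\x00\x00" + MSG_TYPE + b"\x90" * 8 + JMP_GADGET_JMP  # type not within depth:4
SAMPLE_OTHER_GADGET = MSG_TYPE + b"\x90" * 8 + bytes.fromhex(
    "eb06ffff" + "deadbeef" + "909090e96bfaffff")  # placeholder gadget address for another build

if __name__ == "__main__":
    for name in ("SAMPLE_MATCH", "SAMPLE_LONG_SLED", "SAMPLE_WRONG_OFFSET", "SAMPLE_OTHER_GADGET"):
        print(f"{name}: {classify(globals()[name])}")
```

Only a changed sled length survives the signature; moving the message type off offset 0 or changing the gadget address (as a different dwrcs.exe build would) defeats the byte-exact match.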

CVSS provenance

NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C