CVE-2001-0167
Published 2001-05-03
Priority P344 high · CVSS 2.0 base score 7.6 · vector AV:N/AC:H/Au:N/C:C/I:C/A:C
Exploit available · EPSS 50.81% (98.8th percentile)
Buffer overflow in AT&T WinVNC (Virtual Network Computing) client 3.3.3r7 and earlier allows remote attackers to execute arbitrary commands via a long rfbConnFailed packet with a long reason string.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| att | winvnc | <= 3.3.3r7 | — |
Detection & IOCs (extracted from sources)

Byte pattern: \x00\x00\x00\x00\x00\x00\x04\x06 (RFB 3.3 security type 0 = rfbConnFailed, followed by a big-endian reason length of 0x406 = 1030 bytes)

- Detect exploit attempts by monitoring VNC sessions on TCP/5900 in which the server side sends an rfbConnFailed packet with an oversized reason string (the 8-byte header \x00\x00\x00\x00\x00\x00\x04\x06 followed by roughly 993 or more bytes). Note the direction: the vulnerable party is the connecting client, so from the victim's side this is an outbound connection to a rogue server, not an inbound one.
- Flag handshakes where the server sends 'RFB 003.003' and immediately follows it with a large rfbConnFailed payload exceeding normal reason-string lengths; this indicates a rogue or compromised VNC server targeting a connecting client.
- The exploit's bad-character set can help tune IDS signatures: the bytes \x00\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40 will not appear in the shellcode portion of the malicious packet.
- Monitor for vncviewer.exe spawning unexpected child processes or opening unexpected outbound connections: the module sets EXITFUNC=thread so the viewer keeps running after the payload executes, and that surviving process is what leaves the trace.
- Caveat: the Metasploit module targets specific Windows OS/SP combinations with hardcoded return addresses; on non-targeted platforms the exploit fails or crashes the client.
- Caveat: the exploit runs as a rogue server (listener), not as a client-side scanner. The attacker must wait for a VNC client to connect to the malicious server on the configured SRVPORT (default 5900).
- Caveat: payload space is constrained to 500 bytes with MaxNops=0 and a stack adjustment of -3500; custom payloads exceeding this space will not function correctly.
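The detection bullets above describe a byte pattern but no check that actually applies it. The following is an added example, not code from the page or from the Metasploit module: it parses the server side of an RFB 3.3 handshake (ProtocolVersion, then the 4-byte security type, then for type 0 the 4-byte reason length and reason) and flags an rfbConnFailed response whose declared reason length is implausibly large or whose stream carries data past the declared reason. The sample streams, the 256-byte sanity threshold and the function names are constructed here for illustration; the filler in the malicious sample is a placeholder, not the exploit's real return address or shellcode.

```python
import struct

# Wire constants from RFB 3.3 (the protocol version the rogue server announces).
RFB33_VERSION = b"RFB 003.003\n"          # 12-byte ProtocolVersion message
SEC_TYPE_CONN_FAILED = 0                    # security-type 0 = rfbConnFailed
# Assumption: legitimate reason strings are one short sentence; anything past
# this length is treated as suspicious. Tune for your environment.
MAX_SANE_REASON_LEN = 256

# Constructed sample streams (server-to-client bytes only), not captures.
# Benign: a server refusing the connection with a short reason.
BENIGN_REASON = b"Too many security failures"
BENIGN_STREAM = (RFB33_VERSION
                 + struct.pack(">II", SEC_TYPE_CONN_FAILED, len(BENIGN_REASON))
                 + BENIGN_REASON)
# Malicious: the page's 8-byte header (type 0, declared length 0x406 = 1030)
# followed by an oversized reason plus extra bytes; contents are placeholders.
EXPLOIT_HEADER = b"\x00\x00\x00\x00\x00\x00\x04\x06"
MALICIOUS_STREAM = RFB33_VERSION + EXPLOIT_HEADER + b"A" * 1030 + b"C" * 200


def parse_rfb33_server_handshake(data):
    """Parse the server side of an RFB 3.3 handshake.

    Returns a dict with the announced version, the security type and, for an
    rfbConnFailed response, the declared reason length plus a list of flags.
    """
    result = {"version": None, "sec_type": None, "reason_len": None, "flags": []}
    if len(data) < 12 or not data.startswith(b"RFB "):
        result["flags"].append("not-rfb-version")
        return result
    result["version"] = data[:12].rstrip(b"\n").decode("ascii", "replace")
    body = data[12:]
    if len(body) < 4:
        result["flags"].append("truncated-security-type")
        return result
    result["sec_type"] = struct.unpack(">I", body[:4])[0]
    if result["sec_type"] != SEC_TYPE_CONN_FAILED:
        return result                       # normal handshake continues elsewhere
    if len(body) < 8:
        result["flags"].append("truncated-reason-length")
        return result
    reason_len = struct.unpack(">I", body[4:8])[0]
    result["reason_len"] = reason_len
    if reason_len > MAX_SANE_REASON_LEN:
        result["flags"].append("oversized-reason")
    # A well-formed ConnFailed ends at the reason string; the exploit packet
    # keeps going (return address, NOPs, payload, trailing filler).
    if len(body) - 8 > reason_len:
        result["flags"].append("data-past-declared-reason")
    return result


def is_rogue_conn_failed(data):
    """True when the server stream looks like a CVE-2001-0167 rfbConnFailed attack."""
    return "oversized-reason" in parse_rfb33_server_handshake(data)["flags"]


if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("malicious", MALICIOUS_STREAM)):
        print(name, parse_rfb33_server_handshake(stream))
```

Run it over reassembled server-to-client bytes of a VNC session (for example from a TCP stream extracted with tshark). The version check matters: the same 8-byte pattern can occur by chance in post-handshake framebuffer data, so only the bytes immediately after the ProtocolVersion exchange should be tested.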
No detection rules found.
Exploit-DB
RealVNC 3.3.7 - Client Buffer Overflow (Metasploit) · exploitdb · 2010-04-30 · CVE-2001-0167
---
```ruby
##
# $Id: realvnc_client.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# Rogue-server module: it listens on SRVPORT and attacks the client that connects.
	include Msf::Exploit::Remote::TcpServer

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'RealVNC 3.3.7 Client Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2001-0167' ],
					[ 'OSVDB', '6281' ],
					[ 'BID', '2305' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'           => 500,
					# Bad-character set as listed in the detection notes above.
					'BadChars'        => "\x00\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
				}
			# The targets (hardcoded per-OS/SP return addresses) and the
			# on_client_connect handler that sends the rfbConnFailed packet
			# are cut off on this page.
		))
	end
end
```
Metasploit
RealVNC 3.3.7 Client Buffer Overflow (metasploit)
This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).
No writeups or analysis indexed.