CVE-2022-27502 PoC — RealVNC VNC Server 安全漏洞

Source

https://github.com/alirezac0/CVE-2022-27502

Associated Vulnerability

Title:RealVNC VNC Server 安全漏洞 (CVE-2022-27502)
Description:RealVNC VNC Server是英国RealVNC公司的一个远程访问软件的 VNC 服务器。 RealVNC VNC Server 存在安全漏洞。攻击者可以通过 MSI Repair 绕过 RealVNC VNC Server 的限制，以提升他的权限。

Description

Exploit of RealVNC VNC Server

Readme

# RealVNC server up to 6.9.0 DLL Hijacking Exploit (CVE-2022-27502)


You can use pre-compiled version (64-bit) of it from [HERE](https://github.com/alirezac0/CVE-2022-27502/blob/main/x64/Release/adsldpc.dll)
Copy it to %TEMP% and initiate a repair of RealVNC Server from add or remove programs.
It will write the output of `whoami` command in %TEMP%\output.txt

If you want to change the executed command, change line [191 of dllmain.cpp](https://github.com/alirezac0/CVE-2022-27502/blob/main/adsldpc/dllmain.cpp#L191) and recompile it

File Snapshot


 [4.0K]  /data/pocs/e4cfb7c4e9c09f9cfb72a5fa9bff049421725a9f
├── [4.0K]  adsldpc
│   ├── [8.5K]  adsldpc.vcxproj
│   ├── [1.2K]  adsldpc.vcxproj.filters
│   ├── [ 168]  adsldpc.vcxproj.user
│   ├── [4.0K]  Debug
│   │   ├── [  18]  adsldpc.log
│   │   ├── [7.4M]  adsldpc.pch
│   │   ├── [4.0K]  adsldpc.tlog
│   │   │   ├── [ 205]  adsldpc.lastbuildstate
│   │   │   ├── [1.8K]  CL.command.1.tlog
│   │   │   ├── [ 14K]  CL.read.1.tlog
│   │   │   ├── [1.1K]  CL.write.1.tlog
│   │   │   └── [   0]  unsuccessfulbuild
│   │   ├── [ 18K]  dllmain.obj
│   │   ├── [151K]  pch.obj
│   │   ├── [251K]  vc142.idb
│   │   └── [492K]  vc142.pdb
│   ├── [ 21K]  dllmain.cpp
│   ├── [ 154]  framework.h
│   ├── [ 191]  pch.cpp
│   ├── [ 576]  pch.h
│   ├── [4.0K]  Release
│   │   ├── [1.2K]  adsldpc.Build.CppClean.log
│   │   ├── [ 463]  adsldpc.log
│   │   ├── [7.4M]  adsldpc.pch
│   │   ├── [4.0K]  adsldpc.tlog
│   │   │   ├── [ 207]  adsldpc.lastbuildstate
│   │   │   ├── [ 606]  adsldpc.write.1u.tlog
│   │   │   ├── [1.8K]  CL.command.1.tlog
│   │   │   ├── [ 14K]  CL.read.1.tlog
│   │   │   ├── [ 888]  CL.write.1.tlog
│   │   │   ├── [1.4K]  link.command.1.tlog
│   │   │   ├── [3.6K]  link.read.1.tlog
│   │   │   └── [ 498]  link.write.1.tlog
│   │   ├── [   0]  adsldpc.vcxproj.FileListAbsolute.txt
│   │   ├── [ 22K]  dllmain.obj
│   │   ├── [347K]  pch.obj
│   │   └── [492K]  vc142.pdb
│   └── [4.0K]  x64
│       └── [4.0K]  Release
│           ├── [ 543]  adsldpc.Build.CppClean.log
│           ├── [ 471]  adsldpc.log
│           ├── [7.4M]  adsldpc.pch
│           ├── [4.0K]  adsldpc.tlog
│           │   ├── [ 205]  adsldpc.lastbuildstate
│           │   ├── [1.9K]  adsldpc.write.1u.tlog
│           │   ├── [1.7K]  CL.command.1.tlog
│           │   ├── [ 14K]  CL.read.1.tlog
│           │   ├── [ 928]  CL.write.1.tlog
│           │   ├── [1.4K]  link.command.1.tlog
│           │   ├── [1.7K]  link.delete.1.tlog
│           │   ├── [3.7K]  link.read.1.tlog
│           │   └── [ 530]  link.write.1.tlog
│           ├── [   0]  adsldpc.vcxproj.FileListAbsolute.txt
│           ├── [ 22K]  dllmain.obj
│           ├── [351K]  pch.obj
│           └── [492K]  vc142.pdb
├── [1.4K]  adsldpc.sln
├── [ 537]  README.md
├── [4.0K]  Release
│   ├── [ 22K]  adsldpc.dll
│   ├── [ 33K]  adsldpc.exp
│   ├── [151K]  adsldpc.iobj
│   ├── [2.1K]  adsldpc.ipdb
│   ├── [ 40K]  adsldpc.lib
│   └── [860K]  adsldpc.pdb
└── [4.0K]  x64
    └── [4.0K]  Release
        ├── [ 24K]  adsldpc.dll
        ├── [ 33K]  adsldpc.exp
        ├── [153K]  adsldpc.iobj
        ├── [2.2K]  adsldpc.ipdb
        ├── [ 40K]  adsldpc.lib
        └── [836K]  adsldpc.pdb

11 directories, 63 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!