VNC Server (Reflective Injection), Bind TCP Stager (Windows x86) - Metasploit


This page contains detailed information about how to use the payload/windows/vncinject/bind_tcp metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
Module: payload/windows/vncinject/bind_tcp
Source code: modules/payloads/stagers/windows/bind_tcp.rb
Disclosure date: -
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): x86
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -

Inject a VNC Dll via a reflective loader (staged). Listen for a connection (Windows x86)

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use payload/windows/vncinject/bind_tcp
msf payload(bind_tcp) > show options
    ... show and set options ...
msf payload(bind_tcp) > generate

To learn how to generate payload/windows/vncinject/bind_tcp with msfvenom, please read this.

Go back to menu.

Msfconsole Usage

Here is how the windows/vncinject/bind_tcp payload looks in the msfconsole:

msf6 > use payload/windows/vncinject/bind_tcp

msf6 payload(windows/vncinject/bind_tcp) > show info

       Name: VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
     Module: payload/windows/vncinject/bind_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 298
       Rank: Normal

Provided by:
  sf <[email protected]>
  hdm <[email protected]>
  skape <[email protected]>

Basic options:
Name                  Current Setting  Required  Description
----                  ---------------  --------  -----------
AUTOVNC               true             yes       Automatically launch VNC viewer if present
DisableCourtesyShell  true             no        Disables the Metasploit Courtesy shell
EXITFUNC              process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LPORT                 4444             yes       The listen port
RHOST                                  no        The target address
VNCHOST               127.0.0.1        yes       The local host to use for the VNC proxy
VNCPORT               5900             yes       The local port to use for the VNC proxy
ViewOnly              true             no        Runs the viewer in view mode

Description:
  Inject a VNC Dll via a reflective loader (staged). Listen for a 
  connection (Windows x86)

Module Options

This is a complete list of options available in the windows/vncinject/bind_tcp payload:

msf6 payload(windows/vncinject/bind_tcp) > show options

Module options (payload/windows/vncinject/bind_tcp):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   AUTOVNC               true             yes       Automatically launch VNC viewer if present
   DisableCourtesyShell  true             no        Disables the Metasploit Courtesy shell
   EXITFUNC              process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT                 4444             yes       The listen port
   RHOST                                  no        The target address
   VNCHOST               127.0.0.1        yes       The local host to use for the VNC proxy
   VNCPORT               5900             yes       The local port to use for the VNC proxy
   ViewOnly              true             no        Runs the viewer in view mode

Advanced Options

Here is a complete list of advanced options supported by the windows/vncinject/bind_tcp payload:

msf6 payload(windows/vncinject/bind_tcp) > show advanced

Module advanced options (payload/windows/vncinject/bind_tcp):

   Name                       Current Setting  Required  Description
   ----                       ---------------  --------  -----------
   DisableSessionTracking     false            no        Disables the VNC payload from following the active session as users log in an out of the input desktop
   EnableStageEncoding        false            no        Encode the second stage payload
   PayloadUUIDName                             no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                              no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                             no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking        false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries            0                yes       How many additional successful pingbacks
   PingbackSleep              30               yes       Time (in seconds) to sleep between pingbacks
   PrependMigrate             false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                          no        Process to spawn and run shellcode in
   StageEncoder                                no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                   no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback      true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   VERBOSE                    false            no        Enable detailed status messages
   WORKSPACE                                   no        Specify the workspace for this module

Go back to menu.

References

See Also

Check also the following modules related to this module:

Authors

  • sf
  • hdm
  • skape

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.