CVE-2022-27502 PoC — RealVNC VNC Server 安全漏洞

Source

https://github.com/alirezac0/CVE-2022-27502

Associated Vulnerability

Title:RealVNC VNC Server 安全漏洞 (CVE-2022-27502)
Description:RealVNC VNC Server 6.9.0 through 5.1.0 for Windows allows local privilege escalation because an installer repair operation executes %TEMP% files as SYSTEM.

Description

Exploit of RealVNC VNC Server

Readme

# RealVNC server up to 6.9.0 DLL Hijacking Exploit (CVE-2022-27502)


You can use pre-compiled version (64-bit) of it from [HERE](https://github.com/alirezac0/CVE-2022-27502/blob/main/x64/Release/adsldpc.dll)
Copy it to %TEMP% and initiate a repair of RealVNC Server from add or remove programs.
It will write the output of `whoami` command in %TEMP%\output.txt

If you want to change the executed command, change line [191 of dllmain.cpp](https://github.com/alirezac0/CVE-2022-27502/blob/main/adsldpc/dllmain.cpp#L191) and recompile it

File Snapshot


 [4.0K]  /data/pocs/e4cfb7c4e9c09f9cfb72a5fa9bff049421725a9f
├── [4.0K]  adsldpc
│   ├── [8.5K]  adsldpc.vcxproj
│   ├── [1.2K]  adsldpc.vcxproj.filters
│   ├── [ 168]  adsldpc.vcxproj.user
│   ├── [4.0K]  Debug
│   │   ├── [  18]  adsldpc.log
│   │   ├── [7.4M]  adsldpc.pch
│   │   ├── [4.0K]  adsldpc.tlog
│   │   │   ├── [ 205]  adsldpc.lastbuildstate
│   │   │   ├── [1.8K]  CL.command.1.tlog
│   │   │   ├── [ 14K]  CL.read.1.tlog
│   │   │   ├── [1.1K]  CL.write.1.tlog
│   │   │   └── [   0]  unsuccessfulbuild
│   │   ├── [ 18K]  dllmain.obj
│   │   ├── [151K]  pch.obj
│   │   ├── [251K]  vc142.idb
│   │   └── [492K]  vc142.pdb
│   ├── [ 21K]  dllmain.cpp
│   ├── [ 154]  framework.h
│   ├── [ 191]  pch.cpp
│   ├── [ 576]  pch.h
│   ├── [4.0K]  Release
│   │   ├── [1.2K]  adsldpc.Build.CppClean.log
│   │   ├── [ 463]  adsldpc.log
│   │   ├── [7.4M]  adsldpc.pch
│   │   ├── [4.0K]  adsldpc.tlog
│   │   │   ├── [ 207]  adsldpc.lastbuildstate
│   │   │   ├── [ 606]  adsldpc.write.1u.tlog
│   │   │   ├── [1.8K]  CL.command.1.tlog
│   │   │   ├── [ 14K]  CL.read.1.tlog
│   │   │   ├── [ 888]  CL.write.1.tlog
│   │   │   ├── [1.4K]  link.command.1.tlog
│   │   │   ├── [3.6K]  link.read.1.tlog
│   │   │   └── [ 498]  link.write.1.tlog
│   │   ├── [   0]  adsldpc.vcxproj.FileListAbsolute.txt
│   │   ├── [ 22K]  dllmain.obj
│   │   ├── [347K]  pch.obj
│   │   └── [492K]  vc142.pdb
│   └── [4.0K]  x64
│       └── [4.0K]  Release
│           ├── [ 543]  adsldpc.Build.CppClean.log
│           ├── [ 471]  adsldpc.log
│           ├── [7.4M]  adsldpc.pch
│           ├── [4.0K]  adsldpc.tlog
│           │   ├── [ 205]  adsldpc.lastbuildstate
│           │   ├── [1.9K]  adsldpc.write.1u.tlog
│           │   ├── [1.7K]  CL.command.1.tlog
│           │   ├── [ 14K]  CL.read.1.tlog
│           │   ├── [ 928]  CL.write.1.tlog
│           │   ├── [1.4K]  link.command.1.tlog
│           │   ├── [1.7K]  link.delete.1.tlog
│           │   ├── [3.7K]  link.read.1.tlog
│           │   └── [ 530]  link.write.1.tlog
│           ├── [   0]  adsldpc.vcxproj.FileListAbsolute.txt
│           ├── [ 22K]  dllmain.obj
│           ├── [351K]  pch.obj
│           └── [492K]  vc142.pdb
├── [1.4K]  adsldpc.sln
├── [ 537]  README.md
├── [4.0K]  Release
│   ├── [ 22K]  adsldpc.dll
│   ├── [ 33K]  adsldpc.exp
│   ├── [151K]  adsldpc.iobj
│   ├── [2.1K]  adsldpc.ipdb
│   ├── [ 40K]  adsldpc.lib
│   └── [860K]  adsldpc.pdb
└── [4.0K]  x64
    └── [4.0K]  Release
        ├── [ 24K]  adsldpc.dll
        ├── [ 33K]  adsldpc.exp
        ├── [153K]  adsldpc.iobj
        ├── [2.2K]  adsldpc.ipdb
        ├── [ 40K]  adsldpc.lib
        └── [836K]  adsldpc.pdb

11 directories, 63 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!