Metasploit mailing list archives

vnc reverse question


From: mmiller at hick.org (mmiller at hick.org)
Date: Fri, 17 Sep 2004 12:16:52 -0500

On Fri, Sep 17, 2004 at 11:46:24AM -0500, Neil wrote:
> I have a question regarding the win32_reverse_vncinject. I am just a little
> confused with the filename, specifically on the word "reverse". We know for a
> fact that a vncserver listens on port 5900. My question is: when using this
> kind of payload, does the target have to have a running vnc server?

No, the target server does not have to be running VNC, nor does it
matter if the host is already running VNC.  Reverse refers to how the 
second stage payload (the thing that loads the VNC DLL into memory) will be 
obtained, whether by connecting back to the attacker on a given port,
or by having the attacker connect to the target on a given port.  After
the VNC DLL has been read in and loaded, the VNC DLL will re-use the
connection that was created between msf and the target machine for 
the actual VNC protocol.  As such, no ports need to be bound on the target
machine for VNC to accept incoming connections because the VNC session
is simply tunneled through the existing connection.

Remember that the VNC "server" that is injected into the target process
is a stripped down version of VNC -- it requires no installation and
does nothing intrusive to the actual machine itself (such as modifying
the registry).  It was modified specifically for use with the library
injection system in metasploit.

Matt
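The staging described above, reduced to a runnable sketch. This is an added example, not code from the list or from the metasploit tree: the stage is a stand-in byte string rather than a DLL, the length-prefixed framing of the stage is an assumption made for the example (the post does not describe the real first-stage wire format), and the "VNC server" only performs the RFB 3.8 version exchange. What it does show is the point Matt makes: "reverse" and "bind" differ only in who initiates the TCP connection, and after the stage is across, the same socket carries the VNC protocol, so the target never binds a port of its own for VNC.

```python
import socket
import struct
import threading

# Stand-in for the VNC DLL that msf pushes as the second stage. Constructed
# for this example; the real stage is a DLL image, not this string.
STAGE_BLOB = b"STAND-IN-FOR-VNC-DLL"
# Real RFB 3.8 version banner; a VNC server sends it first on a new session.
RFB_VERSION = b"RFB 003.008\n"


def recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return bytes(buf)


def attacker_side(conn):
    """msf's end. Assumed framing: 4-byte little-endian length, then the
    stage. Once the stage is across, this same socket is the VNC client's
    connection, so msf reads the injected server's RFB banner from it."""
    conn.sendall(struct.pack("<I", len(STAGE_BLOB)) + STAGE_BLOB)
    banner = recv_exact(conn, len(RFB_VERSION))
    conn.sendall(RFB_VERSION)          # client replies with the version it uses
    return banner


def toy_vnc_server(conn):
    """Minimal stand-in for the injected VNC server: only the RFB version
    exchange, enough to show the session rides the stager's existing socket."""
    conn.sendall(RFB_VERSION)
    return recv_exact(conn, len(RFB_VERSION))


def target_side(conn):
    """The stager inside the exploited process. It reads the stage off the
    socket, 'loads' it, and hands the socket over; nothing is bound for VNC."""
    size = struct.unpack("<I", recv_exact(conn, 4))[0]
    stage = recv_exact(conn, size)
    client_version = toy_vnc_server(conn)   # the stage reuses the connection
    return stage, client_version


def run(mode):
    """Run one staged session on loopback. mode is 'reverse' (target connects
    back to the attacker) or 'bind' (attacker connects to a port the stager
    opened). Both sides run identical code after the TCP connection exists."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))    # the listening party, chosen by mode
    listener.listen(1)
    port = listener.getsockname()[1]
    roles = {"attacker": attacker_side, "target": target_side}
    out = {}

    def accept_side(role):
        conn, _ = listener.accept()
        with conn:
            out[role] = roles[role](conn)

    def connect_side(role):
        with socket.create_connection(("127.0.0.1", port)) as conn:
            out[role] = roles[role](conn)

    if mode == "reverse":
        acceptor, connector = "attacker", "target"
    elif mode == "bind":
        acceptor, connector = "target", "attacker"
    else:
        raise ValueError("mode must be 'reverse' or 'bind', got %r" % mode)

    t = threading.Thread(target=accept_side, args=(acceptor,))
    t.start()
    connect_side(connector)
    t.join()
    listener.close()
    return out


if __name__ == "__main__":
    for m in ("reverse", "bind"):
        r = run(m)
        print(m, "stage received:", r["target"][0],
              "| msf saw banner:", r["attacker"].strip())
```

In both modes the target's result is the same stage and the same client version string, because the only thing the payload name changes is the direction of the initial connect; the listener exists on the target only in bind mode, and even then it is the stager's port, not a VNC port 5900.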
