CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/lib/metasploit/framework/login_scanner/vnc.rb
require 'metasploit/framework/tcp/client'
require 'metasploit/framework/login_scanner/base'
require 'metasploit/framework/login_scanner/rex_socket'

module Metasploit
  module Framework
    module LoginScanner
      # This is the LoginScanner class for dealing with the VNC RFB protocol.
      # It is responsible for taking a single target, and a list of credentials
      # and attempting them. It then saves the results.
      class VNC
        include Metasploit::Framework::LoginScanner::Base
        include Metasploit::Framework::LoginScanner::RexSocket
        include Metasploit::Framework::Tcp::Client


        #
        # CONSTANTS
        #

        LIKELY_PORTS         = (5900..5910).to_a
        LIKELY_SERVICE_NAMES = [ 'vnc' ]
        PRIVATE_TYPES        = [ :password ]
        REALM_KEY            = nil

        # Error indicating retry should occur for UltraVNC
        ULTRA_VNC_RETRY_ERROR = 'connection has been rejected'
        # Error indicating retry should occur for VNC 4 Server
        VNC4_SERVER_RETRY_ERROR = 'Too many security failures'
        # Known retry errors for all supported versions of VNC
        RETRY_ERRORS = [
          ULTRA_VNC_RETRY_ERROR,
          VNC4_SERVER_RETRY_ERROR
        ]

        # This method attempts a single login with a single credential against the target
        # @param credential [Credential] The credential object to attempt to login with
        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
        def attempt_login(credential)
          result_options = {
            credential: credential,
            host: host,
            port: port,
            protocol: 'tcp',
            service_name: 'vnc'
          }

          begin
            # Make our initial socket to the target
            disconnect if self.sock
            connect

            # Create our VNC client overtop of the socket
            vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)

            if vnc.handshake
              type = vnc.negotiate_authentication
              if type != Rex::Proto::RFB::AuthType::ARD
                credential.public = nil
              end
              if vnc_auth(vnc,type,credential.public,credential.private)
                result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
              else
                result_options.merge!(
                  proof: vnc.error,
                  status: Metasploit::Model::Login::Status::INCORRECT
                )
              end
            else
              result_options.merge!(
                proof: vnc.error,
                status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
              )
            end
          rescue ::EOFError, Errno::ENOTCONN, Rex::ConnectionError, ::Timeout::Error => e
            result_options.merge!(
              proof: e.message,
              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
            )
          ensure
            disconnect
          end

          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
        end

        private

        # Check the VNC error to see if we should wait and retry.
        #
        # @param error [String] The VNC error message received
        # @return [false] don't retry
        # @return [true] retry
        def retry?(error)
          RETRY_ERRORS.include?(error)
        end

        # This method sets the sane defaults for things
        # like timeouts and TCP evasion options
        def set_sane_defaults
          self.connection_timeout ||= 30
          self.port               ||= 5900
          self.max_send_size      ||= 0
          self.send_delay         ||= 0
        end

        # This method attempts the actual VNC authentication. It has built in retries to handle
        # delays built into the VNC RFB authentication.
        # @param client [Rex::Proto::RFB::Client] The VNC client object to authenticate through
        # @param type [Rex::Proto::RFB::AuthType] The VNC authentication type to attempt
        # @param username [String] the username to attempt the authentication with
        # @param password [String] the password to attempt the authentication with
        def vnc_auth(client,type,username,password)
          success = false
          5.times do |n|
            if client.authenticate_with_type(type,username,password)
              success = true
              break
            end
            break unless retry?(client.error)

            # Wait for an increasing amount of time before retrying
            delay = (2**(n+1)) + 1
            ::Rex.sleep(delay)
          end
          success
        end
      end

    end
  end
end