From c98a547104df9c16cb53df5e34da497bee951fa8 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Wed, 15 Mar 2017 16:19:55 +0000
Subject: [PATCH] Check for RealVNC auth bypass even if other auth types are offered
---
 scripts/realvnc-auth-bypass.nse | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/scripts/realvnc-auth-bypass.nse b/scripts/realvnc-auth-bypass.nse
index 857b9d1f3..298c12ebf 100644
--- a/scripts/realvnc-auth-bypass.nse
+++ b/scripts/realvnc-auth-bypass.nse
@@ -74,11 +74,21 @@ request in which the client specifies an insecure security type such as
 socket:send("RFB 003.008\n")
 status, result = socket:receive_bytes(2)

- if (not status or result ~= "\001\002") then
+ if not status then
 socket:close()
 return report:make_output(vuln)
 end

+ local numtypes = result:byte(1)
+ for i=1, numtypes do
+ local sectype = result:byte(i+1)
+ if sectype == 1 then
+ --already supports None auth
+ socket:close()
+ return report:make_output(vuln)
+ end
+ end
+
 socket:send("\001")
 status, result = socket:receive_bytes(4)
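Review bot: The new loop over `result:byte(i+1)` can index past the data actually received, because `socket:receive_bytes(2)` only waits for at least two bytes while the server may advertise `numtypes` security types. An out-of-range `byte()` yields nil, so a None type (1) listed in a byte that has not arrived yet is silently missed and the script goes on to request it; the check that follows is outside this hunk, but this looks like a path to a false positive against a server that legitimately offers None. A count of 0 is also not handled: in RFB 3.8 it means the server refused the connection and a reason string follows, yet the code still sends `"\001"`. I would read until `numtypes + 1` bytes are buffered and bail out on a zero count before scanning the list, as sketched below; the enclosing function starts and ends outside the hunk.

```lua
  local numtypes = result:byte(1)
  if numtypes == 0 then
    -- a zero count means the server refused the connection; a reason string follows
    socket:close()
    return report:make_output(vuln)
  end
  -- receive_bytes(2) guarantees only two bytes; fetch the rest of the type list
  while #result < numtypes + 1 do
    local more
    status, more = socket:receive_bytes(numtypes + 1 - #result)
    if not status then
      socket:close()
      return report:make_output(vuln)
    end
    result = result .. more
  end
  -- … unchanged: loop over result:byte(i+1) looking for security type 1 …
```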