PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

Check for RealVNC auth bypass even if other auth types are offered

Browse Source
This commit is contained in:
dmiller
2017-03-15 16:19:55 +00:00
parent 8854d2e33a
commit c98a547104
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
scripts/realvnc-auth-bypass.nse
View File

@@ -74,11 +74,21 @@ request in which the client specifies an insecure security type such as
socket:send("RFB 003.008\n") socket:send("RFB 003.008\n")
status, result = socket:receive_bytes(2) status, result = socket:receive_bytes(2)
if (not status or result ~= "\001\002") then if not status then
socket:close() socket:close()
return report:make_output(vuln) return report:make_output(vuln)
end end
local numtypes = result:byte(1)
for i=1, numtypes do
local sectype = result:byte(i+1)
if sectype == 1 then
--already supports None auth
socket:close()
return report:make_output(vuln)
end
end
socket:send("\001") socket:send("\001")
status, result = socket:receive_bytes(4) status, result = socket:receive_bytes(4)