mirror of
https://github.com/nmap/nmap.git
synced 2025-12-07 13:11:28 +00:00
3c89e089fc
socket:connect(host.ip, port.number) socket:connect(host.ip, port.number, port.protocol) to this: socket:connect(host, port) connect can take host and port tables now, and the default protocol is taken from the port table if possible.
64 lines
1.1 KiB
Lua
64 lines
1.1 KiB
Lua
description = [[
|
|
Checks if a VNC server is vulnerable to the RealVNC authentication bypass
|
|
(CVE-2006-2369).
|
|
]]
|
|
author = "Brandon Enright"
|
|
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
|
|
|
---
|
|
-- @output
|
|
-- PORT STATE SERVICE VERSION
|
|
-- 5900/tcp open vnc VNC (protocol 3.8)
|
|
-- |_realvnc-auth-bypass: Vulnerable
|
|
|
|
categories = {"default", "vuln", "safe"}
|
|
|
|
require "shortport"
|
|
|
|
portrule = shortport.port_or_service(5900, "vnc")
|
|
|
|
action = function(host, port)
|
|
local socket = nmap.new_socket()
|
|
local result
|
|
local status = true
|
|
|
|
socket:connect(host, port)
|
|
|
|
status, result = socket:receive_lines(1)
|
|
|
|
if (result == "TIMEOUT") then
|
|
socket:close()
|
|
return
|
|
end
|
|
|
|
socket:send("RFB 003.008\n")
|
|
status, result = socket:receive_bytes(2)
|
|
|
|
if (result == "TIMEOUT") then
|
|
socket:close()
|
|
return
|
|
end
|
|
|
|
if (result ~= "\001\002") then
|
|
socket:close()
|
|
return
|
|
end
|
|
|
|
socket:send("\001")
|
|
status, result = socket:receive_bytes(4)
|
|
|
|
if (result == "TIMEOUT") then
|
|
socket:close()
|
|
return
|
|
end
|
|
|
|
if (result ~= "\000\000\000\000") then
|
|
socket:close()
|
|
return
|
|
end
|
|
|
|
socket:close()
|
|
|
|
return "Vulnerable"
|
|
end
|