## https://sploitus.com/exploit?id=PACKETSTORM:180978
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
# Auxiliary scanner that connects to a VNC (RFB) service, records the protocol
# version the server announces, lists the security types it offers, and files
# a vulnerability record when the "None" (no authentication) type is offered.
#
# The finding rests on the advertised security-type list alone: after the
# negotiation step this module does not authenticate or open a desktop
# session, so a reported host should still be confirmed before remediation
# is prioritised.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Sets the module metadata and registers RPORT with a default of 5900.
  def initialize
    super(
      'Name' => 'VNC Authentication None Detection',
      'Description' => 'Detect VNC servers that support the "None" authentication method.',
      'References' => [
        # Related case: "None" could be offered and used even though it was
        # not configured as an allowed method.
        ['CVE', '2006-2369'],
        ['URL', 'https://en.wikipedia.org/wiki/RFB'],
        ['URL', 'https://en.wikipedia.org/wiki/Vnc'],
      ],
      'Author' => [
        'Matteo Cantoni <goony[at]nothink.org>',
        'jduck'
      ],
      'License' => MSF_LICENSE
    )

    register_options([Opt::RPORT(5900)])
  end

  # Checks a single host: RFB handshake, security-type negotiation, then a
  # report of the service and, if "None" is offered, of the vulnerability.
  #
  # @param target_host [String] address of the host being scanned
  # @return [void]
  def run_host(target_host)
    connect

    # NOTE(review): allow_none presumably lets the client accept the "None"
    # type during negotiation; confirm against Rex::Proto::RFB::Client.
    client = Rex::Proto::RFB::Client.new(sock, allow_none: true)
    unless client.handshake
      print_error("#{target_host}:#{rport} - Handshake failed: #{client.error}")
      return
    end

    version = [client.majver, client.minver].join('.')
    print_status("#{target_host}:#{rport} - VNC server protocol version: #{version}")
    service = report_service(
      host: rhost,
      port: rport,
      proto: 'tcp',
      name: 'vnc',
      info: "VNC protocol version #{version}"
    )

    # Only the truthiness of the result is used; the offered types are read
    # from client.auth_types below.
    negotiated = client.negotiate_authentication
    unless negotiated
      print_error("#{target_host}:#{rport} - Auth negotiation failed: #{client.error}")
      return
    end

    # Human-readable names of every security type the server offered.
    offered = client.auth_types.map { |auth_type| Rex::Proto::RFB::AuthType.to_s(auth_type) }.join(', ')
    print_status("#{target_host}:#{rport} - VNC server security types supported: #{offered}")

    # Nothing further to record unless the server offers "None".
    return unless client.auth_types.include?(Rex::Proto::RFB::AuthType::None)

    print_good("#{target_host}:#{rport} - VNC server security types includes None, free access!")

    # NOTE(review): the field is called exploited_at, but this module only
    # detects; the value stored is the time of this check.
    finding = {
      host: rhost,
      service: service,
      name: name,
      info: "Module #{fullname} identified the VNC 'none' security type: #{offered}",
      refs: references,
      exploited_at: Time.now.utc
    }
    report_vuln(finding)
  ensure
    # Always release the socket, including on the early returns above.
    disconnect
  end
end