-
Notifications
You must be signed in to change notification settings - Fork 2.4k
/
vnc.lua
390 lines (327 loc) · 10.4 KB
/
vnc.lua
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
---
-- The VNC library provides some basic functionality needed in order to
-- communicate with VNC servers, and derivates such as Tight- or Ultra-
-- VNC.
--
-- Summary
-- -------
-- The library currently supports the VNC Authentication security type only.
-- This security type is supported by default in VNC, TightVNC and
-- "Remote Desktop Sharing" in eg. Ubuntu. For servers that do not support
-- this authentication security type the login method will fail.
--
-- Overview
-- --------
-- The library contains the following classes:
--
-- o VNC
-- - This class contains the core functions needed to communicate with VNC
--
-- o VNCSocket
-- - This is a copy of the DB2Socket class which provides fundamental buffering
--
--
-- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html
-- @author "Patrik Karlsson <patrik@cqure.net>"
-- Version 0.1
-- Created 07/07/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
local bin = require "bin"
local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
_ENV = stdnse.module("vnc", stdnse.seeall)
local HAVE_SSL, openssl = pcall(require,'openssl')
VNC = {
-- We currently support version 3.8 of the protocol only
versions = {
["RFB 003.003\n"] = "3.3",
["RFB 003.007\n"] = "3.7",
["RFB 003.008\n"] = "3.8",
-- Mac Screen Sharing, could probably be used to fingerprint OS
["RFB 003.889\n"] = "3.889",
},
sectypes = {
INVALID = 0,
NONE = 1,
VNCAUTH = 2,
RA2 = 5,
RA2NE = 6,
TIGHT = 16,
ULTRA = 17,
TNS = 18,
VENCRYPT = 19,
GTK_VNC_SASL = 20,
MD5 = 21,
COLIN_DEAN_XVP = 22,
MAC_OSX_SECTYPE_30 = 30,
MAC_OSX_SECTYPE_35 = 35,
},
-- Security types are fetched from the rfbproto.pdf
sectypes_str = {
[0] = "Invalid security type",
[1] = "None",
[2] = "VNC Authentication",
[5] = "RA2",
[6] = "RA2ne",
[16]= "Tight",
[17]= "Ultra",
[18]= "TLS",
[19]= "VeNCrypt",
[20]= "GTK-VNC SASL",
[21]= "MD5 hash authentication",
[22]= "Colin Dean xvp",
-- Mac OS X screen sharing uses 30 and 35
[30]= "Mac OS X security type (30)",
[35]= "Mac OS X security type (35)",
},
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
o.vncsocket = VNCSocket:new()
o.cli_version = nmap.registry.args['vnc-brute.version'] or "RFB 003.889\n"
return o
end,
--- Connects the VNC socket
connect = function(self)
local data, status, msg
if ( not(HAVE_SSL) ) then
return false, "The VNC module requires OpenSSL support"
end
status, msg = self.vncsocket:connect(self.host, self.port, "tcp")
return status, msg
end,
--- Disconnects the VNC socket
disconnect = function(self)
self.vncsocket:close()
end,
--- Performs the VNC handshake and determines
-- o The RFB Protocol to use
-- o The supported authentication security types
--
-- @return status, true on success, false on failure
-- @return error string containing error message if status is false
handshake = function(self)
local status, data = self.vncsocket:recv( 12 )
local vncsec = {}
local tmp
if ( not(status) ) then
return status, "ERROR: VNC:handshake failed to receive protocol version"
end
self.protover = VNC.versions[data]
if ( not(self.protover) ) then
stdnse.print_debug("ERROR: VNC:handshake unsupported version (%s)", data:sub(1,11))
return false, ("Unsupported version (%s)"):format(data:sub(1,11))
end
status = self.vncsocket:send( self.cli_version )
if ( not(status) ) then
stdnse.print_debug("ERROR: VNC:handshake failed to send client version")
return false, "ERROR: VNC:handshake failed"
end
if ( self.protover == "3.3" ) then
vncsec.count = 1
vncsec.types = {}
status, tmp = self.vncsocket:recv(4)
if( not(status) ) then
return false, "VNC:handshake failed to receive security data"
end
vncsec.types[1] = select(2, bin.unpack("I", tmp) )
self.vncsec = vncsec
-- do we have an invalid security type, if so we need to handle an
-- error condition
if ( vncsec.types[1] == 0 ) then
local len, err
status, tmp = self.vncsocket:recv(4)
if( not(status) ) then
return false, "VNC:handshake failed to retrieve error message"
end
len = select(2, bin.unpack(">I", tmp) )
status, err = self.vncsocket:recv(len)
if( not(status) ) then
return false, "VNC:handshake failed to retrieve error message"
end
return false, err
end
else
status, tmp = self.vncsocket:recv(1)
if ( not(status) ) then
stdnse.print_debug("ERROR: VNC:handshake failed to receive security data")
return false, "ERROR: VNC:handshake failed to receive security data"
end
vncsec.count = select(2, bin.unpack("C", tmp))
if ( vncsec.count == 0 ) then
local len, err
status, tmp = self.vncsocket:recv(4)
if( not(status) ) then
return false, "VNC:handshake failed to retrieve error message"
end
len = select(2, bin.unpack(">I", tmp) )
status, err = self.vncsocket:recv(len)
if( not(status) ) then
return false, "VNC:handshake failed to retrieve error message"
end
return false, err
end
status, tmp = self.vncsocket:recv(vncsec.count)
if ( not(status) ) then
stdnse.print_debug("ERROR: VNC:handshake failed to receive security data")
return false, "ERROR: VNC:handshake failed to receive security data"
end
vncsec.types = {}
for i=1, vncsec.count do
table.insert( vncsec.types, select(2, bin.unpack("C", tmp, i) ) )
end
self.vncsec = vncsec
end
return true
end,
--- Creates the password bit-flip needed before DES encryption
--
-- @param password string containing the password to process
-- @return password string containing the processed password
createVNCDESKey = function( self, password )
local _, bitstr
local newpass = ""
if ( #password < 8 ) then
for i=1, (8 - #password) do
password = password .. string.char(0x00)
end
end
for i=1, 8 do
_, bitstr = bin.unpack("B", password, i)
newpass = newpass .. bin.pack("B", bitstr:reverse())
end
return newpass
end,
--- Attempts to login to the VNC service
-- Currently the only supported auth sectype is VNC Authentication
--
-- @param username string, could be anything when VNCAuth is used
-- @param password string containing the password to use for authentication
-- @return status true on success, false on failure
-- @return err string containing error message when status is false
login = function( self, username, password )
local status, result
local chall, resp, key
if ( not(password) ) then
return false, "No password was supplied"
end
if ( not( self:supportsSecType( VNC.sectypes.VNCAUTH ) ) ) then
return false, "The server does not support the \"VNC Authentication\" security type."
end
-- Announce that we support VNC Authentication
status = self.vncsocket:send( bin.pack("C", VNC.sectypes.VNCAUTH) )
if ( not(status) ) then
return false, "Failed to select authentication type"
end
status, chall = self.vncsocket:recv( 16 )
if ( not(status) ) then
return false, "Failed to receive authentication challenge"
end
key = self:createVNCDESKey(password)
resp = openssl.encrypt("des-ecb", key, nil, chall, false )
status = self.vncsocket:send( resp )
if ( not(status) ) then
return false, "Failed to send authentication response to server"
end
status, result = self.vncsocket:recv(4)
if ( not(status) ) then
return false, "Failed to retrieve authentication status from server"
end
if ( select(2, bin.unpack("I", result) ) ~= 0 ) then
return false, ("Authentication failed with password %s"):format(password)
end
return true, ""
end,
--- Returns all supported security types as a table of strings
--
-- @return table containing a string entry for each security type
getSecTypesAsStringTable = function( self )
local tmp = {}
for i=1, self.vncsec.count do
table.insert( tmp, VNC.sectypes_str[self.vncsec.types[i]] or ("Unknown security type (%d)"):format(self.vncsec.types[i]) )
end
return true, tmp
end,
--- Checks if the supplied security type is supported or not
--
-- @param sectype number containing the security type to check for
-- @return status true if supported, false if not supported
supportsSecType = function( self, sectype )
for i=1, self.vncsec.count do
if ( self.vncsec.types[i] == sectype ) then
return true
end
end
return false
end,
--- Returns the protocol version reported by the server
--
-- @param version string containing the version number
getProtocolVersion = function( self )
return self.protover
end,
}
VNCSocket =
{
retries = 3,
new = function(self)
local o = {}
setmetatable(o, self)
self.__index = self
o.Socket = nmap.new_socket()
o.Buffer = nil
return o
end,
--- Establishes a connection.
--
-- @param hostid Hostname or IP address.
-- @param port Port number.
-- @param protocol <code>"tcp"</code>, <code>"udp"</code>, or
-- @return Status (true or false).
-- @return Error code (if status is false).
connect = function( self, hostid, port, protocol )
-- VNC servers sometimes take a long time to respond 10seconds seems ok
self.Socket:set_timeout(10000)
return self.Socket:connect( hostid, port, protocol )
end,
--- Closes an open connection.
--
-- @return Status (true or false).
-- @return Error code (if status is false).
close = function( self )
return self.Socket:close()
end,
--- Opposed to the <code>socket:receive_bytes</code> function, that returns
-- at least x bytes, this function returns the amount of bytes requested.
--
-- @param count of bytes to read
-- @return true on success, false on failure
-- @return data containing bytes read from the socket
-- err containing error message if status is false
recv = function( self, count )
local status, data
self.Buffer = self.Buffer or ""
if ( #self.Buffer < count ) then
status, data = self.Socket:receive_bytes( count - #self.Buffer )
if ( not(status) or #data < count - #self.Buffer ) then
return false, data
end
self.Buffer = self.Buffer .. data
end
data = self.Buffer:sub( 1, count )
self.Buffer = self.Buffer:sub( count + 1)
return true, data
end,
--- Sends data over the socket
--
-- @return Status (true or false).
-- @return Error code (if status is false).
send = function( self, data )
return self.Socket:send( data )
end,
}
return _ENV;