Implement VNC security type 30 (Apple Remote Desktop) authentication

Author: jgor

lib/metasploit/framework/login_scanner/vnc.rb

@@ -46,8 +46,6 @@ def attempt_login(credential)
               service_name: 'vnc'
           }
 
-          credential.public = nil
-
           begin
             # Make our initial socket to the target
             disconnect if self.sock
@@ -57,7 +55,11 @@ def attempt_login(credential)
             vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)
 
             if vnc.handshake
-              if vnc_auth(vnc,credential.private)
+              type = vnc.negotiate_authentication
+              if type != Rex::Proto::RFB::AuthType::ARD
+                credential.public = nil
+              end
+              if vnc_auth(vnc,type,credential.public,credential.private)
                 result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
               else
                 result_options.merge!(
@@ -106,11 +108,13 @@ def set_sane_defaults
         # This method attempts the actual VNC authentication. It has built in retries to handle
         # delays built into the VNC RFB authentication.
         # @param client [Rex::Proto::RFB::Client] The VNC client object to authenticate through
+        # @param type [Rex::Proto::RFB::AuthType] The VNC authentication type to attempt
+        # @param username [String] the username to attempt the authentication with
         # @param password [String] the password to attempt the authentication with
-        def vnc_auth(client,password)
+        def vnc_auth(client,type,username,password)
           success = false
           5.times do |n|
-            if client.authenticate(password)
+            if client.authenticate_with_type(type,username,password)
               success = true
               break
             end

lib/rex/proto/rfb/cipher.rb

@@ -75,6 +75,36 @@ def self.decrypt(cipher, password = "\x17\x52\x6b\x06\x23\x4e\x58\x07")
     c.update(cipher)
   end
 
+
+  def self.encrypt_ard(username, password, generator, key_length, prime_modulus, peer_public_key)
+    generator = OpenSSL::BN.new(generator, 2)
+    prime_modulus = OpenSSL::BN.new(prime_modulus, 2)
+    peer_public_key = OpenSSL::BN.new(peer_public_key, 2)
+
+    user_struct = username + ("\0" * (64 - username.length)) + password + ("\0" * (64 - password.length))
+
+    dh_peer = OpenSSL::PKey::DH.new(key_length * 8, generator)
+    dh_peer.set_key(peer_public_key, nil)
+
+    dh = OpenSSL::PKey::DH.new(dh_peer)
+    dh.set_pqg(prime_modulus, nil, generator)
+    dh.generate_key!
+
+    shared_key = dh.compute_key(dh_peer.pub_key)
+
+    md5 = OpenSSL::Digest::MD5.new
+    key_digest = md5.digest(shared_key)
+
+    cipher = OpenSSL::Cipher.new("aes-128-ecb")
+    cipher.encrypt
+    cipher.key = key_digest
+    cipher.padding = 0
+    ciphertext = cipher.update(user_struct) + cipher.final
+
+    response = ciphertext + dh.pub_key.to_s(2)
+    return response
+  end
+
 end
 
 end

lib/rex/proto/rfb/client.rb

@@ -88,7 +88,15 @@ def send_client_init
   end
 
   def authenticate(password = nil)
+    authenticate_with_user(nil, password)
+  end
+
+  def authenticate_with_user(username = nil, password = nil)
     type = negotiate_authentication
+    authenticate_with_type(type, username, password)
+  end
+
+  def authenticate_with_type(type, username = nil, password = nil)
     return false if not type
 
     # Authenticate.
@@ -99,6 +107,9 @@ def authenticate(password = nil)
     when AuthType::VNC
       return false if not negotiate_vnc_auth(password)
 
+    when AuthType::ARD
+      return false if not negotiate_ard_auth(username, password)
+
     end
 
     # Handle reading the security result message
@@ -176,6 +187,7 @@ def negotiate_authentication
     selected = nil
     selected ||= AuthType::None if @opts[:allow_none] and @auth_types.include? AuthType::None
     selected ||= AuthType::VNC if @auth_types.include? AuthType::VNC
+    selected ||= AuthType::ARD if @auth_types.include? AuthType::ARD
 
     if not selected
       @error = "No supported authentication method found."
@@ -201,6 +213,21 @@ def negotiate_vnc_auth(password = nil)
     true
   end
 
+  def negotiate_ard_auth(username = nil, password = nil)
+    generator = @sock.get_once(2)
+    generator = generator.unpack("n").first
+    key_length = @sock.get_once(2)
+    key_length = key_length.unpack("n").first
+    prime_modulus = @sock.get_once(key_length)
+    peer_public_key = @sock.get_once(key_length)
+
+    response = Cipher.encrypt_ard(username, password, generator, key_length, prime_modulus, peer_public_key)
+    @sock.put(response)
+
+    true
+ end
+
+
   attr_reader :error, :majver, :minver, :auth_types
   attr_reader :view_only
 end

lib/rex/proto/rfb/constants.rb

@@ -36,6 +36,7 @@ class AuthType
   GtkVncSasl = 20
   MD5Hash = 21
   ColinDeanXVP = 22
+  ARD = 30
 
   def self.to_s(num)
     self.constants.each { |c|