Create x11-unauth-access.yaml

2024-08-01 14:36:53 +05:30 · 2024-08-01 14:36:53 +05:30 · dfd6d5cbd4
parent 7c71421f7b
commit dfd6d5cbd4
1 changed files with 44 additions and 0 deletions
--- a/javascript/misconfiguration/x11/x11-unauth-access.yaml
+++ b/javascript/misconfiguration/x11/x11-unauth-access.yaml
@ -0,0 +1,44 @@
+id: x11-unauth-access
+
+info:
+  name: x11 - Unauthenticated
+  author: pussycat0x
+  severity: high
+  description: |
+    To check if you can connect to a remote X server, send an X11 initial connection request to TCP port 6000+n (where n is the display number). The response success byte (0x00 or 0x01) indicates if you are allowed; if successful, the script will display "X server access is granted," confirming that an attacker can connect to the X server
+  reference:
+    - https://nmap.org/nsedoc/scripts/x11-access.html
+    - https://book.hacktricks.xyz/network-services-pentesting/6000-pentesting-x11
+    - https://www.hackingarticles.in/penetration-testing-on-x11-server/
+  tags: x11,network,js,remote,unauth
+
+javascript:
+  - pre-condition: |
+      isPortOpen(Host,Port);
+    code: |
+      let packet = bytes.NewBuffer();
+      const c = require("nuclei/net");
+      const cmd = "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000"
+      packet.WriteString(cmd)
+      let conn = c.Open('tcp', `${Host}:${Port}`);
+      conn.SendHex(packet.Hex());
+      const result = conn.RecvFull();
+
+      let accessGranted;
+
+      if (result[0] === 1) {
+      accessGranted = true;
+        } else {
+          conn.Close();
+        }
+
+      accessGranted
+
+    args:
+      Host: "{{Host}}"
+      Port: 6000
+
+    matchers:
+      - type: dsl
+        dsl:
+          - response