more progress, broke up lib x11 into different files/folders
h00die committed Feb 20, 2024
1 parent f5a6d7d commit f4b698b
Showing 5 changed files with 1,758 additions and 1,247 deletions.
262 changes: 12 additions & 250 deletions lib/msf/core/exploit/remote/x11.rb
Expand Up @@ -7,99 +7,9 @@
#

module Msf::Exploit::Remote::X11

class X11VISUALTYPE < BinData::Record
endian :little
uint32 :visualid
uint8 :visual_type_classclass
uint8 :bits_per_rgb_value
uint16 :colormap_entries
uint32 :red_mask
uint32 :green_mask
uint32 :blue_mask
uint32 :unused
end

class X11DEPTHDETAIL < BinData::Record
endian :little
uint8 :screen_detail_depth
uint8 :unused
uint16 :screen_depth_detail_visualtypes_numbers
uint32 :unused1
array :depth_detail,
type: :X11VISUALTYPE,
initial_length: :screen_depth_detail_visualtypes_numbers
end

class X11PIXMAPFORMAT < BinData::Record
endian :little
uint8 :depth
uint8 :bits_per_pixel
uint8 :scanline_pad
uint8 :unused
uint32 :unused1
end

class X11CONNECTION < BinData::Record
endian :little
uint8 :success # 8bit boolean, \x01 == true \x00 == false
uint8 :unused
uint16 :protocol_version_major
uint16 :protocol_version_minor
uint16 :reply_length
uint32 :release_number
uint32 :resource_id_base
uint32 :resource_id_mask
uint32 :motion_buffer_size
uint16 :vendor_length
uint16 :maximum_request_length
uint8 :number_of_screens_in_root
uint8 :number_of_formats_in_pixmap_formats
uint8 :image_byte_order
uint8 :bitmap_format_bit_order
uint8 :bitmap_format_scanline_unit
uint8 :bitmap_format_scanline_pad
uint8 :min_keycode
uint8 :max_keycode
uint32 :unused2
string :vendor, read_length: :vendor_length
array :pixmap_formats,
type: :X11PIXMAPFORMAT,
initial_length: :number_of_formats_in_pixmap_formats

# screen subsection
uint32 :screen_root
uint32 :screen_default_colormap
uint32 :screen_white_pixel
uint32 :screen_black_pixel
uint32 :screen_current_input_masks
uint16 :screen_width_in_pixels
uint16 :screen_height_in_pixels
uint16 :screen_width_in_millimeters
uint16 :screen_height_in_millimeters
uint16 :screen_min_installed_maps
uint16 :screen_max_installed_maps
uint32 :screen_root_visual
uint8 :screen_backing_stores
uint8 :screen_save_unders # 8bit boolean, \x01 == true \x00 == false
uint8 :screen_root_depth
uint8 :screen_allowed_depths_len
array :depth_detail,
type: :X11DEPTHDETAIL,
initial_length: :screen_allowed_depths_len
end

class X11QUERYEXTENSIONRESPONSE < BinData::Record
endian :little
uint8 :reply
uint8 :unused
uint16 :sequence_number # QueryExtension
uint32 :reply_length
uint8 :present # 8bit boolean, \x01 == true \x00 == false
uint8 :major_opcode # this is the ID of the extension
uint8 :first_event
uint8 :first_error
end
include Msf::Exploit::Remote::X11::Connect
include Msf::Exploit::Remote::X11::Extensions
include Msf::Exploit::Remote::X11::Xkeyboard

class X11GETPROPERTYRESPONSE < BinData::Record
endian :little
Expand All @@ -115,165 +25,17 @@ class X11GETPROPERTYRESPONSE < BinData::Record
uint32 :unused2
string :value_data, read_length: -> { value_length }
end

class X11XKBKEYMAPENTRY < BinData::Record
endian :little
uint8 :active
uint8 :mods_mask # bit array, shift, lock, control, 1, 2, 3, 4, 5
uint8 :level
uint8 :mods_mods # bit array, shift, lock, control, 1, 2, 3, 4, 5
uint16 :mods_vmods # bit array, 0-15
uint16 :unused
end

class X11XKBMODDEF < BinData::Record
class X11GETPROPERTY < BinData::Record
endian :little
uint8 :mask
uint8 :real_mods
uint16 :vmods
uint8 :opcode, value: 20 # GetProperty
uint8 :delete_field, value: 0 # \x00 false, assuming \x01 true?
uint16 :request_length, value: 6
uint32 :window, value: 1320 # "\x28\x05\x00\x00", XXX is this from our connection?
uint32 :property, value: 23 # "\x17\x00\x00\x00" RESOURCE_MANAGER
uint32 :get_property_type, value: 31 # "\x1f\x00\x00\x00" # get-property-type (31 = string)
uint32 :long_offset, value: 0
uint32 :content_length, value: 100_000_000 # "\x00\xe1\xf5\x05"
end

class X11XKBKEYTYPE < BinData::Record
endian :little
uint8 :mods_mask
uint8 :mods_mods
uint16 :mods_vmods
uint8 :num_levels
uint8 :n_map_entries
uint8 :has_preserve # 8bit boolean, \x01 == true \x00 == false
uint8 :unused
# next we have a list of X11XKBKEYMAPENTRY, length is :n_map_entries
array :key_map_array,
type: :X11XKBKEYMAPENTRY,
initial_length: :n_map_entries
# not sure how to tell how many of these there are
array :key_mods_array,
type: :X11XKBMODDEF,
initial_length: :n_map_entries,
onlyif: :has_preserve?

def has_preserve?
puts "has preserve on #{mods_mask} due to #{has_preserve}"
has_preserve == 1
end
end

class X11XKBKEYMODMAP < BinData::Record
endian :little
uint8 :keycode
uint8 :mods # bit array, shift, lock, control, 1, 2, 3, 4, 5
end

class X11XKBSYM < BinData::Record
endian :little
uint32 :syms
end

class X11XKBKEYSYMENTRY < BinData::Record
endian :little
uint32 :kt_index
uint8 :group_info
uint8 :width
uint16 :n_syms
# next we have a list of syms, length is n_syms
array :key_sym_array,
type: :X11XKBSYM,
initial_length: :n_syms
end

class X11XKEYBOARDGETMAP < BinData::Record
endian :little
uint8 :reply
uint8 :device_id
uint16 :sequence_number # xkb-GetMap
uint32 :reply_length
uint16 :unused
uint8 :min_key_code
uint8 :max_key_code
uint16 :presents
uint8 :first_type
uint8 :n_types
uint8 :total_types
uint8 :first_key_sym
uint16 :total_sym
uint8 :n_key_sym
uint8 :first_key_action
uint16 :total_key_action
uint8 :n_key_action
uint8 :first_key_behavior
uint8 :n_key_behavior # yes this order is not like the previous
uint8 :total_key_behavior
uint8 :first_key_explicit
uint8 :n_key_explicit
uint8 :total_key_explicit
uint8 :first_mod_map_key
uint8 :n_mod_map_key
uint8 :total_mod_map_key
uint8 :first_vmod_map_key
uint8 :n_vmod_map_key
uint8 :total_vmod_map_key
uint8 :unused1
uint16 :virtual_mods # bit array
# next we have a list of X11XKBKEYTYPE, length is :total_types
array :key_types_array,
type: :X11XKBKEYTYPE,
initial_length: :n_types
# next we have a list of X11XKBKEYSYMENTRY
#array :key_map_array,
# type: :X11XKBKEYSYMENTRY,
# initial_length: :n_key_sym
# next we have a list of X11XKBKEYMODMAP
#array :key_mod_map_array,
# type: :X11XKBKEYMODMAP,
# initial_length: :n_mod_map_key
#uint16 :unused2
end

class X11QUERYKEYMAPREPLY < BinData::Record
endian :little
uint8 :reply
uint8 :unused
uint16 :sequence_number
uint32 :reply_length
# byte sequence
array :data,
type: :uint8,
read_until: :eof
end

# KeyPress event, serial 34, synthetic NO, window 0x2000001,
# root 0x528, subw 0x0, time 690505136, (554,442), root:(661,543),
# state 0x10, keycode 10 (keysym 0x31, 1), same_screen YES,
# XLookupString gives 1 bytes: (31) "1"
# XmbLookupString gives 1 bytes: (31) "1"
# XFilterEvent returns: False

# KeyRelease event, serial 37, synthetic NO, window 0x2000001,
# root 0x528, subw 0x0, time 690505246, (554,442), root:(661,543),
# state 0x10, keycode 10 (keysym 0x31, 1), same_screen YES,
# XLookupString gives 1 bytes: (31) "1"
# XFilterEvent returns: False


def process_initial_connection_response(packet)
# print_packet(packet)
success = packet[0]
if success == "\x01"
print_good('Successly established X11 connection')
else
fail_with(Msf::Module::Failure::UnexpectedReply, 'Failed to establish an X11 connection')
end
major_version = packet[2].unpack('C').first
vprint_status("Major Version: #{major_version}")
minor_version = packet[4].unpack('C').first
vprint_status("Minor Version: #{minor_version}")
vendor_str_len = packet[24].unpack('C').first
vprint_status("Vendor: #{packet[40, vendor_str_len]}")
screen_width = packet[136, 2].unpack('S<').first
screen_height = packet[138, 2].unpack('S<').first
vprint_status("Screen Resolution: #{screen_width}x#{screen_height}")
resource_id = packet[12, 4]
vprint_status("Resource ID: #{resource_id.inspect}")
resource_id
end
end
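Review bot: `uint32 :window, value: 1320` in the new X11GETPROPERTY record (second hunk) uses BinData's `value:` option, which fixes the field so assignments to it are ignored, so a caller cannot point the request at the root window the server actually returned during connection setup; the `XXX is this from our connection?` comment on that line suggests 1320 (0x528) was copied from a captured session. Changing it to `uint32 :window, initial_value: 1320` lets the module set it from the connection reply's `screen_root`, and the same applies to `property` and `get_property_type` if they are ever meant to vary. The `assuming \x01 true?` guess on `delete_field` can be replaced with `# BOOL: 0 = keep the property, 1 = delete it after reading`, since the GetProperty request's delete field is a protocol boolean. The `end` on the last line of the hunk appears to close the module opened in the first hunk, so the record's enclosing scope is not fully visible here.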