def __init__(self, extendedInfoConditional): CompositeType.__init__(self) #code page self.codePage = UInt32Le() #support flag self.flag = UInt32Le(InfoFlag.INFO_MOUSE | InfoFlag.INFO_UNICODE | InfoFlag.INFO_LOGONNOTIFY | InfoFlag.INFO_LOGONERRORS | InfoFlag.INFO_DISABLECTRLALTDEL) self.cbDomain = UInt16Le(lambda: sizeof(self.domain) - 2) self.cbUserName = UInt16Le(lambda: sizeof(self.userName) - 2) self.cbPassword = UInt16Le(lambda: sizeof(self.password) - 2) self.cbAlternateShell = UInt16Le( lambda: sizeof(self.alternateShell) - 2) self.cbWorkingDir = UInt16Le(lambda: sizeof(self.workingDir) - 2) #microsoft domain self.domain = String( readLen=CallableValue(lambda: self.cbDomain.value + 2), unicode=True) self.userName = String( readLen=CallableValue(lambda: self.cbUserName.value + 2), unicode=True) self.password = String( readLen=CallableValue(lambda: self.cbPassword.value + 2), unicode=True) #shell execute at start of session self.alternateShell = String( readLen=CallableValue(lambda: self.cbAlternateShell.value + 2), unicode=True) #working directory for session self.workingDir = String( readLen=CallableValue(lambda: self.cbWorkingDir.value + 2), unicode=True) self.extendedInfo = RDPExtendedInfo( conditional=extendedInfoConditional)
def readEncryptedPayload(self, s, saltedMacGeneration): """ @summary: decrypt basic RDP security payload @param s: {Stream} encrypted stream @param saltedMacGeneration: {bool} use salted mac generation @return: {Stream} decrypted """ #if update is needed if self._nbDecryptedPacket == 4096: log.debug("update decrypt key") self._currentDecrytKey = updateKey( self._initialDecrytKey, self._currentDecrytKey, self.getGCCServerSettings().SC_SECURITY.encryptionMethod.value) self._decryptRc4 = rc4.RC4Key(self._currentDecrytKey) self._nbDecryptedPacket = 0 signature = String(readLen = CallableValue(8)) encryptedPayload = String() s.readType((signature, encryptedPayload)) decrypted = rc4.crypt(self._decryptRc4, encryptedPayload.value) #ckeck signature if not saltedMacGeneration and macData(self._macKey, decrypted)[:8] != signature.value: raise InvalidExpectedDataException("bad signature") if saltedMacGeneration and macSaltedData(self._macKey, decrypted, self._nbDecryptedPacket)[:8] != signature.value: raise InvalidExpectedDataException("bad signature") #count self._nbDecryptedPacket += 1 return Stream(decrypted)
def writeEncryptedPayload(self, data, saltedMacGeneration): """ @summary: sign and crypt data @param data: {Type} raw stream @param saltedMacGeneration: {bool} use salted mac generation @return: {Tuple} (signature, encryptedData) """ if self._nbEncryptedPacket == 4096: log.debug("update encrypt key") self._currentEncryptKey = updateKey( self._initialEncryptKey, self._currentEncryptKey, self.getGCCServerSettings().SC_SECURITY.encryptionMethod.value) self._encryptRc4 = rc4.RC4Key(self._currentEncryptKey) self._nbEncryptedPacket = 0 self._nbEncryptedPacket += 1 s = Stream() s.writeType(data) if saltedMacGeneration: return (String( macSaltedData(self._macKey, s.getvalue(), self._nbEncryptedPacket - 1)[:8]), String(rc4.crypt(self._encryptRc4, s.getvalue()))) else: return (String(macData(self._macKey, s.getvalue())[:8]), String(rc4.crypt(self._encryptRc4, s.getvalue())))
def __init__(self, readLen=None): CompositeType.__init__(self, readLen=readLen) self.rdpVersion = UInt32Le(Version.RDP_VERSION_5_PLUS) self.desktopWidth = UInt16Le(1280) self.desktopHeight = UInt16Le(800) self.colorDepth = UInt16Le(ColorDepth.RNS_UD_COLOR_8BPP) self.sasSequence = UInt16Le(Sequence.RNS_UD_SAS_DEL) self.kbdLayout = UInt32Le(KeyboardLayout.US) self.clientBuild = UInt32Le(3790) self.clientName = String("rdpy" + "\x00" * 11, readLen=UInt8(32), unicode=True) self.keyboardType = UInt32Le(KeyboardType.IBM_101_102_KEYS) self.keyboardSubType = UInt32Le(0) self.keyboardFnKeys = UInt32Le(12) self.imeFileName = String("\x00" * 64, readLen=UInt8(64)) self.postBeta2ColorDepth = UInt16Le(ColorDepth.RNS_UD_COLOR_8BPP) self.clientProductId = UInt16Le(1) self.serialNumber = UInt32Le(0) self.highColorDepth = UInt16Le(HighColor.HIGH_COLOR_24BPP) self.supportedColorDepths = UInt16Le(Support.RNS_UD_15BPP_SUPPORT | Support.RNS_UD_16BPP_SUPPORT | Support.RNS_UD_24BPP_SUPPORT | Support.RNS_UD_32BPP_SUPPORT) self.earlyCapabilityFlags = UInt16Le( CapabilityFlags.RNS_UD_CS_SUPPORT_ERRINFO_PDU) self.clientDigProductId = String("\x00" * 64, readLen=UInt8(64)) self.connectionType = UInt8() self.pad1octet = UInt8() self.serverSelectedProtocol = UInt32Le()
def __init__(self): CompositeType.__init__(self) self.Signature = String("NTLMSSP\x00", readLen = CallableValue(8), constant = True) self.MessageType = UInt32Le(0x00000003, constant = True) self.LmChallengeResponseLen = UInt16Le() self.LmChallengeResponseMaxLen = UInt16Le(lambda:self.LmChallengeResponseLen.value) self.LmChallengeResponseBufferOffset = UInt32Le() self.NtChallengeResponseLen = UInt16Le() self.NtChallengeResponseMaxLen = UInt16Le(lambda:self.NtChallengeResponseLen.value) self.NtChallengeResponseBufferOffset = UInt32Le() self.DomainNameLen = UInt16Le() self.DomainNameMaxLen = UInt16Le(lambda:self.DomainNameLen.value) self.DomainNameBufferOffset = UInt32Le() self.UserNameLen = UInt16Le() self.UserNameMaxLen = UInt16Le(lambda:self.UserNameLen.value) self.UserNameBufferOffset = UInt32Le() self.WorkstationLen = UInt16Le() self.WorkstationMaxLen = UInt16Le(lambda:self.WorkstationLen.value) self.WorkstationBufferOffset = UInt32Le() self.EncryptedRandomSessionLen = UInt16Le() self.EncryptedRandomSessionMaxLen = UInt16Le(lambda:self.EncryptedRandomSessionLen.value) self.EncryptedRandomSessionBufferOffset = UInt32Le() self.NegotiateFlags = UInt32Le() self.Version = Version(conditional = lambda:(self.NegotiateFlags.value & Negotiate.NTLMSSP_NEGOTIATE_VERSION)) self.MIC = String("\x00" * 16, readLen = CallableValue(16)) self.Payload = String()
def __init__(self, listener): """ @param listener: listener use to inform new orders """ RawLayer.__init__(self) #set client listener self._clientListener = listener #useful for RFB protocol self._callbackBody = None #protocol version negotiated self._version = String(ProtocolVersion.RFB003008) #number security launch by server self._securityLevel = UInt8(SecurityType.INVALID) #shared FrameBuffer client init message self._sharedFlag = UInt8(False) #server init message #which contain FrameBuffer dim and pixel format self._serverInit = ServerInit() #client pixel format self._pixelFormat = PixelFormat() #server name self._serverName = String() #nb rectangle self._nbRect = 0 #current rectangle header self._currentRect = Rectangle() #for vnc security type self._password = '******' * 8
def __init__(self): CompositeType.__init__(self) self.dwVersion = UInt32Le() self.cbCompanyName = UInt32Le(lambda:sizeof(self.pbCompanyName)) #may contain "Microsoft Corporation" from server microsoft self.pbCompanyName = String("Microsoft Corporation", readLen = self.cbCompanyName, unicode = True) self.cbProductId = UInt32Le(lambda:sizeof(self.pbProductId)) #may contain "A02" from microsoft license server self.pbProductId = String("A02", readLen = self.cbProductId, unicode = True)
def __init__(self, readLen=None): CompositeType.__init__(self, readLen=readLen) self.lenUsername = UInt16Le(lambda: sizeof(self.username)) self.username = String(readLen=self.lenUsername) self.lenPassword = UInt16Le(lambda: sizeof(self.password)) self.password = String(readLen=self.lenPassword) self.lenDomain = UInt16Le(lambda: sizeof(self.domain)) self.domain = String(readLen=self.lenDomain) self.lenHostname = UInt16Le(lambda: sizeof(self.hostname)) self.hostname = String(readLen=self.lenHostname)
def __init__(self, conditional): CompositeType.__init__(self, conditional = conditional) self.clientAddressFamily = UInt16Le(AfInet.AF_INET) self.cbClientAddress = UInt16Le(lambda:sizeof(self.clientAddress)) self.clientAddress = String(readLen = self.cbClientAddress, unicode = True) self.cbClientDir = UInt16Le(lambda:sizeof(self.clientDir)) self.clientDir = String(readLen = self.cbClientDir, unicode = True) #TODO make tiomezone self.clientTimeZone = String("\x00" * 172) self.clientSessionId = UInt32Le() self.performanceFlags = UInt32Le()
def __init__(self): CompositeType.__init__(self) self.dwSigAlgId = UInt32Le(0x00000001, constant=True) self.dwKeyAlgId = UInt32Le(0x00000001, constant=True) self.wPublicKeyBlobType = UInt16Le(0x0006, constant=True) self.wPublicKeyBlobLen = UInt16Le(lambda: sizeof(self.PublicKeyBlob)) self.PublicKeyBlob = RSAPublicKey(readLen=self.wPublicKeyBlobLen) self.wSignatureBlobType = UInt16Le(0x0008, constant=True) self.wSignatureBlobLen = UInt16Le(lambda: (sizeof(self.SignatureBlob) - 8)) self.SignatureBlob = String(readLen=self.wSignatureBlobLen) self.padding = String(b"\x00" * 8, readLen=UInt8(8))
def __init__(self, readLen): CompositeType.__init__(self, readLen=readLen) #magic is RSA1(0x31415352) self.magic = UInt32Le(0x31415352, constant=True) self.keylen = UInt32Le(lambda: (sizeof(self.modulus) + sizeof(self.padding))) self.bitlen = UInt32Le(lambda: ((self.keylen.value - 8) * 8)) self.datalen = UInt32Le(lambda: ((self.bitlen.value / 8) - 1)) self.pubExp = UInt32Le() self.modulus = String( readLen=CallableValue(lambda: (self.keylen.value - 8))) self.padding = String("\x00" * 8, readLen=CallableValue(8))
def close(self): """ @summary: Send disconnect provider ultimatum """ self._transport.send((UInt8(self.writeMCSPDUHeader(DomainMCSPDU.DISCONNECT_PROVIDER_ULTIMATUM, 1)), per.writeEnumerates(0x80), String("\x00" * 6))) self._transport.close()
def __init__(self, readLen = None): CompositeType.__init__(self, readLen = readLen) self.serverRandom = String("\x00" * 32, readLen = CallableValue(32)) self.productInfo = ProductInformation() self.keyExchangeList = LicenseBinaryBlob(BinaryBlobType.BB_KEY_EXCHG_ALG_BLOB) self.serverCertificate = LicenseBinaryBlob(BinaryBlobType.BB_CERTIFICATE_BLOB) self.scopeList = ScopeList()
def writePadding(length): """ @summary: create string with null char * length @param length: length of padding @return: String with \x00 * length """ return String("\x00" * length)
def SlowPathInputDataFactory(): for c in [PointerEvent, ScancodeKeyEvent, UnicodeKeyEvent]: if self.messageType.value == c._INPUT_MESSAGE_TYPE_: return c() log.debug("unknown slow path input : %s" % hex(self.messageType.value)) return String()
def __init__(self, name="", options=0): CompositeType.__init__(self) #name of channel self.name = String(name[0:8] + "\x00" * (8 - len(name)), readLen=CallableValue(8)) #unknown self.options = UInt32Le()
def __init__(self): CompositeType.__init__(self) self.shareId = UInt32Le() self.lengthSourceDescriptor = UInt16Le( lambda: sizeof(self.sourceDescriptor)) self.sourceDescriptor = String("rdpy", readLen=self.lengthSourceDescriptor)
def __init__(self, blobType=BinaryBlobType.BB_ANY_BLOB, optional=False): CompositeType.__init__(self, optional=optional) self.wBlobType = UInt16Le( blobType, constant=True if blobType != BinaryBlobType.BB_ANY_BLOB else False) self.wBlobLen = UInt16Le(lambda: sizeof(self.blobData)) self.blobData = String(readLen=self.wBlobLen)
def sendClientChallengeResponse(self, platformChallenge): """ @summary: generate valid challenge response @param platformChallenge: {ServerPlatformChallenge} """ serverEncryptedChallenge = platformChallenge.encryptedPlatformChallenge.blobData.value #decrypt server challenge #it should be TEST word in unicode format serverChallenge = rc4.crypt(rc4.RC4Key(self._licenseKey), serverEncryptedChallenge) if serverChallenge != "T\x00E\x00S\x00T\x00\x00\x00": raise InvalidExpectedDataException("bad license server challenge") #generate hwid s = Stream() s.writeType((UInt32Le(2), String(self._hostname + self._username + "\x00" * 16))) hwid = s.getvalue()[:20] message = ClientPLatformChallengeResponse() message.encryptedPlatformChallengeResponse.blobData.value = serverEncryptedChallenge message.encryptedHWID.blobData.value = rc4.crypt( rc4.RC4Key(self._licenseKey), hwid) message.MACData.value = sec.macData(self._macSalt, serverChallenge + hwid) self._transport.sendFlagged(sec.SecurityFlag.SEC_LICENSE_PKT, LicPacket(message))
def writeOctetstring(value): """ @summary: Write string in BER representation @param value: string @return: BER octet string block """ return (writeUniversalTag(Tag.BER_TAG_OCTET_STRING, False), writeLength(len(value)), String(value))
def __init__(self): CompositeType.__init__(self) self.len = UInt8(lambda:sizeof(self) - 1) self.code = UInt8(MessageType.X224_TPDU_CONNECTION_REQUEST, constant = True) self.padding = (UInt16Be(), UInt16Be(), UInt8()) self.cookie = String(until = "\x0d\x0a", conditional = lambda:(self.len._is_readed and self.len.value > 14)) #read if there is enough data self.protocolNeg = Negotiation(optional = True)
def __init__(self): #in old version this packet is empty i don't know #and not specified CompositeType.__init__(self, optional=True) self.shareId = UInt32Le() self.lengthSourceDescriptor = UInt16Le( lambda: sizeof(self.sourceDescriptor)) self.sourceDescriptor = String("rdpy", readLen=self.lengthSourceDescriptor)
def __init__(self): CompositeType.__init__(self) self.Signature = String("NTLMSSP\x00", readLen = CallableValue(8), constant = True) self.MessageType = UInt32Le(0x00000001, constant = True) self.NegotiateFlags = UInt32Le() self.DomainNameLen = UInt16Le() self.DomainNameMaxLen = UInt16Le(lambda:self.DomainNameLen.value) self.DomainNameBufferOffset = UInt32Le() self.WorkstationLen = UInt16Le() self.WorkstationMaxLen = UInt16Le(lambda:self.WorkstationLen.value) self.WorkstationBufferOffset = UInt32Le() self.Version = Version(conditional = lambda:(self.NegotiateFlags.value & Negotiate.NTLMSSP_NEGOTIATE_VERSION)) self.Payload = String()
def LicensingMessageFactory(): """ @summary: factory for message nego Use in read mode """ for c in [LicensingErrorMessage, ServerLicenseRequest, ClientNewLicenseRequest, ServerPlatformChallenge, ClientPLatformChallengeResponse]: if self.bMsgtype.value == c._MESSAGE_TYPE_: return c(readLen = self.wMsgSize - 4) log.debug("unknown license message : %s"%self.bMsgtype.value) return String(readLen = self.wMsgSize - 4)
def CapabilityFactory(): """ Closure for capability factory """ for c in [GeneralCapability, BitmapCapability, OrderCapability, BitmapCacheCapability, PointerCapability, InputCapability, BrushCapability, GlyphCapability, OffscreenBitmapCacheCapability, VirtualChannelCapability, SoundCapability, ControlCapability, WindowActivationCapability, FontCapability, ColorCacheCapability, ShareCapability, MultiFragmentUpdate]: if self.capabilitySetType.value == c._TYPE_ and (self.lengthCapability.value - 4) > 0: return c(readLen = self.lengthCapability - 4) log.debug("unknown Capability type : %s"%hex(self.capabilitySetType.value)) #read entire packet return String(readLen = self.lengthCapability - 4)
def UpdateDataFactory(): """ @summary: Create object in accordance self.updateType value """ for c in [BitmapUpdateDataPDU]: if self.updateType.value == c._UPDATE_TYPE_: return c() log.debug("unknown PDU update data type : %s" % hex(self.updateType.value)) return String()
def UpdateDataFactory(): """ @summary: Create correct object in accordance to self.updateHeader field """ for c in [FastPathBitmapUpdateDataPDU]: if (self.updateHeader.value & 0xf) == c._FASTPATH_UPDATE_TYPE_: return c() log.debug("unknown Fast Path PDU update data type : %s" % hex(self.updateHeader.value & 0xf)) return String()
def OrderFactory(): """ Closure for capability factory """ for c in [DstBltOrder]: if self.orderType.value == c._ORDER_TYPE_: return c(self.controlFlags) log.debug("unknown Order type : %s" % hex(self.orderType.value)) #read entire packet return String()
def EventFactory(): """ @summary: Closure for event factory """ for c in [UpdateEvent, ScreenEvent, InfoEvent, CloseEvent]: if self.type.value == c._TYPE_: return c(readLen = self.length) log.debug("unknown event type : %s"%hex(self.type.value)) #read entire packet return String(readLen = self.length)
def __init__(self): CompositeType.__init__(self) self.Signature = String("NTLMSSP\x00", readLen = CallableValue(8), constant = True) self.MessageType = UInt32Le(0x00000002, constant = True) self.TargetNameLen = UInt16Le() self.TargetNameMaxLen = UInt16Le(lambda:self.TargetNameLen.value) self.TargetNameBufferOffset = UInt32Le() self.NegotiateFlags = UInt32Le() self.ServerChallenge = String(readLen = CallableValue(8)) self.Reserved = String("\x00" * 8, readLen = CallableValue(8)) self.TargetInfoLen = UInt16Le() self.TargetInfoMaxLen = UInt16Le(lambda:self.TargetInfoLen.value) self.TargetInfoBufferOffset = UInt32Le() self.Version = Version(conditional = lambda:(self.NegotiateFlags.value & Negotiate.NTLMSSP_NEGOTIATE_VERSION)) self.Payload = String()