def __init__(self, extendedInfoConditional):
CompositeType.__init__(self)
#code page
self.codePage = UInt32Le()
#support flag
self.flag = UInt32Le(InfoFlag.INFO_MOUSE | InfoFlag.INFO_UNICODE
| InfoFlag.INFO_LOGONNOTIFY
| InfoFlag.INFO_LOGONERRORS
| InfoFlag.INFO_DISABLECTRLALTDEL)
self.cbDomain = UInt16Le(lambda: sizeof(self.domain) - 2)
self.cbUserName = UInt16Le(lambda: sizeof(self.userName) - 2)
self.cbPassword = UInt16Le(lambda: sizeof(self.password) - 2)
self.cbAlternateShell = UInt16Le(
lambda: sizeof(self.alternateShell) - 2)
self.cbWorkingDir = UInt16Le(lambda: sizeof(self.workingDir) - 2)
#microsoft domain
self.domain = String(
readLen=CallableValue(lambda: self.cbDomain.value + 2),
unicode=True)
self.userName = String(
readLen=CallableValue(lambda: self.cbUserName.value + 2),
unicode=True)
self.password = String(
readLen=CallableValue(lambda: self.cbPassword.value + 2),
unicode=True)
#shell execute at start of session
self.alternateShell = String(
readLen=CallableValue(lambda: self.cbAlternateShell.value + 2),
unicode=True)
#working directory for session
self.workingDir = String(
readLen=CallableValue(lambda: self.cbWorkingDir.value + 2),
unicode=True)
self.extendedInfo = RDPExtendedInfo(
conditional=extendedInfoConditional)
def readEncryptedPayload(self, s, saltedMacGeneration):
"""
@summary: decrypt basic RDP security payload
@param s: {Stream} encrypted stream
@param saltedMacGeneration: {bool} use salted mac generation
@return: {Stream} decrypted
"""
#if update is needed
if self._nbDecryptedPacket == 4096:
log.debug("update decrypt key")
self._currentDecrytKey = updateKey( self._initialDecrytKey, self._currentDecrytKey,
self.getGCCServerSettings().SC_SECURITY.encryptionMethod.value)
self._decryptRc4 = rc4.RC4Key(self._currentDecrytKey)
self._nbDecryptedPacket = 0
signature = String(readLen = CallableValue(8))
encryptedPayload = String()
s.readType((signature, encryptedPayload))
decrypted = rc4.crypt(self._decryptRc4, encryptedPayload.value)
#ckeck signature
if not saltedMacGeneration and macData(self._macKey, decrypted)[:8] != signature.value:
raise InvalidExpectedDataException("bad signature")
if saltedMacGeneration and macSaltedData(self._macKey, decrypted, self._nbDecryptedPacket)[:8] != signature.value:
raise InvalidExpectedDataException("bad signature")
#count
self._nbDecryptedPacket += 1
return Stream(decrypted)
def writeEncryptedPayload(self, data, saltedMacGeneration):
"""
@summary: sign and crypt data
@param data: {Type} raw stream
@param saltedMacGeneration: {bool} use salted mac generation
@return: {Tuple} (signature, encryptedData)
"""
if self._nbEncryptedPacket == 4096:
log.debug("update encrypt key")
self._currentEncryptKey = updateKey(
self._initialEncryptKey, self._currentEncryptKey,
self.getGCCServerSettings().SC_SECURITY.encryptionMethod.value)
self._encryptRc4 = rc4.RC4Key(self._currentEncryptKey)
self._nbEncryptedPacket = 0
self._nbEncryptedPacket += 1
s = Stream()
s.writeType(data)
if saltedMacGeneration:
return (String(
macSaltedData(self._macKey, s.getvalue(),
self._nbEncryptedPacket - 1)[:8]),
String(rc4.crypt(self._encryptRc4, s.getvalue())))
else:
return (String(macData(self._macKey, s.getvalue())[:8]),
String(rc4.crypt(self._encryptRc4, s.getvalue())))
def __init__(self, readLen=None):
CompositeType.__init__(self, readLen=readLen)
self.rdpVersion = UInt32Le(Version.RDP_VERSION_5_PLUS)
self.desktopWidth = UInt16Le(1280)
self.desktopHeight = UInt16Le(800)
self.colorDepth = UInt16Le(ColorDepth.RNS_UD_COLOR_8BPP)
self.sasSequence = UInt16Le(Sequence.RNS_UD_SAS_DEL)
self.kbdLayout = UInt32Le(KeyboardLayout.US)
self.clientBuild = UInt32Le(3790)
self.clientName = String("rdpy" + "\x00" * 11,
readLen=UInt8(32),
unicode=True)
self.keyboardType = UInt32Le(KeyboardType.IBM_101_102_KEYS)
self.keyboardSubType = UInt32Le(0)
self.keyboardFnKeys = UInt32Le(12)
self.imeFileName = String("\x00" * 64, readLen=UInt8(64))
self.postBeta2ColorDepth = UInt16Le(ColorDepth.RNS_UD_COLOR_8BPP)
self.clientProductId = UInt16Le(1)
self.serialNumber = UInt32Le(0)
self.highColorDepth = UInt16Le(HighColor.HIGH_COLOR_24BPP)
self.supportedColorDepths = UInt16Le(Support.RNS_UD_15BPP_SUPPORT
| Support.RNS_UD_16BPP_SUPPORT
| Support.RNS_UD_24BPP_SUPPORT
| Support.RNS_UD_32BPP_SUPPORT)
self.earlyCapabilityFlags = UInt16Le(
CapabilityFlags.RNS_UD_CS_SUPPORT_ERRINFO_PDU)
self.clientDigProductId = String("\x00" * 64, readLen=UInt8(64))
self.connectionType = UInt8()
self.pad1octet = UInt8()
self.serverSelectedProtocol = UInt32Le()
def __init__(self):
CompositeType.__init__(self)
self.Signature = String("NTLMSSP\x00", readLen = CallableValue(8), constant = True)
self.MessageType = UInt32Le(0x00000003, constant = True)
self.LmChallengeResponseLen = UInt16Le()
self.LmChallengeResponseMaxLen = UInt16Le(lambda:self.LmChallengeResponseLen.value)
self.LmChallengeResponseBufferOffset = UInt32Le()
self.NtChallengeResponseLen = UInt16Le()
self.NtChallengeResponseMaxLen = UInt16Le(lambda:self.NtChallengeResponseLen.value)
self.NtChallengeResponseBufferOffset = UInt32Le()
self.DomainNameLen = UInt16Le()
self.DomainNameMaxLen = UInt16Le(lambda:self.DomainNameLen.value)
self.DomainNameBufferOffset = UInt32Le()
self.UserNameLen = UInt16Le()
self.UserNameMaxLen = UInt16Le(lambda:self.UserNameLen.value)
self.UserNameBufferOffset = UInt32Le()
self.WorkstationLen = UInt16Le()
self.WorkstationMaxLen = UInt16Le(lambda:self.WorkstationLen.value)
self.WorkstationBufferOffset = UInt32Le()
self.EncryptedRandomSessionLen = UInt16Le()
self.EncryptedRandomSessionMaxLen = UInt16Le(lambda:self.EncryptedRandomSessionLen.value)
self.EncryptedRandomSessionBufferOffset = UInt32Le()
self.NegotiateFlags = UInt32Le()
self.Version = Version(conditional = lambda:(self.NegotiateFlags.value & Negotiate.NTLMSSP_NEGOTIATE_VERSION))
self.MIC = String("\x00" * 16, readLen = CallableValue(16))
self.Payload = String()
def __init__(self, listener):
"""
@param listener: listener use to inform new orders
"""
RawLayer.__init__(self)
#set client listener
self._clientListener = listener
#useful for RFB protocol
self._callbackBody = None
#protocol version negotiated
self._version = String(ProtocolVersion.RFB003008)
#number security launch by server
self._securityLevel = UInt8(SecurityType.INVALID)
#shared FrameBuffer client init message
self._sharedFlag = UInt8(False)
#server init message
#which contain FrameBuffer dim and pixel format
self._serverInit = ServerInit()
#client pixel format
self._pixelFormat = PixelFormat()
#server name
self._serverName = String()
#nb rectangle
self._nbRect = 0
#current rectangle header
self._currentRect = Rectangle()
#for vnc security type
self._password = '******' * 8
def __init__(self):
CompositeType.__init__(self)
self.dwVersion = UInt32Le()
self.cbCompanyName = UInt32Le(lambda:sizeof(self.pbCompanyName))
#may contain "Microsoft Corporation" from server microsoft
self.pbCompanyName = String("Microsoft Corporation", readLen = self.cbCompanyName, unicode = True)
self.cbProductId = UInt32Le(lambda:sizeof(self.pbProductId))
#may contain "A02" from microsoft license server
self.pbProductId = String("A02", readLen = self.cbProductId, unicode = True)
def __init__(self, readLen=None):
CompositeType.__init__(self, readLen=readLen)
self.lenUsername = UInt16Le(lambda: sizeof(self.username))
self.username = String(readLen=self.lenUsername)
self.lenPassword = UInt16Le(lambda: sizeof(self.password))
self.password = String(readLen=self.lenPassword)
self.lenDomain = UInt16Le(lambda: sizeof(self.domain))
self.domain = String(readLen=self.lenDomain)
self.lenHostname = UInt16Le(lambda: sizeof(self.hostname))
self.hostname = String(readLen=self.lenHostname)
def __init__(self, conditional):
CompositeType.__init__(self, conditional = conditional)
self.clientAddressFamily = UInt16Le(AfInet.AF_INET)
self.cbClientAddress = UInt16Le(lambda:sizeof(self.clientAddress))
self.clientAddress = String(readLen = self.cbClientAddress, unicode = True)
self.cbClientDir = UInt16Le(lambda:sizeof(self.clientDir))
self.clientDir = String(readLen = self.cbClientDir, unicode = True)
#TODO make tiomezone
self.clientTimeZone = String("\x00" * 172)
self.clientSessionId = UInt32Le()
self.performanceFlags = UInt32Le()
def __init__(self):
CompositeType.__init__(self)
self.dwSigAlgId = UInt32Le(0x00000001, constant=True)
self.dwKeyAlgId = UInt32Le(0x00000001, constant=True)
self.wPublicKeyBlobType = UInt16Le(0x0006, constant=True)
self.wPublicKeyBlobLen = UInt16Le(lambda: sizeof(self.PublicKeyBlob))
self.PublicKeyBlob = RSAPublicKey(readLen=self.wPublicKeyBlobLen)
self.wSignatureBlobType = UInt16Le(0x0008, constant=True)
self.wSignatureBlobLen = UInt16Le(lambda:
(sizeof(self.SignatureBlob) - 8))
self.SignatureBlob = String(readLen=self.wSignatureBlobLen)
self.padding = String(b"\x00" * 8, readLen=UInt8(8))
def __init__(self, readLen):
CompositeType.__init__(self, readLen=readLen)
#magic is RSA1(0x31415352)
self.magic = UInt32Le(0x31415352, constant=True)
self.keylen = UInt32Le(lambda:
(sizeof(self.modulus) + sizeof(self.padding)))
self.bitlen = UInt32Le(lambda: ((self.keylen.value - 8) * 8))
self.datalen = UInt32Le(lambda: ((self.bitlen.value / 8) - 1))
self.pubExp = UInt32Le()
self.modulus = String(
readLen=CallableValue(lambda: (self.keylen.value - 8)))
self.padding = String("\x00" * 8, readLen=CallableValue(8))
def close(self):
"""
@summary: Send disconnect provider ultimatum
"""
self._transport.send((UInt8(self.writeMCSPDUHeader(DomainMCSPDU.DISCONNECT_PROVIDER_ULTIMATUM, 1)),
per.writeEnumerates(0x80), String("\x00" * 6)))
self._transport.close()
def __init__(self, readLen = None):
CompositeType.__init__(self, readLen = readLen)
self.serverRandom = String("\x00" * 32, readLen = CallableValue(32))
self.productInfo = ProductInformation()
self.keyExchangeList = LicenseBinaryBlob(BinaryBlobType.BB_KEY_EXCHG_ALG_BLOB)
self.serverCertificate = LicenseBinaryBlob(BinaryBlobType.BB_CERTIFICATE_BLOB)
self.scopeList = ScopeList()
def writePadding(length):
"""
@summary: create string with null char * length
@param length: length of padding
@return: String with \x00 * length
"""
return String("\x00" * length)
def SlowPathInputDataFactory():
for c in [PointerEvent, ScancodeKeyEvent, UnicodeKeyEvent]:
if self.messageType.value == c._INPUT_MESSAGE_TYPE_:
return c()
log.debug("unknown slow path input : %s" %
hex(self.messageType.value))
return String()
def __init__(self, name="", options=0):
CompositeType.__init__(self)
#name of channel
self.name = String(name[0:8] + "\x00" * (8 - len(name)),
readLen=CallableValue(8))
#unknown
self.options = UInt32Le()
def __init__(self):
CompositeType.__init__(self)
self.shareId = UInt32Le()
self.lengthSourceDescriptor = UInt16Le(
lambda: sizeof(self.sourceDescriptor))
self.sourceDescriptor = String("rdpy",
readLen=self.lengthSourceDescriptor)
def __init__(self, blobType=BinaryBlobType.BB_ANY_BLOB, optional=False):
CompositeType.__init__(self, optional=optional)
self.wBlobType = UInt16Le(
blobType,
constant=True if blobType != BinaryBlobType.BB_ANY_BLOB else False)
self.wBlobLen = UInt16Le(lambda: sizeof(self.blobData))
self.blobData = String(readLen=self.wBlobLen)
def sendClientChallengeResponse(self, platformChallenge):
"""
@summary: generate valid challenge response
@param platformChallenge: {ServerPlatformChallenge}
"""
serverEncryptedChallenge = platformChallenge.encryptedPlatformChallenge.blobData.value
#decrypt server challenge
#it should be TEST word in unicode format
serverChallenge = rc4.crypt(rc4.RC4Key(self._licenseKey),
serverEncryptedChallenge)
if serverChallenge != "T\x00E\x00S\x00T\x00\x00\x00":
raise InvalidExpectedDataException("bad license server challenge")
#generate hwid
s = Stream()
s.writeType((UInt32Le(2),
String(self._hostname + self._username + "\x00" * 16)))
hwid = s.getvalue()[:20]
message = ClientPLatformChallengeResponse()
message.encryptedPlatformChallengeResponse.blobData.value = serverEncryptedChallenge
message.encryptedHWID.blobData.value = rc4.crypt(
rc4.RC4Key(self._licenseKey), hwid)
message.MACData.value = sec.macData(self._macSalt,
serverChallenge + hwid)
self._transport.sendFlagged(sec.SecurityFlag.SEC_LICENSE_PKT,
LicPacket(message))
def writeOctetstring(value):
"""
@summary: Write string in BER representation
@param value: string
@return: BER octet string block
"""
return (writeUniversalTag(Tag.BER_TAG_OCTET_STRING,
False), writeLength(len(value)), String(value))
def __init__(self):
CompositeType.__init__(self)
self.len = UInt8(lambda:sizeof(self) - 1)
self.code = UInt8(MessageType.X224_TPDU_CONNECTION_REQUEST, constant = True)
self.padding = (UInt16Be(), UInt16Be(), UInt8())
self.cookie = String(until = "\x0d\x0a", conditional = lambda:(self.len._is_readed and self.len.value > 14))
#read if there is enough data
self.protocolNeg = Negotiation(optional = True)
def __init__(self):
#in old version this packet is empty i don't know
#and not specified
CompositeType.__init__(self, optional=True)
self.shareId = UInt32Le()
self.lengthSourceDescriptor = UInt16Le(
lambda: sizeof(self.sourceDescriptor))
self.sourceDescriptor = String("rdpy",
readLen=self.lengthSourceDescriptor)
def __init__(self):
CompositeType.__init__(self)
self.Signature = String("NTLMSSP\x00", readLen = CallableValue(8), constant = True)
self.MessageType = UInt32Le(0x00000001, constant = True)
self.NegotiateFlags = UInt32Le()
self.DomainNameLen = UInt16Le()
self.DomainNameMaxLen = UInt16Le(lambda:self.DomainNameLen.value)
self.DomainNameBufferOffset = UInt32Le()
self.WorkstationLen = UInt16Le()
self.WorkstationMaxLen = UInt16Le(lambda:self.WorkstationLen.value)
self.WorkstationBufferOffset = UInt32Le()
self.Version = Version(conditional = lambda:(self.NegotiateFlags.value & Negotiate.NTLMSSP_NEGOTIATE_VERSION))
self.Payload = String()
def LicensingMessageFactory():
"""
@summary: factory for message nego
Use in read mode
"""
for c in [LicensingErrorMessage, ServerLicenseRequest, ClientNewLicenseRequest, ServerPlatformChallenge, ClientPLatformChallengeResponse]:
if self.bMsgtype.value == c._MESSAGE_TYPE_:
return c(readLen = self.wMsgSize - 4)
log.debug("unknown license message : %s"%self.bMsgtype.value)
return String(readLen = self.wMsgSize - 4)
def CapabilityFactory():
"""
Closure for capability factory
"""
for c in [GeneralCapability, BitmapCapability, OrderCapability, BitmapCacheCapability, PointerCapability, InputCapability, BrushCapability, GlyphCapability, OffscreenBitmapCacheCapability, VirtualChannelCapability, SoundCapability, ControlCapability, WindowActivationCapability, FontCapability, ColorCacheCapability, ShareCapability, MultiFragmentUpdate]:
if self.capabilitySetType.value == c._TYPE_ and (self.lengthCapability.value - 4) > 0:
return c(readLen = self.lengthCapability - 4)
log.debug("unknown Capability type : %s"%hex(self.capabilitySetType.value))
#read entire packet
return String(readLen = self.lengthCapability - 4)
def UpdateDataFactory():
"""
@summary: Create object in accordance self.updateType value
"""
for c in [BitmapUpdateDataPDU]:
if self.updateType.value == c._UPDATE_TYPE_:
return c()
log.debug("unknown PDU update data type : %s" %
hex(self.updateType.value))
return String()
def UpdateDataFactory():
"""
@summary: Create correct object in accordance to self.updateHeader field
"""
for c in [FastPathBitmapUpdateDataPDU]:
if (self.updateHeader.value & 0xf) == c._FASTPATH_UPDATE_TYPE_:
return c()
log.debug("unknown Fast Path PDU update data type : %s" %
hex(self.updateHeader.value & 0xf))
return String()
def OrderFactory():
"""
Closure for capability factory
"""
for c in [DstBltOrder]:
if self.orderType.value == c._ORDER_TYPE_:
return c(self.controlFlags)
log.debug("unknown Order type : %s" % hex(self.orderType.value))
#read entire packet
return String()
def EventFactory():
"""
@summary: Closure for event factory
"""
for c in [UpdateEvent, ScreenEvent, InfoEvent, CloseEvent]:
if self.type.value == c._TYPE_:
return c(readLen = self.length)
log.debug("unknown event type : %s"%hex(self.type.value))
#read entire packet
return String(readLen = self.length)
def __init__(self):
CompositeType.__init__(self)
self.Signature = String("NTLMSSP\x00", readLen = CallableValue(8), constant = True)
self.MessageType = UInt32Le(0x00000002, constant = True)
self.TargetNameLen = UInt16Le()
self.TargetNameMaxLen = UInt16Le(lambda:self.TargetNameLen.value)
self.TargetNameBufferOffset = UInt32Le()
self.NegotiateFlags = UInt32Le()
self.ServerChallenge = String(readLen = CallableValue(8))
self.Reserved = String("\x00" * 8, readLen = CallableValue(8))
self.TargetInfoLen = UInt16Le()
self.TargetInfoMaxLen = UInt16Le(lambda:self.TargetInfoLen.value)
self.TargetInfoBufferOffset = UInt32Le()
self.Version = Version(conditional = lambda:(self.NegotiateFlags.value & Negotiate.NTLMSSP_NEGOTIATE_VERSION))
self.Payload = String()