def __init__(self, extendedInfoConditional): CompositeType.__init__(self) #code page self.codePage = UInt32Le() #support flag self.flag = UInt32Le(InfoFlag.INFO_MOUSE | InfoFlag.INFO_UNICODE | InfoFlag.INFO_LOGONNOTIFY | InfoFlag.INFO_LOGONERRORS | InfoFlag.INFO_DISABLECTRLALTDEL) self.cbDomain = UInt16Le(lambda: sizeof(self.domain) - 2) self.cbUserName = UInt16Le(lambda: sizeof(self.userName) - 2) self.cbPassword = UInt16Le(lambda: sizeof(self.password) - 2) self.cbAlternateShell = UInt16Le( lambda: sizeof(self.alternateShell) - 2) self.cbWorkingDir = UInt16Le(lambda: sizeof(self.workingDir) - 2) #microsoft domain self.domain = String( readLen=CallableValue(lambda: self.cbDomain.value + 2), unicode=True) self.userName = String( readLen=CallableValue(lambda: self.cbUserName.value + 2), unicode=True) self.password = String( readLen=CallableValue(lambda: self.cbPassword.value + 2), unicode=True) #shell execute at start of session self.alternateShell = String( readLen=CallableValue(lambda: self.cbAlternateShell.value + 2), unicode=True) #working directory for session self.workingDir = String( readLen=CallableValue(lambda: self.cbWorkingDir.value + 2), unicode=True) self.extendedInfo = RDPExtendedInfo( conditional=extendedInfoConditional)
def __init__(self):
    """
    @summary: Declare the fields of the NTLMSSP message with MessageType 3
                (AUTHENTICATE_MESSAGE in MS-NLMP): six length / max length /
                buffer offset triples, the negotiate flags, an optional
                version, the MIC and the trailing payload
    """
    CompositeType.__init__(self)
    self.Signature = String("NTLMSSP\x00", readLen = CallableValue(8), constant = True)
    self.MessageType = UInt32Le(0x00000003, constant = True)

    # every *MaxLen is written as a copy of the matching *Len
    # NOTE(review): when this message is parsed, each Len / BufferOffset pair
    # comes from the peer; the code that slices Payload with them is not
    # visible here and has to bounds-check both against the payload size
    self.LmChallengeResponseLen = UInt16Le()
    self.LmChallengeResponseMaxLen = UInt16Le(lambda:self.LmChallengeResponseLen.value)
    self.LmChallengeResponseBufferOffset = UInt32Le()

    self.NtChallengeResponseLen = UInt16Le()
    self.NtChallengeResponseMaxLen = UInt16Le(lambda:self.NtChallengeResponseLen.value)
    self.NtChallengeResponseBufferOffset = UInt32Le()

    self.DomainNameLen = UInt16Le()
    self.DomainNameMaxLen = UInt16Le(lambda:self.DomainNameLen.value)
    self.DomainNameBufferOffset = UInt32Le()

    self.UserNameLen = UInt16Le()
    self.UserNameMaxLen = UInt16Le(lambda:self.UserNameLen.value)
    self.UserNameBufferOffset = UInt32Le()

    self.WorkstationLen = UInt16Le()
    self.WorkstationMaxLen = UInt16Le(lambda:self.WorkstationLen.value)
    self.WorkstationBufferOffset = UInt32Le()

    self.EncryptedRandomSessionLen = UInt16Le()
    self.EncryptedRandomSessionMaxLen = UInt16Le(lambda:self.EncryptedRandomSessionLen.value)
    self.EncryptedRandomSessionBufferOffset = UInt32Le()

    self.NegotiateFlags = UInt32Le()
    # Version is present only when NTLMSSP_NEGOTIATE_VERSION is set in the flags
    self.Version = Version(conditional = lambda:(self.NegotiateFlags.value & Negotiate.NTLMSSP_NEGOTIATE_VERSION))

    # 16 byte field, all zero by default; this constructor does not compute it
    self.MIC = String("\x00" * 16, readLen = CallableValue(16))
    # declared without a read length
    self.Payload = String()
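def __init__(self, readLen):
    """
    @summary: Declare the fields of an RSA public key blob: magic, key
                length, bit length, data length, public exponent, modulus
                and 8 bytes of padding
    @param readLen: forwarded to CompositeType.__init__ as readLen
    """
    CompositeType.__init__(self, readLen=readLen)
    #magic is RSA1(0x31415352)
    self.magic = UInt32Le(0x31415352, constant=True)
    # keylen covers the modulus and the 8 padding bytes
    self.keylen = UInt32Le(lambda: (sizeof(self.modulus) + sizeof(self.padding)))
    self.bitlen = UInt32Le(lambda: ((self.keylen.value - 8) * 8))
    # floor division: identical to the former "/" on Python 2 integers, and
    # keeps the value an integer on Python 3 where "/" would yield a float
    self.datalen = UInt32Le(lambda: ((self.bitlen.value // 8) - 1))
    self.pubExp = UInt32Le()
    # NOTE(review): when parsing, keylen comes from the peer; a value below 8
    # makes this read length negative -- how String handles that is not
    # visible here, confirm it is rejected
    self.modulus = String(
        readLen=CallableValue(lambda: (self.keylen.value - 8)))
    self.padding = String("\x00" * 8, readLen=CallableValue(8))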
def __init__(self):
    """
    @summary: Declare the fields of a certificate made of two constant
                algorithm identifiers, a typed and length-prefixed RSA
                public key blob, and a typed and length-prefixed signature
                blob followed by 8 bytes of padding
    """
    CompositeType.__init__(self)
    self.dwSigAlgId = UInt32Le(0x00000001, constant=True)
    self.dwKeyAlgId = UInt32Le(0x00000001, constant=True)

    self.wPublicKeyBlobType = UInt16Le(0x0006, constant=True)
    # the same field is written as the blob size and handed to the blob as
    # its read length
    self.wPublicKeyBlobLen = UInt16Le(lambda: sizeof(self.PublicKeyBlob))
    self.PublicKeyBlob = RSAPublicKey(readLen=self.wPublicKeyBlobLen)

    self.wSignatureBlobType = UInt16Le(0x0008, constant=True)
    # the signature length on the wire includes the trailing padding
    self.wSignatureBlobLen = UInt16Le(
        lambda: (sizeof(self.SignatureBlob) + sizeof(self.padding)))
    # NOTE(review): wSignatureBlobLen comes from the peer when parsing; a
    # value smaller than the padding makes this read length negative --
    # confirm String rejects it
    # NOTE(review): if this is the RDP proprietary server certificate,
    # MS-RDPBCGR publishes the key used to sign it, so a valid signature
    # does not authenticate the server -- confirm how callers treat it
    self.SignatureBlob = String(readLen=CallableValue(
        lambda: (self.wSignatureBlobLen.value - sizeof(self.padding))))
    self.padding = String(b"\x00" * 8, readLen=CallableValue(8))
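def __init__(self, name="", options=0):
    """
    @summary: Declare a channel definition: an 8 byte name followed by a
                32 bit options field
    @param name: {str} channel name, cut to 8 characters and padded with
                    "\\x00" up to 8
    @param options: {int} initial value of the options field; it was
                    accepted but never stored before
    """
    CompositeType.__init__(self)
    #name of channel
    # NOTE(review): a name of 8 or more characters fills the whole field and
    # leaves no "\x00" terminator -- confirm the peer tolerates that
    self.name = String(name[0:8] + "\x00" * (8 - len(name)),
                       readLen=CallableValue(8))
    #channel options, taken from the caller instead of being dropped
    self.options = UInt32Le(options)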
def readEncryptedPayload(self, s, saltedMacGeneration):
    """
    @summary: Decrypt one payload protected by basic RDP security and
                check its 8 byte signature
    @param s: {Stream} encrypted stream, read as an 8 byte signature
                followed by the RC4 encrypted data
    @param saltedMacGeneration: {bool} verify with macSaltedData instead
                of macData
    @return: {Stream} decrypted payload
    @raise InvalidExpectedDataException: when the computed signature
                differs from the received one
    """
    # the RC4 key is replaced once 4096 packets went through the current one
    if self._nbDecryptedPacket == 4096:
        log.debug("update decrypt key")
        self._currentDecrytKey = updateKey(
            self._initialDecrytKey,
            self._currentDecrytKey,
            self.getGCCServerSettings().SC_SECURITY.encryptionMethod.value)
        self._decryptRc4 = rc4.RC4Key(self._currentDecrytKey)
        self._nbDecryptedPacket = 0

    receivedMac = String(readLen = CallableValue(8))
    cipherText = String()
    s.readType((receivedMac, cipherText))

    # the MAC is computed over the plaintext, so decryption comes first;
    # presumably rc4.crypt advances the key state, which means a packet that
    # fails the check below still consumes keystream -- callers should drop
    # the connection on failure (confirm they do)
    plainText = rc4.crypt(self._decryptRc4, cipherText.value)

    # NOTE(review): the counter passed to macSaltedData is the one reset to 0
    # on key update above -- confirm the peer expects a per-key counter and
    # not a cumulative one
    if saltedMacGeneration:
        expectedMac = macSaltedData(self._macKey, plainText, self._nbDecryptedPacket)
    else:
        expectedMac = macData(self._macKey, plainText)

    # only the first 8 bytes are compared, with "!=", which is not a
    # constant-time comparison
    if expectedMac[:8] != receivedMac.value:
        raise InvalidExpectedDataException("bad signature")

    self._nbDecryptedPacket += 1
    return Stream(plainText)
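def readConferenceCreateRequest(s):
    """
    @summary: Read a GCC conference create request sent by a client and
                return the client settings it carries
    @param s: Stream
    @return: client settings (Settings)
    @raise InvalidExpectedDataException: on an unexpected number of set,
                choice or h221_cs_key
    """
    per.readChoice(s)
    per.readObjectIdentifier(s, t124_02_98_oid)
    per.readLength(s)
    per.readChoice(s)
    per.readSelection(s)
    per.readNumericString(s, 1)
    per.readPadding(s, 1)

    if per.readNumberOfSet(s) != 1:
        raise InvalidExpectedDataException(
            "Invalid number of set in readConferenceCreateRequest")

    if per.readChoice(s) != 0xc0:
        raise InvalidExpectedDataException(
            "Invalid choice in readConferenceCreateRequest")

    # the result was ignored before; reject a request whose key does not
    # match, the way readConferenceCreateResponse does for h221_sc_key
    if not per.readOctetStream(s, h221_cs_key, 4):
        raise InvalidExpectedDataException("cannot read h221_cs_key")

    # NOTE(review): length is taken from the client as is and becomes the
    # read length of Settings; it is not compared here with what is left in
    # the stream
    length = per.readLength(s)
    clientSettings = Settings(readLen=CallableValue(length))
    s.readType(clientSettings)
    return clientSettings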
def __init__(self, readLen = None):
    """
    @summary: Declare the fields of a licensing message carrying a server
                random, product information, a key exchange list, a server
                certificate and a scope list
    @param readLen: forwarded to CompositeType.__init__ as readLen
    """
    CompositeType.__init__(self, readLen = readLen)
    # 32 byte field whose default is all zero
    # NOTE(review): a sender has to replace the default with fresh random
    # bytes before this message is written -- confirm the caller does
    self.serverRandom = String("\x00" * 32, readLen = CallableValue(32))
    self.productInfo = ProductInformation()
    self.keyExchangeList = LicenseBinaryBlob(BinaryBlobType.BB_KEY_EXCHG_ALG_BLOB)
    self.serverCertificate = LicenseBinaryBlob(BinaryBlobType.BB_CERTIFICATE_BLOB)
    self.scopeList = ScopeList()
def __init__(self, readLen=None):
    """
    @summary: Declare the glyph capability fields: ten glyph cache entries,
                the fragment cache, the glyph support level and 2 bytes of
                padding
    @param readLen: forwarded to CompositeType.__init__ as readLen
    """
    CompositeType.__init__(self, readLen=readLen)
    # ten default entries, and exactly ten are read back
    defaultEntries = [CacheEntry() for _ in range(10)]
    self.glyphCache = ArrayType(
        CacheEntry,
        init=defaultEntries,
        readLen=CallableValue(10))
    self.fragCache = UInt32Le()
    #all fonts are sent with bitmap format (very expensive)
    self.glyphSupportLevel = UInt16Le(GlyphSupport.GLYPH_SUPPORT_NONE)
    self.pad2octets = UInt16Le()
def __init__(self):
    """
    @summary: Declare the fields of the NTLMSSP message with MessageType 2
                (CHALLENGE_MESSAGE in MS-NLMP): target name and target info
                descriptors, negotiate flags, the 8 byte server challenge,
                an optional version and the trailing payload
    """
    CompositeType.__init__(self)
    self.Signature = String("NTLMSSP\x00", readLen = CallableValue(8), constant = True)
    self.MessageType = UInt32Le(0x00000002, constant = True)

    # *MaxLen is written as a copy of the matching *Len
    # NOTE(review): when parsing, Len and BufferOffset come from the peer;
    # the code slicing Payload with them is not visible here and has to
    # bounds-check both
    self.TargetNameLen = UInt16Le()
    self.TargetNameMaxLen = UInt16Le(lambda:self.TargetNameLen.value)
    self.TargetNameBufferOffset = UInt32Le()

    self.NegotiateFlags = UInt32Le()

    # 8 byte field declared without a default value
    self.ServerChallenge = String(readLen = CallableValue(8))
    self.Reserved = String("\x00" * 8, readLen = CallableValue(8))

    self.TargetInfoLen = UInt16Le()
    self.TargetInfoMaxLen = UInt16Le(lambda:self.TargetInfoLen.value)
    self.TargetInfoBufferOffset = UInt32Le()

    # Version is present only when NTLMSSP_NEGOTIATE_VERSION is set in the flags
    self.Version = Version(conditional = lambda:(self.NegotiateFlags.value & Negotiate.NTLMSSP_NEGOTIATE_VERSION))
    # declared without a read length
    self.Payload = String()
def __init__(self, readLen = None): CompositeType.__init__(self, readLen = readLen) #RSA and must be only RSA self.preferredKeyExchangeAlg = UInt32Le(0x00000001, constant = True) #pure microsoft client ;-) #http://msdn.microsoft.com/en-us/library/1040af38-c733-4fb3-acd1-8db8cc979eda#id10 self.platformId = UInt32Le(0x04000000 | 0x00010000) self.clientRandom = String("\x00" * 32, readLen = CallableValue(32)) self.encryptedPreMasterSecret = LicenseBinaryBlob(BinaryBlobType.BB_RANDOM_BLOB) self.ClientUserName = LicenseBinaryBlob(BinaryBlobType.BB_CLIENT_USER_NAME_BLOB) self.ClientMachineName = LicenseBinaryBlob(BinaryBlobType.BB_CLIENT_MACHINE_NAME_BLOB)
def __init__(self, readLen=None):
    """
    @summary: Declare the order capability fields, from the 16 byte
                terminal descriptor down to the ANSI code page, including
                the 32 entry order support array
    @param readLen: forwarded to CompositeType.__init__ as readLen
    """
    CompositeType.__init__(self, readLen=readLen)
    self.terminalDescriptor = String(
        "\x00" * 16,
        readLen=CallableValue(16))
    self.pad4octetsA = UInt32Le(0)
    self.desktopSaveXGranularity = UInt16Le(1)
    self.desktopSaveYGranularity = UInt16Le(20)
    self.pad2octetsA = UInt16Le(0)
    self.maximumOrderLevel = UInt16Le(1)
    self.numberFonts = UInt16Le()
    self.orderFlags = UInt16Le(OrderFlag.NEGOTIATEORDERSUPPORT)
    # one byte per order, all 0 by default, and exactly 32 are read back
    noOrderSupported = [UInt8(0) for _ in range(32)]
    self.orderSupport = ArrayType(
        UInt8,
        init=noOrderSupported,
        readLen=CallableValue(32))
    self.textFlags = UInt16Le()
    self.orderSupportExFlags = UInt16Le()
    self.pad4octetsB = UInt32Le()
    self.desktopSaveSize = UInt32Le(480 * 480)
    self.pad2octetsC = UInt16Le()
    self.pad2octetsD = UInt16Le()
    self.textANSICodePage = UInt16Le(0)
    self.pad2octetsE = UInt16Le()
def __init__(self, readLen=None):
    """
    @summary: Declare the input capability fields: input flags, padding,
                four keyboard descriptors and the 64 byte IME file name
    @param readLen: forwarded to CompositeType.__init__ as readLen
    """
    CompositeType.__init__(self, readLen=readLen)
    self.inputFlags = UInt16Le()
    self.pad2octetsA = UInt16Le()
    #same value as gcc.ClientCoreSettings.kbdLayout
    self.keyboardLayout = UInt32Le()
    #same value as gcc.ClientCoreSettings.keyboardType
    self.keyboardType = UInt32Le()
    #same value as gcc.ClientCoreSettings.keyboardSubType
    self.keyboardSubType = UInt32Le()
    #same value as gcc.ClientCoreSettings.keyboardFnKeys
    self.keyboardFunctionKey = UInt32Le()
    #same value as gcc.ClientCoreSettings.imeFileName
    # fixed 64 byte field, all zero by default
    self.imeFileName = String("\x00" * 64, readLen=CallableValue(64))
def __init__(self, readLen=None):
    """
    @summary: Declare the client core settings with their default values:
                protocol version, desktop size, color depth, keyboard
                description, client name and build, followed by a run of
                fields declared optional
    @param readLen: forwarded to CompositeType.__init__ as readLen
    """
    CompositeType.__init__(self, readLen=readLen)
    self.rdpVersion = UInt32Le(Version.RDP_VERSION_5_PLUS)
    self.desktopWidth = UInt16Le(1280)
    self.desktopHeight = UInt16Le(800)
    self.colorDepth = UInt16Le(ColorDepth.RNS_UD_COLOR_8BPP)
    self.sasSequence = UInt16Le(Sequence.RNS_UD_SAS_DEL)
    self.kbdLayout = UInt32Le(KeyboardLayout.US)
    self.clientBuild = UInt32Le(3790)
    # NOTE(review): the default name "rdpy" and the build number above are
    # sent to the server as is, which makes the client easy to fingerprint;
    # when parsing, clientName is peer supplied text
    self.clientName = String("rdpy" + "\x00" * 11,
                             readLen=CallableValue(32),
                             unicode=True)
    self.keyboardType = UInt32Le(KeyboardType.IBM_101_102_KEYS)
    self.keyboardSubType = UInt32Le(0)
    self.keyboardFnKeys = UInt32Le(12)
    # every field from here on is declared with optional=True
    self.imeFileName = String("\x00" * 64,
                              readLen=CallableValue(64),
                              optional=True)
    self.postBeta2ColorDepth = UInt16Le(ColorDepth.RNS_UD_COLOR_8BPP,
                                        optional=True)
    self.clientProductId = UInt16Le(1, optional=True)
    self.serialNumber = UInt32Le(0, optional=True)
    self.highColorDepth = UInt16Le(HighColor.HIGH_COLOR_24BPP,
                                   optional=True)
    self.supportedColorDepths = UInt16Le(
        Support.RNS_UD_15BPP_SUPPORT | Support.RNS_UD_16BPP_SUPPORT
        | Support.RNS_UD_24BPP_SUPPORT | Support.RNS_UD_32BPP_SUPPORT,
        optional=True)
    self.earlyCapabilityFlags = UInt16Le(
        CapabilityFlags.RNS_UD_CS_SUPPORT_ERRINFO_PDU, optional=True)
    self.clientDigProductId = String("\x00" * 64,
                                     readLen=CallableValue(64),
                                     optional=True)
    self.connectionType = UInt8(optional=True)
    self.pad1octet = UInt8(optional=True)
    self.serverSelectedProtocol = UInt32Le(optional=True)
def __init__(self):
    """
    @summary: Declare the fields of the NTLMSSP message with MessageType 1
                (NEGOTIATE_MESSAGE in MS-NLMP): negotiate flags, domain name
                and workstation descriptors, an optional version and the
                trailing payload
    """
    CompositeType.__init__(self)
    self.Signature = String("NTLMSSP\x00", readLen = CallableValue(8), constant = True)
    self.MessageType = UInt32Le(0x00000001, constant = True)

    self.NegotiateFlags = UInt32Le()

    # *MaxLen is written as a copy of the matching *Len
    # NOTE(review): when parsing, Len and BufferOffset come from the peer;
    # the code slicing Payload with them is not visible here and has to
    # bounds-check both
    self.DomainNameLen = UInt16Le()
    self.DomainNameMaxLen = UInt16Le(lambda:self.DomainNameLen.value)
    self.DomainNameBufferOffset = UInt32Le()

    self.WorkstationLen = UInt16Le()
    self.WorkstationMaxLen = UInt16Le(lambda:self.WorkstationLen.value)
    self.WorkstationBufferOffset = UInt32Le()

    # Version is present only when NTLMSSP_NEGOTIATE_VERSION is set in the flags
    self.Version = Version(conditional = lambda:(self.NegotiateFlags.value & Negotiate.NTLMSSP_NEGOTIATE_VERSION))

    # declared without a read length
    self.Payload = String()
def readConferenceCreateResponse(s):
    """
    @summary: Parse the GCC conference create response sent by a server
                and give back the settings block it contains
    @param s: Stream
    @return: ServerSettings
    @raise InvalidExpectedDataException: when h221_sc_key is not found at
                the expected position
    """
    # header items are consumed in order; their values are not checked here
    per.readChoice(s)
    per.readObjectIdentifier(s, t124_02_98_oid)
    per.readLength(s)
    per.readChoice(s)
    per.readInteger16(s, 1001)
    per.readInteger(s)
    per.readEnumerates(s)
    per.readNumberOfSet(s)
    per.readChoice(s)

    keyMatches = per.readOctetStream(s, h221_sc_key, 4)
    if not keyMatches:
        raise InvalidExpectedDataException("cannot read h221_sc_key")

    # NOTE(review): the length comes from the server as is and becomes the
    # read length of Settings; it is not compared here with what is left in
    # the stream
    settingsLength = per.readLength(s)
    settings = Settings(readLen=CallableValue(settingsLength))
    s.readType(settings)
    return settings
def __init__(self):
    """
    @summary: Declare a length-prefixed encrypted client random followed by
                8 bytes of padding
    """
    CompositeType.__init__(self)
    # written as the size of the whole structure minus the 4 bytes of this field
    self.length = UInt32Le(lambda:(sizeof(self) - 4))
    # the 8 subtracted bytes match the size of the padding declared below
    # NOTE(review): when parsing, length comes from the peer; a value below 8
    # makes this read length negative -- how String handles that is not
    # visible here, confirm it is rejected
    self.encryptedClientRandom = String(readLen = CallableValue(lambda:(self.length.value - 8)))
    self.padding = String("\x00" * 8, readLen = CallableValue(8))
def __init__(self, readLen=None):
    """
    @summary: Declare the fields of a licensing message carrying connect
                flags, an encrypted platform challenge and 16 bytes of MAC
                data
    @param readLen: forwarded to CompositeType.__init__ as readLen
    """
    CompositeType.__init__(self, readLen=readLen)
    self.connectFlags = UInt32Le()
    self.encryptedPlatformChallenge = LicenseBinaryBlob(
        BinaryBlobType.BB_ANY_BLOB)
    # only declared here as a 16 byte field; nothing in this constructor
    # checks it against the challenge, so verification (if any) is up to the
    # code that handles the parsed message
    self.MACData = String(readLen=CallableValue(16))
def __init__(self, readLen=None):
    """
    @summary: Declare the fields of a licensing message carrying an
                encrypted platform challenge response, an encrypted
                hardware id and 16 bytes of MAC data
    @param readLen: forwarded to CompositeType.__init__ as readLen
    """
    CompositeType.__init__(self, readLen=readLen)
    self.encryptedPlatformChallengeResponse = LicenseBinaryBlob(
        BinaryBlobType.BB_DATA_BLOB)
    self.encryptedHWID = LicenseBinaryBlob(BinaryBlobType.BB_DATA_BLOB)
    # only declared here as a 16 byte field; this constructor neither
    # computes nor verifies it
    self.MACData = String(readLen=CallableValue(16))
def __init__(self):
    """
    @summary: Declare a certificate chain: a blob count, that many CertBlob
                entries, then padding whose size depends on the count
    """
    CompositeType.__init__(self)
    # NOTE(review): when parsing, this count comes from the peer and is used
    # below both as the number of CertBlob entries to read and to size the
    # padding; no upper bound is applied in this constructor
    self.NumCertBlobs = UInt32Le()
    self.CertBlobArray = ArrayType(CertBlob, readLen=self.NumCertBlobs)
    # 8 bytes plus 4 bytes per certificate blob
    self.padding = String(
        readLen=CallableValue(lambda: (8 + 4 * self.NumCertBlobs.value)))
def __init__(self):
    """
    @summary: Declare a message signature made of a constant version (1),
                an 8 byte checksum and a 32 bit sequence number
    """
    CompositeType.__init__(self)
    self.Version = UInt32Le(0x00000001, constant=True)
    # only declared here as an 8 byte field; this constructor neither
    # computes nor verifies it
    self.Checksum = String(readLen=CallableValue(8))
    self.SeqNum = UInt32Le()