Module: Msf::Exploit::Remote::RDP

Includes:

Tcp

Defined in:

lib/msf/core/exploit/rdp.rb

Overview

This module exposes methods for interacting with a remote RDP service

Defined Under Namespace

Classes: RDPConstants, RdpCommunicationError

Instance Attribute Summary

• #rdp_sock ⇒ Object protected

  Returns the value of attribute rdp_sock.

• #rdp_user_id ⇒ Object protected

  Returns the value of attribute rdp_user_id.

Attributes included from Tcp

#sock

Instance Method Summary

• #ber_data(*ds) ⇒ Object protected
• #ber_int(i) ⇒ Object protected
• #ber_octet_string(*ds) ⇒ Object protected
• #bin_to_hex(str_val) ⇒ Object
• #build_data_tpdu(data) ⇒ Object

  Builds x.224 Data (DT) TPDU - Section 13.7.

• #build_share_control_header(type, data) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/73d01865-2eae-407f-9b2c-87e31daac471 Share Control Header - TS_SHARECONTROLHEADER - 2.2.8.1.1.1.1.

• #build_share_data_header(type, data) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4b5d4c0d-a657-41e9-9c69-d58632f46d31 Share Data Header - TS_SHAREDATAHEADER - 2.2.8.1.1.1.2.

• #build_virtual_channel_pdu(flags, data) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c074267-1b32-4ceb-9496-2eb941a23e6b Virtual Channel PDU 2.2.6.1.

• #bytes_to_bignum(bytes_val, order = "little") ⇒ Object
• #conf_create_req(user_data_sets: 1, h221_key: "Duca") ⇒ Object protected
• #cs_cluster_data(flags: RDPConstants::REDIRECTION_SUPPORTED | RDPConstants::REDIRECTION_VERSION3, session_id: 0) ⇒ Object protected
• #cs_core_data(version: 0x80004, width: 800, height: 600, keyboard: 1033, client_build: 2600, client_name: "rdesktop", keyboard_type: 4, keyboard_subtype: 0, keyboard_func_key: 12, serial_num: 0, client_product_id: 1, client_dig_product_id: "", selected_proto: 0) ⇒ Object protected
• #cs_network_data(channels) ⇒ Object protected
• #cs_security_data(encryption_methods: RDPConstants::ENCRYPTION_40BIT | RDPConstants::ENCRYPTION_128BIT, ext_encryption_methods: 0) ⇒ Object protected
• #encode_domain_selector(max_chan_ids: 0, max_user_ids: 0, max_token_ids: 0, num_priorities: 1, min_throughput: 0, max_height: 1, max_mcspdu_size: 65535, protocol_ver: 2) ⇒ Object protected
• #initialize(info = {}) ⇒ Object

  Creates an instance of a RDP exploit module.

• #int_to_bytestring(int_val, num_chars = nil) ⇒ Object

  www.ruby-forum.com/t/integer-to-byte-string-speed-improvements/67110.

• #oid(itut, rec, t, t124, ver, desc) ⇒ Object protected
• #pdu_attach_user_request ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247\ Client MCS Attach User Request PDU - 2.2.1.6.

• #pdu_channel_join_request(user1, channel_id) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/64564639-3b2d-4d2c-ae77-1105b4cc011b Client MCS Channel Join Request PDU -2.2.1.8.

• #pdu_client_confirm_active ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4e9722c3-ad83-43f5-af5a-529f73d88b48 Confirm Active PDU Data - TS_CONFIRM_ACTIVE_PDU - 2.2.1.13.2.1.

• #pdu_client_control_cooperate ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9d1e1e21-d8b4-4bfd-9caf-4b72ee91a7135 Control Cooperate - TC_CONTROL_PDU 2.2.1.15.

• #pdu_client_control_request ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4f94e123-970b-4242-8cf6-39820d8e3d35 Control Request - TC_CONTROL_PDU 2.2.1.16.

• #pdu_client_font_list ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7067da0d-e318-4464-88e8-b11509cf0bd9 Client Font List - TS_FONT_LIST_PDU - 2.2.1.18.

• #pdu_client_info(user_name, domain_name = "", ip_address = "") ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d TS_INFO_PACKET - 2.2.1.11.1.1.

• #pdu_client_input_event_sychronize ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/ff7f06f8-0dcf-4c8d-be1f-596ae60c4396 Client Input Event Data - TS_INPUT_PDU_DATA - 2.2.8.1.1.3.1.

• #pdu_client_synchronize(target_user = 0) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5186005a-36f5-4f5d-8c06-968f28e2d992 Client Synchronize - TS_SYNCHRONIZE_PDU - 2.2.1.19 / 2.2.14.1.

• #pdu_connect_initial(channels, selected_proto = 0, host_name = "rdesktop") ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b.

• #pdu_erect_domain_request ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c Client MCS Erect Domain Request PDU - 2.2.1.5.

• #pdu_negotiation_request(user_name = "", requested_protocols = 0) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10 Client X.224 Connect Request PDU - 2.2.1.1.

• #pdu_new_license_request(client_random, user, host) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpele/c57e4890-9049-421e-9fe8-9a6f9519675a Client New License Request PDU - 2.2.2.2.

• #pdu_security_exchange(rcran, rsexp, rsmod, bitlen) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f Client Security Exchange PDU - 2.2.1.10.

• #per_data(*ds) ⇒ Object protected
• #per_object(*ds) ⇒ Object protected
• #rdp_build_pkt(data, channel_id = "\x03\xeb", client_info: false, license_info: false) ⇒ Object

  Build the X.224 packet, encrypt with Standard RDP Security as needed default channel_id = 0x03eb = 1003.

• #rdp_calculate_rc4_keys(client_random, server_random) ⇒ Object
• #rdp_check_protocol(req_proto = RDPConstants::PROTOCOL_SSL) ⇒ Boolean, RDPConstants

  Connect and detect security protocol.

• #rdp_connect ⇒ Object
• #rdp_create_channel_msg(chan_user_id, chan_id, data, flags = 3, data_length = nil) ⇒ Object
• #rdp_disconnect ⇒ Object
• #rdp_dispatch_loop ⇒ Object
• #rdp_establish_session ⇒ Object

  Finish building session after all security is negotiated.

• #rdp_final_hash(k, client_random_bytes, server_random_bytes) ⇒ Object

  FinalHash(K) = MD5(K + ClientRandom + ServerRandom).

• #rdp_fingerprint ⇒ Boolean, Hash

  Connect and perform fingerprinting of the RDP service.

• #rdp_generate_license_keys(data) ⇒ Object
• #rdp_handle_license_error_alert(data) ⇒ Object
• #rdp_handle_license_request(data) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpele/e17772e9-9642-4bb6-a2bc-82875dd6da7c Server License Request - 2.2.2.1.

• #rdp_handle_packet(pkt) ⇒ Object protected
• #rdp_hmac(mac_salt_key, data_content) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7c61b54e-f6cd-4819-a59a-daf200f6bf94 mac_salt_key = “Wx13xc58x7fxebxa9x10*x1exddVx96x8b[d” data_content = “x12x00x17x00xefx03xeax03x02x00x00x01x04x00$x00x00x00” hmac = rdp_hmac(mac_salt_key, data_content) # == hexlified: “22d5aeb486994a0c785dc929a2855923”.

• #rdp_move_mouse(x = 1, y = 1) ⇒ Object
• #rdp_negotiate_security(channels, req_proto = RDPConstants::PROTOCOL_SSL) ⇒ Boolean

  Negotiate security protocol and begin session building.

• #rdp_on_channel_receive(pkt, chan_user_id, chan_id, flags, data) ⇒ Object protected
• #rdp_on_core_client_id_confirm(pkt, chan_user_id, chan_id, flags, data) ⇒ Object protected
• #rdp_on_core_server_announce(pkt, chan_user_id, chan_id, flags, data) ⇒ Object protected
• #rdp_on_core_server_capability(pkt, chan_user_id, chan_id, flags, data) ⇒ Object protected
• #rdp_parse_connect_response(pkt) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/927de44c-7fe8-4206-a14f-e5517dc24b1c Parse Server MCS Connect Response PUD - 2.2.1.4.

• #rdp_parse_license_pdu(data) ⇒ Object
• #rdp_parse_negotiation_response(data) ⇒ String^?

  Parse RDP Negotiation Data - 2.2.1.2 Reference: docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/13757f8f-66db-4273-9d2c-385c33b1e483.

• #rdp_rc4_crypt(rc4obj, data) ⇒ Object
• #rdp_recv(length = -1,, timeout = 5) ⇒ Object
• #rdp_salted_hash(s_bytes, i_bytes, client_random_bytes, server_random_bytes) ⇒ Object

  docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/705f9542-b0e3-48be-b9a5-cf2ee582607f SaltedHash(S, I) = MD5(S + SHA(I + S + ClientRandom + ServerRandom)).

• #rdp_salted_hash16(s_bytes, salt1, salt2) ⇒ Object
• #rdp_salted_hash48(s_bytes, i_byte, client_random, server_random) ⇒ Object
• #rdp_send(data) ⇒ Object
• #rdp_send_channel(chan_user_id, chan_id, data, flags = 3, data_length = nil) ⇒ Object
• #rdp_send_recv(data) ⇒ Object
• #rdp_terminate ⇒ Object
• #rdpdr_client_announce_reply(pkt, chan_user_id, chan_id, flags, data) ⇒ Object protected
• #rdpdr_client_device_list_announce_request(pkt, chan_user_id, chan_id, flags, data) ⇒ Object protected
• #rdpdr_client_name_request(pkt, chan_user_id, chan_id, flags, data) ⇒ Object protected
• #rsa_encrypt(bignum, rsexp, rsmod) ⇒ Object
• #swap_sock_plain_to_ssl ⇒ Object

  Create a new SSL session on the existing socket.

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #deregister_tcp_options, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Instance Attribute Details

#rdp_sock ⇒ Object (protected)

Returns the value of attribute rdp_sock

# File 'lib/msf/core/exploit/rdp.rb', line 1475

def rdp_sock
  @rdp_sock
end

#rdp_user_id ⇒ Object (protected)

Returns the value of attribute rdp_user_id

# File 'lib/msf/core/exploit/rdp.rb', line 1477

def rdp_user_id
  @rdp_user_id
end

Instance Method Details

#ber_data(*ds) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1366

def ber_data(*ds)
  data = ds.join('')

  result = [
    "\x82",
    [data.length].pack('S>'),
    data
  ].join('')

  result
end

#ber_int(i) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1378

def ber_int(i)
  d = ''
  if i < (2 ** 8)
    d = [i].pack('C')
  elsif i < (2 ** 16)
    d = [i].pack('S>')
  else
    d = [i].pack('L>')
  end

  "\x02" + [d.length].pack('C') + d
end

#ber_octet_string(*ds) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1357

def ber_octet_string(*ds)
  result = [
    "\x04",
    ber_data(ds)
  ].join('')

  result
end

#bin_to_hex(str_val) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 691

def bin_to_hex(str_val)
  str_val.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
end

#build_data_tpdu(data) ⇒ Object

Builds x.224 Data (DT) TPDU - Section 13.7

# File 'lib/msf/core/exploit/rdp.rb', line 749

def build_data_tpdu(data)
  tpkt_length = data.length + 7

  "\x03\x00" +                 # TPKT Header version 03, reserved 0
    [tpkt_length].pack("S>") + # TPKT length
    "\x02\xf0\x80" +           # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission)
    data
end

#build_share_control_header(type, data) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/73d01865-2eae-407f-9b2c-87e31daac471 Share Control Header - TS_SHARECONTROLHEADER - 2.2.8.1.1.1.1

# File 'lib/msf/core/exploit/rdp.rb', line 985

def build_share_control_header(type, data)
  total_len = data.length + 6

  [total_len].pack("S<") + # totalLength - includes all headers
    [type].pack("S<") +    # pduType - flags 16 bit, unsigned
    "\xf1\x03" +           # PDUSource: 0x03f1 = 1009
    data
end

#build_share_data_header(type, data) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4b5d4c0d-a657-41e9-9c69-d58632f46d31 Share Data Header - TS_SHAREDATAHEADER - 2.2.8.1.1.1.2

# File 'lib/msf/core/exploit/rdp.rb', line 996

def build_share_data_header(type, data)
  uncompressed_len = data.length + 4

  "\xea\x03\x01\x00" + # shareId: 66538
    "\x00" +     # pad1
    "\x01" +     # streamID: 1
    [uncompressed_len].pack("S<") + # uncompressedLength - 16 bit, unsigned int
    [type].pack("C") + # pduType2 - 8 bit, unsigned int - 2.2.8.1.1.2
    "\x00" +     # compressedType: 0
    "\x00\x00" + # compressedLength: 0
    data
end

#build_virtual_channel_pdu(flags, data) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c074267-1b32-4ceb-9496-2eb941a23e6b Virtual Channel PDU 2.2.6.1

# File 'lib/msf/core/exploit/rdp.rb', line 740

def build_virtual_channel_pdu(flags, data)
  data_len = data.length

  [data_len].pack("L<") + # length
    [flags].pack("L<") +  # flags
    data
end

#bytes_to_bignum(bytes_val, order = "little") ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 666

def bytes_to_bignum(bytes_val, order = "little")
  bytes = bin_to_hex(bytes_val)
  if order == "little"
    bytes = bytes.scan(/../).reverse.join('')
  end
  s = "0x" + bytes
  s.to_i(16)
end

#conf_create_req(user_data_sets: 1, h221_key: "Duca") ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1334

def conf_create_req(user_data_sets: 1, h221_key: "Duca")
  b2 = 0
  b2 |= 0x08 if user_data_sets > 0

  b5 = 0x40
  b5 |= 0x80 if user_data_sets > 0

  # TODO: add more flags here
  [
    "\x00",
    [b2].pack('C'),
    "\x00\x10\x00",
    [user_data_sets].pack('C'),
    [b5].pack('C'),
    "\x00",
    [h221_key.encode('ASCII')].pack('a*')
  ].join('')
end

#cs_cluster_data(flags: RDPConstants::REDIRECTION_SUPPORTED | RDPConstants::REDIRECTION_VERSION3, session_id: 0) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1240

def cs_cluster_data(
  flags: RDPConstants::REDIRECTION_SUPPORTED | RDPConstants::REDIRECTION_VERSION3,
  session_id: 0
)
  body = [flags, session_id].pack('<L<L')

  result = [
    [0xc004, body.length + 4].pack('<S<S'),
    body
  ].join('')

  result
end

#cs_core_data(version: 0x80004, width: 800, height: 600, keyboard: 1033, client_build: 2600, client_name: "rdesktop", keyboard_type: 4, keyboard_subtype: 0, keyboard_func_key: 12, serial_num: 0, client_product_id: 1, client_dig_product_id: "", selected_proto: 0) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1286

def cs_core_data(
  version: 0x80004,
  width: 800,
  height: 600,
  keyboard: 1033, # English
  client_build: 2600,
  client_name: "rdesktop",
  keyboard_type: 4, # IBMEhanced 101/102
  keyboard_subtype: 0,
  keyboard_func_key: 12,
  serial_num: 0,
  client_product_id: 1,
  client_dig_product_id: "",
  selected_proto: 0
  )

  client_name = Rex::Text.to_unicode(client_name[0..16], 'utf-16le')
  client_dig_product_id = Rex::Text.to_unicode(client_dig_product_id[0..32], 'utf-16le')

  body = [
    [version, width, height].pack('<L<S<S'),
    "\x01\xca", # colour depth (8BPP)
    "\x03\xaa", # SASSequence
    [keyboard, client_build, client_name, keyboard_type].pack('<L<La32*'),
    [keyboard_type, keyboard_subtype, keyboard_func_key].pack('<L<L<L'),
    "\x00" * 64, # imeFileName
    "\x01\xca", # postBeta2ColorDepth (8BPP)
    [client_product_id, serial_num].pack('<S<L'),
    "\x18\x00", # highColorDepth: 24 bpp
    "\x07\x00", # supportedColorDepths: flag (24 bpp | 16 bpp | 15 bpp )
    "\x01\x00", # earlyCapabilityFlags: 1 (RNS_UD_CS_SUPPORT_ERRINFO_PDU)
    [client_dig_product_id].pack('a64*'),
    "\x00", # connectionType: 0
    "\x00", # pad1octet
    # serverSelectedProtocol - After negotiating TLS or CredSSP this value must
    # match the selectedProtocol value from the server's Negotiate Connection
    # confirm PDU that was sent before encryption was started.
    [selected_proto].pack('L<')
  ].join('')

  result = [
    [0xc001, body.length + 4].pack('<S<S'),
    body
  ].join('')

  result
end

#cs_network_data(channels) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1268

def cs_network_data(channels)
  chan_data = channels.map{ |c|
    [c[0].encode('ASCII')].pack('a8*') + [c[1]].pack('L')
  }.join('')

  body = [
    [channels.length].pack('L'),
    chan_data
  ].join('')

  result = [
    [0xc003, body.length + 4].pack('<S<S'),
    body
  ].join('')

  result
end

#cs_security_data(encryption_methods: RDPConstants::ENCRYPTION_40BIT | RDPConstants::ENCRYPTION_128BIT, ext_encryption_methods: 0) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1254

def cs_security_data(
  encryption_methods: RDPConstants::ENCRYPTION_40BIT | RDPConstants::ENCRYPTION_128BIT,
  ext_encryption_methods: 0
)
  body = [encryption_methods, ext_encryption_methods].pack('<L<L')

  result = [
    [0xc002, body.length + 4].pack('<S<S'),
    body
  ].join('')

  result
end

#encode_domain_selector(max_chan_ids: 0, max_user_ids: 0, max_token_ids: 0, num_priorities: 1, min_throughput: 0, max_height: 1, max_mcspdu_size: 65535, protocol_ver: 2) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1185

def encode_domain_selector(
  max_chan_ids: 0,
  max_user_ids: 0,
  max_token_ids: 0,
  num_priorities: 1,
  min_throughput: 0,
  max_height: 1,
  max_mcspdu_size: 65535,
  protocol_ver: 2
)

  body = [
    ber_int(max_chan_ids),
    ber_int(max_user_ids),
    ber_int(max_token_ids),
    ber_int(num_priorities),
    ber_int(min_throughput),
    ber_int(max_height),
    ber_int(max_mcspdu_size),
    ber_int(protocol_ver)
  ].join('')

  result = [
    "\x30",
    [body.length].pack('C'),
    body
  ].join('')

  result
end

#initialize(info = {}) ⇒ Object

Creates an instance of a RDP exploit module.

# File 'lib/msf/core/exploit/rdp.rb', line 17

def initialize(info = {})
  super
  register_options(
    [
      OptString.new('RDP_USER', [ false, 'The username to report during connect, UNSET = random']),
      OptString.new('RDP_CLIENT_NAME', [ false, 'The client computer name to report during connect, UNSET = random', 'rdesktop']),
      OptString.new('RDP_DOMAIN', [ false, 'The client domain name to report during connect']),
      OptAddress.new('RDP_CLIENT_IP', [ true, 'The client IPv4 address to report during connect', '192.168.0.100']),
      Opt::RPORT(3389)
    ], Msf::Exploit::Remote::RDP)
    register_advanced_options(
    [
      OptInt.new('RDP_TLS_SECURITY_LEVEL', [ true, 'Change default TLS security level. "0" (default) means everything is permitted. "1" rejects very weak parameters and "2" is even stricter.', 0 ])
    ], Msf::Exploit::Remote::RDP)
end

#int_to_bytestring(int_val, num_chars = nil) ⇒ Object

www.ruby-forum.com/t/integer-to-byte-string-speed-improvements/67110

# File 'lib/msf/core/exploit/rdp.rb', line 676

def int_to_bytestring( int_val, num_chars = nil )
  unless num_chars
    bits_needed = Math.log(int_val) / Math.log(2)
    num_chars = ( bits_needed / 8.0 ).ceil
  end
  if pack_code = { 1 => 'C', 2 => 'S', 4 => 'L' }[num_chars]
    [int_val].pack(pack_code)
  else
    a = (0..(num_chars)).map{ |i|
      (( int_val >> i*8 ) & 0xFF ).chr
    }.join
    a[0..-2] # seems legit lol
  end
end

#oid(itut, rec, t, t124, ver, desc) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1353

def oid(itut, rec, t, t124, ver, desc)
  [(itut << 8) | rec, t, t124, ver, desc].pack('C*')
end

#pdu_attach_user_request ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247\ Client MCS Attach User Request PDU - 2.2.1.6

# File 'lib/msf/core/exploit/rdp.rb', line 867

def pdu_attach_user_request
  pdu = "\x28"  # T.125 AttachUserRequest

  build_data_tpdu(pdu)
end

#pdu_channel_join_request(user1, channel_id) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/64564639-3b2d-4d2c-ae77-1105b4cc011b Client MCS Channel Join Request PDU -2.2.1.8

# File 'lib/msf/core/exploit/rdp.rb', line 875

def pdu_channel_join_request(user1, channel_id)
  pdu =
    "\x38" + # T.125 ChannelJoinRequest
    [user1, channel_id].pack("nn")

  build_data_tpdu(pdu)
end

#pdu_client_confirm_active ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4e9722c3-ad83-43f5-af5a-529f73d88b48 Confirm Active PDU Data - TS_CONFIRM_ACTIVE_PDU - 2.2.1.13.2.1

# File 'lib/msf/core/exploit/rdp.rb', line 1071

def pdu_client_confirm_active
  pdu =
    "\xea\x03\x01\x00" + # shareId: 66538
    "\xea\x03" + # originatorId
    "\x06\x00" + # lengthSourceDescriptor: 6
    "\x8e\x01" + # lengthCombinedCapabilities: 398
    "\x4d\x53\x54\x53\x43\x00" + # SourceDescriptor: 'MSTSC'
    "\x0e\x00" + # numberCapabilities: 14
    "\x00\x00" + # pad2Octets
    "\x01\x00" + # capabilitySetType: 1 - TS_GENERAL_CAPABILITYSET
    "\x18\x00" + # lengthCapability: 24
    "\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x0d\x04\x00\x00\x00\x00" + #
    "\x00\x00\x00\x00" + #
    "\x02\x00" + # capabilitySetType: 2 - TS_BITMAP_CAPABILITYSET
    "\x1c\x00" + # lengthCapability: 28
    "\x10\x00\x01\x00\x01\x00\x01\x00\x20\x03\x58\x02\x00\x00\x01\x00" + #
    "\x01\x00\x00\x00\x01\x00\x00\x00" + #
    "\x03\x00" + # capabilitySetType: 3 - TS_ORDER_CAPABILITYSET
    "\x58\x00" + # lengthCapability: 88
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x47\x01\x2a\x00" + #
    "\x01\x01\x01\x01\x00\x00\x00\x00\x01\x01\x01\x01\x00\x01\x01\x00" + #
    "\x00\x00\x00\x00\x01\x01\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00" + #
    "\xa1\x06\x00\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00" + #
    "\xe4\x04\x00\x00\x13\x00\x28\x00\x00\x00\x00\x03\x78\x00\x00\x00" + #
    "\x78\x00\x00\x00\x50\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x08\x00" + # capabilitySetType: 8 - TS_POINTER_CAPABILITYSET
    "\x0a\x00" + # lengthCapability: 10
    "\x01\x00\x14\x00\x14\x00" + #
    "\x0a\x00" + # capabilitySetType: 10 - TS_COLORTABLE_CAPABILITYSET
    "\x08\x00" + # lengthCapability: 8
    "\x06\x00\x00\x00" + #
    "\x07\x00" + # capabilitySetType: 7 - TSWINDOWACTIVATION_CAPABILITYSET
    "\x0c\x00" + # lengthCapability: 12
    "\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x05\x00" + # capabilitySetType: 5 - TS_CONTROL_CAPABILITYSET
    "\x0c\x00" + # lengthCapability: 12
    "\x00\x00\x00\x00\x02\x00\x02\x00" + #
    "\x09\x00" + # capabilitySetType: 9 - TS_SHARE_CAPABILITYSET
    "\x08\x00" + # lengthCapability: 8
    "\x00\x00\x00\x00" + #
    "\x0f\x00" + # capabilitySetType: 15 - TS_BRUSH_CAPABILITYSET
    "\x08\x00" + # lengthCapability: 8
    "\x01\x00\x00\x00" + #
    "\x0d\x00" + # capabilitySetType: 13 - TS_INPUT_CAPABILITYSET
    "\x58\x00" + # lengthCapability: 88
    "\x01\x00\x00\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00" + #
    "\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x00\x00\x00\x00" + #
    "\x0c\x00" + # capabilitySetType: 12 - TS_SOUND_CAPABILITYSET
    "\x08\x00" + # lengthCapability: 8
    "\x01\x00\x00\x00" + #
    "\x0e\x00" + # capabilitySetType: 14 - TS_FONT_CAPABILITYSET
    "\x08\x00" + # lengthCapability: 8
    "\x01\x00\x00\x00" + #
    "\x10\x00" + # capabilitySetType: 16 - TS_GLYPHCAChE_CAPABILITYSET
    "\x34\x00" + # lengthCapability: 52
    "\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00" + #
    "\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00" + #
    "\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x02\x00\x00\x00"

  # type = 0x13 = TS_PROTOCOL_VERSION | PDUTYPE_CONFIRMACTIVEPDU
  build_share_control_header(0x13, pdu)
end

#pdu_client_control_cooperate ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9d1e1e21-d8b4-4bfd-9caf-4b72ee91a7135 Control Cooperate - TC_CONTROL_PDU 2.2.1.15

# File 'lib/msf/core/exploit/rdp.rb', line 1011

def pdu_client_control_cooperate
  pdu =
    "\x04\x00" +       # action: 4 - CTRLACTION_COOPERATE
    "\x00\x00" +       # grantId: 0
    "\x00\x00\x00\x00" # controlId: 0

  # pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
  data_header = build_share_data_header(0x14, pdu)

  # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
  build_share_control_header(0x17, data_header)
end

#pdu_client_control_request ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4f94e123-970b-4242-8cf6-39820d8e3d35 Control Request - TC_CONTROL_PDU 2.2.1.16

# File 'lib/msf/core/exploit/rdp.rb', line 1026

def pdu_client_control_request
  pdu =
    "\x01\x00" +       # action: 1 - CTRLACTION_REQUEST_CONTROL
    "\x00\x00" +       # grantId: 0
    "\x00\x00\x00\x00" # controlId: 0

  # pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
  data_header = build_share_data_header(0x14, pdu)

  # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
  build_share_control_header(0x17, data_header)
end

#pdu_client_font_list ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7067da0d-e318-4464-88e8-b11509cf0bd9 Client Font List - TS_FONT_LIST_PDU - 2.2.1.18

# File 'lib/msf/core/exploit/rdp.rb', line 1041

def pdu_client_font_list
  pdu =
    "\x00\x00" + # numberFonts: 0
    "\x00\x00" + # totalNumberFonts: 0
    "\x03\x00" + # listFlags: 3 (FONTLIST_FIRST | FONTLIST_LAST)
    "\x32\x00"   # entrySize: 50

  # pduType2 = 0x27 = 29 -  PDUTYPE2_FONTLIST
  data_header = build_share_data_header(0x27, pdu)

  # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
  build_share_control_header(0x17, data_header)
end

#pdu_client_info(user_name, domain_name = "", ip_address = "") ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d TS_INFO_PACKET - 2.2.1.11.1.1

# File 'lib/msf/core/exploit/rdp.rb', line 915

def pdu_client_info(user_name, domain_name = "", ip_address = "")
  # Max len for 4.0/6.0 servers is 44 bytes including terminator
  # Max len for all other versions is 512 including terminator
  # We're going to limit to 44 (21 chars + null -> unicode) here.
  # Blank username is ok, nil = random
  user_name = Rex::Text.rand_text_alpha(10) if user_name.nil?
  user_unicode = Rex::Text.to_unicode(user_name[0..20], 'utf-16le')
  uname_len = user_unicode.length

  # Domain can can be, and for rdesktop typically is, empty.
  # Max len for 4.0/5.0 servers is 52 including terminator
  # Max len for all other versions is 512 including terminator
  # We're going to limit to 52 (25 chars + null -> unicode) here.
  domain_unicode = Rex::Text.to_unicode(domain_name[0..24], 'utf-16le')
  domain_len = domain_unicode.length

  # This address value is primarily used to reduce the fields by which this
  # module can be fingerprinted. It doesn't show up in Windows logs.
  # clientAddress + null terminator
  ip_unicode = Rex::Text.to_unicode(ip_address, 'utf-16le') + "\x00\x00"
  ip_len = ip_unicode.length

  "\x00\x00\x00\x00" +    # CodePage
    "\x33\x01\x00\x00" +  # flags - INFO_MOUSE, INFO_DISABLECTRLALTDEL, INFO_UNICODE, INFO_MAXIMIZESHELL, INFO_ENABLEWINDOWSKEY
    [domain_len].pack("S<") + # cbDomain (length value) - EXCLUDES null terminator
    [uname_len].pack("S<") +  # cbUserName (length value) - EXCLUDES null terminator
    "\x00\x00" +  # cbPassword (length value)
    "\x00\x00" +  # cbAlternateShell (length value)
    "\x00\x00" +  # cbWorkingDir (length value)
    [domain_unicode].pack("a*") + # Domain
    "\x00\x00" +                  # Domain null terminator, EXCLUDED from value of cbDomain
    [user_unicode].pack("a*") +   # UserName
    "\x00\x00" +  # UserName null terminator, EXCLUDED FROM value of cbUserName
    "\x00\x00" +  # Password - empty
    "\x00\x00" +  # AlternateShell - empty
    "\x00\x00" +  # WorkingDir - empty
    # TS_EXTENDED_INFO_PACKET - 2.2.1.11.1.1.1
    "\x02\x00" +              # clientAddressFamily - AF_INET - FIXFIX - detect and set dynamically
    [ip_len].pack("S<") +     # cbClientAddress (length value) - INCLUDES terminator ... for reasons.
    [ip_unicode].pack("a*") + # clientAddress (unicode + null terminator (unicode)
    "\x3c\x00" +              # cbClientDir (length value): 60
    # clientDir - 'C:\WINNT\System32\mstscax.dll' + null terminator
    "\x3c\x00\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x4e\x00" + #
    "\x54\x00\x5c\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00" + #
    "\x33\x00\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00" + #
    "\x61\x00\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00" + #
    # clientTimeZone - TS_TIME_ZONE struct - 172 bytes
    # These are the default values for rdesktop
    "\xa4\x01\x00\x00" + # Bias
    # StandardName - 'GTB,normaltid'
    "\x47\x00\x54\x00\x42\x00\x2c\x00\x20\x00\x6e\x00\x6f\x00\x72\x00" + #
    "\x6d\x00\x61\x00\x6c\x00\x74\x00\x69\x00\x64\x00\x00\x00\x00\x00" + #
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x00\x00\x0a\x00\x00\x00\x05\x00\x03\x00\x00\x00\x00\x00\x00\x00" + # StandardDate - Oct 5
    "\x00\x00\x00\x00" + # StandardBias
    # DaylightName - 'GTB,sommartid'
    "\x47\x00\x54\x00\x42\x00\x2c\x00\x20\x00\x73\x00\x6f\x00\x6d\x00" + #
    "\x6d\x00\x61\x00\x72\x00\x74\x00\x69\x00\x64\x00\x00\x00\x00\x00" + #
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
    "\x00\x00\x03\x00\x00\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # DaylightDate - Mar 3
    "\xc4\xff\xff\xff" + # DaylightBias
    "\x00\x00\x00\x00" + # clientSessionId
    "\x27\x00\x00\x00" + # performanceFlags
    "\x00\x00"           # cbAutoReconnectCookie
end

#pdu_client_input_event_sychronize ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/ff7f06f8-0dcf-4c8d-be1f-596ae60c4396 Client Input Event Data - TS_INPUT_PDU_DATA - 2.2.8.1.1.3.1

# File 'lib/msf/core/exploit/rdp.rb', line 1142

def pdu_client_input_event_sychronize
  pdu =
    "\x01\x00" +         # numEvents: 1
    "\x00\x00" +         # pad2Octets
    "\x00\x00\x00\x00" + # eventTime
    "\x00\x00" +         # messageType: 0 - INPUT_EVENT_SYNC
    # TS_SYNC_EVENT 202.8.1.1.3.1.1.5
    "\x00\x00" +         # pad2Octets
    "\x00\x00\x00\x00"   # toggleFlags

  # pduType2 = 0x1c = 28 - PDUTYPE2_INPUT
  data_header = build_share_data_header(0x1c, pdu)

  # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
  build_share_control_header(0x17, data_header)
end

#pdu_client_synchronize(target_user = 0) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5186005a-36f5-4f5d-8c06-968f28e2d992 Client Synchronize - TS_SYNCHRONIZE_PDU - 2.2.1.19 / 2.2.14.1

# File 'lib/msf/core/exploit/rdp.rb', line 1057

def pdu_client_synchronize(target_user = 0)
  pdu =
    "\x01\x00" +              # messageType: 1 SYNCMSGTYPE_SYNC
    [target_user].pack("S<")  # targetUser, 16 bit, unsigned.

  # pduType2 = 0x1f = 31 - PDUTYPE2_SCYNCHRONIZE
  data_header = build_share_data_header(0x1f, pdu)

  # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
  build_share_control_header(0x17, data_header)
end

#pdu_connect_initial(channels, selected_proto = 0, host_name = "rdesktop") ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b

# File 'lib/msf/core/exploit/rdp.rb', line 805

def pdu_connect_initial(channels, selected_proto = 0, host_name = "rdesktop")
  # After negotiating TLS or NLA the connectInitial packet needs to include the
  # protocol selection that the server indicated in its Negotiation Response

  pdu = [
    "\x7f\x65",        # T.125 Connect-Initial (BER: Application 101)
    ber_data(
      "\x04\x01\x01",    # CallingDomainSelector: 1 (BER: OctetString)
      "\x04\x01\x01",    # CalledDomainSelector: 1 (BER: OctetString)
      "\x01\x01\xff",    # UpwaredFlag: True (BER: boolean)

      # TargetParamenters
      encode_domain_selector(
        max_chan_ids: 0x22,
        max_user_ids: 0x2
      ),
      # MinimumParameters
      encode_domain_selector(
        max_chan_ids: 0x1,
        max_user_ids: 0x1,
        max_token_ids: 0x1,
        max_mcspdu_size: 0x0420
      ),
      # MaximumParameters
      encode_domain_selector(
        max_chan_ids: 0xffff,
        max_user_ids: 0xfc17,
        max_token_ids: 0xffff
      ),
      # UserData
      ber_octet_string(
        # T.124 GCC Connection Data (ConnectData)- PER Encoding used
        per_object(oid(0, 0, 20, 124, 0, 1)),
        per_data(
          conf_create_req(),
          per_data(
            cs_core_data(client_name: host_name, selected_proto: selected_proto),
            cs_cluster_data(),
            cs_security_data(),
            cs_network_data(channels)
          )
        )
      )
    )
  ].join('')

  build_data_tpdu(pdu)
end

#pdu_erect_domain_request ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c Client MCS Erect Domain Request PDU - 2.2.1.5

# File 'lib/msf/core/exploit/rdp.rb', line 856

def pdu_erect_domain_request
  pdu =
    "\x04" +       # T.125 ErectDomainRequest
    "\x01\x00" +   # subHeight - length 1, value 0
    "\x01\x00"     # subInterval - length 1, value 0

  build_data_tpdu(pdu)
end

#pdu_negotiation_request(user_name = "", requested_protocols = 0) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10 Client X.224 Connect Request PDU - 2.2.1.1

# File 'lib/msf/core/exploit/rdp.rb', line 782

def pdu_negotiation_request(user_name = "", requested_protocols = 0)
  # Blank username is ok, nil = random
  user_name = Rex::Text.rand_text_alpha(12) if user_name.nil?
  tpkt_len = user_name.length + 38
  x224_len = user_name.length + 33

  "\x03\x00" +              # TPKT Header version 03, reserved 0
    [tpkt_len].pack("S>") + # TPKT length: 43
    [x224_len].pack("C") +  # X.224 LengthIndicator
    "\xe0" +        # X.224 Type: Connect Request
    "\x00\x00" +    # dst reference
    "\x00\x00" +    # src reference
    "\x00" +        # class and options
    # cookie - literal 'Cookie: mstshash='
    "\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x6d\x73\x74\x73\x68\x61\x73\x68\x3d" +
    user_name +     # Identifier "username"
    "\x0d\x0a" +    # cookie terminator
    "\x01\x00" +    # Type: RDP Negotiation Request ( 0x01 )
    "\x08\x00" +    # Length
    [requested_protocols].pack('L<') # requestedProtocols
end

#pdu_new_license_request(client_random, user, host) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpele/c57e4890-9049-421e-9fe8-9a6f9519675a Client New License Request PDU - 2.2.2.2

# File 'lib/msf/core/exploit/rdp.rb', line 760

def pdu_new_license_request(client_random, user, host)
  length = 24 + client_random.length + 64 + user.length + 1 + host.length + 1

  [RDPConstants::LICENSE_NEW_LICENSE_REQ].pack("C") +
  "\x03" +                         # Version
  [length].pack("S<") +            # Length
  "\x01\x01\x00\x00\x00\x01\xff" + # KEY_EXCHANGE_ALG_RSA
  client_random[0..31] +
  "\x02\x00" +                     # Encrypted Premaster Secret RANDOM_BLOB
  [64].pack("S<") +
  "\x00" * 64 +                    # The client license premaster secret, we don't care about the license contents
  "\x0f\x00" +                     # USER_NAME_BLOB
  [user.length + 1].pack("S<") +
  user + "\x00" +
  "\x10\x00" +                     # CLIENT_MACHINE_NAME_BLOB
  [host.length + 1].pack("S<") +
  host + "\x00"

end

#pdu_security_exchange(rcran, rsexp, rsmod, bitlen) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f Client Security Exchange PDU - 2.2.1.10

# File 'lib/msf/core/exploit/rdp.rb', line 885

def pdu_security_exchange(rcran, rsexp, rsmod, bitlen)
  encrypted_rcran_bignum = rsa_encrypt(rcran, rsexp, rsmod)
  encrypted_rcran = int_to_bytestring(encrypted_rcran_bignum)

  bitlen += 8 # Pad with size of TS_SECURITY_PACKET header

  userdata_length = 8 + bitlen
  userdata_length_low = userdata_length & 0xFF
  userdata_length_high = userdata_length / 256
  flags = 0x80 | userdata_length_high

  pdu =
    "\x64" +            # T.125 sendDataRequest
    "\x00\x08" +        # intiator userId
    "\x03\xeb" +        # channelId = 1003
    "\x70" +            # dataPriority = high, segmentation = begin | end
    [flags].pack("C") +
    [userdata_length_low].pack("C") + # UserData length
    # TS_SECURITY_PACKET - 2.2.1.10.1
    "\x01\x00" +           # securityHeader flags
    "\x00\x00" +           # securityHeader flagsHi
    [bitlen].pack("L<") +  # TS_ length
    encrypted_rcran +      # encryptedClientRandom - 64 bytes
    "\x00\x00\x00\x00\x00\x00\x00\x00" # 8 bytes rear padding (always present)

  build_data_tpdu(pdu)
end

#per_data(*ds) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1228

def per_data(*ds)
  data = ds.join('')
  result = ''
  if data.length < 0x4000
    result = [data.length | 0x8000].pack('S>') + data
  else
    result = "\xA2" + [data.length].pack('S>') + data
  end

  result
end

#per_object(*ds) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1216

def per_object(*ds)
  body = ds.join('')

  result = [
    "\x00",
    [body.length].pack('C'),
    body
  ].join('')

  result
end

#rdp_build_pkt(data, channel_id = "\x03\xeb", client_info: false, license_info: false) ⇒ Object

Build the X.224 packet, encrypt with Standard RDP Security as needed default channel_id = 0x03eb = 1003

# File 'lib/msf/core/exploit/rdp.rb', line 702

def rdp_build_pkt(data, channel_id = "\x03\xeb", client_info: false, license_info: false)
  flags = 0
  flags |= 0x08 if @rdp_sec     # Set SEC_ENCRYPT
  flags |= 0x40 if client_info  # Set SEC_INFO_PKT
  flags |= 0x80 if license_info # Set SEC_LICENSE_PKT

  pdu = ""

  # TS_SECURITY_HEADER - 2.2.8.1.1.2.1
  # Send when the packet is encrypted w/ Standard RDP Security and in all Client Info PDUs
  if client_info || @rdp_sec
    pdu << [flags].pack("S<")  # flags  "\x48\x00" = SEC_INFO_PKT | SEC_ENCRYPT
    pdu << "\x00\x00"          # flagsHi
  end

  if @rdp_sec
    # Encrypt the payload with RDP Standard Encryption
    pdu << rdp_hmac(@hmackey, data)[0..7]
    pdu << rdp_rc4_crypt(@rc4enckey, data)
  else
    pdu << data
  end

  user_data_len = pdu.length
  udl_with_flag = 0x8000 | user_data_len

  pkt =  "\x64"      # sendDataRequest
  pkt << "\x00\x08"  # intiator userId .. TODO: for a functional client this isn't static
  pkt << channel_id  # channelId
  pkt << "\x70"      # dataPriority
  pkt << [udl_with_flag].pack("S>")
  pkt << pdu

  build_data_tpdu(pkt)
end

#rdp_calculate_rc4_keys(client_random, server_random) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 635

def rdp_calculate_rc4_keys(client_random, server_random)
  # g = First192Bits(ClientRandom) + First192Bits(ServerRandom)
  g = client_random[0..23] + server_random[0..23]

  # PreMasterHash(I) = SaltedHash(g, I)
  # MasterSecret = PreMasterHash(0x41) + PreMasterHash(0x4242) + PreMasterHash(0x434343)
  master_secret = rdp_salted_hash48(g, "A", client_random, server_random)

  # MasterHash(I) = SaltedHash(MasterSecret, I)
  # SessionKeyBlob = MasterHash(0x58) + MasterHash(0x5959) + MasterHash(0x5A5A5A)
  sessionKeyBlob = rdp_salted_hash48(master_secret, "X", client_random, server_random)

  # InitialClientDecryptKey128 = FinalHash(Second128Bits(SessionKeyBlob))
  initialClientDecryptKey128 = rdp_final_hash(sessionKeyBlob[16..31], client_random, server_random)

  # InitialClientEncryptKey128 = FinalHash(Third128Bits(SessionKeyBlob))
  initialClientEncryptKey128 = rdp_final_hash(sessionKeyBlob[32..47], client_random, server_random)

  mac_key = sessionKeyBlob[0..15]

  return initialClientEncryptKey128, initialClientDecryptKey128, mac_key, sessionKeyBlob
end

#rdp_check_protocol(req_proto = RDPConstants::PROTOCOL_SSL) ⇒ Boolean, RDPConstants

Connect and detect security protocol

Note: NLA is detected but not supported yet

Returns:

• (Boolean) —

  Is service RDP

• (RDPConstants) —

  Protocol supported

# File 'lib/msf/core/exploit/rdp.rb', line 253

def rdp_check_protocol(req_proto = RDPConstants::PROTOCOL_SSL)
  if datastore['RDP_USER']
    @user_name = datastore['RDP_USER']
  else
    @user_name = Rex::Text.rand_text_alpha(7)
  end

  if datastore['RDP_DOMAIN']
    @domain = datastore['RDP_DOMAIN']
  else
    @domain = Rex::Text.rand_text_alpha(7)
  end

  if datastore['RDP_CLIENT_NAME']
    @computer_name = datastore['RDP_CLIENT_NAME']
  else
    @computer_name = Rex::Text.rand_text_alpha(15)
  end

  @ip_address = datastore['RDP_CLIENT_IP']

  # code to check if RDP is open or not
  vprint_status("Verifying RDP protocol...")

  vprint_status("Attempting to connect using TLS security")
  res = rdp_send_recv(pdu_negotiation_request(@user_name, req_proto))

  # return true if the response is a X.224 Connect Confirm
  # We can't use a check for RDP Negotiation Response because WinXP excludes it
  if res
    result, err_msg = rdp_parse_negotiation_response(res)
    return true, result if result

    # No current support for NLA, nothing to do here
    return true, RDPConstants::PROTOCOL_HYBRID if err_msg == 'HYBRID_REQUIRED_BY_SERVER'

    if err_msg == "Negotiation Response packet too short."
      vprint_status("Attempt to connect with TLS failed but looks like the target is Windows XP")
    else
      vprint_status("Attempt to connect with TLS failed with error: #{err_msg}")
    end

    if ["SSL_NOT_ALLOWED_BY_SERVER", "Negotiation Response packet too short."].include? err_msg
      # This happens if the server is configured to ONLY permit RDP Security
      vprint_status("Attempting to connect using Standard RDP security")
      rdp_disconnect
      rdp_connect
      res = rdp_send_recv(pdu_negotiation_request(@user_name, RDPConstants::PROTOCOL_RDP))

      if res
        result, err_msg = rdp_parse_negotiation_response(res)
        return true, result if result

        # Windows XP doesn't return the standard Negotiation Response packet
        # but we at least know this was RDP since the packet contained a
        # Connect-Confirm response (0xd0).
        if err_msg == "Negotiation Response packet too short."
          return true, RDPConstants::PROTOCOL_RDP
        end

        vprint_status("Attempt to connect with Standard RDP failed with error #{err_msg}")
      end
    end
  end

  return false, 0
end

#rdp_connect ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 143

def rdp_connect
  self.rdp_sock = connect(false)
  self.rdp_sock.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)
end

#rdp_create_channel_msg(chan_user_id, chan_id, data, flags = 3, data_length = nil) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 219

def rdp_create_channel_msg(chan_user_id, chan_id, data, flags = 3, data_length = nil)
  data_length ||= data.length

  pdu = [
    [25 << 2].pack('C'), # MCS send data request structure, choice 25
    [self.rdp_user_id, chan_id].pack('S>S>'), # MCS send data request structure, choice 25
    "\x70", # Wut (security header)
    per_data(
      [data_length].pack('<L'),
      [flags].pack('<L'),
      data
    )
  ].join('')

  build_data_tpdu(pdu)
end

#rdp_disconnect ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 148

def rdp_disconnect
  disconnect(self.rdp_sock)
  self.rdp_sock = nil
end

#rdp_dispatch_loop ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 213

def rdp_dispatch_loop
  while rdp_sock do
    rdp_handle_packet(rdp_recv)
  end
end

#rdp_establish_session ⇒ Object

Finish building session after all security is negotiated

# File 'lib/msf/core/exploit/rdp.rb', line 443

def rdp_establish_session
  vprint_status("Sending client info PDU")
  res = rdp_send_recv(rdp_build_pkt(pdu_client_info(@user_name, @domain, @ip_address),
                                    "\x03\xeb", client_info: true))
  vprint_status("Received License packet (#{res.length} bytes)")
  rdp_parse_license_pdu(res)

  # Windows XP sometimes sends a very large license packet. This is likely
  # some form of license error. When it does this it doesn't send a Server
  # Demand packet. If we wait on one we will time out here and error. We
  # can still successfully check for vulnerability anyway.
  if res.length <= 34
    vprint_status("Waiting for Server Demand packet")
    _res = rdp_recv
    vprint_status("Received Server Demand packet")
  end

  vprint_status("Sending client confirm active PDU")
  rdp_send(rdp_build_pkt(pdu_client_confirm_active))

  vprint_status("Sending client synchronize PDU")
  vprint_status("Sending client control cooperate PDU")
  # Unsure why we're using 1009 here but it works.
  synch = rdp_build_pkt(pdu_client_synchronize(1009))
  coop = rdp_build_pkt(pdu_client_control_cooperate)
  rdp_send(synch + coop)

  vprint_status("Sending client control request control PDU")
  rdp_send(rdp_build_pkt(pdu_client_control_request))

  vprint_status("Sending client input sychronize PDU")
  rdp_send(rdp_build_pkt(pdu_client_input_event_sychronize))

  vprint_status("Sending client font list PDU")
  rdp_send(rdp_build_pkt(pdu_client_font_list))
end

#rdp_final_hash(k, client_random_bytes, server_random_bytes) ⇒ Object

FinalHash(K) = MD5(K + ClientRandom + ServerRandom)

# File 'lib/msf/core/exploit/rdp.rb', line 625

def rdp_final_hash(k, client_random_bytes, server_random_bytes)
  md5 = Digest::MD5.new

  md5 << k
  md5 << client_random_bytes
  md5 << server_random_bytes

  [md5.hexdigest].pack("H*")
end

#rdp_fingerprint ⇒ Boolean, Hash

Connect and perform fingerprinting of the RDP service

Note: NLA is required to detect the product_version

Returns:

• (Boolean) —

  Is service RDP

• (Hash) —

  Version information

# File 'lib/msf/core/exploit/rdp.rb', line 177

def rdp_fingerprint
  peer_info = {}
  # warning: if rdp_check_protocol starts handling NLA, this will need to be updated
  is_rdp, server_selected_proto = rdp_check_protocol(RDPConstants::PROTOCOL_SSL | RDPConstants::PROTOCOL_HYBRID | RDPConstants::PROTOCOL_HYBRID_EX)
  return false, nil unless is_rdp
  return true, peer_info unless [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto

  swap_sock_plain_to_ssl
  ntlm_negotiate_blob = ''  # see: https://fadedlab.wordpress.com/2019/06/13/using-nmap-to-extract-windows-info-from-rdp/
  ntlm_negotiate_blob << "\x30\x37\xa0\x03\x02\x01\x60\xa1\x30\x30\x2e\x30\x2c\xa0\x2a\x04\x28"
  ntlm_negotiate_blob << "\x4e\x54\x4c\x4d\x53\x53\x50\x00"  #  Identifier - NTLMSSP
  ntlm_negotiate_blob << "\x01\x00\x00\x00"                  #  Type: NTLMSSP Negotiate - 01
  ntlm_negotiate_blob << "\xb7\x82\x08\xe2"                  #  Flags (NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | REQUEST_TARGET | NEGOTIATE_UNICODE)
  ntlm_negotiate_blob << "\x00\x00"                          #  DomainNameLen
  ntlm_negotiate_blob << "\x00\x00"                          #  DomainNameMaxLen
  ntlm_negotiate_blob << "\x00\x00\x00\x00"                  #  DomainNameBufferOffset
  ntlm_negotiate_blob << "\x00\x00"                          #  WorkstationLen
  ntlm_negotiate_blob << "\x00\x00"                          #  WorkstationMaxLen
  ntlm_negotiate_blob << "\x00\x00\x00\x00"                  #  WorkstationBufferOffset
  ntlm_negotiate_blob << "\x0a"                              #  ProductMajorVersion = 10
  ntlm_negotiate_blob << "\x00"                              #  ProductMinorVersion = 0
  ntlm_negotiate_blob << "\x63\x45"                          #  ProductBuild = 0x4563 = 17763
  ntlm_negotiate_blob << "\x00\x00\x00"                      #  Reserved
  ntlm_negotiate_blob << "\x0f"                              #  NTLMRevision = 5 = NTLMSSP_REVISION_W2K3
  resp = rdp_send_recv(ntlm_negotiate_blob)

  ntlmssp_start = resp.index('NTLMSSP')
  if ntlmssp_start
    ntlmssp = NTLM_MESSAGE::parse(resp[ntlmssp_start..-1])
    version = ntlmssp.padding.bytes
    peer_info[:product_version] = "#{version[0]}.#{version[1]}.#{version[2] | (version[3] << 8)}"
  end

  return is_rdp, peer_info
end

#rdp_generate_license_keys(data) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 372

def rdp_generate_license_keys(data)
  client_random = ''
  32.times { client_random << rand(0..255) }
  premaster_secret = ''
  32.times { premaster_secret << rand(0..255) }
  server_random = data[0..31]

  master_secret = rdp_salted_hash48(premaster_secret, "A", client_random, server_random)
  key_block = rdp_salted_hash48(master_secret, "A", client_random, server_random)

  license_sign_key = key_block[0..15]
  license_key = rdp_salted_hash16(key_block[16..31], client_random, server_random)

  return client_random, license_key, license_sign_key
end

#rdp_handle_license_error_alert(data) ⇒ Object

Raises:

• (RdpCommunicationError)

# File 'lib/msf/core/exploit/rdp.rb', line 404

def rdp_handle_license_error_alert(data)
  error_code, state_transition, error_info = data[0..11].unpack("VVV")
  vprint_status("License error/alert code 0x#{error_code.to_s(16)} (#{RDPConstants::LICENSE_ERRS[error_code]})")
  # Ensure that we were issued a license by the server
  raise RdpCommunicationError if error_code != RDPConstants::LICENSE_ERR_LICENSE_ISSUED
end

#rdp_handle_license_request(data) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpele/e17772e9-9642-4bb6-a2bc-82875dd6da7c Server License Request - 2.2.2.1

# File 'lib/msf/core/exploit/rdp.rb', line 390

def rdp_handle_license_request(data)
  # Note: license_key is currently unused
  client_random, license_key, license_sign_key = rdp_generate_license_keys(data)

  # We're not really decrypting the license from the server, but it should be good enough
  vprint_status("Sending new license request PDU")
  new_license_request = pdu_new_license_request(client_random, @user_name, @computer_name)
  pkt = rdp_build_pkt(new_license_request, license_info: true)

  # Expect that we are issued a license here
  res = rdp_send_recv(pkt)
  rdp_parse_license_pdu(res)
end

#rdp_handle_packet(pkt) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1391

def rdp_handle_packet(pkt)
  if pkt && pkt[0] == "\x03"
    if pkt[4..6] == "\x02\xf0\x80"
      if pkt[7] == "\x68"
        chan_user_id = pkt[8..9].unpack('S>')[0]
        chan_id = pkt[10..11].unpack('S>')[0]
        flags = pkt[18..21].unpack('<L')[0]
        data = pkt[22..pkt.length]
        rdp_on_channel_receive(pkt, chan_user_id, chan_id, flags, data)
      end
    end
  end
end

#rdp_hmac(mac_salt_key, data_content) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7c61b54e-f6cd-4819-a59a-daf200f6bf94 mac_salt_key = “Wx13xc58x7fxebxa9x10*x1exddVx96x8b[d” data_content = “x12x00x17x00xefx03xeax03x02x00x00x01x04x00$x00x00x00” hmac = rdp_hmac(mac_salt_key, data_content) # == hexlified: “22d5aeb486994a0c785dc929a2855923”

# File 'lib/msf/core/exploit/rdp.rb', line 572

def rdp_hmac(mac_salt_key, data_content)
  sha1 = Digest::SHA1.new
  md5 = Digest::MD5.new

  pad1 = "\x36" * 40
  pad2 = "\x5c" * 48

  sha1 << mac_salt_key
  sha1 << pad1
  sha1 << [data_content.length].pack('<L')
  sha1 << data_content

  md5 << mac_salt_key
  md5 << pad2
  md5 << [sha1.hexdigest].pack("H*")

  [md5.hexdigest].pack("H*")
end

#rdp_move_mouse(x = 1, y = 1) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 480

def rdp_move_mouse(x = 1, y = 1)
  mouse_move_blob = ""
  mouse_move_blob << "\x04\x80\x0a"    # copypasta FAST PATH stuff from xfreerdp
  mouse_move_blob << "\x20"            # TS_FP_INPUT_EVENT::eventHeader = 0x20 (FASTPATH_INPUT_EVENT_MOUSE)
  mouse_move_blob << "\x00\x08"        # TS_FP_POINTER_EVENT::pointerFlags  = 0x0800 (PTRFLAGS_MOVE)
  mouse_move_blob << [x, y].pack('vv') # TS_FP_POINTER_EVENT::xPos, TS_FP_POINTER_EVENT::yPos
  rdp_send(mouse_move_blob)
end

#rdp_negotiate_security(channels, req_proto = RDPConstants::PROTOCOL_SSL) ⇒ Boolean

Negotiate security protocol and begin session building

Returns:

• (Boolean) —

  success

# File 'lib/msf/core/exploit/rdp.rb', line 324

def rdp_negotiate_security(channels, req_proto = RDPConstants::PROTOCOL_SSL)
  if req_proto == RDPConstants::PROTOCOL_SSL
    swap_sock_plain_to_ssl
    res = rdp_send_recv(pdu_connect_initial(channels, req_proto, @computer_name))
  elsif req_proto == RDPConstants::PROTOCOL_RDP
    res = rdp_send_recv(pdu_connect_initial(channels, req_proto, @computer_name))
    rsmod, rsexp, _rsran, server_rand, bitlen = rdp_parse_connect_response(res)
  elsif [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(req_proto)
    vprint_status("NLA Security protocol unsupported at this time.")
    return false
  else
    vprint_error("Unknown protocol requested (#{req_proto}).")
    return false
  end

  # erect domain and attach user
  vprint_status("Sending erect domain request")
  rdp_send(pdu_erect_domain_request)
  res = rdp_send_recv(pdu_attach_user_request)

  self.rdp_user_id = res[9, 2].unpack("n").first

  # send channel requests
  [1009, 1003, 1004, 1005, 1006, 1007, 1008].each do |chan|
    rdp_send_recv(pdu_channel_join_request(self.rdp_user_id, chan))
  end

  if req_proto == RDPConstants::PROTOCOL_RDP
    @rdp_sec = true

    # 5.3.4 Client Random Value
    client_rand = ''
    32.times { client_rand << rand(0..255) }
    rcran = bytes_to_bignum(client_rand)

    vprint_status("Sending security exchange PDU")
    rdp_send(pdu_security_exchange(rcran, rsexp, rsmod, bitlen))

    # We aren't decrypting anything at this point. Leave the variables here
    # to make it easier to understand in the future.
    rc4encstart, _rc4decstart, @hmackey, _sessblob = rdp_calculate_rc4_keys(client_rand, server_rand)

    @rc4enckey = RC4.new(rc4encstart)
  end

  return true
end

#rdp_on_channel_receive(pkt, chan_user_id, chan_id, flags, data) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1405

def rdp_on_channel_receive(pkt, chan_user_id, chan_id, flags, data)
  ctype = data[0..1].unpack('S')[0]

  if ctype == RDPConstants::RDPDR_CTYP_CORE
    opcode = data[2..3].unpack('S')[0]
    if opcode == RDPConstants::PAKID_CORE_SERVER_ANNOUNCE
      rdp_on_core_server_announce(pkt, chan_user_id, chan_id, flags, data)
    elsif opcode == RDPConstants::PAKID_CORE_SERVER_CAPABILITY
      rdp_on_core_server_capability(pkt, chan_user_id, chan_id, flags, data)
    elsif opcode == RDPConstants::PAKID_CORE_CLIENTID_CONFIRM
      rdp_on_core_client_id_confirm(pkt, chan_user_id, chan_id, flags, data)
    end
  end
end

#rdp_on_core_client_id_confirm(pkt, chan_user_id, chan_id, flags, data) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1434

def rdp_on_core_client_id_confirm(pkt, chan_user_id, chan_id, flags, data)
  vprint_status("Handling CLIENT ID CONFIRM ...")
  rdpdr_client_device_list_announce_request(pkt, chan_user_id, chan_id, flags, data)
end

#rdp_on_core_server_announce(pkt, chan_user_id, chan_id, flags, data) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1420

def rdp_on_core_server_announce(pkt, chan_user_id, chan_id, flags, data)
  vprint_status("Handling SERVER ANNOUNCE ...")
  rdpdr_client_announce_reply(pkt, chan_user_id, chan_id, flags, data)
  rdpdr_client_name_request(pkt, chan_user_id, chan_id, flags, data)
end

#rdp_on_core_server_capability(pkt, chan_user_id, chan_id, flags, data) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1426

def rdp_on_core_server_capability(pkt, chan_user_id, chan_id, flags, data)
  vprint_status("Handling SERVER CAPABILITY ...")
  # change opcode 1 byte to match server capabilities
  reply = [data[0..2], "\x43", data[4..data.length]].join('')

  rdp_send_channel(chan_user_id, chan_id, reply)
end

#rdp_parse_connect_response(pkt) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/927de44c-7fe8-4206-a14f-e5517dc24b1c Parse Server MCS Connect Response PUD - 2.2.1.4

# File 'lib/msf/core/exploit/rdp.rb', line 523

def rdp_parse_connect_response(pkt)
  ptr = 0
  rdp_pkt = pkt[0x49..pkt.length]

  while ptr < rdp_pkt.length
    header_type = rdp_pkt[ptr..ptr + 1]
    header_length = rdp_pkt[ptr + 2..ptr + 3].unpack("S<")[0]

    if header_type == "\x02\x0c"

      server_random = rdp_pkt[ptr + 20..ptr + 51]
      public_exponent = rdp_pkt[ptr + 84..ptr + 87]

      rsa_magic = rdp_pkt[ptr + 68..ptr + 71]
      if rsa_magic != "RSA1"
        print_error("Server cert isn't RSA, this scenario isn't supported (yet).")
        raise RdpCommunicationError
      end

      bitlen = rdp_pkt[ptr + 72..ptr + 75].unpack("L<")[0] - 8
      modulus = rdp_pkt[ptr + 88..ptr + 87 + bitlen]
    end

    ptr += header_length
  end

  # vprint_status("SERVER_MODULUS: #{bin_to_hex(modulus)}")
  # vprint_status("SERVER_EXPONENT: #{bin_to_hex(public_exponent)}")
  # vprint_status("SERVER_RANDOM: #{bin_to_hex(server_random)}")

  rsmod = bytes_to_bignum(modulus)
  rsexp = bytes_to_bignum(public_exponent)
  rsran = bytes_to_bignum(server_random)

  # vprint_status("MODULUS  = #{bin_to_hex(modulus)} - #{rsmod.to_s}")
  # vprint_status("EXPONENT = #{bin_to_hex(public_exponent)} - #{rsexp.to_s}")
  # vprint_status("SVRANDOM = #{bin_to_hex(server_random)} - #{rsran.to_s}")

  return rsmod, rsexp, rsran, server_random, bitlen
end

#rdp_parse_license_pdu(data) ⇒ Object

Raises:

• (RdpCommunicationError)

# File 'lib/msf/core/exploit/rdp.rb', line 411

def rdp_parse_license_pdu(data)
  raise RdpCommunicationError if data.length < 20
  rdp_version = data[0].unpack("C")[0]
  raise RdpCommunicationError if rdp_version != 3
  length = data[2..3].unpack("n")[0]
  if data.length < length
    vprint_error("Got #{data.length} bytes, expected #{length}")
    raise RdpCommunicationError
  end

  data_len = data[13].unpack("C")[0]
  tag_offset = 18
  tag_offset += 1 if (data_len & 0x80 == 0x80) # 2 byte length

  tag = data[tag_offset].unpack("C")[0]
  vprint_status("Got license packet type 0x#{tag.to_s(16)} (#{RDPConstants::LICENSE_TAGS[tag]})")

  case tag
    when RDPConstants::LICENSE_REQUEST
      rdp_handle_license_request(data[tag_offset + 4..-1])
    when RDPConstants::LICENSE_PLATFORM_CHALLENGE
    when RDPConstants::LICENSE_NEW_LICENSE
    when RDPConstants::LICENSE_UPGRADE_LICENSE
    when RDPConstants::LICENSE_LICENSE_INFO
    when RDPConstants::LICENSE_NEW_LICENSE_REQ
    when RDPConstants::LICENSE_PLATFORM_CHAL_RESP
    when RDPConstants::LICENSE_ERROR_ALERT
      rdp_handle_license_error_alert(data[tag_offset + 4..-1])
  end
end

#rdp_parse_negotiation_response(data) ⇒ String^?

Parse RDP Negotiation Data - 2.2.1.2 Reference: docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/13757f8f-66db-4273-9d2c-385c33b1e483

Returns:

• (String, nil) —

  String representation of the Selected Protocol or nil on failure

• (String) —

  Error message

# File 'lib/msf/core/exploit/rdp.rb', line 497

def rdp_parse_negotiation_response(data)
  return false, "Response is not an RDP Negotiation Response packet." unless data.match("\x03\x00\x00..\xd0")
  return false, "Negotiation Response packet too short." if data.length < 19

  response_code = data[11].unpack("C")[0]

  if response_code == 2  # TYPE_RDP_NEG_RSP
    # RDP Negotiation Response - 2.2.1.2.1
    server_selected_proto = data[15..18].unpack("L<")[0]

    proto_label = RDPConstants::RDP_NEG_PROTOCOL[server_selected_proto]
    return server_selected_proto, nil if proto_label

    return nil, "Unknown protocol in Negotiation Response: #{server_selected_proto}"

  elsif response_code == 3  # TYPE_RDP_NEG_FAILURE
    # RDP Negotiation Failure - 2.2.1.2.2
    failure_code = data[15..18].unpack("L<")[0]
    return nil, RDPConstants::RDP_NEG_FAILURE[failure_code]
  else
    return nil, "Unknown Negotiation Response code: #{response_code}"
  end
end

#rdp_rc4_crypt(rc4obj, data) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 662

def rdp_rc4_crypt(rc4obj, data)
  rc4obj.encrypt(data)
end

#rdp_recv(length = -1,, timeout = 5) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 157

def rdp_recv(length = -1, timeout = 5)
  res = self.rdp_sock.get_once(length, timeout)
  raise RdpCommunicationError unless res # nil due to a timeout

  res
rescue EOFError
  raise RdpCommunicationError
end

#rdp_salted_hash(s_bytes, i_bytes, client_random_bytes, server_random_bytes) ⇒ Object

docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/705f9542-b0e3-48be-b9a5-cf2ee582607f

SaltedHash(S, I) = MD5(S + SHA(I + S + ClientRandom + ServerRandom))

# File 'lib/msf/core/exploit/rdp.rb', line 603

def rdp_salted_hash(s_bytes, i_bytes, client_random_bytes, server_random_bytes)
  sha1 = Digest::SHA1.new
  md5 = Digest::MD5.new

  sha1 << i_bytes
  sha1 << s_bytes
  sha1 << client_random_bytes
  sha1 << server_random_bytes

  md5 << s_bytes
  md5 << [sha1.hexdigest].pack("H*")

  [md5.hexdigest].pack("H*")
end

#rdp_salted_hash16(s_bytes, salt1, salt2) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 591

def rdp_salted_hash16(s_bytes, salt1, salt2)
  md5 = Digest::MD5.new

  md5 << s_bytes[0..15]
  md5 << salt1[0..31]
  md5 << salt2[0..31]

  [md5.hexdigest].pack("H*")
end

#rdp_salted_hash48(s_bytes, i_byte, client_random, server_random) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 618

def rdp_salted_hash48(s_bytes, i_byte, client_random, server_random)
  rdp_salted_hash(s_bytes, i_byte, client_random, server_random) + \
    rdp_salted_hash(s_bytes, (i_byte.ord + 1).chr * 2, client_random, server_random) + \
    rdp_salted_hash(s_bytes, (i_byte.ord + 2).chr * 3, client_random, server_random)
end

#rdp_send(data) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 153

def rdp_send(data)
  self.rdp_sock.put(data)
end

#rdp_send_channel(chan_user_id, chan_id, data, flags = 3, data_length = nil) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 236

def rdp_send_channel(chan_user_id, chan_id, data, flags = 3, data_length = nil)
  tpkt = rdp_create_channel_msg(chan_user_id, chan_id, data, flags, data_length)
  rdp_send(tpkt)
end

#rdp_send_recv(data) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 166

def rdp_send_recv(data)
  rdp_send(data)
  rdp_recv
end

#rdp_terminate ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 241

def rdp_terminate
  body = "\x21\x80" # user requested disconnect provider ultimatum

  rdp_send(build_data_tpdu(body))
end

#rdpdr_client_announce_reply(pkt, chan_user_id, chan_id, flags, data) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1449

def rdpdr_client_announce_reply(pkt, chan_user_id, chan_id, flags, data)
  reply = [
    RDPConstants::RDPDR_CTYP_CORE,
    RDPConstants::PAKID_CORE_CLIENTID_CONFIRM,
    0x1, # Version Major
    0xc, # Version Minor
    0x2, # client ID (TODO: configure this? read it from the packet?
  ].pack('SSSSL')

  rdp_send_channel(chan_user_id, chan_id, reply)
end

#rdpdr_client_device_list_announce_request(pkt, chan_user_id, chan_id, flags, data) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1439

def rdpdr_client_device_list_announce_request(pkt, chan_user_id, chan_id, flags, data)
  reply = [
    RDPConstants::RDPDR_CTYP_CORE,
    RDPConstants::PAKID_CORE_DEVICELIST_ANNOUNCE,
    0x0, # Device count
  ].pack('SSL')

  rdp_send_channel(chan_user_id, chan_id, reply)
end

#rdpdr_client_name_request(pkt, chan_user_id, chan_id, flags, data) ⇒ Object (protected)

# File 'lib/msf/core/exploit/rdp.rb', line 1461

def rdpdr_client_name_request(pkt, chan_user_id, chan_id, flags, data)
  computer_name = Rex::Text.to_unicode("#{@computer_name}\x00", 'utf-16le')
  reply = [
    RDPConstants::RDPDR_CTYP_CORE,
    RDPConstants::PAKID_CORE_CLIENT_NAME,
    0x1, # Unicode flag
    0x0, # Code Page
    computer_name.length,
    computer_name,
  ].pack('SSLLLa*')

  rdp_send_channel(chan_user_id, chan_id, reply)
end

#rsa_encrypt(bignum, rsexp, rsmod) ⇒ Object

# File 'lib/msf/core/exploit/rdp.rb', line 658

def rsa_encrypt(bignum, rsexp, rsmod)
  (bignum ** rsexp) % rsmod
end

#swap_sock_plain_to_ssl ⇒ Object

Create a new SSL session on the existing socket. Stolen from exploit/smtp_deliver.rb

# File 'lib/msf/core/exploit/rdp.rb', line 1165

def swap_sock_plain_to_ssl
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = OpenSSL::SSL::TLS1_VERSION
  ctx.security_level = datastore['RDP_TLS_SECURITY_LEVEL']
  ssl = OpenSSL::SSL::SSLSocket.new(self.rdp_sock, ctx)

  begin
    ssl.connect
  rescue Errno::ECONNRESET
    vprint_error("Retry with advanced option RDP_TLS_SECURITY_LEVEL=0")
    raise
  end

  self.rdp_sock.extend(Rex::Socket::SslTcp)
  self.rdp_sock.sslsock = ssl
  self.rdp_sock.sslctx  = ctx
end