metasploit-gs/lib/msf/core/exploit/remote/rdp.rb

# -*- coding: binary -*-

module Msf

###
#
# This module exposes methods for interacting with a remote RDP service
#
###
module Exploit::Remote::RDP
  require 'rc4'
  include Msf::Exploit::Remote::Tcp

  #
  # Creates an instance of a RDP exploit module.
  #
  def initialize(info = {})
    super
    register_options(
      [
        OptString.new('RDP_USER', [ false, 'The username to report during connect, UNSET = random']),
        OptString.new('RDP_CLIENT_NAME', [ false, 'The client computer name to report during connect, UNSET = random', 'rdesktop']),
        OptString.new('RDP_DOMAIN', [ false, 'The client domain name to report during connect']),
        OptAddress.new('RDP_CLIENT_IP', [ true, 'The client IPv4 address to report during connect', '192.168.0.100']),
        Opt::RPORT(3389)
      ], Msf::Exploit::Remote::RDP)
      register_advanced_options(
      [
        OptInt.new('RDP_TLS_SECURITY_LEVEL', [ true, 'Change default TLS security level. "0" (default) means everything is permitted. "1" rejects very weak parameters and "2" is even stricter.', 0 ])
      ], Msf::Exploit::Remote::RDP)
  end


  # used to abruptly abort scanner for a given host
  class RdpCommunicationError < StandardError
  end

  #
  # Constants
  #
  class RDPConstants
    SSL_REQUIRED_BY_SERVER = 1
    SSL_NOT_ALLOWED_BY_SERVER = 2
    SSL_CERT_NOT_ON_SERVER = 3
    INCONSISTENT_FLAGS = 4
    HYBRID_REQUIRED_BY_SERVER = 5
    SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER = 6

    PROTOCOL_RDP = 0
    PROTOCOL_SSL = 1
    PROTOCOL_HYBRID = 2
    PROTOCOL_RDSTLS = 4
    PROTOCOL_HYBRID_EX = 8

    RDP_NEG_PROTOCOL = {
      0 => "PROTOCOL_RDP",
      1 => "PROTOCOL_SSL",
      2 => "PROTOCOL_HYBRID",
      4 => "PROTOCOL_RDSTLS",
      8 => "PROTOCOL_HYBRID_EX"
    }

    RDP_NEG_FAILURE = {
      1 => "SSL_REQUIRED_BY_SERVER",
      2 => "SSL_NOT_ALLOWED_BY_SERVER",
      3 => "SSL_CERT_NOT_ON_SERVER",
      4 => "INCONSISTENT_FLAGS",
      5 => "HYBRID_REQUIRED_BY_SERVER",
      6 => "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"
    }

    REDIRECTION_SUPPORTED = 0x1
    REDIRECTION_VERSION3  = 0x2 << 2
    REDIRECTION_VERSION4  = 0x3 << 2
    REDIRECTION_VERSION5  = 0x4 << 2

    ENCRYPTION_40BIT  = 0x01
    ENCRYPTION_128BIT = 0x02
    ENCRYPTION_56BIT  = 0x08
    ENCRYPTION_FIPS   = 0x10

    LICENSE_REQUEST            = 0x01
    LICENSE_PLATFORM_CHALLENGE = 0x02
    LICENSE_NEW_LICENSE        = 0x03
    LICENSE_UPGRADE_LICENSE    = 0x04
    LICENSE_LICENSE_INFO       = 0x12
    LICENSE_NEW_LICENSE_REQ    = 0x13
    LICENSE_PLATFORM_CHAL_RESP = 0x15
    LICENSE_ERROR_ALERT        = 0xff

    LICENSE_TAGS = {
      0x01 => "LICENSE_REQUEST",
      0x02 => "LICENSE_PLATFORM_CHALLENGE",
      0x03 => "LICENSE_NEW_LICENSE",
      0x04 => "LICENSE_UPGRADE_LICENSE",
      0x12 => "LICENSE_LICENSE_INFO",
      0x13 => "LICENSE_NEW_LICENSE_REQ",
      0x15 => "LICENSE_PLATFORM_CHAL_RESP",
      0xff => "LICENSE_ERROR_ALERT"
    }

    LICENSE_ERR_INVALID_SCOPE     = 0x04
    LICENSE_ERR_NO_LICENSE_SERVER = 0x06
    LICENSE_ERR_LICENSE_ISSUED    = 0x07
    LICENSE_ERR_INVALID_CLIENT    = 0x08
    LICENSE_ERR_INVALID_PRODUCTID = 0x0b
    LICENSE_ERR_INVALID_MSG_LEN   = 0x0c

    LICENSE_ERRS = {
      0x04 => "INVALID_SCOPE",
      0x06 => "NO_LICENSE_SERVER",
      0x07 => "LICENSE_ISSUED",
      0x08 => "INVALID_CLIENT",
      0x0b => "INVALID_PRODUCTID",
      0x0c => "INVALID_MSG_LEN"
    }

    CHAN_INITIALIZED               = 0x80000000
    CHAN_ENCRYPT_RDP               = 0x40000000
    CHAN_ENCRYPT_SC                = 0x20000000
    CHAN_ENCRYPT_CS                = 0x10000000
    CHAN_PRI_HIGH                  = 0x08000000
    CHAN_PRI_MED                   = 0x04000000
    CHAN_PRI_LOW                   = 0x02000000
    CHAN_COMPRESS_RDP              = 0x00800000
    CHAN_COMPRESS                  = 0x00400000
    CHAN_SHOW_PROTOCOL             = 0x00200000
    CHAN_REMOTE_CONTROL_PERSISTENT = 0x00100000

    CHAN_FLAG_FIRST         = 0x01
    CHAN_FLAG_LAST          = 0x02
    CHAN_FLAG_SHOW_PROTOCOL = 0x10

    RDPDR_CTYP_CORE = 0x4472

    PAKID_CORE_SERVER_ANNOUNCE     = 0x496e
    PAKID_CORE_SERVER_CAPABILITY   = 0x5350
    PAKID_CORE_CLIENTID_CONFIRM    = 0x4343
    PAKID_CORE_CLIENT_NAME         = 0x434e
    PAKID_CORE_DEVICELIST_ANNOUNCE = 0x4441
  end

  def rdp_connect
    self.rdp_sock = connect(false)
    self.rdp_sock.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)
  end

  def rdp_disconnect
    disconnect(self.rdp_sock)
    self.rdp_sock = nil
  end

  def rdp_send(data)
    self.rdp_sock.put(data)
  end

  def rdp_recv(length = -1, timeout = 5)
    res = self.rdp_sock.get_once(length, timeout)
    raise RdpCommunicationError unless res # nil due to a timeout

    res
  rescue EOFError
    raise RdpCommunicationError
  end

  def rdp_send_recv(data)
    rdp_send(data)
    rdp_recv
  end

  # Connect and perform fingerprinting of the RDP service
  #
  # Note: NLA is required to detect the product_version
  #
  # @return [Boolean] Is service RDP
  # @return [Hash] Version information
  def rdp_fingerprint
    peer_info = {}
    # warning: if rdp_check_protocol starts handling NLA, this will need to be updated
    is_rdp, server_selected_proto = rdp_check_protocol(RDPConstants::PROTOCOL_SSL | RDPConstants::PROTOCOL_HYBRID | RDPConstants::PROTOCOL_HYBRID_EX)
    return false, nil unless is_rdp
    return true, peer_info unless [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto

    swap_sock_plain_to_ssl
    ntlm_negotiate_blob = ''  # see: https://fadedlab.wordpress.com/2019/06/13/using-nmap-to-extract-windows-info-from-rdp/
    ntlm_negotiate_blob << "\x30\x37\xa0\x03\x02\x01\x60\xa1\x30\x30\x2e\x30\x2c\xa0\x2a\x04\x28"
    ntlm_negotiate_blob << "\x4e\x54\x4c\x4d\x53\x53\x50\x00"  #  Identifier - NTLMSSP
    ntlm_negotiate_blob << "\x01\x00\x00\x00"                  #  Type: NTLMSSP Negotiate - 01
    ntlm_negotiate_blob << "\xb7\x82\x08\xe2"                  #  Flags (NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | REQUEST_TARGET | NEGOTIATE_UNICODE)
    ntlm_negotiate_blob << "\x00\x00"                          #  DomainNameLen
    ntlm_negotiate_blob << "\x00\x00"                          #  DomainNameMaxLen
    ntlm_negotiate_blob << "\x00\x00\x00\x00"                  #  DomainNameBufferOffset
    ntlm_negotiate_blob << "\x00\x00"                          #  WorkstationLen
    ntlm_negotiate_blob << "\x00\x00"                          #  WorkstationMaxLen
    ntlm_negotiate_blob << "\x00\x00\x00\x00"                  #  WorkstationBufferOffset
    ntlm_negotiate_blob << "\x0a"                              #  ProductMajorVersion = 10
    ntlm_negotiate_blob << "\x00"                              #  ProductMinorVersion = 0
    ntlm_negotiate_blob << "\x63\x45"                          #  ProductBuild = 0x4563 = 17763
    ntlm_negotiate_blob << "\x00\x00\x00"                      #  Reserved
    ntlm_negotiate_blob << "\x0f"                              #  NTLMRevision = 5 = NTLMSSP_REVISION_W2K3
    resp = rdp_send_recv(ntlm_negotiate_blob)

    ntlmssp_start = resp.index('NTLMSSP')
    if ntlmssp_start
      message = Net::NTLM::Message.parse(resp[ntlmssp_start..-1])
      version = message.os_version.bytes
      ti = Net::NTLM::TargetInfo.new(message.target_info)

      peer_info[:nb_name] = ti.av_pairs[Net::NTLM::TargetInfo::MSV_AV_NB_COMPUTER_NAME]
      peer_info[:nb_domain] = ti.av_pairs[Net::NTLM::TargetInfo::MSV_AV_NB_DOMAIN_NAME ]
      peer_info[:dns_server] = ti.av_pairs[Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME]
      peer_info[:dns_domain] = ti.av_pairs[Net::NTLM::TargetInfo::MSV_AV_DNS_DOMAIN_NAME]
      peer_info[:product_version] = "#{version[0]}.#{version[1]}.#{version[2] | (version[3] << 8)}"
    end

    return is_rdp, peer_info
  end

  def rdp_dispatch_loop
    while rdp_sock do
      rdp_handle_packet(rdp_recv)
    end
  end

  def rdp_create_channel_msg(chan_user_id, chan_id, data, flags = 3, data_length = nil)
    data_length ||= data.length

    pdu = [
      [25 << 2].pack('C'), # MCS send data request structure, choice 25
      [self.rdp_user_id, chan_id].pack('S>S>'), # MCS send data request structure, choice 25
      "\x70", # Wut (security header)
      per_data(
        [data_length].pack('L<'),
        [flags].pack('L<'),
        data
      )
    ].join('')

    build_data_tpdu(pdu)
  end

  def rdp_send_channel(chan_user_id, chan_id, data, flags = 3, data_length = nil)
    tpkt = rdp_create_channel_msg(chan_user_id, chan_id, data, flags, data_length)
    rdp_send(tpkt)
  end

  def rdp_terminate
    body = "\x21\x80" # user requested disconnect provider ultimatum

    rdp_send(build_data_tpdu(body))
  end

  # Connect and detect security protocol
  #
  # Note: NLA is detected but not supported yet
  #
  # @return [Boolean] Is service RDP
  # @return [RDPConstants] Protocol supported
  def rdp_check_protocol(req_proto = RDPConstants::PROTOCOL_SSL)
    if datastore['RDP_USER']
      @user_name = datastore['RDP_USER']
    else
      @user_name = Rex::Text.rand_text_alpha(7)
    end

    if datastore['RDP_DOMAIN']
      @domain = datastore['RDP_DOMAIN']
    else
      @domain = Rex::Text.rand_text_alpha(7)
    end

    if datastore['RDP_CLIENT_NAME']
      @computer_name = datastore['RDP_CLIENT_NAME']
    else
      @computer_name = Rex::Text.rand_text_alpha(15)
    end

    @ip_address = datastore['RDP_CLIENT_IP']

    # code to check if RDP is open or not
    vprint_status("Verifying RDP protocol...")

    vprint_status("Attempting to connect using TLS security")
    res = rdp_send_recv(pdu_negotiation_request(@user_name, req_proto))

    # return true if the response is a X.224 Connect Confirm
    # We can't use a check for RDP Negotiation Response because WinXP excludes it
    if res
      result, err_msg = rdp_parse_negotiation_response(res)
      return true, result if result

      # No current support for NLA, nothing to do here
      return true, RDPConstants::PROTOCOL_HYBRID if err_msg == 'HYBRID_REQUIRED_BY_SERVER'

      if err_msg == "Negotiation Response packet too short."
        vprint_status("Attempt to connect with TLS failed but looks like the target is Windows XP")
      else
        vprint_status("Attempt to connect with TLS failed with error: #{err_msg}")
      end

      if ["SSL_NOT_ALLOWED_BY_SERVER", "Negotiation Response packet too short."].include? err_msg
        # This happens if the server is configured to ONLY permit RDP Security
        vprint_status("Attempting to connect using Standard RDP security")
        rdp_disconnect
        rdp_connect
        res = rdp_send_recv(pdu_negotiation_request(@user_name, RDPConstants::PROTOCOL_RDP))

        if res
          result, err_msg = rdp_parse_negotiation_response(res)
          return true, result if result

          # Windows XP doesn't return the standard Negotiation Response packet
          # but we at least know this was RDP since the packet contained a
          # Connect-Confirm response (0xd0).
          if err_msg == "Negotiation Response packet too short."
            return true, RDPConstants::PROTOCOL_RDP
          end

          vprint_status("Attempt to connect with Standard RDP failed with error #{err_msg}")
        end
      end
    end

    return false, 0
  end

  # Negotiate security protocol and begin session building
  #
  # @return [Boolean] success
  def rdp_negotiate_security(channels, req_proto = RDPConstants::PROTOCOL_SSL)
    if req_proto == RDPConstants::PROTOCOL_SSL
      swap_sock_plain_to_ssl
      res = rdp_send_recv(pdu_connect_initial(channels, req_proto, @computer_name))
    elsif req_proto == RDPConstants::PROTOCOL_RDP
      res = rdp_send_recv(pdu_connect_initial(channels, req_proto, @computer_name))
      rsmod, rsexp, _rsran, server_rand, bitlen = rdp_parse_connect_response(res)
    elsif [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(req_proto)
      vprint_status("NLA Security protocol unsupported at this time.")
      return false
    else
      vprint_error("Unknown protocol requested (#{req_proto}).")
      return false
    end

    # erect domain and attach user
    vprint_status("Sending erect domain request")
    rdp_send(pdu_erect_domain_request)
    res = rdp_send_recv(pdu_attach_user_request)

    self.rdp_user_id = res[9, 2].unpack("n").first

    # send channel requests
    [1009, 1003, 1004, 1005, 1006, 1007, 1008].each do |chan|
      rdp_send_recv(pdu_channel_join_request(self.rdp_user_id, chan))
    end

    if req_proto == RDPConstants::PROTOCOL_RDP
      @rdp_sec = true

      # 5.3.4 Client Random Value
      client_rand = ''
      32.times { client_rand << rand(0..255) }
      rcran = bytes_to_bignum(client_rand)

      vprint_status("Sending security exchange PDU")
      rdp_send(pdu_security_exchange(rcran, rsexp, rsmod, bitlen))

      # We aren't decrypting anything at this point. Leave the variables here
      # to make it easier to understand in the future.
      rc4encstart, _rc4decstart, @hmackey, _sessblob = rdp_calculate_rc4_keys(client_rand, server_rand)

      @rc4enckey = RC4.new(rc4encstart)
    end

    return true
  end

  def rdp_generate_license_keys(data)
    client_random = ''
    32.times { client_random << rand(0..255) }
    premaster_secret = ''
    32.times { premaster_secret << rand(0..255) }
    server_random = data[0..31]

    master_secret = rdp_salted_hash48(premaster_secret, "A", client_random, server_random)
    key_block = rdp_salted_hash48(master_secret, "A", client_random, server_random)

    license_sign_key = key_block[0..15]
    license_key = rdp_salted_hash16(key_block[16..31], client_random, server_random)

    return client_random, license_key, license_sign_key
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpele/e17772e9-9642-4bb6-a2bc-82875dd6da7c
  # Server License Request - 2.2.2.1
  def rdp_handle_license_request(data)
    # Note: license_key is currently unused
    client_random, license_key, license_sign_key = rdp_generate_license_keys(data)

    # We're not really decrypting the license from the server, but it should be good enough
    vprint_status("Sending new license request PDU")
    new_license_request = pdu_new_license_request(client_random, @user_name, @computer_name)
    pkt = rdp_build_pkt(new_license_request, license_info: true)

    # Expect that we are issued a license here
    res = rdp_send_recv(pkt)
    rdp_parse_license_pdu(res)
  end

  def rdp_handle_license_error_alert(data)
    error_code, state_transition, error_info = data[0..11].unpack("VVV")
    vprint_status("License error/alert code 0x#{error_code.to_s(16)} (#{RDPConstants::LICENSE_ERRS[error_code]})")
    # Ensure that we were issued a license by the server
    raise RdpCommunicationError if error_code != RDPConstants::LICENSE_ERR_LICENSE_ISSUED
  end

  def rdp_parse_license_pdu(data)
    raise RdpCommunicationError if data.length < 20
    rdp_version = data[0].unpack("C")[0]
    raise RdpCommunicationError if rdp_version != 3
    length = data[2..3].unpack("n")[0]
    if data.length < length
      vprint_error("Got #{data.length} bytes, expected #{length}")
      raise RdpCommunicationError
    end

    data_len = data[13].unpack("C")[0]
    tag_offset = 18
    tag_offset += 1 if (data_len & 0x80 == 0x80) # 2 byte length

    tag = data[tag_offset].unpack("C")[0]
    vprint_status("Got license packet type 0x#{tag.to_s(16)} (#{RDPConstants::LICENSE_TAGS[tag]})")

    case tag
      when RDPConstants::LICENSE_REQUEST
        rdp_handle_license_request(data[tag_offset + 4..-1])
      when RDPConstants::LICENSE_PLATFORM_CHALLENGE
      when RDPConstants::LICENSE_NEW_LICENSE
      when RDPConstants::LICENSE_UPGRADE_LICENSE
      when RDPConstants::LICENSE_LICENSE_INFO
      when RDPConstants::LICENSE_NEW_LICENSE_REQ
      when RDPConstants::LICENSE_PLATFORM_CHAL_RESP
      when RDPConstants::LICENSE_ERROR_ALERT
        rdp_handle_license_error_alert(data[tag_offset + 4..-1])
    end
  end

  # Finish building session after all security is negotiated
  def rdp_establish_session
    vprint_status("Sending client info PDU")
    res = rdp_send_recv(rdp_build_pkt(pdu_client_info(@user_name, @domain, @ip_address),
                                      "\x03\xeb", client_info: true))
    vprint_status("Received License packet (#{res.length} bytes)")
    rdp_parse_license_pdu(res)

    # Windows XP sometimes sends a very large license packet. This is likely
    # some form of license error. When it does this it doesn't send a Server
    # Demand packet. If we wait on one we will time out here and error. We
    # can still successfully check for vulnerability anyway.
    if res.length <= 34
      vprint_status("Waiting for Server Demand packet")
      _res = rdp_recv
      vprint_status("Received Server Demand packet")
    end

    vprint_status("Sending client confirm active PDU")
    rdp_send(rdp_build_pkt(pdu_client_confirm_active))

    vprint_status("Sending client synchronize PDU")
    vprint_status("Sending client control cooperate PDU")
    # Unsure why we're using 1009 here but it works.
    synch = rdp_build_pkt(pdu_client_synchronize(1009))
    coop = rdp_build_pkt(pdu_client_control_cooperate)
    rdp_send(synch + coop)

    vprint_status("Sending client control request control PDU")
    rdp_send(rdp_build_pkt(pdu_client_control_request))

    vprint_status("Sending client input synchronize PDU")
    rdp_send(rdp_build_pkt(pdu_client_input_event_synchronize))

    vprint_status("Sending client font list PDU")
    rdp_send(rdp_build_pkt(pdu_client_font_list))
  end

  def rdp_move_mouse(x = 1, y = 1)
    mouse_move_blob = ""
    mouse_move_blob << "\x04\x80\x0a"    # copypasta FAST PATH stuff from xfreerdp
    mouse_move_blob << "\x20"            # TS_FP_INPUT_EVENT::eventHeader = 0x20 (FASTPATH_INPUT_EVENT_MOUSE)
    mouse_move_blob << "\x00\x08"        # TS_FP_POINTER_EVENT::pointerFlags  = 0x0800 (PTRFLAGS_MOVE)
    mouse_move_blob << [x, y].pack('vv') # TS_FP_POINTER_EVENT::xPos, TS_FP_POINTER_EVENT::yPos
    rdp_send(mouse_move_blob)
  end

  #
  # Protocol parsers
  #

  # Parse RDP Negotiation Data - 2.2.1.2
  # Reference: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/13757f8f-66db-4273-9d2c-385c33b1e483
  # @return [String, nil] String representation of the Selected Protocol or nil on failure
  # @return [String] Error message
  def rdp_parse_negotiation_response(data)
    return false, "Response is not an RDP Negotiation Response packet." unless data.match("\x03\x00\x00..\xd0")
    return false, "Negotiation Response packet too short." if data.length < 19

    response_code = data[11].unpack("C")[0]

    if response_code == 2  # TYPE_RDP_NEG_RSP
      # RDP Negotiation Response - 2.2.1.2.1
      server_selected_proto = data[15..18].unpack("L<")[0]

      proto_label = RDPConstants::RDP_NEG_PROTOCOL[server_selected_proto]
      return server_selected_proto, nil if proto_label

      return nil, "Unknown protocol in Negotiation Response: #{server_selected_proto}"

    elsif response_code == 3  # TYPE_RDP_NEG_FAILURE
      # RDP Negotiation Failure - 2.2.1.2.2
      failure_code = data[15..18].unpack("L<")[0]
      return nil, RDPConstants::RDP_NEG_FAILURE[failure_code]
    else
      return nil, "Unknown Negotiation Response code: #{response_code}"
    end
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/927de44c-7fe8-4206-a14f-e5517dc24b1c
  # Parse Server MCS Connect Response PUD - 2.2.1.4
  def rdp_parse_connect_response(pkt)
    ptr = 0
    rdp_pkt = pkt[0x49..pkt.length]

    while ptr < rdp_pkt.length
      header_type = rdp_pkt[ptr..ptr + 1]
      header_length = rdp_pkt[ptr + 2..ptr + 3].unpack("S<")[0]

      if header_type == "\x02\x0c"

        server_random = rdp_pkt[ptr + 20..ptr + 51]
        public_exponent = rdp_pkt[ptr + 84..ptr + 87]

        rsa_magic = rdp_pkt[ptr + 68..ptr + 71]
        if rsa_magic != "RSA1"
          print_error("Server cert isn't RSA, this scenario isn't supported (yet).")
          raise RdpCommunicationError
        end

        bitlen = rdp_pkt[ptr + 72..ptr + 75].unpack("L<")[0] - 8
        modulus = rdp_pkt[ptr + 88..ptr + 87 + bitlen]
      end

      ptr += header_length
    end

    # vprint_status("SERVER_MODULUS: #{bin_to_hex(modulus)}")
    # vprint_status("SERVER_EXPONENT: #{bin_to_hex(public_exponent)}")
    # vprint_status("SERVER_RANDOM: #{bin_to_hex(server_random)}")

    rsmod = bytes_to_bignum(modulus)
    rsexp = bytes_to_bignum(public_exponent)
    rsran = bytes_to_bignum(server_random)

    # vprint_status("MODULUS  = #{bin_to_hex(modulus)} - #{rsmod.to_s}")
    # vprint_status("EXPONENT = #{bin_to_hex(public_exponent)} - #{rsexp.to_s}")
    # vprint_status("SVRANDOM = #{bin_to_hex(server_random)} - #{rsran.to_s}")

    return rsmod, rsexp, rsran, server_random, bitlen
  end

  #
  # Encryption: Standard RDP Security
  #

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7c61b54e-f6cd-4819-a59a-daf200f6bf94
  # mac_salt_key = "W\x13\xc58\x7f\xeb\xa9\x10*\x1e\xddV\x96\x8b[d"
  # data_content = "\x12\x00\x17\x00\xef\x03\xea\x03\x02\x00\x00\x01\x04\x00$\x00\x00\x00"
  # hmac = rdp_hmac(mac_salt_key, data_content) # == hexlified: "22d5aeb486994a0c785dc929a2855923"
  def rdp_hmac(mac_salt_key, data_content)
    sha1 = Digest::SHA1.new
    md5 = Digest::MD5.new

    pad1 = "\x36" * 40
    pad2 = "\x5c" * 48

    sha1 << mac_salt_key
    sha1 << pad1
    sha1 << [data_content.length].pack('L<')
    sha1 << data_content

    md5 << mac_salt_key
    md5 << pad2
    md5 << [sha1.hexdigest].pack("H*")

    [md5.hexdigest].pack("H*")
  end

  def rdp_salted_hash16(s_bytes, salt1, salt2)
    md5 = Digest::MD5.new

    md5 << s_bytes[0..15]
    md5 << salt1[0..31]
    md5 << salt2[0..31]

    [md5.hexdigest].pack("H*")
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/705f9542-b0e3-48be-b9a5-cf2ee582607f
  #  SaltedHash(S, I) = MD5(S + SHA(I + S + ClientRandom + ServerRandom))
  def rdp_salted_hash(s_bytes, i_bytes, client_random_bytes, server_random_bytes)
    sha1 = Digest::SHA1.new
    md5 = Digest::MD5.new

    sha1 << i_bytes
    sha1 << s_bytes
    sha1 << client_random_bytes
    sha1 << server_random_bytes

    md5 << s_bytes
    md5 << [sha1.hexdigest].pack("H*")

    [md5.hexdigest].pack("H*")
  end

  def rdp_salted_hash48(s_bytes, i_byte, client_random, server_random)
    rdp_salted_hash(s_bytes, i_byte, client_random, server_random) + \
      rdp_salted_hash(s_bytes, (i_byte.ord + 1).chr * 2, client_random, server_random) + \
      rdp_salted_hash(s_bytes, (i_byte.ord + 2).chr * 3, client_random, server_random)
  end

  #  FinalHash(K) = MD5(K + ClientRandom + ServerRandom)
  def rdp_final_hash(k, client_random_bytes, server_random_bytes)
    md5 = Digest::MD5.new

    md5 << k
    md5 << client_random_bytes
    md5 << server_random_bytes

    [md5.hexdigest].pack("H*")
  end

  def rdp_calculate_rc4_keys(client_random, server_random)
    # g = First192Bits(ClientRandom) + First192Bits(ServerRandom)
    g = client_random[0..23] + server_random[0..23]

    # PreMasterHash(I) = SaltedHash(g, I)
    # MasterSecret = PreMasterHash(0x41) + PreMasterHash(0x4242) + PreMasterHash(0x434343)
    master_secret = rdp_salted_hash48(g, "A", client_random, server_random)

    # MasterHash(I) = SaltedHash(MasterSecret, I)
    # SessionKeyBlob = MasterHash(0x58) + MasterHash(0x5959) + MasterHash(0x5A5A5A)
    sessionKeyBlob = rdp_salted_hash48(master_secret, "X", client_random, server_random)

    # InitialClientDecryptKey128 = FinalHash(Second128Bits(SessionKeyBlob))
    initialClientDecryptKey128 = rdp_final_hash(sessionKeyBlob[16..31], client_random, server_random)

    # InitialClientEncryptKey128 = FinalHash(Third128Bits(SessionKeyBlob))
    initialClientEncryptKey128 = rdp_final_hash(sessionKeyBlob[32..47], client_random, server_random)

    mac_key = sessionKeyBlob[0..15]

    return initialClientEncryptKey128, initialClientDecryptKey128, mac_key, sessionKeyBlob
  end

  def rsa_encrypt(bignum, rsexp, rsmod)
    (bignum ** rsexp) % rsmod
  end

  def rdp_rc4_crypt(rc4obj, data)
    rc4obj.encrypt(data)
  end

  def bytes_to_bignum(bytes_val, order = "little")
    bytes = bin_to_hex(bytes_val)
    if order == "little"
      bytes = bytes.scan(/../).reverse.join('')
    end
    s = "0x" + bytes
    s.to_i(16)
  end

  # https://www.ruby-forum.com/t/integer-to-byte-string-speed-improvements/67110
  def int_to_bytestring( int_val, num_chars = nil )
    unless num_chars
      bits_needed = Math.log(int_val) / Math.log(2)
      num_chars = ( bits_needed / 8.0 ).ceil
    end
    if pack_code = { 1 => 'C', 2 => 'S', 4 => 'L' }[num_chars]
      [int_val].pack(pack_code)
    else
      a = (0..(num_chars)).map{ |i|
        (( int_val >> i*8 ) & 0xFF ).chr
      }.join
      a[0..-2] # seems legit lol
    end
  end

  def bin_to_hex(str_val)
    str_val.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
  end


  #
  # Protocol Data Unit definitions and helpers
  #

  # Build the X.224 packet, encrypt with Standard RDP Security as needed
  # default channel_id = 0x03eb = 1003
  def rdp_build_pkt(data, channel_id = "\x03\xeb", client_info: false, license_info: false)
    flags = 0
    flags |= 0x08 if @rdp_sec     # Set SEC_ENCRYPT
    flags |= 0x40 if client_info  # Set SEC_INFO_PKT
    flags |= 0x80 if license_info # Set SEC_LICENSE_PKT

    pdu = ""

    # TS_SECURITY_HEADER - 2.2.8.1.1.2.1
    # Send when the packet is encrypted w/ Standard RDP Security and in all Client Info PDUs
    if client_info || @rdp_sec
      pdu << [flags].pack("S<")  # flags  "\x48\x00" = SEC_INFO_PKT | SEC_ENCRYPT
      pdu << "\x00\x00"          # flagsHi
    end

    if @rdp_sec
      # Encrypt the payload with RDP Standard Encryption
      pdu << rdp_hmac(@hmackey, data)[0..7]
      pdu << rdp_rc4_crypt(@rc4enckey, data)
    else
      pdu << data
    end

    user_data_len = pdu.length
    udl_with_flag = 0x8000 | user_data_len

    pkt =  "\x64"      # sendDataRequest
    pkt << "\x00\x08"  # intiator userId .. TODO: for a functional client this isn't static
    pkt << channel_id  # channelId
    pkt << "\x70"      # dataPriority
    pkt << [udl_with_flag].pack("S>")
    pkt << pdu

    build_data_tpdu(pkt)
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c074267-1b32-4ceb-9496-2eb941a23e6b
  # Virtual Channel PDU 2.2.6.1
  def build_virtual_channel_pdu(flags, data)
    data_len = data.length

    [data_len].pack("L<") + # length
      [flags].pack("L<") +  # flags
      data
  end

  # Builds x.224 Data (DT) TPDU - Section 13.7
  def build_data_tpdu(data)
    tpkt_length = data.length + 7

    "\x03\x00" +                 # TPKT Header version 03, reserved 0
      [tpkt_length].pack("S>") + # TPKT length
      "\x02\xf0\x80" +           # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission)
      data
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpele/c57e4890-9049-421e-9fe8-9a6f9519675a
  # Client New License Request PDU - 2.2.2.2
  def pdu_new_license_request(client_random, user, host)
    length = 24 + client_random.length + 64 + user.length + 1 + host.length + 1

    [RDPConstants::LICENSE_NEW_LICENSE_REQ].pack("C") +
    "\x03" +                         # Version
    [length].pack("S<") +            # Length
    "\x01\x01\x00\x00\x00\x01\xff" + # KEY_EXCHANGE_ALG_RSA
    client_random[0..31] +
    "\x02\x00" +                     # Encrypted Premaster Secret RANDOM_BLOB
    [64].pack("S<") +
    "\x00" * 64 +                    # The client license premaster secret, we don't care about the license contents
    "\x0f\x00" +                     # USER_NAME_BLOB
    [user.length + 1].pack("S<") +
    user + "\x00" +
    "\x10\x00" +                     # CLIENT_MACHINE_NAME_BLOB
    [host.length + 1].pack("S<") +
    host + "\x00"

  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10
  # Client X.224 Connect Request PDU - 2.2.1.1
  def pdu_negotiation_request(user_name = "", requested_protocols = 0)
    # Blank username is ok, nil = random
    user_name = Rex::Text.rand_text_alpha(12) if user_name.nil?
    tpkt_len = user_name.length + 38
    x224_len = user_name.length + 33

    "\x03\x00" +              # TPKT Header version 03, reserved 0
      [tpkt_len].pack("S>") + # TPKT length: 43
      [x224_len].pack("C") +  # X.224 LengthIndicator
      "\xe0" +        # X.224 Type: Connect Request
      "\x00\x00" +    # dst reference
      "\x00\x00" +    # src reference
      "\x00" +        # class and options
      # cookie - literal 'Cookie: mstshash='
      "\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x6d\x73\x74\x73\x68\x61\x73\x68\x3d" +
      user_name +     # Identifier "username"
      "\x0d\x0a" +    # cookie terminator
      "\x01\x00" +    # Type: RDP Negotiation Request ( 0x01 )
      "\x08\x00" +    # Length
      [requested_protocols].pack('L<') # requestedProtocols
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b
  def pdu_connect_initial(channels, selected_proto = 0, host_name = "rdesktop")
    # After negotiating TLS or NLA the connectInitial packet needs to include the
    # protocol selection that the server indicated in its Negotiation Response

    pdu = [
      "\x7f\x65",        # T.125 Connect-Initial (BER: Application 101)
      ber_data(
        "\x04\x01\x01",    # CallingDomainSelector: 1 (BER: OctetString)
        "\x04\x01\x01",    # CalledDomainSelector: 1 (BER: OctetString)
        "\x01\x01\xff",    # UpwaredFlag: True (BER: boolean)

        # TargetParamenters
        encode_domain_selector(
          max_chan_ids: 0x22,
          max_user_ids: 0x2
        ),
        # MinimumParameters
        encode_domain_selector(
          max_chan_ids: 0x1,
          max_user_ids: 0x1,
          max_token_ids: 0x1,
          max_mcspdu_size: 0x0420
        ),
        # MaximumParameters
        encode_domain_selector(
          max_chan_ids: 0xffff,
          max_user_ids: 0xfc17,
          max_token_ids: 0xffff
        ),
        # UserData
        ber_octet_string(
          # T.124 GCC Connection Data (ConnectData)- PER Encoding used
          per_object(oid(0, 0, 20, 124, 0, 1)),
          per_data(
            conf_create_req(),
            per_data(
              cs_core_data(client_name: host_name, selected_proto: selected_proto),
              cs_cluster_data(),
              cs_security_data(),
              cs_network_data(channels)
            )
          )
        )
      )
    ].join('')

    build_data_tpdu(pdu)
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c
  # Client MCS Erect Domain Request PDU - 2.2.1.5
  def pdu_erect_domain_request
    pdu =
      "\x04" +       # T.125 ErectDomainRequest
      "\x01\x00" +   # subHeight - length 1, value 0
      "\x01\x00"     # subInterval - length 1, value 0

    build_data_tpdu(pdu)
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247\
  # Client MCS Attach User Request PDU - 2.2.1.6
  def pdu_attach_user_request
    pdu = "\x28"  # T.125 AttachUserRequest

    build_data_tpdu(pdu)
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/64564639-3b2d-4d2c-ae77-1105b4cc011b
  # Client MCS Channel Join Request PDU -2.2.1.8
  def pdu_channel_join_request(user1, channel_id)
    pdu =
      "\x38" + # T.125 ChannelJoinRequest
      [user1, channel_id].pack("nn")

    build_data_tpdu(pdu)
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f
  # Client Security Exchange PDU - 2.2.1.10
  def pdu_security_exchange(rcran, rsexp, rsmod, bitlen)
    encrypted_rcran_bignum = rsa_encrypt(rcran, rsexp, rsmod)
    encrypted_rcran = int_to_bytestring(encrypted_rcran_bignum)

    bitlen += 8 # Pad with size of TS_SECURITY_PACKET header

    userdata_length = 8 + bitlen
    userdata_length_low = userdata_length & 0xFF
    userdata_length_high = userdata_length / 256
    flags = 0x80 | userdata_length_high

    pdu =
      "\x64" +            # T.125 sendDataRequest
      "\x00\x08" +        # intiator userId
      "\x03\xeb" +        # channelId = 1003
      "\x70" +            # dataPriority = high, segmentation = begin | end
      [flags].pack("C") +
      [userdata_length_low].pack("C") + # UserData length
      # TS_SECURITY_PACKET - 2.2.1.10.1
      "\x01\x00" +           # securityHeader flags
      "\x00\x00" +           # securityHeader flagsHi
      [bitlen].pack("L<") +  # TS_ length
      encrypted_rcran +      # encryptedClientRandom - 64 bytes
      "\x00\x00\x00\x00\x00\x00\x00\x00" # 8 bytes rear padding (always present)

    build_data_tpdu(pdu)
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d
  # TS_INFO_PACKET - 2.2.1.11.1.1
  def pdu_client_info(user_name, domain_name = "", ip_address = "")
    # Max len for 4.0/6.0 servers is 44 bytes including terminator
    # Max len for all other versions is 512 including terminator
    # We're going to limit to 44 (21 chars + null -> unicode) here.
    # Blank username is ok, nil = random
    user_name = Rex::Text.rand_text_alpha(10) if user_name.nil?
    user_unicode = Rex::Text.to_unicode(user_name[0..20], 'utf-16le')
    uname_len = user_unicode.length

    # Domain can can be, and for rdesktop typically is, empty.
    # Max len for 4.0/5.0 servers is 52 including terminator
    # Max len for all other versions is 512 including terminator
    # We're going to limit to 52 (25 chars + null -> unicode) here.
    domain_unicode = Rex::Text.to_unicode(domain_name[0..24], 'utf-16le')
    domain_len = domain_unicode.length

    # This address value is primarily used to reduce the fields by which this
    # module can be fingerprinted. It doesn't show up in Windows logs.
    # clientAddress + null terminator
    ip_unicode = Rex::Text.to_unicode(ip_address, 'utf-16le') + "\x00\x00"
    ip_len = ip_unicode.length

    "\x00\x00\x00\x00" +    # CodePage
      "\x33\x01\x00\x00" +  # flags - INFO_MOUSE, INFO_DISABLECTRLALTDEL, INFO_UNICODE, INFO_MAXIMIZESHELL, INFO_ENABLEWINDOWSKEY
      [domain_len].pack("S<") + # cbDomain (length value) - EXCLUDES null terminator
      [uname_len].pack("S<") +  # cbUserName (length value) - EXCLUDES null terminator
      "\x00\x00" +  # cbPassword (length value)
      "\x00\x00" +  # cbAlternateShell (length value)
      "\x00\x00" +  # cbWorkingDir (length value)
      [domain_unicode].pack("a*") + # Domain
      "\x00\x00" +                  # Domain null terminator, EXCLUDED from value of cbDomain
      [user_unicode].pack("a*") +   # UserName
      "\x00\x00" +  # UserName null terminator, EXCLUDED FROM value of cbUserName
      "\x00\x00" +  # Password - empty
      "\x00\x00" +  # AlternateShell - empty
      "\x00\x00" +  # WorkingDir - empty
      # TS_EXTENDED_INFO_PACKET - 2.2.1.11.1.1.1
      "\x02\x00" +              # clientAddressFamily - AF_INET - FIXFIX - detect and set dynamically
      [ip_len].pack("S<") +     # cbClientAddress (length value) - INCLUDES terminator ... for reasons.
      [ip_unicode].pack("a*") + # clientAddress (unicode + null terminator (unicode)
      "\x3c\x00" +              # cbClientDir (length value): 60
      # clientDir - 'C:\WINNT\System32\mstscax.dll' + null terminator
      "\x3c\x00\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x4e\x00" + #
      "\x54\x00\x5c\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00" + #
      "\x33\x00\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00" + #
      "\x61\x00\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00" + #
      # clientTimeZone - TS_TIME_ZONE struct - 172 bytes
      # These are the default values for rdesktop
      "\xa4\x01\x00\x00" + # Bias
      # StandardName - 'GTB,normaltid'
      "\x47\x00\x54\x00\x42\x00\x2c\x00\x20\x00\x6e\x00\x6f\x00\x72\x00" + #
      "\x6d\x00\x61\x00\x6c\x00\x74\x00\x69\x00\x64\x00\x00\x00\x00\x00" + #
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x00\x00\x0a\x00\x00\x00\x05\x00\x03\x00\x00\x00\x00\x00\x00\x00" + # StandardDate - Oct 5
      "\x00\x00\x00\x00" + # StandardBias
      # DaylightName - 'GTB,sommartid'
      "\x47\x00\x54\x00\x42\x00\x2c\x00\x20\x00\x73\x00\x6f\x00\x6d\x00" + #
      "\x6d\x00\x61\x00\x72\x00\x74\x00\x69\x00\x64\x00\x00\x00\x00\x00" + #
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x00\x00\x03\x00\x00\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # DaylightDate - Mar 3
      "\xc4\xff\xff\xff" + # DaylightBias
      "\x00\x00\x00\x00" + # clientSessionId
      "\x27\x00\x00\x00" + # performanceFlags
      "\x00\x00"           # cbAutoReconnectCookie
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/73d01865-2eae-407f-9b2c-87e31daac471
  # Share Control Header - TS_SHARECONTROLHEADER - 2.2.8.1.1.1.1
  def build_share_control_header(type, data)
    total_len = data.length + 6

    [total_len].pack("S<") + # totalLength - includes all headers
      [type].pack("S<") +    # pduType - flags 16 bit, unsigned
      "\xf1\x03" +           # PDUSource: 0x03f1 = 1009
      data
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4b5d4c0d-a657-41e9-9c69-d58632f46d31
  # Share Data Header - TS_SHAREDATAHEADER - 2.2.8.1.1.1.2
  def build_share_data_header(type, data)
    uncompressed_len = data.length + 4

    "\xea\x03\x01\x00" + # shareId: 66538
      "\x00" +     # pad1
      "\x01" +     # streamID: 1
      [uncompressed_len].pack("S<") + # uncompressedLength - 16 bit, unsigned int
      [type].pack("C") + # pduType2 - 8 bit, unsigned int - 2.2.8.1.1.2
      "\x00" +     # compressedType: 0
      "\x00\x00" + # compressedLength: 0
      data
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9d1e1e21-d8b4-4bfd-9caf-4b72ee91a7135
  # Control Cooperate - TC_CONTROL_PDU 2.2.1.15
  def pdu_client_control_cooperate
    pdu =
      "\x04\x00" +       # action: 4 - CTRLACTION_COOPERATE
      "\x00\x00" +       # grantId: 0
      "\x00\x00\x00\x00" # controlId: 0

    # pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
    data_header = build_share_data_header(0x14, pdu)

    # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
    build_share_control_header(0x17, data_header)
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4f94e123-970b-4242-8cf6-39820d8e3d35
  # Control Request - TC_CONTROL_PDU 2.2.1.16
  def pdu_client_control_request
    pdu =
      "\x01\x00" +       # action: 1 - CTRLACTION_REQUEST_CONTROL
      "\x00\x00" +       # grantId: 0
      "\x00\x00\x00\x00" # controlId: 0

    # pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
    data_header = build_share_data_header(0x14, pdu)

    # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
    build_share_control_header(0x17, data_header)
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7067da0d-e318-4464-88e8-b11509cf0bd9
  # Client Font List - TS_FONT_LIST_PDU - 2.2.1.18
  def pdu_client_font_list
    pdu =
      "\x00\x00" + # numberFonts: 0
      "\x00\x00" + # totalNumberFonts: 0
      "\x03\x00" + # listFlags: 3 (FONTLIST_FIRST | FONTLIST_LAST)
      "\x32\x00"   # entrySize: 50

    # pduType2 = 0x27 = 29 -  PDUTYPE2_FONTLIST
    data_header = build_share_data_header(0x27, pdu)

    # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
    build_share_control_header(0x17, data_header)
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5186005a-36f5-4f5d-8c06-968f28e2d992
  # Client Synchronize - TS_SYNCHRONIZE_PDU - 2.2.1.19 /  2.2.14.1
  def pdu_client_synchronize(target_user = 0)
    pdu =
      "\x01\x00" +              # messageType: 1 SYNCMSGTYPE_SYNC
      [target_user].pack("S<")  # targetUser, 16 bit, unsigned.

    # pduType2 = 0x1f = 31 - PDUTYPE2_SCYNCHRONIZE
    data_header = build_share_data_header(0x1f, pdu)

    # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
    build_share_control_header(0x17, data_header)
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4e9722c3-ad83-43f5-af5a-529f73d88b48
  # Confirm Active PDU Data - TS_CONFIRM_ACTIVE_PDU - 2.2.1.13.2.1
  def pdu_client_confirm_active
    pdu =
      "\xea\x03\x01\x00" + # shareId: 66538
      "\xea\x03" + # originatorId
      "\x06\x00" + # lengthSourceDescriptor: 6
      "\x8e\x01" + # lengthCombinedCapabilities: 398
      "\x4d\x53\x54\x53\x43\x00" + # SourceDescriptor: 'MSTSC'
      "\x0e\x00" + # numberCapabilities: 14
      "\x00\x00" + # pad2Octets
      "\x01\x00" + # capabilitySetType: 1 - TS_GENERAL_CAPABILITYSET
      "\x18\x00" + # lengthCapability: 24
      "\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x0d\x04\x00\x00\x00\x00" + #
      "\x00\x00\x00\x00" + #
      "\x02\x00" + # capabilitySetType: 2 - TS_BITMAP_CAPABILITYSET
      "\x1c\x00" + # lengthCapability: 28
      "\x10\x00\x01\x00\x01\x00\x01\x00\x20\x03\x58\x02\x00\x00\x01\x00" + #
      "\x01\x00\x00\x00\x01\x00\x00\x00" + #
      "\x03\x00" + # capabilitySetType: 3 - TS_ORDER_CAPABILITYSET
      "\x58\x00" + # lengthCapability: 88
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x47\x01\x2a\x00" + #
      "\x01\x01\x01\x01\x00\x00\x00\x00\x01\x01\x01\x01\x00\x01\x01\x00" + #
      "\x00\x00\x00\x00\x01\x01\x01\x00\x00\x01\x01\x01\x00\x00\x00\x00" + #
      "\xa1\x06\x00\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00" + #
      "\xe4\x04\x00\x00\x13\x00\x28\x00\x00\x00\x00\x03\x78\x00\x00\x00" + #
      "\x78\x00\x00\x00\x50\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x08\x00" + # capabilitySetType: 8 - TS_POINTER_CAPABILITYSET
      "\x0a\x00" + # lengthCapability: 10
      "\x01\x00\x14\x00\x14\x00" + #
      "\x0a\x00" + # capabilitySetType: 10 - TS_COLORTABLE_CAPABILITYSET
      "\x08\x00" + # lengthCapability: 8
      "\x06\x00\x00\x00" + #
      "\x07\x00" + # capabilitySetType: 7 - TSWINDOWACTIVATION_CAPABILITYSET
      "\x0c\x00" + # lengthCapability: 12
      "\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x05\x00" + # capabilitySetType: 5 - TS_CONTROL_CAPABILITYSET
      "\x0c\x00" + # lengthCapability: 12
      "\x00\x00\x00\x00\x02\x00\x02\x00" + #
      "\x09\x00" + # capabilitySetType: 9 - TS_SHARE_CAPABILITYSET
      "\x08\x00" + # lengthCapability: 8
      "\x00\x00\x00\x00" + #
      "\x0f\x00" + # capabilitySetType: 15 - TS_BRUSH_CAPABILITYSET
      "\x08\x00" + # lengthCapability: 8
      "\x01\x00\x00\x00" + #
      "\x0d\x00" + # capabilitySetType: 13 - TS_INPUT_CAPABILITYSET
      "\x58\x00" + # lengthCapability: 88
      "\x01\x00\x00\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00" + #
      "\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + #
      "\x00\x00\x00\x00" + #
      "\x0c\x00" + # capabilitySetType: 12 - TS_SOUND_CAPABILITYSET
      "\x08\x00" + # lengthCapability: 8
      "\x01\x00\x00\x00" + #
      "\x0e\x00" + # capabilitySetType: 14 - TS_FONT_CAPABILITYSET
      "\x08\x00" + # lengthCapability: 8
      "\x01\x00\x00\x00" + #
      "\x10\x00" + # capabilitySetType: 16 - TS_GLYPHCAChE_CAPABILITYSET
      "\x34\x00" + # lengthCapability: 52
      "\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00" + #
      "\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00" + #
      "\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x02\x00\x00\x00"

    # type = 0x13 = TS_PROTOCOL_VERSION | PDUTYPE_CONFIRMACTIVEPDU
    build_share_control_header(0x13, pdu)
  end

  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/ff7f06f8-0dcf-4c8d-be1f-596ae60c4396
  # Client Input Event Data - TS_INPUT_PDU_DATA - 2.2.8.1.1.3.1
  def pdu_client_input_event_synchronize
    pdu =
      "\x01\x00" +         # numEvents: 1
      "\x00\x00" +         # pad2Octets
      "\x00\x00\x00\x00" + # eventTime
      "\x00\x00" +         # messageType: 0 - INPUT_EVENT_SYNC
      # TS_SYNC_EVENT 202.8.1.1.3.1.1.5
      "\x00\x00" +         # pad2Octets
      "\x00\x00\x00\x00"   # toggleFlags

    # pduType2 = 0x1c = 28 - PDUTYPE2_INPUT
    data_header = build_share_data_header(0x1c, pdu)

    # type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
    build_share_control_header(0x17, data_header)
  end

  #
  # Non-RDP protocol helper methods
  #

  # Create a new SSL session on the existing socket.
  # Stolen from exploit/smtp_deliver.rb
  def swap_sock_plain_to_ssl
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.min_version = OpenSSL::SSL::TLS1_VERSION
    ctx.security_level = datastore['RDP_TLS_SECURITY_LEVEL']
    ssl = OpenSSL::SSL::SSLSocket.new(self.rdp_sock, ctx)

    begin
      ssl.connect
    rescue Errno::ECONNRESET
      vprint_error("Retry with advanced option RDP_TLS_SECURITY_LEVEL=0")
      raise
    end

    self.rdp_sock.extend(Rex::Socket::SslTcp)
    self.rdp_sock.sslsock = ssl
    self.rdp_sock.sslctx  = ctx
  end

protected

  def encode_domain_selector(
    max_chan_ids: 0,
    max_user_ids: 0,
    max_token_ids: 0,
    num_priorities: 1,
    min_throughput: 0,
    max_height: 1,
    max_mcspdu_size: 65535,
    protocol_ver: 2
  )

    body = [
      ber_int(max_chan_ids),
      ber_int(max_user_ids),
      ber_int(max_token_ids),
      ber_int(num_priorities),
      ber_int(min_throughput),
      ber_int(max_height),
      ber_int(max_mcspdu_size),
      ber_int(protocol_ver)
    ].join('')

    result = [
      "\x30",
      [body.length].pack('C'),
      body
    ].join('')

    result
  end

  def per_object(*ds)
    body = ds.join('')

    result = [
      "\x00",
      [body.length].pack('C'),
      body
    ].join('')

    result
  end

  def per_data(*ds)
    data = ds.join('')
    result = ''
    if data.length < 0x4000
      result = [data.length | 0x8000].pack('S>') + data
    else
      result = "\xA2" + [data.length].pack('S>') + data
    end

    result
  end

  def cs_cluster_data(
    flags: RDPConstants::REDIRECTION_SUPPORTED | RDPConstants::REDIRECTION_VERSION3,
    session_id: 0
  )
    body = [flags, session_id].pack('L<L<')

    result = [
      [0xc004, body.length + 4].pack('S<S<'),
      body
    ].join('')

    result
  end

  def cs_security_data(
    encryption_methods: RDPConstants::ENCRYPTION_40BIT | RDPConstants::ENCRYPTION_128BIT,
    ext_encryption_methods: 0
  )
    body = [encryption_methods, ext_encryption_methods].pack('L<L<')

    result = [
      [0xc002, body.length + 4].pack('S<S<'),
      body
    ].join('')

    result
  end

  def cs_network_data(channels)
    chan_data = channels.map{ |c|
      [c[0].encode('ASCII')].pack('a8') + [c[1]].pack('L')
    }.join('')

    body = [
      [channels.length].pack('L'),
      chan_data
    ].join('')

    result = [
      [0xc003, body.length + 4].pack('S<S<'),
      body
    ].join('')

    result
  end

  # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/00f1da4a-ee9c-421a-852f-c19f92343d73
  def cs_core_data(
    version: 0x80004,
    width: 800,
    height: 600,
    keyboard: 1033, # English
    client_build: 2600,
    client_name: "rdesktop",
    keyboard_type: 4, # IBMEhanced 101/102
    keyboard_subtype: 0,
    keyboard_func_key: 12,
    serial_num: 0,
    client_product_id: 1,
    client_dig_product_id: "",
    selected_proto: 0
    )

    client_name = Rex::Text.to_unicode(client_name[0..16], 'utf-16le')
    client_dig_product_id = Rex::Text.to_unicode(client_dig_product_id[0..32], 'utf-16le')

    body = [
      [version, width, height].pack('L<S<S<'),
      "\x01\xca", # colour depth (8BPP)
      "\x03\xaa", # SASSequence
      [keyboard, client_build, client_name].pack('L<L<a32'),
      [keyboard_type, keyboard_subtype, keyboard_func_key].pack('L<L<L<'),
      "\x00" * 64, # imeFileName
      "\x01\xca", # postBeta2ColorDepth (8BPP)
      [client_product_id, serial_num].pack('S<L<'),
      "\x18\x00", # highColorDepth: 24 bpp
      "\x07\x00", # supportedColorDepths: flag (24 bpp | 16 bpp | 15 bpp )
      "\x01\x00", # earlyCapabilityFlags: 1 (RNS_UD_CS_SUPPORT_ERRINFO_PDU)
      [client_dig_product_id].pack('a64'),
      "\x00", # connectionType: 0
      "\x00", # pad1octet
      # serverSelectedProtocol - After negotiating TLS or CredSSP this value must
      # match the selectedProtocol value from the server's Negotiate Connection
      # confirm PDU that was sent before encryption was started.
      [selected_proto].pack('L<')
    ].join('')

    result = [
      [0xc001, body.length + 4].pack('S<S<'),
      body
    ].join('')

    result
  end

  def conf_create_req(user_data_sets: 1, h221_key: "Duca")
    b2 = 0
    b2 |= 0x08 if user_data_sets > 0

    b5 = 0x40
    b5 |= 0x80 if user_data_sets > 0

    # TODO: add more flags here
    [
      "\x00",
      [b2].pack('C'),
      "\x00\x10\x00",
      [user_data_sets].pack('C'),
      [b5].pack('C'),
      "\x00",
      [h221_key.encode('ASCII')].pack('a*')
    ].join('')
  end

  def oid(itut, rec, t, t124, ver, desc)
    [(itut << 8) | rec, t, t124, ver, desc].pack('C*')
  end

  def ber_octet_string(*ds)
    result = [
      "\x04",
      ber_data(ds)
    ].join('')

    result
  end

  def ber_data(*ds)
    data = ds.join('')

    result = [
      "\x82",
      [data.length].pack('S>'),
      data
    ].join('')

    result
  end

  def ber_int(i)
    d = ''
    if i < (2 ** 8)
      d = [i].pack('C')
    elsif i < (2 ** 16)
      d = [i].pack('S>')
    else
      d = [i].pack('L>')
    end

    "\x02" + [d.length].pack('C') + d
  end

  def rdp_handle_packet(pkt)
    if pkt && pkt[0] == "\x03"
      if pkt[4..6] == "\x02\xf0\x80"
        if pkt[7] == "\x68"
          chan_user_id = pkt[8..9].unpack('S>')[0]
          chan_id = pkt[10..11].unpack('S>')[0]
          flags = pkt[18..21].unpack('L<')[0]
          data = pkt[22..pkt.length]
          rdp_on_channel_receive(pkt, chan_user_id, chan_id, flags, data)
        end
      end
    end
  end

  def rdp_on_channel_receive(pkt, chan_user_id, chan_id, flags, data)
    ctype = data[0..1].unpack('S')[0]

    if ctype == RDPConstants::RDPDR_CTYP_CORE
      opcode = data[2..3].unpack('S')[0]
      if opcode == RDPConstants::PAKID_CORE_SERVER_ANNOUNCE
        rdp_on_core_server_announce(pkt, chan_user_id, chan_id, flags, data)
      elsif opcode == RDPConstants::PAKID_CORE_SERVER_CAPABILITY
        rdp_on_core_server_capability(pkt, chan_user_id, chan_id, flags, data)
      elsif opcode == RDPConstants::PAKID_CORE_CLIENTID_CONFIRM
        rdp_on_core_client_id_confirm(pkt, chan_user_id, chan_id, flags, data)
      end
    end
  end

  def rdp_on_core_server_announce(pkt, chan_user_id, chan_id, flags, data)
    vprint_status("Handling SERVER ANNOUNCE ...")
    rdpdr_client_announce_reply(pkt, chan_user_id, chan_id, flags, data)
    rdpdr_client_name_request(pkt, chan_user_id, chan_id, flags, data)
  end

  def rdp_on_core_server_capability(pkt, chan_user_id, chan_id, flags, data)
    vprint_status("Handling SERVER CAPABILITY ...")
    # change opcode 1 byte to match server capabilities
    reply = [data[0..2], "\x43", data[4..data.length]].join('')

    rdp_send_channel(chan_user_id, chan_id, reply)
  end

  def rdp_on_core_client_id_confirm(pkt, chan_user_id, chan_id, flags, data)
    vprint_status("Handling CLIENT ID CONFIRM ...")
    rdpdr_client_device_list_announce_request(pkt, chan_user_id, chan_id, flags, data)
  end

  def rdpdr_client_device_list_announce_request(pkt, chan_user_id, chan_id, flags, data)
    reply = [
      RDPConstants::RDPDR_CTYP_CORE,
      RDPConstants::PAKID_CORE_DEVICELIST_ANNOUNCE,
      0x0, # Device count
    ].pack('SSL')

    rdp_send_channel(chan_user_id, chan_id, reply)
  end

  def rdpdr_client_announce_reply(pkt, chan_user_id, chan_id, flags, data)
    reply = [
      RDPConstants::RDPDR_CTYP_CORE,
      RDPConstants::PAKID_CORE_CLIENTID_CONFIRM,
      0x1, # Version Major
      0xc, # Version Minor
      0x2, # client ID (TODO: configure this? read it from the packet?
    ].pack('SSSSL')

    rdp_send_channel(chan_user_id, chan_id, reply)
  end

  def rdpdr_client_name_request(pkt, chan_user_id, chan_id, flags, data)
    computer_name = Rex::Text.to_unicode("#{@computer_name}\x00", 'utf-16le')
    reply = [
      RDPConstants::RDPDR_CTYP_CORE,
      RDPConstants::PAKID_CORE_CLIENT_NAME,
      0x1, # Unicode flag
      0x0, # Code Page
      computer_name.length,
      computer_name,
    ].pack('SSLLLa*')

    rdp_send_channel(chan_user_id, chan_id, reply)
  end

  attr_accessor :rdp_sock

  attr_accessor :rdp_user_id

=begin
  # debug stuff
  def rdp_to_file(b, del = false)
    p = "/tmp/ruby-full.bin"
    ::File.delete(p) if del && ::File.exist?(p)
    f = ::File.new(p, "ab")
    f.write(b)
    f.close
  end
=end

end
end