metasploit-gs/lib/net/winrm/rex_http_transport.rb

require 'winrm'

module Net
  module MsfWinRM
    # Transport for communicating to a WinRM service, using Rex sockets
    class RexHttpTransport < WinRM::HTTP::HttpTransport
      # rubocop:disable Lint/
      def initialize(opts)
        if opts[:kerberos_authenticator]
          self.http_client = opts.fetch(:http_client) { Rex::Proto::Http::Client.new(opts[:host], opts[:port], {}, opts[:ssl], opts[:ssl_version], opts[:proxies], kerberos_authenticator: opts[:kerberos_authenticator]) }
          self.preferred_auth = 'Kerberos'
        else
          self.http_client = opts.fetch(:http_client) { Rex::Proto::Http::Client.new(opts[:host], opts[:port], {}, opts[:ssl], opts[:ssl_version], opts[:proxies], opts[:user], opts[:password]) }
          self.preferred_auth = 'Negotiate'
        end
        self.timeout = opts[:timeout]
        @mutex = Mutex.new
        self.uri = opts[:uri]
        self.vhost = opts[:vhost]
        if opts[:realm]
          http_client.set_config('domain' => opts[:realm])
        end
      end

      def peerinfo
        if http_client && http_client.conn
          http_client.conn.peerinfo
        end
      end

      def localinfo
        if http_client && http_client.conn
          http_client.conn.localinfo
        end
      end

      def krb_transform_response(encryptor, response)
        # OMI server doesn't always respond to encrypted messages with encrypted responses over SSL
        return unless response
        return if response.headers['Content-Type'] && response.headers['Content-Type'].first =~ (%r{\Aapplication/soap\+xml}i)
        return if response.body.empty?

        str = response.body.force_encoding('BINARY')
        str.sub!(%r{^.*Content-Type: application/octet-stream\r\n(.*)--Encrypted.*$}m, '\1')
        str.sub!(%r{^.*Content-Type: application/octet-stream\r\n(.*)-- Encrypted.*$}m, '\1')

        # Strip off the "encrypted message header length" token
        str = str[4, str.length-4]
        begin
          plaintext = encryptor.decrypt_and_verify(str)
        rescue Rex::Proto::Kerberos::Model::Error::KerberosError => exception
          raise WinRM::WinRMHTTPTransportError, "Could not decrypt Kerberos message (#{exception})"
        end
        response.body = plaintext
      end

      def krb_transform_request(encryptor, req)
        return req if !req.opts['data']
        opts = req.opts.dup

        body_type = 'application/HTTP-Kerberos-session-encrypted'
        opts['ctype'] = 'multipart/encrypted;protocol="' + body_type + '";boundary="Encrypted Boundary"'
        data = opts['data']
        emessage, header_length, pad_length = encryptor.encrypt_and_increment(data)
        emessage = [header_length].pack('V') + emessage

        opts['data'] = body(emessage, data.length + pad_length, body_type)
        Rex::Proto::Http::ClientRequest.new(opts)
      end

      # Performs decryption of the stream coming from the HTTP client
      def ntlm_transform_response(ntlm_client, response)
        # OMI server doesn't always respond to encrypted messages with encrypted responses over SSL
        return unless response
        return if response.headers['Content-Type'] && response.headers['Content-Type'].first =~ (%r{\Aapplication/soap\+xml}i)
        return if response.body.empty?

        str = response.body.force_encoding('BINARY')
        str.sub!(%r{^.*Content-Type: application/octet-stream\r\n(.*)--Encrypted.*$}m, '\1')

        signature = str[4..19]
        message = ntlm_client.session.unseal_message(str[20..-1])
        if ntlm_client.session.verify_signature(signature, message)
          response.body = message
          return
        else
          raise WinRM::WinRMHTTPTransportError, 'Could not decrypt NTLM message.'
        end
      end

      # Performs encryption of the stream being sent to the HTTP client
      def ntlm_transform_request(ntlm_client, req)
        return req if !req.opts['data']
        opts = req.opts.dup

        opts['ctype'] = 'multipart/encrypted;protocol="application/HTTP-SPNEGO-session-encrypted";boundary="Encrypted Boundary"'
        data = opts['data']
        emessage = ntlm_client.session.seal_message(data)
        signature = ntlm_client.session.sign_message(data)
        edata = "\x10\x00\x00\x00#{signature}#{emessage}"

        opts['data'] = body(edata, data.bytesize)
        Rex::Proto::Http::ClientRequest.new(opts)
      end

      def _send_request(message)
        @mutex.synchronize do
          opts = {
            'uri' => uri,
            'method' => 'POST',
            'agent' => 'Microsoft WinRM Client',
            'ctype' => 'application/soap+xml;charset=UTF-8',
            'no_body_for_auth' => true,
            'preferred_auth' => self.preferred_auth,
          }

          opts.merge!('vhost' => self.vhost) if self.vhost

          if message
            opts['data'] = message
            opts['krb_transform_request'] = method(:krb_transform_request)
            opts['krb_transform_response'] = method(:krb_transform_response)
            opts['ntlm_transform_request'] = method(:ntlm_transform_request)
            opts['ntlm_transform_response'] = method(:ntlm_transform_response)
          end
          request = http_client.request_cgi(opts)
          response = http_client.send_recv(request, timeout, true)
          if response
            WinRM::ResponseHandler.new(response.body, response.code).parse_to_xml
          else
            raise WinRM::WinRMHTTPTransportError, 'No response'
          end
        end
      end

      def send_request(message)
        _send_request(message)
      end

      protected

      attr_accessor :http_client, :uri, :timeout, :preferred_auth, :vhost
    end
  end
end