From 0d47952611198ef6b1163f366dc03922d20b1475 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Wed, 17 Apr 2024 09:42:04 +0200
Subject: Adding upstream version 7.94+git20230807.3be01efb1+dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 nselib/rdp.lua | 453 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 453 insertions(+)
 create mode 100644 nselib/rdp.lua

(limited to 'nselib/rdp.lua')

diff --git a/nselib/rdp.lua b/nselib/rdp.lua
new file mode 100644
index 0000000..e468a96
--- /dev/null
+++ b/nselib/rdp.lua
@@ -0,0 +1,453 @@
+---
+-- A minimal RDP (Remote Desktop Protocol) library. Currently has functionality to determine encryption
+-- and cipher support.
+--
+--
+-- @author Patrik Karlsson <patrik@cqure.net>
+-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
+--
+
+local nmap = require("nmap")
+local stdnse = require("stdnse")
+local string = require "string"
+local asn1 = require "asn1"
+_ENV = stdnse.module("rdp", stdnse.seeall)
+
+-- Server Core Data  2.2.1.4.2
+PROTO_VERSION = {
+  [0x00080001] = " RDP 4.0 server",
+  [0x00080004] = " RDP 5.x, 6.x, 7.x, or 8.x server",
+  [0x00080005] = " RDP 10.0 server",
+  [0x00080006] = " RDP 10.1 server",
+  [0x00080007] = " RDP 10.2 server",
+  [0x00080008] = " RDP 10.3 server",
+  [0x00080009] = " RDP 10.4 server",
+  [0x0008000A] = " RDP 10.5 server",
+  [0x0008000B] = " RDP 10.6 server",
+  [0x0008000C] = " RDP 10.7 server",
+}
+
+-- T.125 Result enumerated type
+CONNECT_RESPONSE_RESULT = {
+  [ 0] = "rt-successful",
+  [ 1] = "rt-domain-merging",
+  [ 2] = "rt-domain-not-hierarchical",
+  [ 3] = "rt-no-such-channel",
+  [ 4] = "rt-no-such-domain",
+  [ 5] = "rt-no-such-user",
+  [ 6] = "rt-not-admitted",
+  [ 7] = "rt-other-user-id",
+  [ 8] = "rt-parameters-unacceptable",
+  [ 9] = "rt-token-not-available",
+  [10] = "rt-token-not-possessed",
+  [11] = "rt-too-many-channels",
+  [12] = "rt-too-many-tokens",
+  [13] = "rt-too-many-users",
+  [14] = "rt-unspecified-failure",
+  [15] = "rt-user-rejected",
+}
+
+-- requestedProtocols - flag - RDP_NEG_REQ - MS-RDPBCGR 2.2.1.1.1
+PROTOCOL_RDP = 0         -- Standard RDP Security
+PROTOCOL_SSL = 1         -- TLS 1.0, 1.1, 1.2
+PROTOCOL_HYBRID = 2      -- CredSSP (NLA). TLS flag should be set as well
+PROTOCOL_RDSTLS = 4      -- RDSTLS
+PROTOCOL_HYBRID_EX = 8   -- CredSSP (NLA) with Early User Auth PDU
+
+Packet = {
+
+  TPKT = {
+
+    new = function(self, data)
+      local o = { data = tostring(data), version = 3 }
+      setmetatable(o, self)
+      self.__index = self
+      return o
+    end,
+
+    __tostring = function(self)
+      return string.pack(">BBI2",
+        self.version,
+        self.reserved or 0,
+        (self.data and #self.data + 4 or 4))
+      ..self.data
+    end,
+
+    parse = function(data)
+      local tpkt = Packet.TPKT:new()
+      local pos
+
+      tpkt.version, tpkt.reserved, tpkt.length, pos = string.unpack(">BBI2", data)
+      tpkt.data = data:sub(pos)
+      return tpkt
+    end
+  },
+
+  ITUT = {
+
+    new = function(self, code, data)
+      local o = { data = tostring(data), code = code }
+      setmetatable(o, self)
+      self.__index = self
+      return o
+    end,
+
+    parse = function(data)
+      local itut = Packet.ITUT:new()
+      local pos
+
+      itut.length, itut.code, pos = string.unpack("BB", data)
+
+      if ( itut.code == 0xF0 ) then
+        -- X.224 - Data TPDU (DT)
+        itut.eot, pos = string.unpack("B", data, pos)
+      elseif ( itut.code == 0xD0 ) then
+        -- X.224 - Connection Confirm (CC)
+        itut.dstref, itut.srcref, itut.class, pos = string.unpack(">I2I2B", data, pos)
+      end
+
+      itut.data = data:sub(pos)
+      return itut
+    end,
+
+    __tostring = function(self)
+      local len, eot
+      if self.code == 0xF0 then
+        eot = "\x80"
+        len = 2
+      else
+        eot = ""
+        len = #self.data + 1
+      end
+      local data = string.pack("BB",
+        len,
+        self.code or 0)
+      .. eot
+      .. self.data
+
+      return data
+    end,
+
+  },
+
+  ConfCreateResponse = {
+
+
+    new = function(self)
+      local o =  {}
+      setmetatable(o, self)
+      self.__index = self
+      return o
+    end,
+
+    parse = function(data)
+
+      local tag_decoder = {}
+
+      tag_decoder["\x0A"] = function( self, encStr, elen, pos )
+        return self.decodeInt(encStr, elen, pos)
+      end
+
+      local ccr = Packet.ConfCreateResponse:new()
+
+      local decoder = asn1.ASN1Decoder:new()
+      decoder:registerTagDecoders( tag_decoder )
+
+      local _, pos = decoder.decodeLength(data, 3)
+      local response_result, userdata
+      response_result, pos = decoder:decode(data, pos)
+      ccr.result = CONNECT_RESPONSE_RESULT[response_result]
+
+      ccr.calledConnectId, pos = decoder:decode(data, pos)
+
+      -- T.125 DomainParameters SEQUENCE
+      -- Not interested in its values now, just need to correctly parse
+      -- the block so we can arrive at userData
+      _, pos =  decoder:decode(data, pos)
+
+      -- T.125 userData OCTO string
+      userdata, _ =  decoder:decode(data, pos)
+
+      if userdata == nil then
+        return ccr
+      end
+
+      -- Hackery to avoid writing ASN.1 PER decoding. Skip over fixed length
+      -- T.124 ConnectData header. Decode the length since it can be multiple
+      -- bytes. Drops us where we need to be.
+       _, pos = asn1.ASN1Decoder.decodeLength(userdata, 22 )
+      local block_type, block_len
+      while userdata:len() > pos do
+        block_type, block_len  = string.unpack("<I2I2", userdata, pos)
+        if block_type == 0x0c01 then
+          -- 2.2.1.42 Server Core Data - TS_UD_SC_CORE
+          local proto_ver = string.unpack("<I4",userdata, pos + 4)
+          ccr.proto_version = ("RDP Protocol Version: %s"):format(PROTO_VERSION[proto_ver] or "Unknown")
+        elseif block_type == 0x0c02 then
+          -- 2.2.1.4.3 Server Security Data - TS_UD_SC_SEC1
+          ccr.enc_level = string.unpack("B", userdata, pos + 8)
+          ccr.enc_cipher= string.unpack("B", userdata, pos + 4)
+        end
+        pos = pos + block_len
+      end
+      return ccr
+    end,
+  },
+
+}
+
+Request = {
+
+  ConnectionRequest = {
+
+    new = function(self, proto)
+      local o = { proto = proto }
+      setmetatable(o, self)
+      self.__index = self
+      return o
+    end,
+
+    __tostring = function(self)
+      local cookie = "mstshash=nmap"
+
+      local data = string.pack(">I2I2B",
+        0x0000, -- dst reference
+        0x0000, -- src reference
+        0x00) -- class and options
+        .. ("Cookie: %s\r\n"):format(cookie)
+
+      if ( self.proto ) then
+        data = data .. string.pack("<BBI2I4",
+          0x01, -- TYPE_RDP_NEG_REQ
+          0x00, -- flags
+          0x0008, -- length
+          self.proto -- protocol
+        )
+      end
+      return tostring(Packet.TPKT:new(Packet.ITUT:new(0xE0, data)))
+    end
+  },
+
+  MCSConnectInitial = {
+
+    new = function(self, cipher, server_proto)
+      local o = { cipher = cipher, server_proto = server_proto }
+      setmetatable(o, self)
+      self.__index = self
+      return o
+    end,
+
+    __tostring = function(self)
+
+      local data = stdnse.fromhex(
+      "7f 65" .. -- BER: Application-Defined Type = APPLICATION 101,
+      "82 01 94" .. -- BER: Type Length = 404 bytes
+      "04 01 01" .. -- Connect-Initial::callingDomainSelector
+      "04 01 01" .. -- Connect-Initial::calledDomainSelector
+      "01 01 ff" .. -- Connect-Initial::upwardFlag = TRUE
+      "30 19" .. -- Connect-Initial::targetParameters (25 bytes)
+      "02 01 22" .. -- DomainParameters::maxChannelIds = 34
+      "02 01 02" .. -- DomainParameters::maxUserIds = 2
+      "02 01 00" .. -- DomainParameters::maxTokenIds = 0
+      "02 01 01" .. -- DomainParameters::numPriorities = 1
+      "02 01 00" .. -- DomainParameters::minThroughput = 0
+      "02 01 01" .. -- DomainParameters::maxHeight = 1
+      "02 02 ff ff" .. -- DomainParameters::maxMCSPDUsize = 65535
+      "02 01 02" .. -- DomainParameters::protocolVersion = 2
+      "30 19" .. -- Connect-Initial::minimumParameters (25 bytes)
+      "02 01 01" .. -- DomainParameters::maxChannelIds = 1
+      "02 01 01" .. -- DomainParameters::maxUserIds = 1
+      "02 01 01" .. -- DomainParameters::maxTokenIds = 1
+      "02 01 01" .. -- DomainParameters::numPriorities = 1
+      "02 01 00" .. -- DomainParameters::minThroughput = 0
+      "02 01 01" .. -- DomainParameters::maxHeight = 1
+      "02 02 04 20" .. -- DomainParameters::maxMCSPDUsize = 1056
+      "02 01 02" .. -- DomainParameters::protocolVersion = 2
+      "30 1c" .. -- Connect-Initial::maximumParameters (28 bytes)
+      "02 02 ff ff" .. -- DomainParameters::maxChannelIds = 65535
+      "02 02 fc 17" .. -- DomainParameters::maxUserIds = 64535
+      "02 02 ff ff" .. -- DomainParameters::maxTokenIds = 65535
+      "02 01 01" .. -- DomainParameters::numPriorities = 1
+      "02 01 00" .. -- DomainParameters::minThroughput = 0
+      "02 01 01" .. -- DomainParameters::maxHeight = 1
+      "02 02 ff ff" .. -- DomainParameters::maxMCSPDUsize = 65535
+      "02 01 02" .. -- DomainParameters::protocolVersion = 2
+      "04 82 01 33" .. -- Connect-Initial::userData (307 bytes)
+      "00 05" .. -- object length = 5 bytes
+      "00 14 7c 00 01" .. -- object
+      "81 2a" .. -- ConnectData::connectPDU length = 42 bytes
+      "00 08 00 10 00 01 c0 00 44 75 63 61 81 1c" .. -- PER encoded (ALIGNED variant of BASIC-PER) GCC Conference Create Request PDU
+      "01 c0 d8 00" .. -- TS_UD_HEADER::type = CS_CORE (0xc001), length = 216 bytes
+      "04 00 08 00" .. -- TS_UD_CS_CORE::version = 0x0008004
+      "00 05" .. -- TS_UD_CS_CORE::desktopWidth = 1280
+      "20 03" .. -- TS_UD_CS_CORE::desktopHeight = 1024
+      "01 ca" .. -- TS_UD_CS_CORE::colorDepth = RNS_UD_COLOR_8BPP (0xca01)
+      "03 aa" .. -- TS_UD_CS_CORE::SASSequence
+      "09 04 00 00" .. -- TS_UD_CS_CORE::keyboardLayout = 0x409 = 1033 = English (US)
+      "28 0a 00 00" .. -- TS_UD_CS_CORE::clientBuild = 2600
+      "45 00 4d 00 50 00 2d 00 4c 00 41 00 50 00 2d 00 " ..
+      "30 00 30 00 31 00 34 00 00 00 00 00 00 00 00 00 " .. -- TS_UD_CS_CORE::clientName = EMP-LAP-0014
+      "04 00 00 00" .. -- TS_UD_CS_CORE::keyboardType
+      "00 00 00 00" .. -- TS_UD_CS_CORE::keyboardSubtype
+      "0c 00 00 00" .. -- TS_UD_CS_CORE::keyboardFunctionKey
+      "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 " ..
+      "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 " ..
+      "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 " ..
+      "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 " .. -- TS_UD_CS_CORE::imeFileName = ""
+      "01 ca" .. -- TS_UD_CS_CORE::postBeta2ColorDepth = RNS_UD_COLOR_8BPP (0xca01)
+      "01 00" .. -- TS_UD_CS_CORE::clientProductId
+      "00 00 00 00" .. -- TS_UD_CS_CORE::serialNumber
+      "18 00" .. -- TS_UD_CS_CORE::highColorDepth = 24 bpp
+      "07 00" .. -- TS_UD_CS_CORE::supportedColorDepths =  24 bpp
+      "01 00" .. -- TS_UD_CS_CORE::earlyCapabilityFlags
+      "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 " ..
+      "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 " ..
+      "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 " ..
+      "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 " ..  -- TS_UD_CS_CORE::clientDigProductId
+      "00" .. -- TS_UD_CS_CORE::connectionType = 0 (not used as RNS_UD_CS_VALID_CONNECTION_TYPE not set)
+      "00")   -- TS_UD_CS_CORE::pad1octet
+      -- TS_UD_CS_CORE::serverSelectedProtocol
+      .. string.pack("<I4", self.server_proto or 0) .. stdnse.fromhex(
+      "04 c0 0c 00" .. -- TS_UD_HEADER::type = CS_CLUSTER (0xc004), length = 12 bytes
+      "09 00 00 00" .. -- TS_UD_CS_CLUSTER::Flags = 0x0d
+      "00 00 00 00" .. -- TS_UD_CS_CLUSTER::RedirectedSessionID
+      "02 c0 0c 00") -- TS_UD_HEADER::type = CS_SECURITY (0xc002), length = 12 bytes
+      -- "1b 00 00 00" .. -- TS_UD_CS_SEC::encryptionMethods
+      .. string.pack("<I4", self.cipher or 0) .. stdnse.fromhex(
+      "00 00 00 00" .. -- TS_UD_CS_SEC::extEncryptionMethods
+      "03 c0 2c 00" .. -- TS_UD_HEADER::type = CS_NET (0xc003), length = 44 bytes
+      "03 00 00 00" .. -- TS_UD_CS_NET::channelCount = 3
+      "72 64 70 64 72 00 00 00" .. -- CHANNEL_DEF::name = "rdpdr"
+      "00 00 80 80" .. -- CHANNEL_DEF::options = 0x80800000
+      "63 6c 69 70 72 64 72 00" .. -- CHANNEL_DEF::name = "cliprdr"
+      "00 00 a0 c0" .. -- CHANNEL_DEF::options = 0xc0a00000
+      "72 64 70 73 6e 64 00 00" .. -- CHANNEL_DEF::name = "rdpsnd"
+      "00 00 00 c0" -- CHANNEL_DEF::options = 0xc0000000
+      )
+      return tostring(Packet.TPKT:new(Packet.ITUT:new(0xF0, data)))
+    end
+
+  },
+
+}
+
+Response = {
+
+  ConnectionConfirm = {
+
+    new = function(self)
+      local o = { }
+      setmetatable(o, self)
+      self.__index = self
+      return o
+    end,
+
+    parse = function(data)
+      local cc = Response.ConnectionConfirm:new()
+
+      cc.tpkt = Packet.TPKT.parse(data)
+      cc.itut = Packet.ITUT.parse(cc.tpkt.data)
+      return cc
+    end,
+
+  },
+
+  MCSConnectResponse = {
+    new = function(self)
+      local o = { }
+      setmetatable(o, self)
+      self.__index = self
+      return o
+    end,
+
+    parse = function(data)
+      local cr = Response.MCSConnectResponse:new()
+
+      cr.tpkt = Packet.TPKT.parse(data)
+      cr.itut = Packet.ITUT.parse(cr.tpkt.data)
+      if ( cr.itut.code == 0xF0 ) then
+        -- X.224 - Data TPDU (DT)
+        cr.ccr  = Packet.ConfCreateResponse.parse(cr.itut.data)
+      end
+      return cr
+    end
+  }
+
+}
+
+Comm = {
+
+  -- Creates a new Comm instance
+  -- @param host table
+  -- @param port table
+  -- @return o instance of Comm
+  new = function(self, host, port)
+    local o = { host = host, port = port }
+    setmetatable(o, self)
+    self.__index = self
+    return o
+  end,
+
+  -- Connect to the server
+  -- @return status true on success, false on failure
+  -- @return err string containing error message, if status is false
+  connect = function(self)
+    self.socket = nmap.new_socket()
+    self.socket:set_timeout(5000)
+    if ( not(self.socket:connect(self.host, self.port)) ) then
+      return false, "Failed connecting to server"
+    end
+    return true
+  end,
+
+  -- Close the connection to the server
+  -- @return status true on success, false on failure
+  close = function(self)
+    return self.socket:close()
+  end,
+
+  -- Sends a message to the server
+  -- @param pkt an instance of Request.*
+  -- @return status true on success, false on failure
+  -- @return err string containing error message, if status is false
+  send = function(self, pkt)
+    return self.socket:send(tostring(pkt))
+  end,
+
+  -- Receives a message from the server
+  -- @return status true on success, false on failure
+  -- @return err string containing error message, if status is false
+  recv = function(self)
+    return self.socket:receive()
+  end,
+
+  -- Sends a message to the server and receives the response
+  -- @param pkt an instance of Request.*
+  -- @return status true on success, false on failure
+  -- @return err string containing error message, if status is false
+  --         pkt instance of Response.* on success
+  exch = function(self, pkt)
+    local status, err = self:send(pkt)
+    if ( not(status) ) then
+      return false, err
+    end
+
+    local _, data = self:recv()
+    if ( #data< 5 ) then
+      return false, "Packet too short"
+    end
+
+    local itut_code = string.byte(data, 6)
+    if ( itut_code == 0xD0 ) then
+      stdnse.debug2("RDP: Received ConnectionConfirm response")
+      return true, Response.ConnectionConfirm.parse(data)
+    elseif ( itut_code == 0xF0 ) then
+      return true, Response.MCSConnectResponse.parse(data)
+    elseif itut_code ~= nil then
+        stdnse.debug1(("comm:exch - Unknown itut_code: %s"):format(itut_code))
+    end
+    return false, "Received unhandled packet"
+  end,
+}
+
+return _ENV;
-- 
cgit v1.2.3