forked from NotMedic/rdp-tunnel
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrdpupload
executable file
·238 lines (179 loc) · 4.77 KB
/
rdpupload
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
#!/usr/bin/env python
#
# rdpupload 0.1 -- [email protected]
#
# upload binary file to rdesktop by simulating rdesktop keyboard input
# a.k.a "rdesktop scripting through X11 automation"
#
# this tool can be used to upload a binary on a Terminal Server when
# file sharing or clipboard support (through RDP) is blocked by the
# ecurity policy.
#
# X11 automation is performed with xte scripts (generated with -x).
# they are supposed to be run with the xte program from xautomation.
# http://hoopajoo.net/projects/xautomation.html
#
# supported encoding:
#
#
#
from sys import stderr
from os import path
import string
# debug.com encoder
def encode_debug(in_data, out_name):
i, j, line = 0, 256, ''
out = 'n %s\nr cx\n%x\nf 0100 ffff 00\n' % (out_name, len(in_data))
for c in in_data:
byte = ord(c)
if byte != 0:
i += 1
if not line: line = 'e %0x' % j
line += ' %02x' % byte
elif line:
out += line + '\n'
i, line = 0, ''
j += 1
if i == 20:
out += line + '\n'
i, line = 0, ''
return out
# VB encoder
def encode_vb(in_data, out_name):
off, size = 0, len(in_data)
out = """With CreateObject("ADODB.Stream")
.Type=2
.Open
"""
# out = """Dim x
#Set x=CreateObject("ADODB.Stream")
#x.Type=2
#x.Open
#"""
off, size = 0, len(in_data)
while off < size:
avail = min(size - off, 32)
out += '.WriteText '
#out += 'x.WriteText '
out += '&'.join('chr(%i)' % ord(b) for b in in_data[off:off+avail])
out += '\n'
off += avail
return out + '.SaveToFile "%s",2\n.Close\nEnd With\n' % out_name
#return out + 'x.SaveToFile "%s",2\n' % out_name
# xte encoder
def encode_xte(in_data, out, focus_delay=5.0, ksleep=1.0):
def xsleep(t, use_coeff=True):
out.write('usleep %i\n' % int(1000000*t*(use_coeff and ksleep or 1)))
word_charset = string.letters + string.digits + string.punctuation
byte2sym = {' ':'space', '\t':'Tab', '\n':'Return'}
word = ''
xsleep(focus_delay, False)
for byte in in_data:
if byte in word_charset:
word += byte
if len(word) > 6:
xsleep(0.080)
out.write('str %s\n' % word)
word = ''
elif byte == '\r':
continue
else:
if word:
if len(word) > 4: xsleep(0.080)
out.write('str %s\n' % word)
word = ''
if not byte2sym.has_key(byte):
stderr.write('error: byte 0x%x not allowed' % byte)
return
xsleep(0.050)
out.write('key %s\n' % byte2sym[byte])
if word:
out.write('str %s\n' % word)
if __name__ == '__main__':
from sys import argv, exit, stdin, stdout
from getopt import getopt, GetoptError
from os import path
def usage():
stderr.write("""
usage: %s [-x] [-f format] [-t delay] [-s coeff] <infile> <outfile>
-x,--xte generate xte script
-f,--format fmt input encoding (default is no encoding)
debug -> generate debug.com script
vb -> generate VB script
base64 -> generate base64 encoded payload
-t,--delay float delay before starting input simulation (default is 5 sec)
-s,--sleep float sleep factor (default is 1.0)
infile input file
outfile output file (ascii or xte script)
""" % argv[0])
exit(0)
# default config
xte_output = False
fmt = 'raw'
start_delay = 5.0
sleep_factor = 1.0
# parse arguments
argc = len(argv)
if argc < 3 or argc > 10:
usage()
try:
opts, args = getopt(argv[1:], 'hxf:t:s:', ['xte','format','delay','sleep'])
except GetoptError, err:
stderr.write('error: %s\n' % str(err))
exit(0)
if len(args) != 2:
usage()
for o, a in opts:
if o in ('-x','--xte'):
xte_output = True
elif o in ('-f','--format'):
if a not in ('debug','base64','vb'):
stderr.write('error: bad format\n')
exit(0)
fmt = a
elif o in ('-t','--delay'):
start_delay = float(a)
if start_delay <= 0:
stderr.write('error: bad start delay')
exit(0)
elif o in ('-s','--sleep'):
sleep_factor = float(a)
if sleep_factor <= 0:
stderr.write('error: bad sleep factor')
exit(0)
else:
usage()
try:
if args[0] == '-':
fin = stdin
out_name = 'outbin'
else:
fin = open(args[0], 'rb')
out_name = path.basename(args[0]).replace('.','_')
if args[1] == '-':
fout = stdout
else:
fout = open(args[1], 'wb')
except IOError, e:
stderr.write(str(e)+'\n')
# read input
data_in = fin.read()
fin.close()
# encode input
if fmt == 'raw':
data_out = data_in
elif fmt == 'debug':
if len(data_in) > 65280:
stderr.write('error: input file bigger than 65280 bytes\n')
exit(0)
data_out = encode_debug(data_in, out_name)
elif fmt == 'base64':
data_out = data_in.encode('base64')
elif fmt == 'vb':
data_out = encode_vb(data_in, out_name)
# encode output
if xte_output:
encode_xte(data_out, fout, start_delay, sleep_factor)
else:
fout.write(data_out)
fout.close()