#!/usr/bin/env python
#
# rdpupload 0.1 -- nicolas.collignon@hsc.fr
#
# upload binary file to rdesktop by simulating rdesktop keyboard input
# a.k.a "rdesktop scripting through X11 automation"
#
# this tool can be used to upload a binary on a Terminal Server when
# file sharing or clipboard support (through RDP) is blocked by the
# security policy.
#
# X11 automation is performed with xte scripts (generated with -x).
# they are supposed to be run with the xte program from xautomation.
# http://hoopajoo.net/projects/xautomation.html
#
# supported encoding:
#   debug  -> debug.com script
#   vb     -> VB script
#   base64 -> base64 encoded payload

import string
from os import path
from sys import stderr

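# debug.com encoder
def encode_debug(in_data, out_name):
    """Encode *in_data* as a script for the DOS ``debug`` program.

    The script names the target file (``n``), loads the byte count into CX
    (``r cx``, value in hex), zero-fills memory from 0100 to ffff (``f``) and
    then enters the non-zero bytes with ``e <addr> <hex> ...`` commands, at
    most 20 bytes per command.  Zero bytes are never entered explicitly: the
    fill already provides them.  No ``w`` or ``q`` command is emitted here.

    in_data  -- sequence of single characters (a Python 2 ``str``); the
                command-line front end rejects inputs above 65280 bytes
    out_name -- name placed after the ``n`` command, inserted verbatim

    Returns the script as one string.
    """
    script = ['n %s\nr cx\n%x\nf 0100 ffff 00\n' % (out_name, len(in_data))]
    pending = []        # hex digits of the 'e' command being assembled
    start = 0x100       # address of the first byte in `pending`

    # Data is addressed from offset 0x100, matching the fill range above.
    for addr, c in enumerate(in_data, 0x100):
        byte = ord(c)
        if byte:
            if not pending:
                start = addr
            pending.append('%02x' % byte)

        # A zero byte ends the current run; a run is also cut at 20 bytes
        # so that each generated line stays short.
        if pending and (byte == 0 or len(pending) == 20):
            script.append('e %0x %s\n' % (start, ' '.join(pending)))
            pending = []

    # Flush the final run.  Previously a run that was still open when the
    # input ended (fewer than 20 non-zero bytes, no trailing zero) was
    # silently dropped, so the reconstructed file was missing its tail.
    if pending:
        script.append('e %0x %s\n' % (start, ' '.join(pending)))

    return ''.join(script)
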
# VB encoder
def encode_vb(in_data, out_name):
    """Encode *in_data* as a VBScript fragment built on ``ADODB.Stream``.

    The fragment opens a stream with ``Type=2``, appends the data through
    ``.WriteText`` statements whose argument is a ``chr(n)&chr(n)&...``
    expression (32 input bytes per statement), then calls
    ``.SaveToFile "<out_name>",2`` and closes the stream.

    in_data  -- sequence of single characters (a Python 2 ``str``)
    out_name -- file name placed inside the ``SaveToFile`` string literal;
                it is inserted verbatim, without any quoting

    Returns the script as one string.
    """
    bytes_per_line = 32
    pieces = ['With CreateObject("ADODB.Stream")\n.Type=2\n.Open\n']

    for start in range(0, len(in_data), bytes_per_line):
        chunk = in_data[start:start + bytes_per_line]
        expr = '&'.join('chr(%i)' % ord(ch) for ch in chunk)
        pieces.append('.WriteText %s\n' % expr)

    pieces.append('.SaveToFile "%s",2\n.Close\nEnd With\n' % out_name)
    return ''.join(pieces)

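# xte encoder
def encode_xte(in_data, out, focus_delay=5.0, ksleep=1.0):
    """Write an xte script to *out* that types *in_data* as keyboard input.

    Printable characters are grouped into ``str <word>`` commands; space,
    tab and newline become ``key space`` / ``key Tab`` / ``key Return``;
    carriage returns are skipped.  ``usleep`` commands are inserted before
    keys and longer words so the receiving side can keep up.  The data
    reaches the session as keystrokes, which is why the RDP clipboard and
    file-sharing restrictions mentioned in the file header do not cover it.

    in_data     -- text to type (a Python 2 ``str``, read one character at
                   a time)
    out         -- object with a ``write`` method receiving the script
    focus_delay -- seconds to wait before the first keystroke; not scaled
    ksleep      -- multiplier applied to every other delay

    Returns None.  If a character cannot be typed, an error is written to
    stderr and the function returns early, leaving a partial script in *out*.
    """

    def xsleep(t, use_coeff=True):
        # `and/or` form kept on purpose: a falsy ksleep falls back to 1.
        out.write('usleep %i\n' % int(1000000*t*(use_coeff and ksleep or 1)))

    # ascii_letters equals string.letters in the default locale (this script
    # never changes it) and does not vary with the locale.
    word_charset = frozenset(
        string.ascii_letters + string.digits + string.punctuation)
    byte2sym = {' ': 'space', '\t': 'Tab', '\n': 'Return'}
    word = ''

    xsleep(focus_delay, False)

    for byte in in_data:

        if byte in word_charset:
            word += byte
            if len(word) > 6:
                xsleep(0.080)
                out.write('str %s\n' % word)
                word = ''

        elif byte == '\r':
            continue

        else:
            # Emit any word collected so far before the special key.
            if word:
                if len(word) > 4:
                    xsleep(0.080)
                out.write('str %s\n' % word)
                word = ''

            if byte not in byte2sym:
                # `byte` is a one-character string, so it has to go through
                # ord() for %x; formatting it directly raised TypeError
                # instead of printing the diagnostic.
                stderr.write('error: byte 0x%x not allowed\n' % ord(byte))
                return

            xsleep(0.050)
            out.write('key %s\n' % byte2sym[byte])

    if word:
        out.write('str %s\n' % word)
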
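if __name__ == '__main__':
    from sys import argv, exit, stdin, stdout
    from getopt import getopt, GetoptError
    from os import path

    def usage():
        """Write the command-line help to stderr and exit."""
        stderr.write("""
usage: %s [-x] [-f format] [-t delay] [-s coeff] <infile> <outfile>

   -x,--xte           generate xte script

   -f,--format fmt    input encoding (default is no encoding)
                         debug -> generate debug.com script
                         vb -> generate VB script
                         base64 -> generate base64 encoded payload

   -t,--delay float   delay before starting input simulation (default is 5 sec)
   -s,--sleep float   sleep factor (default is 1.0)

   infile             input file

   outfile            output file (ascii or xte script)

""" % argv[0])
        exit(0)

    def fail(msg):
        """Report *msg* on stderr and exit with a non-zero status."""
        stderr.write('error: %s\n' % msg)
        exit(1)

    def positive_float(text, what):
        """Parse *text* as a float greater than zero, or fail naming *what*."""
        try:
            value = float(text)
        except ValueError:
            fail('bad %s' % what)
        # `not value > 0` also rejects NaN, which `value <= 0` lets through.
        if not value > 0:
            fail('bad %s' % what)
        return value

    # default config

    xte_output = False
    fmt = 'raw'
    start_delay = 5.0
    sleep_factor = 1.0

    # parse arguments

    argc = len(argv)
    if argc < 3 or argc > 10:
        usage()

    try:
        # Long options that take a value need a trailing '='; without it
        # getopt treats --format/--delay/--sleep as flags and their values
        # are never read.
        opts, args = getopt(argv[1:], 'hxf:t:s:',
                            ['xte', 'format=', 'delay=', 'sleep='])
    except GetoptError as err:
        fail(str(err))

    if len(args) != 2:
        usage()

    for o, a in opts:

        if o in ('-x', '--xte'):
            xte_output = True

        elif o in ('-f', '--format'):
            if a not in ('debug', 'base64', 'vb'):
                fail('bad format')
            fmt = a

        elif o in ('-t', '--delay'):
            start_delay = positive_float(a, 'start delay')

        elif o in ('-s', '--sleep'):
            sleep_factor = positive_float(a, 'sleep factor')

        else:
            # -h ends up here as well
            usage()

    # open input and output; '-' selects stdin / stdout

    try:
        if args[0] == '-':
            fin = stdin
            out_name = 'outbin'
        else:
            fin = open(args[0], 'rb')
            # name embedded in the generated script: dots become underscores
            out_name = path.basename(args[0]).replace('.', '_')

        if args[1] == '-':
            fout = stdout
        else:
            fout = open(args[1], 'wb')

    except IOError as e:
        stderr.write(str(e)+'\n')
        # Stop here: carrying on would fail below on the unset fin/fout.
        exit(1)

    # read input

    data_in = fin.read()
    fin.close()

    # encode input

    if fmt == 'raw':
        data_out = data_in

    elif fmt == 'debug':
        # encode_debug places the data between 0100 and ffff: 65280 bytes.
        if len(data_in) > 65280:
            fail('input file bigger than 65280 bytes')

        data_out = encode_debug(data_in, out_name)

    elif fmt == 'base64':
        # Python 2 string codec; the rest of this script targets Python 2 too.
        data_out = data_in.encode('base64')

    elif fmt == 'vb':
        data_out = encode_vb(data_in, out_name)

    # encode output

    if xte_output:
        encode_xte(data_out, fout, start_delay, sleep_factor)
    else:
        fout.write(data_out)

    fout.close()
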