#!/usr/bin/env python
#
# rdpupload 0.1     -- nicolas.collignon@hsc.fr
#
# upload binary file to rdesktop by simulating rdesktop keyboard input
# a.k.a "rdesktop scripting through X11 automation"
#
# this tool can be used to upload a binary on a Terminal Server when
# file sharing or clipboard support (through RDP) is blocked by the
# security policy.
#
# X11 automation is performed with xte scripts (generated with -x).
# they are supposed to be run with the xte program from xautomation.
# http://hoopajoo.net/projects/xautomation.html
#
# supported encoding:
#
#
#

from sys import stderr
from os import path
import string

# debug.com encoder
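def encode_debug(in_data, out_name):
	"""Render in_data as the text of a DOS debug.com script.

	The script starts with a fixed header (``n <out_name>``, ``r cx`` followed
	by the hexadecimal length of in_data, then ``f 0100 ffff 00``) and continues
	with ``e <address> <hex bytes>`` lines. Addresses start at 0x100 and advance
	by one per input byte.

	Zero bytes are never written into an ``e`` line: they only close the line
	in progress. The ``f 0100 ffff 00`` header line appears to zero the buffer
	beforehand, which is what makes skipping them safe.

	in_data  -- byte string to encode (iterated one character at a time)
	out_name -- file name placed on the ``n`` line

	Returns the script as a string. No ``w`` or ``q`` command is appended.
	"""

	chunks = ['n %s\nr cx\n%x\nf 0100 ffff 00\n' % (out_name, len(in_data))]
	addr, pending, line = 256, 0, ''

	for c in in_data:

		byte = ord(c)
		if byte != 0:
			pending += 1
			# a new line starts at the address of its first non-zero byte
			if not line:
				line = 'e %0x' % addr
			line += ' %02x' % byte

		elif line:
			# a zero byte ends the current run; the next run restarts
			# at its own address
			chunks.append(line + '\n')
			pending, line = 0, ''

		addr += 1

		# cap every line at 20 data bytes
		if pending == 20:
			chunks.append(line + '\n')
			pending, line = 0, ''

	# the loop only flushes on a zero byte or a full line; without this the
	# last partial line (up to 19 bytes) was silently dropped from the script
	if line:
		chunks.append(line + '\n')

	return ''.join(chunks)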

# VB encoder
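def encode_vb(in_data, out_name):
	"""Render in_data as a VBScript that rebuilds it through ADODB.Stream.

	The script opens an ADODB.Stream with ``.Type=2`` (text mode), emits one
	``.WriteText`` line per group of at most 32 input bytes, each byte written
	as ``chr(<decimal>)`` and joined with ``&``, then saves the stream with
	``.SaveToFile "<out_name>",2`` (2 = create or overwrite) and closes it.

	in_data  -- byte string to encode (iterated one character at a time)
	out_name -- file name placed inside the SaveToFile string literal

	Returns the script as a string.
	"""
	# NOTE(review): the stream is text mode and no Charset is set here; whether
	# bytes above 0x7f round-trip unchanged depends on the stream's charset --
	# confirm before relying on this format for arbitrary binaries.
	parts = ['With CreateObject("ADODB.Stream")\n.Type=2\n.Open\n']

	for off in range(0, len(in_data), 32):
		group = in_data[off:off+32]
		parts.append('.WriteText ' + '&'.join('chr(%i)' % ord(b) for b in group) + '\n')

	# a double quote inside a VBScript string literal is written as "";
	# left as-is it would end the literal early and break the generated script
	quoted_name = out_name.replace('"', '""')
	parts.append('.SaveToFile "%s",2\n.Close\nEnd With\n' % quoted_name)

	return ''.join(parts)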

# xte encoder
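def encode_xte(in_data, out, focus_delay=5.0, ksleep=1.0):
	"""Write in_data to out as an xte script (``usleep`` / ``str`` / ``key``).

	The script starts with one ``usleep`` of focus_delay seconds, which is not
	scaled by ksleep. Runs of letters, digits and punctuation are emitted as
	``str <word>`` lines of at most 7 characters. Space, tab and newline become
	``key space`` / ``key Tab`` / ``key Return``, and carriage returns are
	dropped. Any other byte stops the encoding: a message goes to stderr and
	the function returns, leaving the partial script already written to out.

	Because the result is ordinary keyboard input, it passes through an RDP
	session even when clipboard and drive redirection are disabled; that
	policy on its own does not act as a file-transfer control.

	in_data     -- text to type (iterated one character at a time)
	out         -- object with a write() method receiving the script
	focus_delay -- seconds to wait before the first keystroke
	ksleep      -- multiplier applied to every later pause

	Returns None.
	"""

	def xsleep(t, use_coeff=True):
		# and/or idiom kept as is: a ksleep of 0 falls back to a factor of 1
		out.write('usleep %i\n' % int(1000000*t*(use_coeff and ksleep or 1)))

	# ascii_letters instead of string.letters: same characters unless a
	# locale has been set, and it does not depend on the Python version
	word_charset = string.ascii_letters + string.digits + string.punctuation
	byte2sym = {' ': 'space', '\t': 'Tab', '\n': 'Return'}
	word = ''

	xsleep(focus_delay, False)

	for byte in in_data:

		if byte in word_charset:
			word += byte
			# flush every 7 characters, with a pause before typing
			if len(word) > 6:
				xsleep(0.080)
				out.write('str %s\n' % word)
				word = ''

		elif byte == '\r':
			continue

		else:
			# a separator ends the pending word; only longer words get a pause
			if word:
				if len(word) > 4:
					xsleep(0.080)
				out.write('str %s\n' % word)
				word = ''

			if byte not in byte2sym:
				# byte is a one-character string, so %x needs its ordinal;
				# formatting the string itself raised TypeError instead of
				# reporting the rejected byte
				stderr.write('error: byte 0x%x not allowed' % ord(byte))
				return

			xsleep(0.050)
			out.write('key %s\n' % byte2sym[byte])

	# trailing word, typed without a pause
	if word:
		out.write('str %s\n' % word)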

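if __name__ == '__main__':
	# Command-line entry point: read <infile>, optionally encode it
	# (debug / vb / base64), then write it to <outfile> either as-is or
	# wrapped in an xte keystroke script (-x).
	from sys import argv, exit, stdin, stdout
	from getopt import getopt, GetoptError
	from os import path

	def usage():
		"""Print the command-line help on stderr and exit with status 0."""
		stderr.write("""
usage: %s [-x] [-f format] [-t delay] [-s coeff] <infile> <outfile>

 -x,--xte           generate xte script

 -f,--format fmt    input encoding (default is no encoding)
                       debug  -> generate debug.com script
                       vb     -> generate VB script
                       base64 -> generate base64 encoded payload

 -t,--delay float   delay before starting input simulation (default is 5 sec)
 -s,--sleep float   sleep factor (default is 1.0)

 infile             input file

 outfile            output file (ascii or xte script)

""" % argv[0])
		exit(0)

	def fail(msg):
		"""Report a fatal error on stderr and exit with a non-zero status."""
		stderr.write(msg.rstrip('\n') + '\n')
		exit(1)

	def positive_float(text, what):
		"""Parse text as a float > 0, or stop with 'error: bad <what>'."""
		try:
			value = float(text)
		except ValueError:
			fail('error: bad %s' % what)
		# 'not value > 0' also rejects NaN, which 'value <= 0' lets through
		if not value > 0:
			fail('error: bad %s' % what)
		return value

	# default config

	xte_output = False
	fmt = 'raw'
	start_delay = 5.0
	sleep_factor = 1.0

	# parse arguments

	argc = len(argv)
	if argc < 3 or argc > 10:
		usage()

	try:
		# getopt needs a trailing '=' on long options that take a value;
		# without it --format/--delay/--sleep never received their argument
		opts, args = getopt(argv[1:], 'hxf:t:s:', ['xte', 'format=', 'delay=', 'sleep='])
	except GetoptError as err:
		fail('error: %s' % str(err))

	if len(args) != 2:
		usage()

	for o, a in opts:

		if o in ('-x', '--xte'):
			xte_output = True

		elif o in ('-f', '--format'):
			if a not in ('debug', 'base64', 'vb'):
				fail('error: bad format')
			fmt = a

		elif o in ('-t', '--delay'):
			start_delay = positive_float(a, 'start delay')

		elif o in ('-s', '--sleep'):
			sleep_factor = positive_float(a, 'sleep factor')

		else:
			# -h and anything unexpected
			usage()

	try:
		if args[0] == '-':
			fin = stdin
			out_name = 'outbin'
		else:
			fin = open(args[0], 'rb')
			# name embedded in the generated script: input base name, dots -> '_'
			out_name = path.basename(args[0]).replace('.', '_')

		if args[1] == '-':
			fout = stdout
		else:
			fout = open(args[1], 'wb')

	except IOError as e:
		# stop here: carrying on would hit a NameError on fin / fout below
		fail(str(e))

	# read input

	data_in = fin.read()
	fin.close()

	# encode input

	if fmt == 'raw':
		data_out = data_in

	elif fmt == 'debug':
		# 65280 == 0xff00, the size of the 0100-ffff range the script fills
		if len(data_in) > 65280:
			fail('error: input file bigger than 65280 bytes')

		data_out = encode_debug(data_in, out_name)

	elif fmt == 'base64':
		data_out = data_in.encode('base64')

	elif fmt == 'vb':
		data_out = encode_vb(data_in, out_name)

	# encode output

	if xte_output:
		encode_xte(data_out, fout, start_delay, sleep_factor)
	else:
		fout.write(data_out)

	fout.close()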