Some changes + NTLM challenge message

rdpy/protocol/rdp/lic.py

@@ -22,10 +22,11 @@
 @see: http://msdn.microsoft.com/en-us/library/cc241880.aspx
 """
 
-from rdpy.core.type import CompositeType, UInt8, UInt16Le, UInt32Le, String, sizeof, FactoryType, ArrayType, Stream
+from rdpy.core.type import CompositeType, CallableValue, UInt8, UInt16Le, UInt32Le, String, sizeof, FactoryType, ArrayType, Stream
 from rdpy.core.error import InvalidExpectedDataException
 import rdpy.core.log as log
-import sec, gcc
+import sec
+from t125 import gcc
 from rdpy.security import rc4
 from rdpy.security import rsa_wrapper as rsa
 
@@ -161,7 +162,7 @@ class ServerLicenseRequest(CompositeType):
     
     def __init__(self, readLen = None):
         CompositeType.__init__(self, readLen = readLen)
-        self.serverRandom = String("\x00" * 32, readLen = UInt8(32))
+        self.serverRandom = String("\x00" * 32, readLen = CallableValue(32))
         self.productInfo = ProductInformation()
         self.keyExchangeList = LicenseBinaryBlob(BinaryBlobType.BB_KEY_EXCHG_ALG_BLOB)
         self.serverCertificate = LicenseBinaryBlob(BinaryBlobType.BB_CERTIFICATE_BLOB)
@@ -182,7 +183,7 @@ class ClientNewLicenseRequest(CompositeType):
         #pure microsoft client ;-)
         #http://msdn.microsoft.com/en-us/library/1040af38-c733-4fb3-acd1-8db8cc979eda#id10
         self.platformId = UInt32Le(0x04000000 | 0x00010000)
-        self.clientRandom = String("\x00" * 32, readLen = UInt8(32))
+        self.clientRandom = String("\x00" * 32, readLen = CallableValue(32))
         self.encryptedPreMasterSecret = LicenseBinaryBlob(BinaryBlobType.BB_RANDOM_BLOB)
         self.ClientUserName = LicenseBinaryBlob(BinaryBlobType.BB_CLIENT_USER_NAME_BLOB)
         self.ClientMachineName = LicenseBinaryBlob(BinaryBlobType.BB_CLIENT_MACHINE_NAME_BLOB)
@@ -198,7 +199,7 @@ class ServerPlatformChallenge(CompositeType):
         CompositeType.__init__(self, readLen = readLen)
         self.connectFlags = UInt32Le()
         self.encryptedPlatformChallenge = LicenseBinaryBlob(BinaryBlobType.BB_ANY_BLOB)
-        self.MACData = String(readLen = UInt8(16))
+        self.MACData = String(readLen = CallableValue(16))
 
 class ClientPLatformChallengeResponse(CompositeType):
     """
@@ -211,7 +212,7 @@ class ClientPLatformChallengeResponse(CompositeType):
         CompositeType.__init__(self, readLen = readLen)
         self.encryptedPlatformChallengeResponse = LicenseBinaryBlob(BinaryBlobType.BB_DATA_BLOB)
         self.encryptedHWID = LicenseBinaryBlob(BinaryBlobType.BB_DATA_BLOB)
-        self.MACData = String(readLen = UInt8(16))
+        self.MACData = String(readLen = CallableValue(16))
 
 class LicPacket(CompositeType):
     """

rdpy/protocol/rdp/nla/ntlm.py

@@ -22,7 +22,7 @@
 @see: https://msdn.microsoft.com/en-us/library/cc236621.aspx
 """
 
-from rdpy.core.type import CompositeType, String, UInt8, UInt16Le, UInt24Le, UInt32Le
+from rdpy.core.type import CompositeType, CallableValue, String, UInt8, UInt16Le, UInt24Le, UInt32Le
 
 class MajorVersion(object):
     """
@@ -89,13 +89,14 @@ class Version(CompositeType):
 
 class NegotiateMessage(CompositeType):
     """
-    @summary: Negotiate capability of NTLM Authentication
+    @summary: Message send from client to server to negotiate capability of NTLM Authentication
     @see: https://msdn.microsoft.com/en-us/library/cc236641.aspx
     """
     def __init__(self):
         CompositeType.__init__(self)
         self.Signature = String("NTLMSSP\x00", constant = True)
-        self.MessageType = UInt32Le(0x00000001)
+        self.MessageType = UInt32Le(0x00000001, constant = True)
+        
         self.NegotiateFlags = UInt32Le(Negotiate.NTLMSSP_NEGOTIATE_KEY_EXCH |
                               Negotiate.NTLMSSP_NEGOTIATE_128 |
                               Negotiate.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY |
@@ -105,12 +106,41 @@ class NegotiateMessage(CompositeType):
                               Negotiate.NTLMSSP_NEGOTIATE_SEAL |
                               Negotiate.NTLMSSP_REQUEST_TARGET |
                               Negotiate.NTLMSSP_NEGOTIATE_UNICODE)
+        
         self.DomainNameLen = UInt16Le()
         self.DomainNameMaxLen = UInt16Le(lambda:self.DomainNameLen.value)
         self.DomainNameBufferOffset = UInt32Le()
+        
         self.WorkstationLen = UInt16Le()
         self.WorkstationMaxLen = UInt16Le(lambda:self.WorkstationLen.value)
         self.WorkstationBufferOffset = UInt32Le()
+        
         self.Version = Version(conditional = lambda:(self.NegotiateFlags & Negotiate.NTLMSSP_NEGOTIATE_VERSION))
+        
         self.Payload = String()
-        
+
+class ChallengeMessage(CompositeType):
+    """
+    @summary: Message send from server to client contains server challenge
+    @see: https://msdn.microsoft.com/en-us/library/cc236642.aspx
+    """
+    def __init__(self):
+        CompositeType.__init__(self)
+        self.Signature = String("NTLMSSP\x00", constant = True)
+        self.MessageType = UInt32Le(0x00000002, constant = True)
+        
+        self.TargetNameLen = UInt16Le()
+        self.TargetNameMaxLen = UInt16Le(lambda:self.TargetNameLen.value)
+        self.TargetNameBufferOffset = UInt32Le()
+        
+        self.NegotiateFlags = UInt32Le()
+        
+        self.ServerChallenge = String(readLen = CallableValue(8))
+        self.Reserved = String("\x00" * 8, readLen = CallableValue(8))
+        
+        self.TargetInfoLen = UInt16Le()
+        self.TargetInfoMaxLen = UInt16Le(lambda:self.TargetInfoLen.value)
+        self.TargetInfoBufferOffset = UInt32Le()
+        
+        self.Version = Version(conditional = lambda:(self.NegotiateFlags & Negotiate.NTLMSSP_NEGOTIATE_VERSION))
+        self.Payload = String()

rdpy/protocol/rdp/pdu/caps.py

@@ -24,7 +24,7 @@ Definition of structure use for capabilities nego
 Use in PDU layer
 """
 
-from rdpy.core.type import CompositeType, String, UInt8, UInt16Le, UInt32Le, sizeof, ArrayType, FactoryType
+from rdpy.core.type import CompositeType, CallableValue, String, UInt8, UInt16Le, UInt32Le, sizeof, ArrayType, FactoryType
     
 class CapsType(object):
     """
@@ -308,7 +308,7 @@ class OrderCapability(CompositeType):
     
     def __init__(self, readLen = None):
         CompositeType.__init__(self, readLen = readLen)
-        self.terminalDescriptor = String("\x00" * 16, readLen = UInt8(16))
+        self.terminalDescriptor = String("\x00" * 16, readLen = CallableValue(16))
         self.pad4octetsA = UInt32Le(0)
         self.desktopSaveXGranularity = UInt16Le(1)
         self.desktopSaveYGranularity = UInt16Le(20)
@@ -316,7 +316,7 @@ class OrderCapability(CompositeType):
         self.maximumOrderLevel = UInt16Le(1)
         self.numberFonts = UInt16Le()
         self.orderFlags = UInt16Le(OrderFlag.NEGOTIATEORDERSUPPORT)
-        self.orderSupport = ArrayType(UInt8, init = [UInt8(0) for _ in range (0, 32)],  readLen = UInt8(32))
+        self.orderSupport = ArrayType(UInt8, init = [UInt8(0) for _ in range (0, 32)],  readLen = CallableValue(32))
         self.textFlags = UInt16Le()
         self.orderSupportExFlags = UInt16Le()
         self.pad4octetsB = UInt32Le()
@@ -388,7 +388,7 @@ class InputCapability(CompositeType):
         #same value as gcc.ClientCoreSettings.keyboardFnKeys
         self.keyboardFunctionKey = UInt32Le()
         #same value as gcc.ClientCoreSettingrrs.imeFileName
-        self.imeFileName = String("\x00" * 64, readLen = UInt8(64))
+        self.imeFileName = String("\x00" * 64, readLen = CallableValue(64))
         
 class BrushCapability(CompositeType):
     """
@@ -412,7 +412,7 @@ class GlyphCapability(CompositeType):
     
     def __init__(self, readLen = None):
         CompositeType.__init__(self, readLen = readLen)
-        self.glyphCache = ArrayType(CacheEntry, init = [CacheEntry() for _ in range(0,10)], readLen = UInt8(10))
+        self.glyphCache = ArrayType(CacheEntry, init = [CacheEntry() for _ in range(0,10)], readLen = CallableValue(10))
         self.fragCache = UInt32Le()
         #all fonts are sent with bitmap format (very expensive)
         self.glyphSupportLevel = UInt16Le(GlyphSupport.GLYPH_SUPPORT_NONE)

rdpy/protocol/rdp/pdu/data.py

@@ -22,7 +22,7 @@ Implement the main graphic layer
 
 In this layer are managed all mains bitmap update orders end user inputs
 """
-from rdpy.core.type import CompositeType, String, UInt8, UInt16Le, UInt32Le, sizeof, ArrayType, FactoryType
+from rdpy.core.type import CompositeType, CallableValue, String, UInt8, UInt16Le, UInt32Le, sizeof, ArrayType, FactoryType
 from rdpy.core.error import InvalidExpectedDataException
 import rdpy.core.log as log
 import caps, order
@@ -670,7 +670,7 @@ class PersistentListPDU(CompositeType):
         self.bitMask = UInt8()
         self.pad2 = UInt8()
         self.pad3 = UInt16Le()
-        self.entries = ArrayType(PersistentListEntry, readLen = UInt16Le(lambda:(self.numEntriesCache0 + self.numEntriesCache1 + self.numEntriesCache2 + self.numEntriesCache3 + self.numEntriesCache4)))
+        self.entries = ArrayType(PersistentListEntry, readLen = CallableValue(lambda:(self.numEntriesCache0 + self.numEntriesCache1 + self.numEntriesCache2 + self.numEntriesCache3 + self.numEntriesCache4)))
 
 class ClientInputEventPDU(CompositeType):
     """
@@ -873,7 +873,7 @@ class BitmapData(CompositeType):
         self.flags = UInt16Le()
         self.bitmapLength = UInt16Le(lambda:(sizeof(self.bitmapComprHdr) + sizeof(self.bitmapDataStream)))
         self.bitmapComprHdr = BitmapCompressedDataHeader(bodySize = lambda:sizeof(self.bitmapDataStream), scanWidth = lambda:self.width.value, uncompressedSize = lambda:(self.width.value * self.height.value * self.bitsPerPixel.value), conditional = lambda:((self.flags.value & BitmapFlag.BITMAP_COMPRESSION) and not (self.flags.value & BitmapFlag.NO_BITMAP_COMPRESSION_HDR)))
-        self.bitmapDataStream = String(bitmapDataStream, readLen = UInt16Le(lambda:(self.bitmapLength.value if (not self.flags.value & BitmapFlag.BITMAP_COMPRESSION or self.flags.value & BitmapFlag.NO_BITMAP_COMPRESSION_HDR) else self.bitmapComprHdr.cbCompMainBodySize.value)))
+        self.bitmapDataStream = String(bitmapDataStream, readLen = CallableValue(lambda:(self.bitmapLength.value if (not self.flags.value & BitmapFlag.BITMAP_COMPRESSION or self.flags.value & BitmapFlag.NO_BITMAP_COMPRESSION_HDR) else self.bitmapComprHdr.cbCompMainBodySize.value)))
 
 class FastPathBitmapUpdateDataPDU(CompositeType):
     """

rdpy/protocol/rdp/rdp.py

@@ -27,7 +27,8 @@ import pdu.layer
 import pdu.data
 import pdu.caps
 import rdpy.core.log as log
-import tpkt, x224, mcs, gcc, sec
+import tpkt, x224, sec
+from t125 import mcs, gcc
 
 class RDPClientController(pdu.layer.PDUClientListener):
     """

rdpy/protocol/rdp/sec.py

@@ -22,8 +22,9 @@ RDP Standard security layer
 """
 
 import sha, md5
-import gcc, lic, tpkt, mcs
+import lic, tpkt
-from rdpy.core.type import CompositeType, Stream, UInt32Le, UInt16Le, String, sizeof, UInt8
+from t125 import gcc, mcs
+from rdpy.core.type import CompositeType, CallableValue, Stream, UInt32Le, UInt16Le, String, sizeof, UInt8
 from rdpy.core.layer import LayerAutomata, IStreamSender
 from rdpy.core.error import InvalidExpectedDataException
 from rdpy.core import log
@@ -308,8 +309,8 @@ class ClientSecurityExchangePDU(CompositeType):
     def __init__(self):
         CompositeType.__init__(self)
         self.length = UInt32Le(lambda:(sizeof(self) - 4))
-        self.encryptedClientRandom = String(readLen = UInt8(lambda:(self.length.value - 8)))
+        self.encryptedClientRandom = String(readLen = CallableValue(lambda:(self.length.value - 8)))
-        self.padding = String("\x00" * 8, readLen = UInt8(8))
+        self.padding = String("\x00" * 8, readLen = CallableValue(8))
         
 class RDPInfo(CompositeType):
     """
@@ -329,13 +330,13 @@ class RDPInfo(CompositeType):
         self.cbAlternateShell = UInt16Le(lambda:sizeof(self.alternateShell) - 2)
         self.cbWorkingDir = UInt16Le(lambda:sizeof(self.workingDir) - 2)
         #microsoft domain
-        self.domain = String(readLen = UInt16Le(lambda:self.cbDomain.value + 2), unicode = True)
+        self.domain = String(readLen = CallableValue(lambda:self.cbDomain.value + 2), unicode = True)
-        self.userName = String(readLen = UInt16Le(lambda:self.cbUserName.value + 2), unicode = True)
+        self.userName = String(readLen = CallableValue(lambda:self.cbUserName.value + 2), unicode = True)
-        self.password = String(readLen = UInt16Le(lambda:self.cbPassword.value + 2), unicode = True)
+        self.password = String(readLen = CallableValue(lambda:self.cbPassword.value + 2), unicode = True)
         #shell execute at start of session
-        self.alternateShell = String(readLen = UInt16Le(lambda:self.cbAlternateShell.value + 2), unicode = True)
+        self.alternateShell = String(readLen = CallableValue(lambda:self.cbAlternateShell.value + 2), unicode = True)
         #working directory for session
-        self.workingDir = String(readLen = UInt16Le(lambda:self.cbWorkingDir.value + 2), unicode = True)
+        self.workingDir = String(readLen = CallableValue(lambda:self.cbWorkingDir.value + 2), unicode = True)
         self.extendedInfo = RDPExtendedInfo(conditional = extendedInfoConditional)
         
 class RDPExtendedInfo(CompositeType):
@@ -408,7 +409,7 @@ class SecLayer(LayerAutomata, IStreamSender, tpkt.IFastPathListener, tpkt.IFastP
             self._decryptRc4 = rc4.RC4Key(self._currentDecrytKey)
             self._nbDecryptedPacket = 0
         
-        signature = String(readLen = UInt8(8))
+        signature = String(readLen = CallableValue(8))
         encryptedPayload = String()
         s.readType((signature, encryptedPayload))
         decrypted = rc4.crypt(self._decryptRc4, encryptedPayload.value)

rdpy/protocol/rdp/t125/gcc.py

@@ -23,7 +23,7 @@ http://msdn.microsoft.com/en-us/library/cc240508.aspx
 """
 
 import md5
-from rdpy.core.type import UInt8, UInt16Le, UInt32Le, CompositeType, String, Stream, sizeof, FactoryType, ArrayType
+from rdpy.core.type import UInt8, UInt16Le, UInt32Le, CompositeType, CallableValue, String, Stream, sizeof, FactoryType, ArrayType
 import per, mcs
 from rdpy.core.error import InvalidExpectedDataException
 from rdpy.core import log
@@ -252,18 +252,18 @@ class ClientCoreData(CompositeType):
         self.sasSequence = UInt16Le(Sequence.RNS_UD_SAS_DEL)
         self.kbdLayout = UInt32Le(KeyboardLayout.US)
         self.clientBuild = UInt32Le(3790)
-        self.clientName = String("rdpy" + "\x00"*11, readLen = UInt8(32), unicode = True)
+        self.clientName = String("rdpy" + "\x00"*11, readLen = CallableValue(32), unicode = True)
         self.keyboardType = UInt32Le(KeyboardType.IBM_101_102_KEYS)
         self.keyboardSubType = UInt32Le(0)
         self.keyboardFnKeys = UInt32Le(12)
-        self.imeFileName = String("\x00"*64, readLen = UInt8(64), optional = True)
+        self.imeFileName = String("\x00"*64, readLen = CallableValue(64), optional = True)
         self.postBeta2ColorDepth = UInt16Le(ColorDepth.RNS_UD_COLOR_8BPP, optional = True)
         self.clientProductId = UInt16Le(1, optional = True)
         self.serialNumber = UInt32Le(0, optional = True)
         self.highColorDepth = UInt16Le(HighColor.HIGH_COLOR_24BPP, optional = True)
         self.supportedColorDepths = UInt16Le(Support.RNS_UD_15BPP_SUPPORT | Support.RNS_UD_16BPP_SUPPORT | Support.RNS_UD_24BPP_SUPPORT | Support.RNS_UD_32BPP_SUPPORT, optional = True)
         self.earlyCapabilityFlags = UInt16Le(CapabilityFlags.RNS_UD_CS_SUPPORT_ERRINFO_PDU, optional = True)
-        self.clientDigProductId = String("\x00"*64, readLen = UInt8(64), optional = True)
+        self.clientDigProductId = String("\x00"*64, readLen = CallableValue(64), optional = True)
         self.connectionType = UInt8(optional = True)
         self.pad1octet = UInt8(optional = True)
         self.serverSelectedProtocol = UInt32Le(optional = True)
@@ -355,8 +355,8 @@ class ProprietaryServerCertificate(CompositeType):
         self.PublicKeyBlob = RSAPublicKey(readLen = self.wPublicKeyBlobLen)
         self.wSignatureBlobType = UInt16Le(0x0008, constant = True)
         self.wSignatureBlobLen = UInt16Le(lambda:(sizeof(self.SignatureBlob) + sizeof(self.padding)))
-        self.SignatureBlob = String(readLen = UInt16Le(lambda:(self.wSignatureBlobLen.value - sizeof(self.padding))))
+        self.SignatureBlob = String(readLen = CallableValue(lambda:(self.wSignatureBlobLen.value - sizeof(self.padding))))
-        self.padding = String(b"\x00" * 8, readLen = UInt8(8))
+        self.padding = String(b"\x00" * 8, readLen = CallableValue(8))
         
     def getPublicKey(self):
         """
@@ -418,7 +418,7 @@ class X509CertificateChain(CompositeType):
         CompositeType.__init__(self)
         self.NumCertBlobs = UInt32Le()
         self.CertBlobArray = ArrayType(CertBlob, readLen = self.NumCertBlobs)
-        self.padding = String(readLen = UInt8(lambda:(8 + 4 * self.NumCertBlobs.value)))
+        self.padding = String(readLen = CallableValue(lambda:(8 + 4 * self.NumCertBlobs.value)))
         
     def getPublicKey(self):
         """
@@ -447,8 +447,8 @@ class RSAPublicKey(CompositeType):
         self.bitlen = UInt32Le(lambda:((self.keylen.value - 8) * 8))
         self.datalen = UInt32Le(lambda:((self.bitlen.value / 8) - 1))
         self.pubExp = UInt32Le()
-        self.modulus = String(readLen = UInt16Le(lambda:(self.keylen.value - 8)))
+        self.modulus = String(readLen = CallableValue(lambda:(self.keylen.value - 8)))
-        self.padding = String("\x00" * 8, readLen = UInt8(8))
+        self.padding = String("\x00" * 8, readLen = CallableValue(8))
 
 class ChannelDef(CompositeType):
     """
@@ -458,7 +458,7 @@ class ChannelDef(CompositeType):
     def __init__(self, name = "", options = 0):
         CompositeType.__init__(self)
         #name of channel
-        self.name = String(name[0:8] + "\x00" * (8 - len(name)), readLen = UInt8(8))
+        self.name = String(name[0:8] + "\x00" * (8 - len(name)), readLen = CallableValue(8))
         #unknown
         self.options = UInt32Le()
         
@@ -554,7 +554,7 @@ def readConferenceCreateRequest(s):
     
     per.readOctetStream(s, h221_cs_key, 4)
     length = per.readLength(s)
-    clientSettings = Settings(readLen = UInt32Le(length))
+    clientSettings = Settings(readLen = CallableValue(length))
     s.readType(clientSettings)
     return clientSettings
     
@@ -578,7 +578,7 @@ def readConferenceCreateResponse(s):
         raise InvalidExpectedDataException("cannot read h221_sc_key")
     
     length = per.readLength(s)
-    serverSettings = Settings(readLen = UInt32Le(length))
+    serverSettings = Settings(readLen = CallableValue(length))
     s.readType(serverSettings)
     return serverSettings
 

rdpy/protocol/rdp/t125/mcs.py

@@ -27,7 +27,7 @@ It exist channel for file system order, audio channel, clipboard etc...
 from rdpy.core.layer import LayerAutomata, IStreamSender, Layer
 from rdpy.core.type import sizeof, Stream, UInt8, UInt16Le, String
 from rdpy.core.error import InvalidExpectedDataException, InvalidValue, InvalidSize, CallPureVirtualFuntion
-from rdpy.protocol.rdp.ber import writeLength
+from ber import writeLength
 import rdpy.core.log as log
 
 import ber, gcc, per

rdpy/protocol/rdp/tpkt.py

@@ -224,4 +224,12 @@ class TPKT(RawLayer, IFastPathSender):
                     must be called after startTLS function
         """
         #send first NTLM packet
-        self.transport.write(cssp.createBERRequest( [ ntlm.NegotiateMessage() ] ))
+        self.transport.write(cssp.createBERRequest( [ ntlm.NegotiateMessage() ] ))
+        
+        
+        
+    def readNTLMChallenge(self, data):
+        """
+        @summary: server NTLM challenge
+        """
+        

test/test_protocol_rdp_ber.py

@@ -26,7 +26,7 @@ import os, sys
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 
 import unittest
-import rdpy.protocol.rdp.ber as ber
+import rdpy.protocol.rdp.t125.ber as ber
 import rdpy.core.type as type
 import rdpy.core.error as error
 

test/test_protocol_rdp_per.py

@@ -26,7 +26,7 @@ import os, sys
 sys.path.insert(1, os.path.join(sys.path[0], '..'))
 
 import unittest
-import rdpy.protocol.rdp.per as per
+import rdpy.protocol.rdp.t125.per as per
 import rdpy.core.type as type
 import rdpy.core.error as error
 

test/test_protocol_rdp_x224.py

@@ -106,19 +106,6 @@ class X224Test(unittest.TestCase):
         layer.connect()
         
         self.assertRaises(X224Test.X224_PASS, layer.recv, type.String('\x01\x02'))  
-        
-    def test_x224_client_recvConnectionConfirm_negotiation_bad_protocol(self):
-        """
-        @summary:  unit test for X224Client.recvConnectionConfirm and sendConnectionRequest function
-                    Server ask another protocol than SSL or RDP
-        """
-        message = x224.ServerConnectionConfirm()
-        message.protocolNeg.selectedProtocol.value = x224.Protocols.PROTOCOL_HYBRID
-        s = type.Stream()
-        s.writeType(message)
-        s.pos = 0
-        layer = x224.Client(None)
-        self.assertRaises(error.InvalidExpectedDataException, layer.recvConnectionConfirm, s)
 
     def test_x224_client_recvConnectionConfirm_negotiation_failure(self):
         """