release 1.2.2

README.md

@@ -1,25 +1,25 @@
 # RDPY [![Build Status](https://travis-ci.org/citronneur/rdpy.svg?branch=dev)](https://travis-ci.org/citronneur/rdpy)
 
-Remote Desktop Protocol in twisted PYthon.
+Remote Desktop Protocol in twisted python.
 
-RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (Client and Server Side). RDPY is built over the event driven network engine Twisted.
+RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client and server side). RDPY is built over the event driven network engine Twisted.
 
-RDPY provide RDP and VNC binaries :
+RDPY provides the following RDP and VNC binaries :
 * RDP Man In The Middle proxy which record session
 * RDP Honeypot
-* RDP screen shooter
+* RDP screenshoter
 * RDP client
 * VNC client
-* VNC screen shooter
+* VNC screenshoter
 * RSS Player
 
 ## Build
 
 RDPY is fully implemented in python, except the bitmap decompression algorithm which is implemented in C for performance purposes.
 
-### Depends
+### Dependencies
 
-Depends are only needed for pyqt4 binaries :
+Dependencies are only needed for pyqt4 binaries :
 * rdpy-rdpclient
 * rdpy-rdpscreenshot
 * rdpy-vncclient
@@ -28,7 +28,7 @@ Depends are only needed for pyqt4 binaries :
 
 #### Linux
 
-Exemple from Debian based system :
+Example for Debian based systems :
 ```
 sudo apt-get install python-qt4
 ```
@@ -53,7 +53,7 @@ Or use PIP:
 $ pip install rdpy
 ```
 
-For virtualenv, you need to link qt4 library to it:
+For virtualenv, you will need to link the qt4 library to it:
 ```
 $ ln -s /usr/lib/python2.7/dist-packages/PyQt4/ $VIRTUAL_ENV/lib/python2.7/site-packages/
 $ ln -s /usr/lib/python2.7/dist-packages/sip.so $VIRTUAL_ENV/lib/python2.7/site-packages/
@@ -65,13 +65,13 @@ RDPY comes with some very useful binaries. These binaries are linux and windows
 
 ### rdpy-rdpclient
 
-rdpy-rdpclient is a simple RDP Qt4 client .
+rdpy-rdpclient is a simple RDP Qt4 client.
 
 ```
 $ rdpy-rdpclient.py [-u username] [-p password] [-d domain] [-r rss_ouput_file] [...] XXX.XXX.XXX.XXX[:3389]
 ```
 
-You can use rdpy-rdpclient as Recorder Session Scenario, used in rdpy-rdphoneypot.
+You can use rdpy-rdpclient in a Recorder Session Scenario, used in rdpy-rdphoneypot.
 
 ### rdpy-vncclient
 
@@ -83,7 +83,7 @@ $ rdpy-vncclient.py [-p password] XXX.XXX.XXX.XXX[:5900]
 
 ### rdpy-rdpscreenshot
 
-rdpy-rdpscreenshot save login screen in file.
+rdpy-rdpscreenshot saves login screen in file.
 
 ```
 $ rdpy-rdpscreenshot.py [-w width] [-l height] [-o output_file_path] XXX.XXX.XXX.XXX[:3389]
@@ -91,7 +91,7 @@ $ rdpy-rdpscreenshot.py [-w width] [-l height] [-o output_file_path] XXX.XXX.XXX
 
 ### rdpy-vncscreenshot
 
-rdpy-vncscreenshot save first screen update in file.
+rdpy-vncscreenshot saves the first screen update in file.
 
 ```
 $ rdpy-vncscreenshot.py [-p password] [-o output_file_path] XXX.XXX.XXX.XXX[:5900]
@@ -100,24 +100,25 @@ $ rdpy-vncscreenshot.py [-p password] [-o output_file_path] XXX.XXX.XXX.XXX[:590
 ### rdpy-rdpmitm
 
 rdpy-rdpmitm is a RDP proxy allows you to do a Man In The Middle attack on RDP protocol.
-Record Session Scenario into rss file which can be replay by rdpy-rssplayer.
+Record Session Scenario into rss file which can be replayed by rdpy-rssplayer.
 
 ```
 $ rdpy-rdpmitm.py -o output_dir [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] [-r (for XP or server 2003 client)] target_host[:target_port]
 ```
 
-Output directory is use to save rss file with following format (YYYYMMDDHHMMSS_ip_index.rss)
+Output directory is used to save the rss file with following format (YYYYMMDDHHMMSS_ip_index.rss)
 The private key file and the certificate file are classic cryptographic files for SSL connections. The RDP protocol can negotiate its own security layer. The CredSSP security layer is planned for an upcoming release. If one of both parameters are omitted, the server use standard RDP as security layer.
 
 ### rdpy-rdphoneypot
 
-rdpy-rdphoneypot is a RDP honey Pot. Use Recorded Session Scenario to replay scenario through RDP Protocol.
+rdpy-rdphoneypot is an RDP honey Pot. Use Recorded Session Scenario to replay scenario through RDP Protocol.
 
 ```
-$ rdpy-rdphoneypot.py [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] rss_file_path
+$ rdpy-rdphoneypot.py [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] rss_file_path_1 ... rss_file_path_N
 ```
 
 The private key file and the certificate file are classic cryptographic files for SSL connections. The RDP protocol can negotiate its own security layer. The CredSSP security layer is planned for an upcoming release. If one of both parameters are omitted, the server use standard RDP as security layer.
+You can specify more than one files to match more common screen size.
 
 ### rdpy-rssplayer
 
@@ -133,7 +134,7 @@ RDPY can also be used as Qt widget through rdpy.ui.qt4.QRemoteDesktop class. It
 
 ## RDPY library
 
-In a nutshell the RDPY can be used as a protocol library with a twisted engine.
+In a nutshell RDPY can be used as a protocol library with a twisted engine.
 
 ### Simple RDP Client
 
@@ -144,14 +145,14 @@ class MyRDPFactory(rdp.ClientFactory):
 
 	def clientConnectionLost(self, connector, reason):
         reactor.stop()
-        
+
     def clientConnectionFailed(self, connector, reason):
         reactor.stop()
-        
+
     def buildObserver(self, controller, addr):
-    
+
         class MyObserver(rdp.RDPClientObserver)
-        
+
         	def onReady(self):
 		        """
 		        @summary: Call when stack is ready
@@ -160,7 +161,7 @@ class MyRDPFactory(rdp.ClientFactory):
 				self._controller.sendKeyEventUnicode(ord(unicode("r".toUtf8(), encoding="UTF-8")), True)
 				#mouse move and click at pixel 200x200
 				self._controller.sendPointerEvent(200, 200, 1, true)
-				
+
 			def onUpdate(self, destLeft, destTop, destRight, destBottom, width, height, bitsPerPixel, isCompress, data):
 		        """
 		        @summary: Notify bitmap update
@@ -174,7 +175,7 @@ class MyRDPFactory(rdp.ClientFactory):
 		        @param isCompress: use RLE compression
 		        @param data: bitmap data
 		        """
-				
+
 			def onClose(self):
 		        """
 		        @summary: Call when stack is close
@@ -194,15 +195,15 @@ from rdpy.protocol.rdp import rdp
 class MyRDPFactory(rdp.ServerFactory):
 
     def buildObserver(self, controller, addr):
-    
+
         class MyObserver(rdp.RDPServerObserver)
-        
+
         	def onReady(self):
         		"""
-        		@summary: Call when server is ready 
+        		@summary: Call when server is ready
         		to send and receive messages
         		"""
-        		
+
         	def onKeyEventScancode(self, code, isPressed):
         		"""
 		        @summary: Event call when a keyboard event is catch in scan code format
@@ -210,7 +211,7 @@ class MyRDPFactory(rdp.ServerFactory):
 		        @param isPressed: True if key is down
 		        @see: rdp.RDPServerObserver.onKeyEventScancode
 		        """
-	        
+
 	        def onKeyEventUnicode(self, code, isPressed):
 		        """
 		        @summary: Event call when a keyboard event is catch in unicode format
@@ -218,7 +219,7 @@ class MyRDPFactory(rdp.ServerFactory):
 		        @param isPressed: True if key is down
 		        @see: rdp.RDPServerObserver.onKeyEventUnicode
 		        """
-		    
+
 		    def onPointerEvent(self, x, y, button, isPressed):
 		        """
 		        @summary: Event call on mouse event
@@ -228,7 +229,7 @@ class MyRDPFactory(rdp.ServerFactory):
 		        @param isPressed: True if mouse button is pressed
 		        @see: rdp.RDPServerObserver.onPointerEvent
 		        """
-		        
+
 		    def onClose(self):
 		        """
 		        @summary: Call when human client close connection
@@ -244,19 +245,19 @@ reactor.run()
 
 ### Simple VNC Client
 ```python
-from rdpy.protocol.rfb import rdp
+from rdpy.protocol.rfb import rfb
 
 class MyRFBFactory(rfb.ClientFactory):
 
 	def clientConnectionLost(self, connector, reason):
         reactor.stop()
-        
+
     def clientConnectionFailed(self, connector, reason):
         reactor.stop()
-        
+
     def buildObserver(self, controller, addr):
         class MyObserver(rfb.RFBClientObserver)
-        		
+
 			def onReady(self):
 		        """
 		        @summary: Event when network stack is ready to receive or send event
@@ -273,18 +274,18 @@ class MyRFBFactory(rfb.ClientFactory):
 		        @param encoding: encoding type rfb.message.Encoding
 		        @param data: image data in accordance with pixel format and encoding
 		        """
-		        
+
 		    def onCutText(self, text):
 		        """
 		        @summary: event when server send cut text event
 		        @param text: text received
 		        """
-		        
+
 		    def onBell(self):
 		        """
 		        @summary: event when server send biiip
 		        """
-				
+
 			def onClose(self):
 		        """
 		        @summary: Call when stack is close

bin/rdpy-rdphoneypot.py

@@ -31,13 +31,15 @@ from twisted.internet import reactor
 log._LOG_LEVEL = log.Level.INFO
 
 class HoneyPotServer(rdp.RDPServerObserver):
-    def __init__(self, controller, rssFile):
+    def __init__(self, controller, rssFileSizeList):
         """
         @param controller: {RDPServerController}
+        @param rssFileSizeList: {Tuple} Tuple(Tuple(width, height), rssFilePath)
         """
         rdp.RDPServerObserver.__init__(self, controller)
-        self._rssFile = rssFile
+        self._rssFileSizeList = rssFileSizeList
         self._dx, self._dy = 0, 0
+        self._rssFile = None
         
     def onReady(self):
         """
@@ -47,6 +49,14 @@ class HoneyPotServer(rdp.RDPServerObserver):
                     restart a connection sequence
         @see: rdp.RDPServerObserver.onReady
         """
+        if self._rssFile is None:
+            #compute which RSS file to keep
+            width, height = self._controller.getScreen()
+            size = width * height
+            rssFilePath = sorted(self._rssFileSizeList, key = lambda x: abs(x[0][0] * x[0][1] - size))[0][1]
+            log.info("select file (%s, %s) -> %s"%(width, height, rssFilePath))
+            self._rssFile = rss.createReader(rssFilePath)
+        
         domain, username, password = self._controller.getCredentials()
         hostname = self._controller.getHostname()
         log.info("""Credentials:
@@ -89,7 +99,7 @@ class HoneyPotServer(rdp.RDPServerObserver):
             clientSize = nextEvent.event.width.value, nextEvent.event.height.value
             serverSize = self._controller.getScreen()
             
-            self._dx, self._dy = (serverSize[0] - clientSize[0]) / 2, (serverSize[1] - clientSize[1]) / 2
+            self._dx, self._dy = (max(0, serverSize[0] - clientSize[0]) / 2), max(0, (serverSize[1] - clientSize[1]) / 2)
             #restart connection sequence
             return
         
@@ -100,14 +110,14 @@ class HoneyPotServerFactory(rdp.ServerFactory):
     """
     @summary: Factory on listening events
     """
-    def __init__(self, rssFilePath, privateKeyFilePath, certificateFilePath):
+    def __init__(self, rssFileSizeList, privateKeyFilePath, certificateFilePath):
         """
-        @param rssFilePath: Recorded Session Scenario File path
+        @param rssFileSizeList: {Tuple} Tuple(Tuple(width, height), rssFilePath)
         @param privateKeyFilePath: {str} file contain server private key (if none -> back to standard RDP security)
         @param certificateFilePath: {str} file contain server certificate (if none -> back to standard RDP security)
         """
         rdp.ServerFactory.__init__(self, 16, privateKeyFilePath, certificateFilePath)
-        self._rssFilePath = rssFilePath
+        self._rssFileSizeList = rssFileSizeList
         
     def buildObserver(self, controller, addr):
         """
@@ -116,14 +126,27 @@ class HoneyPotServerFactory(rdp.ServerFactory):
         @see: rdp.ServerFactory.buildObserver
         """
         log.info("Connection from %s:%s"%(addr.host, addr.port))
-        return HoneyPotServer(controller, rss.createReader(self._rssFilePath))
+        return HoneyPotServer(controller, self._rssFileSizeList)
+    
+def readSize(filePath):
+    """
+    @summary: read size event in rss file
+    @param filePath: path of rss file
+    """
+    r = rss.createReader(filePath)
+    while True:
+        e = r.nextEvent()
+        if e is None:
+            return None
+        elif e.type.value == rss.EventType.SCREEN:
+            return e.event.width.value, e.event.height.value
     
 def help():
     """
     @summary: Print help in console
     """
     print """
-    Usage:  rdpy-rdphoneypot.py rss_filepath
+    Usage:  rdpy-rdphoneypot.py rss_filepath(1..n)
             [-l listen_port default 3389] 
             [-k private_key_file_path (mandatory for SSL)] 
             [-c certificate_file_path (mandatory for SSL)] 
@@ -133,6 +156,7 @@ if __name__ == '__main__':
     listen = "3389"
     privateKeyFilePath = None
     certificateFilePath = None
+    rssFileSizeList = []
     
     try:
         opts, args = getopt.getopt(sys.argv[1:], "hl:k:c:")
@@ -149,5 +173,12 @@ if __name__ == '__main__':
         elif opt == "-c":
             certificateFilePath = arg
     
-    reactor.listenTCP(int(listen), HoneyPotServerFactory(args[0], privateKeyFilePath, certificateFilePath))
+    #build size map
+    log.info("Build size map")
+    for arg in args:
+        size = readSize(arg)
+        rssFileSizeList.append((size, arg))
+        log.info("(%s, %s) -> %s"%(size[0], size[1], arg))
+    
+    reactor.listenTCP(int(listen), HoneyPotServerFactory(rssFileSizeList, privateKeyFilePath, certificateFilePath))
     reactor.run()

bin/rdpy-rdpscreenshot.py

@@ -121,7 +121,7 @@ class RDPScreenShotFactory(rdp.ClientFactory):
                 """
                 @summary: callback use when bitmap is received 
                 """
-                image = RDPBitmapToQtImage(destLeft, width, height, bitsPerPixel, isCompress, data);
+                image = RDPBitmapToQtImage(width, height, bitsPerPixel, isCompress, data);
                 with QtGui.QPainter(self._buffer) as qp:
                 #draw image
                     qp.drawImage(destLeft, destTop, image, 0, 0, destRight - destLeft + 1, destBottom - destTop + 1)

rdpy/core/rss.py

@@ -252,4 +252,5 @@ def createReader(path):
     @param path: {str} path of input file
     @return: {FileReader}
     """
-    return FileReader(open(path, "rb"))
+    with open(path, "rb") as f:
+        return FileReader(f)

rdpy/core/type.py

@@ -257,7 +257,7 @@ class SimpleType(Type, CallableValue):
         @raise InvalidSize: if there is not enough data in stream
         """
         if s.dataLen() < self._typeSize:
-            raise InvalidSize("Stream is too small to read expected Simple")
+            raise InvalidSize("Stream is too small to read expected SimpleType")
         self.value = struct.unpack(self._structFormat, s.read(self._typeSize))[0]
       
     def mask(self):
@@ -498,6 +498,9 @@ class CompositeType(Type):
         @summary: Call sizeof on each sub type
         @return: sum of sizeof of each Type attributes
         """
+        if self._is_readed and not self._readLen is None:
+            return self._readLen.value
+        
         size = 0
         for name in self._typeName:
             size += sizeof(self.__dict__[name])
@@ -808,7 +811,7 @@ class String(Type, CallableValue):
                 self.value = s.getvalue()[s.pos:]
             else:
                 self.value = ""
-                while self.value[-len(self._until):] != self._until or s.dataLen() == 0:
+                while self.value[-len(self._until):] != self._until and s.dataLen() != 0:
                     self.value += s.read(1)
         else:
             self.value = s.read(self._readLen.value)

rdpy/protocol/rdp/gcc.py

@@ -256,17 +256,17 @@ class ClientCoreData(CompositeType):
         self.keyboardType = UInt32Le(KeyboardType.IBM_101_102_KEYS)
         self.keyboardSubType = UInt32Le(0)
         self.keyboardFnKeys = UInt32Le(12)
-        self.imeFileName = String("\x00"*64, readLen = UInt8(64))
+        self.imeFileName = String("\x00"*64, readLen = UInt8(64), optional = True)
-        self.postBeta2ColorDepth = UInt16Le(ColorDepth.RNS_UD_COLOR_8BPP)
+        self.postBeta2ColorDepth = UInt16Le(ColorDepth.RNS_UD_COLOR_8BPP, optional = True)
-        self.clientProductId = UInt16Le(1)
+        self.clientProductId = UInt16Le(1, optional = True)
-        self.serialNumber = UInt32Le(0)
+        self.serialNumber = UInt32Le(0, optional = True)
-        self.highColorDepth = UInt16Le(HighColor.HIGH_COLOR_24BPP)
+        self.highColorDepth = UInt16Le(HighColor.HIGH_COLOR_24BPP, optional = True)
-        self.supportedColorDepths = UInt16Le(Support.RNS_UD_15BPP_SUPPORT | Support.RNS_UD_16BPP_SUPPORT | Support.RNS_UD_24BPP_SUPPORT | Support.RNS_UD_32BPP_SUPPORT)
+        self.supportedColorDepths = UInt16Le(Support.RNS_UD_15BPP_SUPPORT | Support.RNS_UD_16BPP_SUPPORT | Support.RNS_UD_24BPP_SUPPORT | Support.RNS_UD_32BPP_SUPPORT, optional = True)
-        self.earlyCapabilityFlags = UInt16Le(CapabilityFlags.RNS_UD_CS_SUPPORT_ERRINFO_PDU)
+        self.earlyCapabilityFlags = UInt16Le(CapabilityFlags.RNS_UD_CS_SUPPORT_ERRINFO_PDU, optional = True)
-        self.clientDigProductId = String("\x00"*64, readLen = UInt8(64))
+        self.clientDigProductId = String("\x00"*64, readLen = UInt8(64), optional = True)
-        self.connectionType = UInt8()
+        self.connectionType = UInt8(optional = True)
-        self.pad1octet = UInt8()
+        self.pad1octet = UInt8(optional = True)
-        self.serverSelectedProtocol = UInt32Le()
+        self.serverSelectedProtocol = UInt32Le(optional = True)
     
 class ServerCoreData(CompositeType):
     """
@@ -278,7 +278,8 @@ class ServerCoreData(CompositeType):
     def __init__(self, readLen = None):
         CompositeType.__init__(self, readLen = readLen)
         self.rdpVersion = UInt32Le(Version.RDP_VERSION_5_PLUS)
-        self.clientRequestedProtocol = UInt32Le()
+        self.clientRequestedProtocol = UInt32Le(optional = True)
+        self.earlyCapabilityFlags = UInt32Le(optional = True)
         
 class ClientSecurityData(CompositeType):
     """
@@ -353,8 +354,8 @@ class ProprietaryServerCertificate(CompositeType):
         self.wPublicKeyBlobLen = UInt16Le(lambda:sizeof(self.PublicKeyBlob))
         self.PublicKeyBlob = RSAPublicKey(readLen = self.wPublicKeyBlobLen)
         self.wSignatureBlobType = UInt16Le(0x0008, constant = True)
-        self.wSignatureBlobLen = UInt16Le(lambda:(sizeof(self.SignatureBlob) - 8))
+        self.wSignatureBlobLen = UInt16Le(lambda:(sizeof(self.SignatureBlob) + sizeof(self.padding)))
-        self.SignatureBlob = String(readLen = self.wSignatureBlobLen)
+        self.SignatureBlob = String(readLen = UInt16Le(lambda:(self.wSignatureBlobLen.value - sizeof(self.padding))))
         self.padding = String(b"\x00" * 8, readLen = UInt8(8))
         
     def getPublicKey(self):
@@ -380,7 +381,7 @@ class ProprietaryServerCertificate(CompositeType):
         md5Digest = md5.new()
         md5Digest.update(s.getvalue())
         
-        return md5Digest.digest() + "\x00" + "\xff" * 46 + "\x01"
+        return md5Digest.digest() + "\x00" + "\xff" * 45 + "\x01"
         
     def sign(self):
         """
@@ -463,7 +464,7 @@ class ChannelDef(CompositeType):
         
 class ClientNetworkData(CompositeType):
     """
-    GCC client network block
+    @summary: GCC client network block
     All channels asked by client are listed here
     @see: http://msdn.microsoft.com/en-us/library/cc240512.aspx
     """
@@ -476,7 +477,7 @@ class ClientNetworkData(CompositeType):
         
 class ServerNetworkData(CompositeType):
     """
-    GCC server network block
+    @summary: GCC server network block
     All channels asked by client are listed here
     @see: All channels asked by client are listed here
     """
@@ -491,7 +492,7 @@ class ServerNetworkData(CompositeType):
         
 class Settings(CompositeType):
     """
-    Class which group all clients settings supported by RDPY
+    @summary: Class which group all clients settings supported by RDPY
     """
     def __init__(self, init = [], readLen = None):
         CompositeType.__init__(self, readLen = readLen)
@@ -518,21 +519,21 @@ class Settings(CompositeType):
         
 def clientSettings():
     """
-    Build settings for client
+    @summary: Build settings for client
     @return: Settings
     """
     return Settings([ClientCoreData(), ClientNetworkData(), ClientSecurityData()])
 
 def serverSettings():
     """
-    Build settings for server
+    @summary: Build settings for server
     @return Settings
     """
     return Settings([ServerCoreData(), ServerSecurityData(), ServerNetworkData()])
         
 def readConferenceCreateRequest(s):
     """
-    Read a response from client
+    @summary: Read a response from client
     GCC create request
     @param s: Stream
     @param client settings (Settings)
@@ -559,7 +560,7 @@ def readConferenceCreateRequest(s):
     
 def readConferenceCreateResponse(s):
     """
-    Read response from server
+    @summary: Read response from server
     and return server settings read from this response
     @param s: Stream
     @return: ServerSettings 
@@ -583,7 +584,7 @@ def readConferenceCreateResponse(s):
 
 def writeConferenceCreateRequest(userData):
     """
-    Write conference create request structure
+    @summary: Write conference create request structure
     @param userData: Settings for client
     @return: GCC packet
     """
@@ -598,7 +599,7 @@ def writeConferenceCreateRequest(userData):
     
 def writeConferenceCreateResponse(serverData):
     """
-    Write a conference create response packet
+    @summary: Write a conference create response packet
     @param serverData: Settings for server
     @return: gcc packet
     """
@@ -607,6 +608,6 @@ def writeConferenceCreateResponse(serverData):
     
     return (per.writeChoice(0), per.writeObjectIdentifier(t124_02_98_oid),
             per.writeLength(len(serverDataStream.getvalue()) + 14), per.writeChoice(0x14),
-            per.writeInteger16(0x79F3, 1001), per.writeInteger(1), per.writeEnumerates(16),
+            per.writeInteger16(0x79F3, 1001), per.writeInteger(1), per.writeEnumerates(0),
             per.writeNumberOfSet(1), per.writeChoice(0xc0),
             per.writeOctetStream(h221_sc_key, 4), per.writeOctetStream(serverDataStream.getvalue()))

rdpy/protocol/rdp/lic.py

@@ -97,8 +97,8 @@ class LicenseBinaryBlob(CompositeType):
     @summary: Blob use by license manager to exchange security data
     @see: http://msdn.microsoft.com/en-us/library/cc240481.aspx
     """
-    def __init__(self, blobType = BinaryBlobType.BB_ANY_BLOB):
+    def __init__(self, blobType = BinaryBlobType.BB_ANY_BLOB, optional = False):
-        CompositeType.__init__(self)
+        CompositeType.__init__(self, optional = optional)
         self.wBlobType = UInt16Le(blobType, constant = True if blobType != BinaryBlobType.BB_ANY_BLOB else False)
         self.wBlobLen = UInt16Le(lambda:sizeof(self.blobData))
         self.blobData = String(readLen = self.wBlobLen)
@@ -110,11 +110,11 @@ class LicensingErrorMessage(CompositeType):
     """
     _MESSAGE_TYPE_ = MessageType.ERROR_ALERT
     
-    def __init__(self):
+    def __init__(self, readLen = None):
-        CompositeType.__init__(self)
+        CompositeType.__init__(self, readLen = readLen)
         self.dwErrorCode = UInt32Le()
         self.dwStateTransition = UInt32Le()
-        self.blob = LicenseBinaryBlob(BinaryBlobType.BB_ERROR_BLOB)
+        self.blob = LicenseBinaryBlob(BinaryBlobType.BB_ANY_BLOB)
         
 class ProductInformation(CompositeType):
     """
@@ -159,8 +159,8 @@ class ServerLicenseRequest(CompositeType):
     """
     _MESSAGE_TYPE_ = MessageType.LICENSE_REQUEST
     
-    def __init__(self):
+    def __init__(self, readLen = None):
-        CompositeType.__init__(self)
+        CompositeType.__init__(self, readLen = readLen)
         self.serverRandom = String("\x00" * 32, readLen = UInt8(32))
         self.productInfo = ProductInformation()
         self.keyExchangeList = LicenseBinaryBlob(BinaryBlobType.BB_KEY_EXCHG_ALG_BLOB)
@@ -175,8 +175,8 @@ class ClientNewLicenseRequest(CompositeType):
     """
     _MESSAGE_TYPE_ = MessageType.NEW_LICENSE_REQUEST
     
-    def __init__(self):
+    def __init__(self, readLen = None):
-        CompositeType.__init__(self)
+        CompositeType.__init__(self, readLen = readLen)
         #RSA and must be only RSA
         self.preferredKeyExchangeAlg = UInt32Le(0x00000001, constant = True)
         #pure microsoft client ;-)
@@ -194,8 +194,8 @@ class ServerPlatformChallenge(CompositeType):
     """
     _MESSAGE_TYPE_ = MessageType.PLATFORM_CHALLENGE
     
-    def __init__(self):
+    def __init__(self, readLen = None):
-        CompositeType.__init__(self)
+        CompositeType.__init__(self, readLen = readLen)
         self.connectFlags = UInt32Le()
         self.encryptedPlatformChallenge = LicenseBinaryBlob(BinaryBlobType.BB_ANY_BLOB)
         self.MACData = String(readLen = UInt8(16))
@@ -207,8 +207,8 @@ class ClientPLatformChallengeResponse(CompositeType):
     """
     _MESSAGE_TYPE_ = MessageType.PLATFORM_CHALLENGE_RESPONSE
     
-    def __init__(self):
+    def __init__(self, readLen = None):
-        CompositeType.__init__(self)
+        CompositeType.__init__(self, readLen = readLen)
         self.encryptedPlatformChallengeResponse = LicenseBinaryBlob(BinaryBlobType.BB_DATA_BLOB)
         self.encryptedHWID = LicenseBinaryBlob(BinaryBlobType.BB_DATA_BLOB)
         self.MACData = String(readLen = UInt8(16))
@@ -231,7 +231,7 @@ class LicPacket(CompositeType):
             """
             for c in [LicensingErrorMessage, ServerLicenseRequest, ClientNewLicenseRequest, ServerPlatformChallenge, ClientPLatformChallengeResponse]:
                 if self.bMsgtype.value == c._MESSAGE_TYPE_:
-                    return c()
+                    return c(readLen = self.wMsgSize - 4)
             log.debug("unknown license message : %s"%self.bMsgtype.value)
             return String()
         

rdpy/protocol/rdp/mcs.py

@@ -515,15 +515,16 @@ class Server(MCSLayer):
         self.readDomainParams(data)
         self.readDomainParams(data)
         self._clientSettings = gcc.readConferenceCreateRequest(Stream(ber.readOctetString(data)))
-         
+        
-        i = 1
+        if not self._clientSettings.CS_NET is None:
-        for channelDef in self._clientSettings.getBlock(gcc.MessageType.CS_NET).channelDefArray._array:
+            i = 1
-            self._serverSettings.getBlock(gcc.MessageType.SC_NET).channelIdArray._array.append(UInt16Le(i + Channel.MCS_GLOBAL_CHANNEL))
+            for channelDef in self._clientSettings.CS_NET.channelDefArray._array:
-            #if channel can be handle by serve add it
+                self._serverSettings.SC_NET.channelIdArray._array.append(UInt16Le(i + Channel.MCS_GLOBAL_CHANNEL))
-            for serverChannelDef, layer in self._virtualChannels:
+                #if channel can be handle by serve add it
-                if channelDef.name == serverChannelDef.name:
+                for serverChannelDef, layer in self._virtualChannels:
-                    self._channels[i + Channel.MCS_GLOBAL_CHANNEL] = layer
+                    if channelDef.name == serverChannelDef.name:
-            i += 1
+                        self._channels[i + Channel.MCS_GLOBAL_CHANNEL] = layer
+                i += 1
         
         self.sendConnectResponse()
         self.setNextState(self.recvErectDomainRequest)

rdpy/protocol/rdp/pdu/data.py

@@ -429,7 +429,8 @@ class ShareControlHeader(CompositeType):
         #share control header
         self.totalLength = UInt16Le(totalLength)
         self.pduType = UInt16Le(pduType)
-        self.PDUSource = UInt16Le(userId)
+        #for xp sp3 and deactiveallpdu PDUSource may not be present
+        self.PDUSource = UInt16Le(userId, optional = True)
         
 class ShareDataHeader(CompositeType):
     """
@@ -519,7 +520,9 @@ class DeactiveAllPDU(CompositeType):
     _PDUTYPE_ = PDUType.PDUTYPE_DEACTIVATEALLPDU
     
     def __init__(self):
-        CompositeType.__init__(self)
+        #in old version this packet is empty i don't know
+        #and not specified
+        CompositeType.__init__(self, optional = True)
         self.shareId = UInt32Le()
         self.lengthSourceDescriptor = UInt16Le(lambda:sizeof(self.sourceDescriptor))
         self.sourceDescriptor = String("rdpy", readLen = self.lengthSourceDescriptor)

rdpy/protocol/rdp/pdu/layer.py

@@ -179,6 +179,9 @@ class Client(PDULayer):
         
         for cap in pdu.pduMessage.capabilitySets._array:
             self._serverCapabilities[cap.capabilitySetType] = cap
+            
+        #secure checksum cap here maybe protocol (another) design error
+        self._transport._enableSecureCheckSum = bool(self._serverCapabilities[caps.CapsType.CAPSTYPE_GENERAL].capability.extraFlags & caps.GeneralExtraFlag.ENC_SALTED_CHECKSUM)
         
         self.sendConfirmActivePDU()
         #send synchronize
@@ -312,7 +315,7 @@ class Client(PDULayer):
         generalCapability = self._clientCapabilities[caps.CapsType.CAPSTYPE_GENERAL].capability
         generalCapability.osMajorType.value = caps.MajorType.OSMAJORTYPE_WINDOWS
         generalCapability.osMinorType.value = caps.MinorType.OSMINORTYPE_WINDOWS_NT
-        generalCapability.extraFlags.value = caps.GeneralExtraFlag.LONG_CREDENTIALS_SUPPORTED | caps.GeneralExtraFlag.NO_BITMAP_COMPRESSION_HDR
+        generalCapability.extraFlags.value = caps.GeneralExtraFlag.LONG_CREDENTIALS_SUPPORTED | caps.GeneralExtraFlag.NO_BITMAP_COMPRESSION_HDR | caps.GeneralExtraFlag.ENC_SALTED_CHECKSUM
         if not self._fastPathSender is None:
             generalCapability.extraFlags.value |= caps.GeneralExtraFlag.FASTPATH_OUTPUT_SUPPORTED
         
@@ -413,6 +416,9 @@ class Server(PDULayer):
         #find use full flag
         self._clientFastPathSupported = bool(self._clientCapabilities[caps.CapsType.CAPSTYPE_GENERAL].capability.extraFlags.value & caps.GeneralExtraFlag.FASTPATH_OUTPUT_SUPPORTED)
         
+        #secure checksum cap here maybe protocol (another) design error
+        self._transport._enableSecureCheckSum = bool(self._clientCapabilities[caps.CapsType.CAPSTYPE_GENERAL].capability.extraFlags & caps.GeneralExtraFlag.ENC_SALTED_CHECKSUM)
+        
         self.setNextState(self.recvClientSynchronizePDU)
         
     def recvClientSynchronizePDU(self, s):
@@ -525,7 +531,7 @@ class Server(PDULayer):
         generalCapability = self._serverCapabilities[caps.CapsType.CAPSTYPE_GENERAL].capability
         generalCapability.osMajorType.value = caps.MajorType.OSMAJORTYPE_WINDOWS
         generalCapability.osMinorType.value = caps.MinorType.OSMINORTYPE_WINDOWS_NT
-        generalCapability.extraFlags.value = caps.GeneralExtraFlag.LONG_CREDENTIALS_SUPPORTED | caps.GeneralExtraFlag.NO_BITMAP_COMPRESSION_HDR | caps.GeneralExtraFlag.FASTPATH_OUTPUT_SUPPORTED
+        generalCapability.extraFlags.value = caps.GeneralExtraFlag.LONG_CREDENTIALS_SUPPORTED | caps.GeneralExtraFlag.NO_BITMAP_COMPRESSION_HDR | caps.GeneralExtraFlag.FASTPATH_OUTPUT_SUPPORTED | caps.GeneralExtraFlag.ENC_SALTED_CHECKSUM
         
         inputCapability = self._serverCapabilities[caps.CapsType.CAPSTYPE_INPUT].capability
         inputCapability.inputFlags.value = caps.InputFlags.INPUT_FLAG_SCANCODES | caps.InputFlags.INPUT_FLAG_MOUSEX

rdpy/protocol/rdp/sec.py

@@ -164,12 +164,12 @@ def macData(macSaltKey, data):
     md5Digest = md5.new()
     
     #encode length
-    s = Stream()
+    dataLength = Stream()
-    s.writeType(UInt32Le(len(data)))
+    dataLength.writeType(UInt32Le(len(data)))
     
     sha1Digest.update(macSaltKey)
     sha1Digest.update("\x36" * 40)
-    sha1Digest.update(s.getvalue())
+    sha1Digest.update(dataLength.getvalue())
     sha1Digest.update(data)
     
     sha1Sig = sha1Digest.digest()
@@ -180,6 +180,38 @@ def macData(macSaltKey, data):
     
     return md5Digest.digest()
 
+def macSaltedData(macSaltKey, data, encryptionCount):
+    """
+    @see: https://msdn.microsoft.com/en-us/library/cc240789.aspx
+    @param macSaltKey: {str} mac key
+    @param data: {str} data to sign
+    @param encryptionCount: nb encrypted packet
+    @return: {str} signature
+    """
+    sha1Digest = sha.new()
+    md5Digest = md5.new()
+    
+    #encode length
+    dataLengthS = Stream()
+    dataLengthS.writeType(UInt32Le(len(data)))
+    
+    encryptionCountS = Stream()
+    encryptionCountS.writeType(UInt32Le(encryptionCount))
+    
+    sha1Digest.update(macSaltKey)
+    sha1Digest.update("\x36" * 40)
+    sha1Digest.update(dataLengthS.getvalue())
+    sha1Digest.update(data)
+    sha1Digest.update(encryptionCountS.getvalue())
+    
+    sha1Sig = sha1Digest.digest()
+    
+    md5Digest.update(macSaltKey)
+    md5Digest.update("\x5c" * 48)
+    md5Digest.update(sha1Sig)
+    
+    return md5Digest.digest()
+
 def tempKey(initialKey, currentKey):
     """
     @see: http://msdn.microsoft.com/en-us/library/cc240792.aspx
@@ -342,6 +374,9 @@ class SecLayer(LayerAutomata, IStreamSender, tpkt.IFastPathListener, tpkt.IFastP
         #True if classic encryption is enable
         self._enableEncryption = False
         
+        #Enable Secure Mac generation
+        self._enableSecureCheckSum = False
+        
         #initialise decrypt and encrypt keys
         self._macKey = None
         self._initialDecrytKey = None
@@ -358,10 +393,11 @@ class SecLayer(LayerAutomata, IStreamSender, tpkt.IFastPathListener, tpkt.IFastP
         self._encryptRc4 = None
         
     
-    def readEncryptedPayload(self, s):
+    def readEncryptedPayload(self, s, saltedMacGeneration):
         """
         @summary: decrypt basic RDP security payload
         @param s: {Stream} encrypted stream
+        @param saltedMacGeneration: {bool} use salted mac generation
         @return: {Stream} decrypted
         """
         #if update is needed
@@ -378,18 +414,22 @@ class SecLayer(LayerAutomata, IStreamSender, tpkt.IFastPathListener, tpkt.IFastP
         decrypted = rc4.crypt(self._decryptRc4, encryptedPayload.value)
 
         #ckeck signature
-        if macData(self._macKey, decrypted)[:8] != signature.value:
+        if not saltedMacGeneration and macData(self._macKey, decrypted)[:8] != signature.value:
-            raise InvalidExpectedDataException("Bad packet signature")
+            raise InvalidExpectedDataException("bad signature")
+        
+        if saltedMacGeneration and macSaltedData(self._macKey, decrypted, self._nbDecryptedPacket)[:8] != signature.value:
+            raise InvalidExpectedDataException("bad signature")
         
         #count
         self._nbDecryptedPacket += 1
 
         return Stream(decrypted)
     
-    def writeEncryptedPayload(self, data):
+    def writeEncryptedPayload(self, data, saltedMacGeneration):
         """
         @summary: sign and crypt data
-        @param s: {Stream} raw stream
+        @param data: {Type} raw stream
+        @param saltedMacGeneration: {bool} use salted mac generation
         @return: {Tuple} (signature, encryptedData)
         """
         if self._nbEncryptedPacket == 4096:
@@ -400,9 +440,14 @@ class SecLayer(LayerAutomata, IStreamSender, tpkt.IFastPathListener, tpkt.IFastP
             self._nbEncryptedPacket = 0
             
         self._nbEncryptedPacket += 1
+        
         s = Stream()
         s.writeType(data)
-        return (String(macData(self._macKey, s.getvalue())[:8]), String(rc4.crypt(self._encryptRc4, s.getvalue())))
+        
+        if saltedMacGeneration:
+            return (String(macSaltedData(self._macKey, s.getvalue(), self._nbEncryptedPacket - 1)[:8]), String(rc4.crypt(self._encryptRc4, s.getvalue())))
+        else:
+            return (String(macData(self._macKey, s.getvalue())[:8]), String(rc4.crypt(self._encryptRc4, s.getvalue())))
     
     def recv(self, data):
         """
@@ -419,7 +464,7 @@ class SecLayer(LayerAutomata, IStreamSender, tpkt.IFastPathListener, tpkt.IFastP
         data.readType((securityFlag, securityFlagHi))
         
         if securityFlag.value & SecurityFlag.SEC_ENCRYPT:
-            data = self.readEncryptedPayload(data)
+            data = self.readEncryptedPayload(data, securityFlag.value & SecurityFlag.SEC_SECURE_CHECKSUM)
             
         self._presentation.recv(data)
         
@@ -433,7 +478,12 @@ class SecLayer(LayerAutomata, IStreamSender, tpkt.IFastPathListener, tpkt.IFastP
             self._transport.send(data)
             return
         
-        self.sendFlagged(SecurityFlag.SEC_ENCRYPT, data)
+        flag = SecurityFlag.SEC_ENCRYPT
+        
+        if self._enableSecureCheckSum:
+            flag |= SecurityFlag.SEC_SECURE_CHECKSUM
+        
+        self.sendFlagged(flag, data)
     
     def sendFlagged(self, flag, data):
         """
@@ -444,7 +494,7 @@ class SecLayer(LayerAutomata, IStreamSender, tpkt.IFastPathListener, tpkt.IFastP
         @param data: {Type | Tuple}
         """
         if flag & SecurityFlag.SEC_ENCRYPT:
-            data = self.writeEncryptedPayload(data)
+            data = self.writeEncryptedPayload(data, flag & SecurityFlag.SEC_SECURE_CHECKSUM)
         self._transport.send((UInt16Le(flag), UInt16Le(), data))
         
     def recvFastPath(self, secFlag, fastPathS):
@@ -454,7 +504,7 @@ class SecLayer(LayerAutomata, IStreamSender, tpkt.IFastPathListener, tpkt.IFastP
         @param fastPathS: {Stream}
         """
         if self._enableEncryption and secFlag & tpkt.SecFlags.FASTPATH_OUTPUT_ENCRYPTED:
-            fastPathS = self.readEncryptedPayload(fastPathS)
+            fastPathS = self.readEncryptedPayload(fastPathS, secFlag & tpkt.SecFlags.FASTPATH_OUTPUT_SECURE_CHECKSUM)
         
         self._fastPathPresentation.recvFastPath(secFlag, fastPathS)
         
@@ -472,7 +522,11 @@ class SecLayer(LayerAutomata, IStreamSender, tpkt.IFastPathListener, tpkt.IFastP
         """
         if self._enableEncryption:
             secFlag |= tpkt.SecFlags.FASTPATH_OUTPUT_ENCRYPTED
-            fastPathS = self.writeEncryptedPayload(fastPathS)
+            
+            if self._enableSecureCheckSum:
+                secFlag |= tpkt.SecFlags.FASTPATH_OUTPUT_SECURE_CHECKSUM
+                
+            fastPathS = self.writeEncryptedPayload(fastPathS, self._enableSecureCheckSum)
         
         self._fastPathTransport.sendFastPath(secFlag, fastPathS)
         
@@ -661,7 +715,7 @@ class Server(SecLayer):
             raise InvalidExpectedDataException("Waiting info packet")
         
         if securityFlag.value & SecurityFlag.SEC_ENCRYPT:
-            s = self.readEncryptedPayload(s)
+            s = self.readEncryptedPayload(s, securityFlag.value & SecurityFlag.SEC_SECURE_CHECKSUM)
         
         s.readType(self._info)
         #next state send error license

setup.py

@@ -4,20 +4,20 @@ import setuptools
 from distutils.core import setup, Extension
 
 setup(name='rdpy',
-	version='1.2.1',
+	version='1.2.2',
 	description='Remote Desktop Protocol in Python',
 	long_description="""
 	RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (Client and Server side). 
 	RDPY is built over the event driven network engine Twisted.
 	
 	RDPY provide RDP and VNC binaries :
-	\t-RDP Man In The Middle proxy which record session
+	- RDP Man In The Middle proxy which record session
-	\t-RDP Honeypot
+	- RDP Honeypot
-	\t-RDP screenshoter
+	- RDP screenshoter
-	\t-RDP client
+	- RDP client
-	\t-VNC client
+	- VNC client
-	\t-VNC screenshoter
+	- VNC screenshoter
-	\t-RSS Player
+	- RSS Player
 	""",
 	author='Sylvain Peyrefitte',
 	author_email='citronneur@gmail.com',