search

GoSecure / pyrdp

RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact
https://www.gosecure.net/blog/2020/10/20/announcing-pyrdp-1/
GNU General Public License v3.0
1.55k stars 250 forks source link

Adequately log BlueKeep Metasploit exploit attempt #235

Closed luck00 closed 3 years ago

luck00 commented 4 years ago

Hello,

I am trying to use pyrdp with a windows 7 to act as a honeypot for rdp bluekeep exploit. I test the windows 7 vm directly and the bluekeep poc work. I am using https://github.com/Ekultek/BlueKeep/blob/master/bluekeep_poc.py . But if I try to run bluekeep_poc.py through pyrdp I receive this in pyrdp :

[2020-06-17 16:18:23,505] - INFO - GLOBAL - pyrdp.mitm - Generating a private key and certificate for SSL connections
[2020-06-17 16:18:23,790] - INFO - GLOBAL - pyrdp.mitm - Private key path: /root/.config/pyrdp/private_key.pem
[2020-06-17 16:18:23,790] - INFO - GLOBAL - pyrdp.mitm - Certificate path: /root/.config/pyrdp/certificate.pem
[2020-06-17 16:18:23,791] - INFO - GLOBAL - pyrdp.mitm - Target: 10.77.22.20:3389
[2020-06-17 16:18:23,791] - INFO - GLOBAL - pyrdp.mitm - Output directory: /home/administrator/pyrdp/bin/pyrdp_output
[2020-06-17 16:18:23,792] - INFO - GLOBAL - pyrdp - MITM Server listening on port 3389
[2020-06-17 16:18:29,975] - INFO - Jordon596746 - pyrdp.mitm.connections.tcp - New client connected from 10.66.22.62
[2020-06-17 16:18:29,976] - INFO - Jordon596746 - pyrdp.mitm.connections.x224 - No cookie for this connection
[2020-06-17 16:18:29,978] - INFO - Jordon596746 - pyrdp.mitm.connections.tcp - Server connected
[2020-06-17 16:18:29,985] - INFO - Jordon596746 - pyrdp.mitm.connections.tcp - Client connection closed. Connection to the other side was lost in a non-clean fashion: Connection lost.
[2020-06-17 16:18:29,985] - INFO - Jordon596746 - pyrdp.mitm.connections.tcp - Connection report: report: 1.0, connectionTime: 0.009480476379394531, totalInput: 0, totalOutput: 0, replayFilename: rdp_replay_20200617_16-18-29_974_Jordon596746.pyrdp
[2020-06-17 16:18:31,492] - INFO - Trang775352 - pyrdp.mitm.connections.tcp - New client connected from 10.66.22.62
[2020-06-17 16:18:31,492] - INFO - Trang775352 - pyrdp.mitm.connections.x224 - No cookie for this connection
[2020-06-17 16:18:31,494] - INFO - Trang775352 - pyrdp.mitm.connections.tcp - Server connected
CLIENT_RANDOM 95b5df8c15af46b3804d122ec64f07014782ab65e8080ba4db8b51aace952af4 e3af7d51c8901d689945e37520800e5cd58695ec8d6abf6bb6d29f7948558686f85b9d1d914470f8b6f77ead958bc9f2
[2020-06-17 16:18:31,509] - ERROR - Trang775352 - pyrdp.mitm.connections.tcp - Invalid channel array size
Traceback (most recent call last):
  File "/home/administrator/pyrdp/pyrdp/layer/tcp.py", line 91, in dataReceived
    self.recv(data)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 143, in recv
    self.pduReceived(pdu)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 198, in pduReceived
    self.next.recv(pdu.payload)
  File "/home/administrator/pyrdp/pyrdp/layer/segmentation.py", line 79, in recv
    layer.recv(forwarded)
  File "/home/administrator/pyrdp/pyrdp/layer/buffered.py", line 55, in recv
    self.pduReceived(pdu)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 198, in pduReceived
    self.next.recv(pdu.payload)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 143, in recv
    self.pduReceived(pdu)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 198, in pduReceived
    self.next.recv(pdu.payload)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 143, in recv
    self.pduReceived(pdu)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 110, in pduReceived
    self.observer.onPDUReceived(pdu)
  File "/home/administrator/pyrdp/pyrdp/core/observer.py", line 82, in __call__
    self.composite.doCall(self.item, args, kwargs)
  File "/home/administrator/pyrdp/pyrdp/core/observer.py", line 56, in doCall
    getattr(observer, item)(*args, **kwargs)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 48, in onPDUReceived
    self.handlers[pdu.header](pdu)
  File "/home/administrator/pyrdp/pyrdp/mitm/MCSMITM.py", line 85, in onConnectInitial
    rdpClientDataPDU = rdpClientConnectionParser.parse(gccConferenceCreateRequestPDU.payload)
  File "/home/administrator/pyrdp/pyrdp/parser/rdp/connection.py", line 57, in parse
    structure = self.parseStructure(stream)
  File "/home/administrator/pyrdp/pyrdp/parser/rdp/connection.py", line 86, in parseStructure
    return self.parsers[header](substream)
  File "/home/administrator/pyrdp/pyrdp/parser/rdp/connection.py", line 144, in parseClientNetworkData
    raise ParsingError("Invalid channel array size")
pyrdp.exceptions.ParsingError: Invalid channel array size
[2020-06-17 16:18:31,514] - ERROR - Trang775352 - pyrdp.mitm.connections.tcp - Exception occurred when receiving: 030001ee02f0807f658201e20401010401010101ff30190201220201020201000201010201000201010202ffff020102301902010102010102010102010102010002010102020420020102301c0202ffff0202fc170202ffff0201010201000201010202ffff02010204820181000500147c00018178000800100001c00044756361816a01c0ea000a0008008007380401ca03aa09040000b11d00004400450053004b0054004f0050002d004600380034003000470049004b00000004000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca01000000000018000f00af07620063003700380065006600360033002d0039006400330033002d003400310039380038002d0039003200630066002d0000310062003200640061004242424207000100000056020000500100000000640000006400000004c00c00150000000000000002c00c001b0000000000000003c0680005000000726470736e6400000f0000c0636c6970726472000000a0c0647264796e766300000080c04d535f5431323000000000004d535f5431323000000000004d535f5431323000000000004d535f5431323000000000004d535f543132300000000000

Traceback (most recent call last):
  File "/home/administrator/pyrdp/venv/lib/python3.8/site-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/home/administrator/pyrdp/venv/lib/python3.8/site-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/home/administrator/pyrdp/venv/lib/python3.8/site-packages/twisted/python/context.py", line 122, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/home/administrator/pyrdp/venv/lib/python3.8/site-packages/twisted/python/context.py", line 85, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/home/administrator/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/asyncioreactor.py", line 136, in _readOrWrite
    why = method()
  File "/home/administrator/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/tcp.py", line 243, in doRead
    return self._dataReceived(data)
  File "/home/administrator/pyrdp/venv/lib/python3.8/site-packages/twisted/internet/tcp.py", line 249, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/home/administrator/pyrdp/venv/lib/python3.8/site-packages/twisted/protocols/tls.py", line 330, in dataReceived
    self._flushReceiveBIO()
  File "/home/administrator/pyrdp/venv/lib/python3.8/site-packages/twisted/protocols/tls.py", line 295, in _flushReceiveBIO
    ProtocolWrapper.dataReceived(self, bytes)
  File "/home/administrator/pyrdp/venv/lib/python3.8/site-packages/twisted/protocols/policies.py", line 120, in dataReceived
    self.wrappedProtocol.dataReceived(data)
  File "/home/administrator/pyrdp/pyrdp/layer/tcp.py", line 91, in dataReceived
    self.recv(data)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 143, in recv
    self.pduReceived(pdu)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 198, in pduReceived
    self.next.recv(pdu.payload)
  File "/home/administrator/pyrdp/pyrdp/layer/segmentation.py", line 79, in recv
    layer.recv(forwarded)
  File "/home/administrator/pyrdp/pyrdp/layer/buffered.py", line 55, in recv
    self.pduReceived(pdu)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 198, in pduReceived
    self.next.recv(pdu.payload)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 143, in recv
    self.pduReceived(pdu)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 198, in pduReceived
    self.next.recv(pdu.payload)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 143, in recv
    self.pduReceived(pdu)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 110, in pduReceived
    self.observer.onPDUReceived(pdu)
  File "/home/administrator/pyrdp/pyrdp/core/observer.py", line 82, in __call__
    self.composite.doCall(self.item, args, kwargs)
  File "/home/administrator/pyrdp/pyrdp/core/observer.py", line 56, in doCall
    getattr(observer, item)(*args, **kwargs)
  File "/home/administrator/pyrdp/pyrdp/layer/layer.py", line 48, in onPDUReceived
    self.handlers[pdu.header](pdu)
  File "/home/administrator/pyrdp/pyrdp/mitm/MCSMITM.py", line 85, in onConnectInitial
    rdpClientDataPDU = rdpClientConnectionParser.parse(gccConferenceCreateRequestPDU.payload)
  File "/home/administrator/pyrdp/pyrdp/parser/rdp/connection.py", line 57, in parse
    structure = self.parseStructure(stream)
  File "/home/administrator/pyrdp/pyrdp/parser/rdp/connection.py", line 86, in parseStructure
    return self.parsers[header](substream)
  File "/home/administrator/pyrdp/pyrdp/parser/rdp/connection.py", line 144, in parseClientNetworkData
    raise ParsingError("Invalid channel array size")
pyrdp.exceptions.ParsingError: Invalid channel array size

[2020-06-17 16:18:31,520] - INFO - Trang775352 - pyrdp.mitm.connections.tcp - Client connection closed. Connection to the other side was lost in a non-clean fashion: Connection lost.
[2020-06-17 16:18:31,520] - INFO - Trang775352 - pyrdp.mitm.connections.tcp - Connection report: report: 1.0, connectionTime: 0.028327465057373047, totalInput: 0, totalOutput: 0, replayFilename: rdp_replay_20200617_16-18-31_492_Trang775352.pyrdp
[2020-06-17 16:18:40,898] - INFO - Anna779006 - pyrdp.mitm.connections.tcp - New client connected from 27.255.80.168
[2020-06-17 16:18:40,899] - INFO - Anna779006 - pyrdp.mitm.connections.x224 - Cookie: mstshash=hello
[2020-06-17 16:18:40,900] - INFO - Anna779006 - pyrdp.mitm.connections.tcp - Server connected
[2020-06-17 16:18:42,033] - INFO - Anna779006 - pyrdp.mitm.connections.tcp - Client connection closed. Connection to the other side was lost in a non-clean fashion: Connection lost.
[2020-06-17 16:18:42,034] - INFO - Anna779006 - pyrdp.mitm.conne

Can anybody help me?

Thank you very much.

alxbl commented 4 years ago

From the code:

    def parseClientNetworkData(self, stream: BytesIO) -> ClientNetworkData:
        channelCount = Uint32LE.unpack(stream)
        data = stream.getvalue()[4 :]

        if len(data) != channelCount * 12:
            raise ParsingError("Invalid channel array size")

It looks like the PDU sent by the PoC has a malformed ClientNetworkData.

We would need to figure out if it's a parsing problem or if the PoC has a malformed packet.

We could also change the default behavior of PyRDP to forward raw bytes without attempting to parse them, which would probably be a good idea, but requires a ton of testing.

luck00 commented 4 years ago

I try in the first place to exploit windows 7 machine with bluekeep meterpreter exploit. Is working directly, but through pyrdp is not working. Is pyrdp designed to work with that exploit? From there I try to use that poc to give me some errors.

I try to understand if I can use pyrdp to monitor bluekeep atacks.

Res260 commented 4 years ago

PyRDP has a logging statement to monitor bluekeep exploit attempts, but the PoC will not go through IIRC

On Wed., Jun. 17, 2020, 14:56 luck00, notifications@github.com wrote:

I try in the first place to exploit windows 7 machine with bluekeep meterpreter exploit. Is working directly, but through pyrdp is not working. Is pyrdp designed to work with that exploit? From there I try to use that poc to give me some errors.

I try to understand if I can use pyrdp to monitor bluekeep atacks.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/GoSecure/pyrdp/issues/235#issuecomment-645559476, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADPMNL26ZW3HSO4DGTCOSGDRXEGUZANCNFSM4OATNL7A .

alxbl commented 4 years ago

@Res260 At the very least it should have detected and logged the exploitation attempt, which is not the case here. I think we'll need to look at the PoC and reproduce to understand the behavior / accomodate it.

luck00 commented 4 years ago

And this is the console output when I try to exploit the host with meterpreter bluekeep.

[2020-06-18 13:43:49,030] - INFO - Cheryl901420 - pyrdp.mitm.connections.tcp - New client connected from 10.66.22.62
[2020-06-18 13:43:49,031] - INFO - Cheryl901420 - pyrdp.mitm.connections.x224 - Cookie: mstshash=BEFXlSN
[2020-06-18 13:43:49,033] - INFO - Cheryl901420 - pyrdp.mitm.connections.tcp - Server connected
[2020-06-18 13:43:50,035] - ERROR - Cheryl901420 - pyrdp.mitm.connections - Failed to connect to recording host: timeout expired
[2020-06-18 13:43:50,043] - INFO - Cheryl901420 - pyrdp.mitm.connections.tcp - Client connection closed. Connection to the other side was lost in a non-clean fashion: Connection lost.
[2020-06-18 13:43:50,044] - INFO - Cheryl901420 - pyrdp.mitm.connections.tcp - Connection report: report: 1.0, connectionTime: 1.0133814811706543, totalInput: 0, totalOutput: 0, replayFilename: rdp_replay_20200618_13-43-49_30_Cheryl901420.pyrdp
[2020-06-18 13:43:51,927] - INFO - Roland509059 - pyrdp.mitm.connections.tcp - New client connected from 10.66.22.62
[2020-06-18 13:43:51,928] - INFO - Roland509059 - pyrdp.mitm.connections.x224 - Cookie: mstshash=psAzmPF
[2020-06-18 13:43:51,930] - INFO - Roland509059 - pyrdp.mitm.connections.tcp - Server connected
[2020-06-18 13:43:52,932] - ERROR - Roland509059 - pyrdp.mitm.connections - Failed to connect to recording host: timeout expired
CLIENT_RANDOM e862e2c7e62165f1059da94772e24dac73a6d02e4fea5e127b15b55d2c39cf7c 07a55fc57e9bdc8e6176e348a48f52963e4b71ab88275f5d4d6cfecb8688d059063d394ae45006023bbb15d0e3ca3db4
[2020-06-18 13:43:52,958] - INFO - Roland509059 - pyrdp.mitm.connections.mcs - Bluekeep (CVE-2019-0708) scan or exploit attempt detected.
[2020-06-18 13:43:52,961] - INFO - Roland509059 - pyrdp.mitm.connections.mcs - Client hostname ethdev
CLIENT_RANDOM 9484f91ed21b13b123579ee21e52a600e304d0b472a484dd7916603486ba379f 86a1a08283d3b59c1b1db584dcec5ad291c798257748f72e6d59f44d6b3763098572967c27e6a0bee99a423868413e34
[2020-06-18 13:43:52,965] - INFO - Roland509059 - pyrdp.mitm.connections.mcs - cliprdr <---> Channel #1004
[2020-06-18 13:43:52,968] - INFO - Roland509059 - pyrdp.mitm.connections.mcs - MS_T120 <---> Channel #1005
[2020-06-18 13:43:52,968] - INFO - Roland509059 - pyrdp.mitm.connections.mcs - rdpsnd <---> Channel #1006
[2020-06-18 13:43:52,969] - INFO - Roland509059 - pyrdp.mitm.connections.mcs - snddbg <---> Channel #1007
[2020-06-18 13:43:52,970] - INFO - Roland509059 - pyrdp.mitm.connections.mcs - rdpdr <---> Channel #1008
[2020-06-18 13:43:52,997] - WARNING - Roland509059 - pyrdp.mitm.connections.rdpdr - Could not read the RDPDR file mapping at pyrdp_output/mapping.json. The file may not exist or it may have incorrect permissions. A new mapping will be created.
[2020-06-18 13:43:53,001] - INFO - Roland509059 - pyrdp.mitm.connections.security - Client Info: username = 'psAzmPF\x00', password = '\x00', domain = 'SCawezk\x00', clientAddress = '192.168.0.100\x00'
[2020-06-18 13:43:53,459] - INFO - Roland509059 - pyrdp.mitm.connections.tcp - Client connection closed. Connection to the other side was lost in a non-clean fashion.
[2020-06-18 13:43:53,459] - INFO - Roland509059 - pyrdp.mitm.connections.tcp - Connection report: report: 1.0, connectionTime: 1.5317463874816895, mcs: 16, mcsInput: 9, mcsInput_1003: 7, mcsOutput: 7, mcsOutput_1003: 6, slowPathOutput: 5, slowPathInput: 6, fastPathOutput: 9, mcsInput_1005: 2, virtualChannelInput: 2, mcsOutput_1008: 1, deviceRedirection: 1, deviceRedirectionServer: 1, totalInput: 11, totalOutput: 17, clientServerRatio: 0.6470588235294118, replayFilename: rdp_replay_20200618_13-43-51_926_Roland509059.pyrdp
[2020-06-18 13:43:55,866] - INFO - John381250 - pyrdp.mitm.connections.tcp - New client connected from 10.66.22.62
[2020-06-18 13:43:55,871] - INFO - John381250 - pyrdp.mitm.connections.x224 - Cookie: mstshash=PdHuoIe
[2020-06-18 13:43:55,872] - INFO - John381250 - pyrdp.mitm.connections.tcp - Server connected
[2020-06-18 13:43:56,875] - ERROR - John381250 - pyrdp.mitm.connections - Failed to connect to recording host: timeout expired
CLIENT_RANDOM a54b995123d6fc498e8b853229b790e6cb9bc4b74796824c1be9590322346304 c86ea726d700edefe95c212ff5c70ef18c1a73e79052e532829b713979fc939b55946a9fbe2fb7eff8e59c7e46d0ee7b
[2020-06-18 13:43:56,896] - INFO - John381250 - pyrdp.mitm.connections.mcs - Bluekeep (CVE-2019-0708) scan or exploit attempt detected.
[2020-06-18 13:43:56,897] - INFO - John381250 - pyrdp.mitm.connections.mcs - Client hostname ethdev
CLIENT_RANDOM 0773b47603b4c837e21cebf3508476f13948e28c412d3b76f5c0deca00a21150 a03ef772c461e8220a8cf998d9529196ab6d8d3c66d59168ab2d64569f5bf70c27b85602556a6865d9876f5a6d412320
[2020-06-18 13:43:56,900] - INFO - John381250 - pyrdp.mitm.connections.mcs - rdpdr <---> Channel #1004
[2020-06-18 13:43:56,901] - INFO - John381250 - pyrdp.mitm.connections.mcs - RDPSND <---> Channel #1005
[2020-06-18 13:43:56,902] - INFO - John381250 - pyrdp.mitm.connections.mcs - RDPSND <---> Channel #1006
[2020-06-18 13:43:56,902] - INFO - John381250 - pyrdp.mitm.connections.mcs - MS_XXX0 <---> Channel #1007
[2020-06-18 13:43:56,903] - INFO - John381250 - pyrdp.mitm.connections.mcs - MS_XXX1 <---> Channel #1008
[2020-06-18 13:43:56,904] - INFO - John381250 - pyrdp.mitm.connections.mcs - MS_XXX2 <---> Channel #1009
[2020-06-18 13:43:56,904] - INFO - John381250 - pyrdp.mitm.connections.mcs - MS_XXX3 <---> Channel #1010
[2020-06-18 13:43:56,905] - INFO - John381250 - pyrdp.mitm.connections.mcs - MS_XXX4 <---> Channel #1011
[2020-06-18 13:43:56,906] - INFO - John381250 - pyrdp.mitm.connections.mcs - MS_XXX5 <---> Channel #1012
[2020-06-18 13:43:56,907] - INFO - John381250 - pyrdp.mitm.connections.mcs - MS_T120 <---> Channel #1013
[2020-06-18 13:43:56,920] - WARNING - John381250 - pyrdp.mitm.connections.rdpdr - Could not read the RDPDR file mapping at pyrdp_output/mapping.json. The file may not exist or it may have incorrect permissions. A new mapping will be created.
[2020-06-18 13:43:56,933] - INFO - John381250 - pyrdp.mitm.connections.security - Client Info: username = 'PdHuoIe\x00', password = '\x00', domain = 'vVZYXOx\x00', clientAddress = '192.168.0.100\x00'
[2020-06-18 13:45:49,022] - INFO - John381250 - pyrdp.mitm.connections.tcp - Client connection closed. Connection to the other side was lost in a non-clean fashion: Connection lost.
[2020-06-18 13:45:49,024] - INFO - John381250 - pyrdp.mitm.connections.tcp - Connection report: report: 1.0, connectionTime: 113.15631318092346, mcs: 513549, mcsInput: 513540, mcsInput_1003: 7, mcsOutput: 9, mcsOutput_1003: 6, slowPathOutput: 5, slowPathInput: 6, fastPathOutput: 11, mcsOutput_1004: 3, deviceRedirection: 7, deviceRedirectionServer: 3, mcsInput_1004: 4, deviceRedirectionClient: 4, mcsInput_1005: 257854, virtualChannelInput: 513528, mcsInput_1006: 255674, fastPathInput: 250, totalInput: 1027322, totalOutput: 23, clientServerRatio: 44666.17391304348, replayFilename: `rdp_replay_20200618_13-43-55_866_John381250.pyrdp