Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
package main
import (
"bufio"
"bytes"
"encoding/binary"
"fmt"
"io"
"log"
"math/rand"
"net"
"net/http"
"strconv"
"time"
"unicode/utf16"
"unicode/utf8"
)
const (
crlf = "\r\n"
rdgConnectionIdKey = "Rdg-Connection-Id"
HANDSHAKE = 1
)
const (
PKT_TYPE_HANDSHAKE_REQUEST = 0x1
PKT_TYPE_HANDSHAKE_RESPONSE = 0x2
PKT_TYPE_EXTENDED_AUTH_MSG = 0x3
PKT_TYPE_TUNNEL_CREATE = 0x4
PKT_TYPE_TUNNEL_RESPONSE = 0x5
PKT_TYPE_TUNNEL_AUTH = 0x6
PKT_TYPE_TUNNEL_AUTH_RESPONSE = 0x7
PKT_TYPE_CHANNEL_CREATE = 0x8
PKT_TYPE_CHANNEL_RESPONSE = 0x9
PKT_TYPE_DATA = 0xA
PKT_TYPE_SERVICE_MESSAGE = 0xB
PKT_TYPE_REAUTH_MESSAGE = 0xC
PKT_TYPE_KEEPALIVE = 0xD
PKT_TYPE_CLOSE_CHANNEL = 0x10
PKT_TYPE_CLOSE_CHANNEL_RESPONSE = 0x11
)
const (
HTTP_EXTENDED_AUTH_NONE = 0x0
HTTP_EXTENDED_AUTH_SC = 0x1 /* Smart card authentication. */
HTTP_EXTENDED_AUTH_PAA = 0x02 /* Pluggable authentication. */
HTTP_EXTENDED_AUTH_SSPI_NTLM = 0x04 /* NTLM extended authentication. */
)
const (
HTTP_TUNNEL_PACKET_FIELD_PAA_COOKIE = 0x1
)
// HandshakeHeader is the interface that writes both upgrade request or
// response headers into a given io.Writer.
type HandshakeHeader interface {
io.WriterTo
}
type RdgSession struct {
ConnId string
CorrelationId string
UserId string
ConnIn net.Conn
ConnOut net.Conn
BufOut *bufio.Writer
BufIn *bufio.Reader
State int
Remote net.Conn
}
// ErrNotHijacker is an error returned when http.ResponseWriter does not
// implement http.Hijacker interface.
var ErrNotHijacker = RejectConnectionError(
RejectionStatus(http.StatusInternalServerError),
RejectionReason("given http.ResponseWriter is not a http.Hijacker"),
)
var DefaultSession RdgSession
func Upgrade(next http.Handler) http.Handler {
return DefaultSession.RdgHandshake(next)
}
func Accept(w http.ResponseWriter) (conn net.Conn, rw *bufio.ReadWriter, err error) {
log.Print("Accept connection")
hj, ok := w.(http.Hijacker)
if ok {
return hj.Hijack()
} else {
err = ErrNotHijacker
}
if err != nil {
httpError(w, err.Error(), http.StatusInternalServerError)
return nil, nil, err
}
return
}
func (s RdgSession) RdgHandshake(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
/*_, _, ok := r.BasicAuth()
if !ok && s.ConnIn == nil {
w.Header().Set("WWW-Authenticate", `Basic realm="rdpgw"`)
w.WriteHeader(401)
w.Write([]byte("Unauthorized.\n"))
fmt.Println("Unauthorized")
return
}*/
conn, rw, _ := Accept(w)
if r.Method == MethodRDGOUT {
log.Printf("Opening RDGOUT for client %s", conn.RemoteAddr().String())
s.ConnId = r.Header.Get(rdgConnectionIdKey)
s.ConnOut = conn
s.BufOut = rw.Writer
WriteAcceptSeed(rw.Writer)
rw.Writer.Flush()
} else if r.Method == MethodRDGIN {
if s.ConnIn == nil {
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
s.ConnIn = conn
s.BufIn = rw.Reader
log.Printf("Opening RDGIN for client %s", conn.RemoteAddr().String())
WriteAcceptSeed(rw.Writer)
rw.Writer.Flush()
p := make([]byte, 4096)
rw.Reader.Read(p)
//log.Printf("Read %q", p)
log.Printf("Reading packet from client %s", conn.RemoteAddr().String())
scanner := bufio.NewScanner(rw.Reader)
scanner.Split(ReadPacket)
for scanner.Scan() {
packet := scanner.Bytes()
packetType, size, _, packet := readHeader(packet)
log.Printf("Scanned packet got packet type %x size %d", packetType, size)
switch packetType {
case PKT_TYPE_HANDSHAKE_REQUEST:
major, minor, _, auth := readHandshake(packet)
sendHandshakeResponse(s.BufOut, major, minor, auth)
case PKT_TYPE_TUNNEL_CREATE:
readCreateTunnelRequest(packet)
sendCreateTunnelResponse(s.BufOut)
case PKT_TYPE_TUNNEL_AUTH:
readTunnelAuthRequest(packet)
sendTunnelAuthResponse(s.BufOut)
case PKT_TYPE_CHANNEL_CREATE:
server, port := readChannelCreateRequest(packet)
var err error
s.Remote, err = net.Dial("tcp", net.JoinHostPort(server, strconv.Itoa(int(port))))
if err != nil {
log.Printf("Error connecting to %s, %d, %s", server, port, err)
return
}
sendChannelCreateResponse(s.BufOut)
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
case PKT_TYPE_DATA:
receiveDataPacket(s.Remote, packet)
}
}
}
}
})
}
// [MS-TSGU]: Terminal Services Gateway Server Protocol version 39.0
// The server sends back the final status code 200 OK, and also a random entity body of limited size (100 bytes).
// This enables a reverse proxy to start allowing data from the RDG server to the RDG client. The RDG server does
// not specify an entity length in its response. It uses HTTP 1.0 semantics to send the entity body and closes the
// connection after the last byte is sent.
func WriteAcceptSeed(bw *bufio.Writer) {
bw.WriteString(HttpOK)
bw.WriteString("Date: " + time.Now().Format(time.RFC1123) + "\r\n")
bw.WriteString("Content-Type: application/octet-stream\r\n")
bw.WriteString("Content-Length: 0\r\n")
bw.WriteString(crlf)
seed := make([]byte, 10)
rand.Read(seed)
bw.Write(seed)
}
func ReadPacket(data []byte, atEOF bool) (advance int, packet []byte, err error) {
log.Printf("Reading data len = %d", len(data))
if atEOF && len(data) == 0 {
return 0, nil, nil
}
if i := bytes.Index(data, []byte{'\r', '\n'}); i >= 0 {
//log.Printf("Got rn at %d ", i)
chunkSize, err := strconv.ParseInt(string(data[0:i]), 16, 0)
log.Printf("chunkSize %d", chunkSize)
if err != nil {
return i + 2, data[0:i], err
}
//log.Printf("Return %d", i+2+int(chunkSize)+2)
return i + 2 + int(chunkSize) + 2, data[i+2 : i+2+int(chunkSize)+2], nil
}
if atEOF {
return len(data), data, nil
}
return 0, nil, nil
}
func readHeader(data []byte) (packetType uint16, size uint32, advance int, remain []byte) {
r := bytes.NewReader(data)
binary.Read(r, binary.LittleEndian, &packetType)
r.Seek(4, io.SeekStart)
binary.Read(r, binary.LittleEndian, &size)
return packetType, size, 8, data[8:]
}
func sendHandshakeResponse(w *bufio.Writer, major byte, minor byte, auth uint16) {
buf := new(bytes.Buffer)
binary.Write(buf, binary.LittleEndian, uint32(0)) // error_code
buf.Write([]byte{major, minor})
binary.Write(buf, binary.LittleEndian, uint16(0)) // server version
binary.Write(buf, binary.LittleEndian, uint16(2)) // PAA
w.Write(createPacket(PKT_TYPE_HANDSHAKE_RESPONSE, buf.Bytes()))
w.Flush()
}
func readHandshake(data []byte) (major byte, minor byte, version uint16, extAuth uint16) {
r := bytes.NewReader(data)
binary.Read(r, binary.LittleEndian, &major)
binary.Read(r, binary.LittleEndian, &minor)
binary.Read(r, binary.LittleEndian, &version)
binary.Read(r, binary.LittleEndian, &extAuth)
log.Printf("major: %d, minor: %d, version: %d, ext auth: %d", major, minor, version, extAuth)
return
}
func readCreateTunnelRequest(data []byte) (caps uint32, cookie string){
var fields uint16
r := bytes.NewReader(data)
binary.Read(r, binary.LittleEndian, &caps)
binary.Read(r, binary.LittleEndian, &fields)
r.Seek(2, io.SeekCurrent)
if fields == HTTP_TUNNEL_PACKET_FIELD_PAA_COOKIE {
var size uint16
binary.Read(r, binary.LittleEndian, &size)
cookieB := make([]byte, size)
r.Read(cookieB)
cookie, _ = DecodeUTF16(cookieB)
log.Printf("Create tunnel caps: %d, cookie: %s", caps, cookie)
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
return
}
func sendCreateTunnelResponse(w *bufio.Writer) {
buf := new(bytes.Buffer)
binary.Write(buf, binary.LittleEndian, uint16(0)) // server version
binary.Write(buf, binary.LittleEndian, uint32(0)) // error code
binary.Write(buf, binary.LittleEndian, uint16(0)) // fields present
binary.Write(buf, binary.LittleEndian, uint16(0)) // reserved
w.Write(createPacket(PKT_TYPE_TUNNEL_RESPONSE, buf.Bytes()))
w.Flush()
}
func readTunnelAuthRequest(data []byte) {
buf := bytes.NewReader(data)
var size uint16
binary.Read(buf, binary.LittleEndian, &size)
clData := make([]byte, size)
binary.Read(buf, binary.LittleEndian, &clData)
clientName, _ := DecodeUTF16(clData)
log.Printf("Client: %s", clientName)
}
func sendTunnelAuthResponse(w *bufio.Writer) {
buf := new(bytes.Buffer)
binary.Write(buf, binary.LittleEndian, uint32(0)) // error code
binary.Write(buf, binary.LittleEndian, uint16(0)) // fields present
binary.Write(buf, binary.LittleEndian, uint16(0)) // reserved
w.Write(createPacket(PKT_TYPE_TUNNEL_AUTH_RESPONSE, buf.Bytes()))
w.Flush()
}
func readChannelCreateRequest(data []byte) (server string, port uint16){
buf := bytes.NewReader(data)
var resourcesSize byte
var alternative byte
var protocol uint16
var nameSize uint16
binary.Read(buf, binary.LittleEndian, &resourcesSize)
binary.Read(buf, binary.LittleEndian, &alternative)
binary.Read(buf, binary.LittleEndian, &port)
binary.Read(buf, binary.LittleEndian, &protocol)
binary.Read(buf, binary.LittleEndian, &nameSize)
nameData := make([]byte, nameSize)
binary.Read(buf, binary.LittleEndian, &nameData)
log.Printf("Name data %q", nameData)
server, _ = DecodeUTF16(nameData)
log.Printf("Should connect to %s on port %d", server, port)
return
}
func sendChannelCreateResponse(w *bufio.Writer) {
buf := new(bytes.Buffer)
binary.Write(buf, binary.LittleEndian, uint32(0)) // error code
binary.Write(buf, binary.LittleEndian, uint16(0)) // fields present
binary.Write(buf, binary.LittleEndian, uint16(0)) // reserved
w.Write(createPacket(PKT_TYPE_CHANNEL_RESPONSE, buf.Bytes()))
w.Flush()
}
func createPacket(pktType uint16, data []byte) (packet []byte){
size := len(data) + 8
buf := new(bytes.Buffer)
log.Printf("Data sent Size: %d", size)
// http chunk size in hex string
// fmt.Fprintf(buf,"%x\r\n", size)
binary.Write(buf, binary.LittleEndian, uint16(pktType))
binary.Write(buf, binary.LittleEndian, uint16(0)) // reserved
binary.Write(buf, binary.LittleEndian, uint32(size))
buf.Write(data)
// http close crlf
// buf.Write([]byte(crlf))
// log.Printf("data sent: %q", buf.Bytes())
return buf.Bytes()
}
func receiveDataPacket(conn net.Conn, data []byte) {
buf := bytes.NewReader(data)
var cblen uint16
binary.Read(buf, binary.LittleEndian, &cblen)
log.Printf("Received PKT_DATA %d", cblen)
pkt := make([]byte, cblen)
//binary.Read(buf, binary.LittleEndian, &pkt)
buf.Read(pkt)
//log.Printf("DATA FROM CLIENT %q", pkt)
conn.Write(pkt)
}
func sendDataPacket(conn net.Conn, w *bufio.Writer) {
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
b1 := new(bytes.Buffer)
buf := make([]byte, 32767)
for {
n, err := conn.Read(buf)
binary.Write(b1, binary.LittleEndian, uint16(n))
log.Printf("RDP SIZE: %d", n)
if err != nil {
log.Printf("Error reading from conn %s", err)
break
}
b1.Write(buf[:n])
w.Write(createPacket(PKT_TYPE_DATA, b1.Bytes()))
w.Flush()
b1.Reset()
}
}
func DecodeUTF16(b []byte) (string, error) {
if len(b)%2 != 0 {
log.Printf("Error decoding utf16")
return "", fmt.Errorf("Must have even length byte slice")
}
u16s := make([]uint16, 1)
ret := &bytes.Buffer{}
b8buf := make([]byte, 4)
lb := len(b)
for i := 0; i < lb; i += 2 {
u16s[0] = uint16(b[i]) + (uint16(b[i+1]) << 8)
r := utf16.Decode(u16s)
n := utf8.EncodeRune(b8buf, r[0])
ret.Write(b8buf[:n])
}
return ret.String(), nil
}