From 95f9e2cf917afeac2b8113fe0e17c1abc57c36a8 Mon Sep 17 00:00:00 2001
From: tomsellers <tomsellers@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Tue, 28 May 2019 23:01:21 +0000
Subject: [PATCH] Address rdp protocol parsing issues in rdp.lua and
 rdp-enum-ciphers.nse Closes #1611

---
 CHANGELOG                       |  4 +++
 nselib/rdp.lua                  | 54 ++++++++++++++++++++++++++++++
 scripts/rdp-enum-encryption.nse | 58 ++++++++++++++++++++++-----------
 3 files changed, 97 insertions(+), 19 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 2d14fe3e8..ad020e7dd 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE][GH#1611] Address two protocol parsing issues in rdp-enum-encryption and
+  the RDP nse library which broke scanning of Windows XP. Clarify protocol
+  types [Tom Sellers]
+
 o [NSE][GH#1608] Script http-fileupload-exploiter failed to locate its resource
   file unless executed from a specific working directory. [nnposter]
 
diff --git a/nselib/rdp.lua b/nselib/rdp.lua
index 32f098b57..9ec377a73 100644
--- a/nselib/rdp.lua
+++ b/nselib/rdp.lua
@@ -12,6 +12,20 @@ local stdnse = require("stdnse")
 local string = require "string"
 _ENV = stdnse.module("rdp", stdnse.seeall)
 
+-- Server Core Data  2.2.1.4.2
+PROTO_VERSION = {
+  [0x00080001] = " RDP 4.0 server",
+  [0x00080004] = " RDP 5.x, 6.x, 7.x, or 8.x server",
+  [0x00080005] = " RDP 10.0 server",
+  [0x00080006] = " RDP 10.1 server",
+  [0x00080007] = " RDP 10.2 server",
+  [0x00080008] = " RDP 10.3 server",
+  [0x00080009] = " RDP 10.4 server",
+  [0x0008000A] = " RDP 10.5 server",
+  [0x0008000B] = " RDP 10.6 server",
+  [0x0008000C] = " RDP 10.7 server",
+}
+
 Packet = {
 
   TPKT = {
@@ -57,8 +71,10 @@ Packet = {
       itut.length, itut.code, pos = string.unpack("BB", data)
 
       if ( itut.code == 0xF0 ) then
+        -- X.224 - Data TPDU (DT)
         itut.eot, pos = string.unpack("B", data, pos)
       elseif ( itut.code == 0xD0 ) then
+        -- X.224 - Connection Confirm (CC)
         itut.dstref, itut.srcref, itut.class, pos = string.unpack(">I2I2B", data, pos)
       end
 
@@ -86,6 +102,38 @@ Packet = {
 
   },
 
+  ConfCreateResponse = {
+
+
+    new = function(self, data)
+      local o =  {}
+      setmetatable(o, self)
+      self.__index = self
+      return o
+    end,
+
+    parse = function(data)
+      local ccr = Packet.ConfCreateResponse:new()
+      local pos = 67
+
+      while data:len() > pos do
+        block_type, block_len  = string.unpack("<I2I2", data, pos)
+        if block_type == 0x0c01 then
+          -- 2.2.1.42 Server Core Data - TS_UD_SC_CORE
+          proto_ver = string.unpack("<I4", data, pos + 4)
+          ccr.proto_version = ("RDP Protocol Version: %s"):format(PROTO_VERSION[proto_ver] or "Unknown")
+        elseif block_type == 0x0c02 then
+          -- 2.2.1.4.3 Server Security Data - TS_UD_SC_SEC1
+          ccr.enc_level = string.unpack("B", data, pos + 8)
+          ccr.enc_cipher= string.unpack("B", data, pos + 4)
+        end
+        pos = pos + block_len
+      end
+
+      return ccr
+    end,
+  },
+
 }
 
 Request = {
@@ -258,6 +306,10 @@ Response = {
 
       cr.tpkt = Packet.TPKT.parse(data)
       cr.itut = Packet.ITUT.parse(cr.tpkt.data)
+      if ( cr.itut.code == 0xF0 ) then
+        -- X.224 - Data TPDU (DT)
+        cr.ccr  = Packet.ConfCreateResponse.parse(cr.itut.data)
+      end
       return cr
     end
   }
@@ -333,6 +385,8 @@ Comm = {
       return true, Response.ConnectionConfirm.parse(data)
     elseif ( itut_code == 0xF0 ) then
       return true, Response.MCSConnectResponse.parse(data)
+    elseif itut_code ~= nil then
+        stdnse.debug1(("comm:exch - Unknown itut_code: %s"):format(itut_code))
     end
     return false, "Received unhandled packet"
   end,
diff --git a/scripts/rdp-enum-encryption.nse b/scripts/rdp-enum-encryption.nse
index 158f0e6c7..1bdcdc3ba 100644
--- a/scripts/rdp-enum-encryption.nse
+++ b/scripts/rdp-enum-encryption.nse
@@ -15,14 +15,18 @@ http://labs.mwrinfosecurity.com/tools/2009/01/12/rdp-cipher-checker/
 -- @output
 -- PORT     STATE SERVICE
 -- 3389/tcp open  ms-wbt-server
--- | rdp-enum-encryption:
 -- |   Security layer
--- |     CredSSP: SUCCESS
+-- |     CredSSP (NLA): SUCCESS
+-- |     CredSSP with Early User Auth: SUCCESS
 -- |     Native RDP: SUCCESS
+-- |     RDSTLS: SUCCESS
 -- |     SSL: SUCCESS
 -- |   RDP Encryption level: High
+-- |     40-bit RC4: SUCCESS
+-- |     56-bit RC4: SUCCESS
 -- |     128-bit RC4: SUCCESS
--- |_    FIPS 140-1: SUCCESS
+-- |     FIPS 140-1: SUCCESS
+-- |_  RDP Protocol Version:  RDP 5.x, 6.x, 7.x, or 8.x server
 --
 
 author = "Patrik Karlsson"
@@ -46,7 +50,9 @@ local function enum_protocols(host, port)
   local PROTOCOLS = {
     ["Native RDP"] = 0,
     ["SSL"] = 1,
-    ["CredSSP"] = 3
+    ["CredSSP (NLA)"] = 3,
+    ["RDSTLS"] = 4,
+    ["CredSSP with Early User Auth"] = 8
   }
 
   local ERRORS = {
@@ -71,16 +77,24 @@ local function enum_protocols(host, port)
       return false, response
     end
 
-    local success = string.unpack("B", response.itut.data)
-    if ( success == 2 ) then
-      table.insert(res_proto, ("%s: SUCCESS"):format(k))
-    elseif ( nmap.debugging() > 0 ) then
-      local err = string.unpack("B", response.itut.data, 5)
-      if ( err > 0 ) then
-        table.insert(res_proto, ("%s: FAILED (%s)"):format(k, ERRORS[err] or "Unknown"))
-      else
-        table.insert(res_proto, ("%s: FAILED"):format(k))
+    if response.itut.data ~= "" then
+      local success = string.unpack("B", response.itut.data)
+
+      if ( success == 2 ) then
+        table.insert(res_proto, ("%s: SUCCESS"):format(k))
+      elseif ( nmap.debugging() > 0 ) then
+        local err = string.unpack("B", response.itut.data, 5)
+        if ( err > 0 ) then
+          table.insert(res_proto, ("%s: FAILED (%s)"):format(k, ERRORS[err] or "Unknown"))
+        else
+          table.insert(res_proto, ("%s: FAILED"):format(k))
+        end
       end
+    else
+      -- rdpNegData, which contains the negotiaion response or failure,
+      -- is optional. WinXP SP3 does not return this section which means
+      -- we can't tell if the protocol is accepted or not.
+      table.insert(res_proto, ("%s: Unknown"):format(k))
     end
   end
   table.sort(res_proto)
@@ -105,6 +119,7 @@ local function enum_ciphers(host, port)
   }
 
   local res_ciphers = {}
+  local proto_version
 
   local function get_ordered_ciphers()
     local i = 0
@@ -133,17 +148,19 @@ local function enum_ciphers(host, port)
     local status, response = comm:exch(msc)
     comm:close()
     if ( status ) then
-      local enc_level = string.unpack("B", response.itut.data, 95 + 8)
-      local enc_cipher= string.unpack("B", response.itut.data, 95 + 4)
-      if ( enc_cipher == v ) then
+      if ( response.ccr and response.ccr.enc_cipher == v ) then
         table.insert(res_ciphers, ("%s: SUCCESS"):format(k))
       end
-      res_ciphers.name = ("RDP Encryption level: %s"):format(ENC_LEVELS[enc_level] or "Unknown")
+      res_ciphers.name = ("RDP Encryption level: %s"):format(ENC_LEVELS[response.ccr.enc_level] or "Unknown")
+
+      if response.ccr.proto_version then
+        proto_version = response.ccr.proto_version
+      end
     elseif ( nmap.debugging() > 0 ) then
       table.insert(res_ciphers, ("%s: FAILURE"):format(k))
     end
   end
-  return true, res_ciphers
+  return true, res_ciphers, proto_version
 end
 
 action = function(host, port)
@@ -154,12 +171,15 @@ action = function(host, port)
     return res_proto
   end
 
-  local status, res_ciphers = enum_ciphers(host, port)
+  local status, res_ciphers, proto_version = enum_ciphers(host, port)
   if ( not(status) ) then
     return res_ciphers
   end
 
   table.insert(result, res_proto)
   table.insert(result, res_ciphers)
+  if proto_version then
+    table.insert(result, proto_version)
+  end
   return stdnse.format_output(true, result)
 end