Incorrect PDU parsing leads to unresponsive connections #43

@bka-dev

Description

Hello,

I stumbled upon an issue with how certain hosts are processed, where some hosts could lead to never-terminating connections. Originally I opened an issue on Pennyw0rth/NetExec#1169, but it seems one main aspect of this issue is located in https://github.com/skelsec/aardwolf/blob/main/aardwolf/connection.py#L763 and https://github.com/skelsec/aardwolf/blob/main/aardwolf/connection.py#L744.

These lines parse the PDUs inside the server responses.

It turned out that some responses are parsed in an inaccurate way, which causes the __handle_mandatory_capability_exchange function to wait forever for a response when no response will come anymore.

In particular, I found that for a Windows Server with the "Remote Desktop Services" role installed, but without a Remote Desktop Licensing server, the parsing routines are confused, probably because __handle_license(self) reads unexpected data.

To replicate this scenario, you could do the following:

  • On a Windows Server, install the "Remote Desktop Services" role. Make sure to only select the "Remote Desktop Session Host" in the list of components to install.
  • Then try to login using the library

I'm not sure if there are more scenarios that could cause incorrect parsing. I'm not overly familiar with the RDP protocol, but maybe the parsing functions could introduce some more safety checks to validate that the incoming packets have the expected format and match the PDU that is expected to follow.

I hope I could help a little bit.
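The two safeguards the report asks for, a check that an incoming frame actually has the format and type of the PDU expected next, and a bounded wait so a server that stops responding cannot hang the connection forever, as an added example that is not aardwolf's code and not part of the issue above. The wire format (1-byte type, 2-byte big-endian total length, payload) and the type codes are constructed for illustration and do not match real RDP PDUs; `parse_pdu`, `recv_expected` and `exchange_outcome` are hypothetical names.

```python
"""Defensive PDU handling: validate the frame before trusting it, and bound every wait.

Added example, not aardwolf's code. The wire format here is a constructed
toy (1-byte PDU type, 2-byte big-endian total length, payload); real RDP
PDUs differ. The point is the two checks the issue asks for: the frame must
match the expected PDU type and length, and waiting for a reply must time out.
"""
import asyncio
import struct
from dataclasses import dataclass

HEADER = struct.Struct("!BH")  # constructed: type (1 byte), total length (2 bytes)

PDU_LICENSE = 0x01       # constructed type codes, not real RDP values
PDU_CAPABILITIES = 0x02


class PDUError(Exception):
    """Raised when a frame does not have the expected format or type."""


@dataclass
class PDU:
    pdu_type: int
    payload: bytes


def parse_pdu(buf: bytes, expected_type: int) -> PDU:
    """Parse one frame, refusing anything that is short, mis-sized or of the wrong type."""
    if len(buf) < HEADER.size:
        raise PDUError(f"short frame: {len(buf)} bytes, need {HEADER.size} for header")
    pdu_type, total_len = HEADER.unpack_from(buf)
    if total_len < HEADER.size or total_len != len(buf):
        raise PDUError(f"length field {total_len} does not match frame size {len(buf)}")
    if pdu_type != expected_type:
        raise PDUError(f"expected PDU type 0x{expected_type:02x}, got 0x{pdu_type:02x}")
    return PDU(pdu_type, buf[HEADER.size:total_len])


def build_pdu(pdu_type: int, payload: bytes) -> bytes:
    """Encode a frame in the toy format (used to construct sample input)."""
    return HEADER.pack(pdu_type, HEADER.size + len(payload)) + payload


async def recv_expected(get_frame, expected_type: int, timeout: float) -> PDU:
    """Await the next frame from `get_frame` (an async callable), but never forever.

    A server that simply sends nothing more (the situation in the issue) makes
    a plain `await` block indefinitely; asyncio.wait_for turns that into an
    error the caller can handle by closing the connection.
    """
    try:
        raw = await asyncio.wait_for(get_frame(), timeout)
    except asyncio.TimeoutError:
        raise PDUError(f"no PDU of type 0x{expected_type:02x} within {timeout}s") from None
    return parse_pdu(raw, expected_type)


def exchange_outcome(frames, expected_type: int, timeout: float = 0.2) -> str:
    """Drive recv_expected against a constructed server script and report the outcome.

    `frames` is a list of raw frames the fake server returns in order; an
    empty list models a server that has stopped responding.
    """
    queue = list(frames)

    async def get_frame() -> bytes:
        if queue:
            return queue.pop(0)
        await asyncio.Event().wait()  # never set: models a server that never replies

    async def run() -> str:
        try:
            pdu = await recv_expected(get_frame, expected_type, timeout)
        except PDUError as exc:
            return f"error: {exc}"
        return f"ok: {pdu.payload!r}"

    return asyncio.run(run())


if __name__ == "__main__":
    print(exchange_outcome([build_pdu(PDU_CAPABILITIES, b"caps")], PDU_CAPABILITIES))
    # wrong PDU type arrives where a capabilities PDU was expected
    print(exchange_outcome([build_pdu(PDU_LICENSE, b"lic")], PDU_CAPABILITIES))
    # server goes silent: the wait ends with an error instead of hanging
    print(exchange_outcome([], PDU_CAPABILITIES))
```

The third call is the scenario from the report: once the license step has consumed data it did not expect, the next expected PDU never arrives. With an unbounded `await` the connection stays open indefinitely; with the timeout it fails fast, and the type check catches the earlier mismatch before the parser reads fields from the wrong PDU.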
