140 |
int len_password = 2 * strlen(password); |
int len_password = 2 * strlen(password); |
141 |
int len_program = 2 * strlen(program); |
int len_program = 2 * strlen(program); |
142 |
int len_directory = 2 * strlen(directory); |
int len_directory = 2 * strlen(directory); |
143 |
|
int len_ip = 2 * strlen("127.0.0.1"); |
144 |
|
int len_dll = 2 * strlen("C:\\WINNT\\System32\\mstscax.dll"); |
145 |
|
int packetlen = 0; |
146 |
uint32 sec_flags = encryption ? (SEC_LOGON_INFO | SEC_ENCRYPT) : SEC_LOGON_INFO; |
uint32 sec_flags = encryption ? (SEC_LOGON_INFO | SEC_ENCRYPT) : SEC_LOGON_INFO; |
147 |
STREAM s; |
STREAM s; |
148 |
|
|
168 |
} |
} |
169 |
else |
else |
170 |
{ |
{ |
171 |
|
flags |= RDP_LOGON_BLOB; |
172 |
DEBUG_RDP5(("Sending RDP5-style Logon packet\n")); |
DEBUG_RDP5(("Sending RDP5-style Logon packet\n")); |
173 |
s = sec_init(sec_flags, 12 + (flags & RDP_LOGON_AUTO ? 2 : 0) + 6 + (flags & RDP_LOGON_AUTO ? len_password : 0) + len_domain + len_user + 4 + len_program + len_directory + 30 + 2 + 60 + 32 + 20 + 32 + 20); /* Phew! */ |
packetlen = 4 + // Unknown uint32 |
174 |
|
4 + // flags |
175 |
|
2 + // len_domain |
176 |
|
2 + // len_user |
177 |
|
(flags & RDP_LOGON_AUTO ? 2 : 0) + // len_password |
178 |
|
(flags & RDP_LOGON_BLOB ? 2 : 0) + // Length of BLOB |
179 |
|
2 + // len_program |
180 |
|
2 + // len_directory |
181 |
|
(0 < len_domain ? len_domain : 2) + // domain |
182 |
|
len_user + |
183 |
|
(flags & RDP_LOGON_AUTO ? len_password : 0) + |
184 |
|
0 + // We have no 512 byte BLOB. Perhaps we must? |
185 |
|
(flags & RDP_LOGON_BLOB && !(flags & RDP_LOGON_AUTO) ? 2 : 0) + // After the BLOB is a unknown int16. If there is a BLOB, that is. |
186 |
|
(0 < len_program ? len_program : 2) + |
187 |
|
(0 < len_directory ? len_directory : 2) + |
188 |
|
2 + // Unknown (2) |
189 |
|
2 + // Client ip length |
190 |
|
len_ip + // Client ip |
191 |
|
2 + // DLL string length |
192 |
|
len_dll + // DLL string |
193 |
|
2 + // Unknown |
194 |
|
2 + // Unknown |
195 |
|
64 + // Time zone #0 |
196 |
|
2 + // Unknown |
197 |
|
64 + // Time zone #1 |
198 |
|
32; // Unknown |
199 |
|
|
200 |
|
s = sec_init(sec_flags, packetlen); |
201 |
|
DEBUG_RDP5(("Called sec_init with packetlen %d\n", packetlen)); |
202 |
|
|
203 |
out_uint32(s, 0); |
out_uint32(s, 0); // Unknown |
204 |
out_uint32_le(s, flags); |
out_uint32_le(s, flags); |
205 |
out_uint16_le(s, len_domain); |
out_uint16_le(s, len_domain); |
206 |
out_uint16_le(s, len_user); |
out_uint16_le(s, len_user); |
207 |
if (flags & RDP_LOGON_AUTO) |
if (flags & RDP_LOGON_AUTO) |
208 |
{ |
{ |
209 |
out_uint16_le(s, len_password); |
out_uint16_le(s, len_password); |
210 |
|
|
211 |
|
} |
212 |
|
if (flags & RDP_LOGON_BLOB && !(flags & RDP_LOGON_AUTO)) { |
213 |
|
out_uint16_le(s, 0); |
214 |
} |
} |
|
out_uint16(s, 0); /* Seems to be length of a 512 byte blob with |
|
|
completely unknown data, but hopefully we'll do |
|
|
with a 0 length block as well */ |
|
215 |
out_uint16_le(s, len_program); |
out_uint16_le(s, len_program); |
216 |
out_uint16_le(s, len_directory); |
out_uint16_le(s, len_directory); |
217 |
rdp_out_unistr(s, domain, len_domain); |
if (0 < len_domain) |
218 |
|
rdp_out_unistr(s, domain, len_domain); |
219 |
|
else |
220 |
|
out_uint16_le(s, 0); |
221 |
|
rdp_out_unistr(s, user, len_user); |
222 |
if (flags & RDP_LOGON_AUTO) |
if (flags & RDP_LOGON_AUTO) |
223 |
{ |
{ |
224 |
rdp_out_unistr(s, password, len_password); |
rdp_out_unistr(s, password, len_password); |
225 |
} |
} |
226 |
rdp_out_unistr(s, user, len_user); |
if (flags & RDP_LOGON_BLOB && !(flags & RDP_LOGON_AUTO)) { |
227 |
out_uint16(s, 0); |
out_uint16_le(s, 0); |
228 |
out_uint16(s, 0); |
} |
229 |
if (0 < len_program) |
if (0 < len_program) { |
230 |
rdp_out_unistr(s, program, len_program); |
rdp_out_unistr(s, program, len_program); |
231 |
if (0 < len_directory) |
|
232 |
|
} else { |
233 |
|
out_uint16_le(s, 0); |
234 |
|
} |
235 |
|
if (0 < len_directory) { |
236 |
rdp_out_unistr(s, directory, len_directory); |
rdp_out_unistr(s, directory, len_directory); |
237 |
out_uint8s(s, 30); /* Some kind of client data - let's see if the server |
} else { |
238 |
handles zeros well.. */ |
out_uint16_le(s, 0); |
239 |
out_uint16_le(s, 60); |
} |
240 |
rdp_out_unistr(s, "C:\\WINNT\\System32\\mstscax.dll", 58); |
out_uint16_le(s, 2); |
241 |
out_uint32_be(s, 0x88ffffff); |
out_uint16_le(s, len_ip+2); // Length of client ip |
242 |
rdp_out_unistr(s, "GTB, normaltid", 2 * strlen("GTB, normaltid") - 2); |
rdp_out_unistr(s, "127.0.0.1", len_ip); |
243 |
out_uint8s(s, 30 - 2 * strlen("GTP, normaltid")); |
out_uint16_le(s, len_dll+2); |
244 |
|
rdp_out_unistr(s, "C:\\WINNT\\System32\\mstscax.dll", len_dll); |
245 |
|
out_uint16_le(s, 0xffc4); |
246 |
|
out_uint16_le(s, 0xffff); |
247 |
|
rdp_out_unistr(s, "GTB, normaltid", |
248 |
|
2*strlen("GTB, normaltid")); |
249 |
|
out_uint8s(s, 62-2*strlen("GTB, normaltid")); |
250 |
|
|
251 |
|
|
252 |
out_uint32_le(s, 0x0a0000); |
out_uint32_le(s, 0x0a0000); |
253 |
out_uint32_le(s, 0x050000); |
out_uint32_le(s, 0x050000); |
254 |
out_uint32_le(s, 2); |
out_uint32_le(s, 3); |
255 |
out_uint32(s, 0); |
out_uint32_le(s, 0); |
256 |
out_uint32_le(s, 0xffffffc4); |
out_uint32_le(s, 0); |
257 |
out_uint32_le(s, 0xfffffffe); |
|
258 |
out_uint32_le(s, 0x0f); |
rdp_out_unistr(s, "GTB, sommartid", |
259 |
out_uint32(s, 0); |
2*strlen("GTB, sommartid")); |
260 |
|
out_uint8s(s, 62-2*strlen("GTB, sommartid")); |
261 |
|
|
262 |
rdp_out_unistr(s, "GTB, sommartid", 2 * strlen("GTB, sommartid") - 1); |
out_uint32_le(s, 0x30000); |
|
out_uint8s(s, 30 - 2 * strlen("GTP, sommartid")); |
|
|
|
|
|
out_uint32_le(s, 0x030000); |
|
263 |
out_uint32_le(s, 0x050000); |
out_uint32_le(s, 0x050000); |
264 |
out_uint32_le(s, 2); |
out_uint32_le(s, 2); |
265 |
out_uint32(s, 0); |
out_uint32(s, 0); |
268 |
out_uint32_le(s, 0x0f); |
out_uint32_le(s, 0x0f); |
269 |
out_uint32(s, 0); |
out_uint32(s, 0); |
270 |
|
|
271 |
|
|
272 |
} |
} |
273 |
s_mark_end(s); |
s_mark_end(s); |
274 |
sec_send(s, sec_flags); |
sec_send(s, sec_flags); |