RDPDR File close responses are not handled properly by the MITM #264

Closed
xshill opened this issue Nov 17, 2020 · 1 comment
Comments


xshill commented Nov 17, 2020

When transferring a file from a shared drive to the server filesystem, the RDPDR file stealer sometimes creates empty files (even though the file itself is not empty). It's useless and it clogs up the output folder and mapping.json file.

```json
{
    "ChristineHerrera": {
        "creationTime": "2020-11-17T14:54:04.776912",
        "localPath": "pyrdp_output/files/ChristineHerrera",
        "remotePath": "\\Templates\\test.txt",
        "sha1": ""
    },
    "ClarenceMcanally": {
        "creationTime": "2020-11-17T14:55:47.534201",
        "localPath": "pyrdp_output/files/ClarenceMcanally",
        "remotePath": "\\Templates\\test.txt",
        "sha1": ""
    },
    "DavidRowles": {
        "creationTime": "2020-11-17T14:55:07.086586",
        "localPath": "pyrdp_output/files/DavidRowles",
        "remotePath": "\\Templates\\test.txt",
        "sha1": ""
    },
    "EvanDemaire": {
        "creationTime": "2020-11-17T15:03:44.626242",
        "localPath": "pyrdp_output/files/EvanDemaire",
        "remotePath": "\\Templates\\test.txt",
        "sha1": ""
    },
    "JesseWalker": {
        "creationTime": "2020-11-17T14:56:33.743618",
        "localPath": "pyrdp_output/files/JesseWalker",
        "remotePath": "\\Templates\\test.txt",
        "sha1": "c90e32d1e617ff4cb0ebd4789ded7ed10981a5e7"
    },
    "MaxKern": {
        "creationTime": "2020-11-17T14:55:18.115505",
        "localPath": "pyrdp_output/files/MaxKern",
        "remotePath": "\\Templates\\test.txt",
        "sha1": ""
    },
    "MichaelSummers": {
        "creationTime": "2020-11-17T14:55:57.601731",
        "localPath": "pyrdp_output/files/MichaelSummers",
        "remotePath": "\\Templates\\test.txt",
        "sha1": ""
    }
}
```
@xshill xshill added the bug Something isn't working label Nov 17, 2020
@xshill xshill self-assigned this Nov 17, 2020

xshill commented Nov 17, 2020

The RDPDRMITM component doesn't handle file closes properly, which causes file duplications in the file interceptor (among other problems). Although many file close responses are received, most of them don't pass the check `if key in self.openedFiles:`. Since they don't make it past that line, identical files never get filtered out and deleted by comparing hashes.

[user: ~/projects/pyrdp/pyrdp_output/files]$ sha1sum *
ce15a3b4fa87aef8ffad2e743966a7874aa7d38d  AimeeFroedge
**1a7bc51e89410165eb0e593029e7f8329a3b072a**  DonaldBallesteros
c90e32d1e617ff4cb0ebd4789ded7ed10981a5e7  JesseWalker
795aedebed0ccca1c1aa064fa75e9e76ae185958  LouisMillsap
**1a7bc51e89410165eb0e593029e7f8329a3b072a**  MaryWeaver
**1a7bc51e89410165eb0e593029e7f8329a3b072a**  MichaelLevine
4cb905042c8b4d879729df7b5c233297cf027fec  ShirleyDouglas

I think this is also probably the reason why we have so many empty files (and also missing sha1 entries in the mapping file).
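As an added example (not pyrdp's own code), the following script audits a pyrdp output folder for the symptoms described in this issue: it reads a mapping.json in the shape shown above, flags zero-byte files, entries whose sha1 is empty, and later copies whose content hash matches an earlier entry, oldest first so the first copy is the one to keep. It assumes mapping.json sits in the same directory as the files (a hypothetical layout), and the sample files it builds are constructed.

```python
import hashlib, json, tempfile
from pathlib import Path

def sha1_of(path: Path) -> str:
    return hashlib.sha1(path.read_bytes()).hexdigest()

def audit_mapping(files_dir: Path) -> dict:
    """Cross-check mapping.json against the files on disk (assumes mapping.json
    is stored next to the files). Returns lists of mapping keys per finding."""
    mapping = json.loads((files_dir / "mapping.json").read_text())
    report = {"empty": [], "unhashed": [], "duplicates": []}
    seen = {}  # sha1 -> first mapping key with that content
    # Oldest first, so the earliest copy is the one worth keeping.
    for name, entry in sorted(mapping.items(), key=lambda kv: kv[1]["creationTime"]):
        local = files_dir / Path(entry["localPath"]).name
        if not local.exists() or local.stat().st_size == 0:
            report["empty"].append(name)  # close response never processed
            continue
        digest = sha1_of(local)
        if not entry.get("sha1"):
            report["unhashed"].append(name)  # content present, hash never recorded
        if digest in seen:
            report["duplicates"].append(name)  # same bytes as an earlier entry
        else:
            seen[digest] = name
    return report

def build_sample(root: Path) -> Path:
    """Constructed sample in the issue's mapping.json shape (not real output)."""
    files = root / "files"
    files.mkdir()
    data = {"JesseWalker": b"hello\n", "MaryWeaver": b"hello\n",
            "ChristineHerrera": b"", "LouisMillsap": b"other\n"}
    mapping = {}
    for i, (name, body) in enumerate(data.items()):
        (files / name).write_bytes(body)
        mapping[name] = {"creationTime": f"2020-11-17T14:5{i}:00",
                         "localPath": f"pyrdp_output/files/{name}",
                         "remotePath": "\\Templates\\test.txt",
                         "sha1": sha1_of(files / name) if name == "JesseWalker" else ""}
    (files / "mapping.json").write_text(json.dumps(mapping))
    return files

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return audit_mapping(build_sample(Path(tmp)))

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```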

@xshill xshill changed the title The RDPDR intercepter creates empty files that never get deleted. RDPDR File close responses are not handled properly by the MITM Nov 17, 2020
@xshill xshill added the waiting-merge A fix for this exists but hasn't been merged yet label Nov 25, 2020
@xshill xshill added this to the v1.1.0 milestone Nov 26, 2020
@xshill xshill mentioned this issue Dec 23, 2020
@xshill xshill closed this as completed in 8c09864 Jan 4, 2021
@obilodeau obilodeau removed the waiting-merge A fix for this exists but hasn't been merged yet label Jan 5, 2021