#
#   RDP file upload utility via Keyboard emulation.
# Uploads specified input file or directory, encodes it and retypes encoded contents
# by emulating keyboard keypresses into previously focused RDP session window.
# That will effectively transmit contents of the file onto the remote host without use
# of any sort of built-in file upload functionality. Remote desktop protocols such as
# RDP/VNC could be abused in this way by smuggling to the connected host implant files, etc.
#
# In case a directory was specified on input, will recursively add every file from that directory
# and create a Zip archive that will be later uploaded.
#
# Mouse movements will suspend file upload process.
#
# Average transfer bandwidths largely depend on your connectivity performance and system utilization.
# I've experienced following:
#   - transfer to the Citrix Receiver RDP session: 40-60 bytes/s
#   - transfer to LAN RDP session RDP session: 400-800 bytes/s
#
# Requirements:
#   - pyautogui
#   - tqdm
#
# Author:
#   Mariusz B. / mgeeky (@mariuszbit), '20
#   <mb [at] binary-offensive.com>
#

import os
import sys
import time
import hashlib
import base64
import zipfile
import argparse
from io import BytesIO

try:
    import pyautogui
except ImportError:
    print('[!] Module "pyautogui" not found. Install it using: pip3 install pyautogui')
    sys.exit(1)

try:
    import tqdm
except ImportError:
    print('[!] Module "tqdm" not found. Install it using: pip3 install tqdm')
    sys.exit(1)

config = {
	'debug': True,
	'verbose': True,
    'wait' : 10,
    'interval' : 5,
    'delay' : 0.5,
    'base64' : 10,
    'zip' : 10,
    'chunk' : 256,

    # Specifies what's the maximum mouse cursor position offset deviation (in pixels)
    # that will be tolerated and won't interrupt file upload/retype loop.
    # If mouse cursor will leave the N x N rectangle, we'll stop uploading/retyping.
    'maxMouseDeviationInPixels' : 50,

    'file' : '',
    'format': '',
}

outputFormats = {
    'raw',
    'certutil',
}

fileWasEncoded = False
progressBar = None

class Logger:
    @staticmethod
    def _out(x): 
        sys.stdout.write(x + '\n')

    @staticmethod
    def verbose(x): 
        if config['verbose']:
            Logger._out('[*] ' + x)
    
    @staticmethod
    def info(x):
        Logger._out('[.] ' + x)

    @staticmethod
    def dbg(x):
        if config['debug']:
            Logger._out('[dbg] ' + x)
    
    @staticmethod
    def err(x): 
        sys.stdout.write('[!] ' + x + '\n')
    
    @staticmethod
    def fail(x):
        Logger._out('[-] ' + x)
    
    @staticmethod
    def ok(x):  
        Logger._out('[+] ' + x)

class InMemoryZip(object):
    # Source: 
    #   - https://www.kompato.com/post/43805938842/in-memory-zip-in-python
    #   - https://stackoverflow.com/a/2463818

    def __init__(self):
        self.in_memory_zip = BytesIO()

    def append(self, filename_in_zip, file_contents):
        zf = zipfile.ZipFile(self.in_memory_zip, "a", zipfile.ZIP_DEFLATED, False)
        zf.writestr(filename_in_zip, file_contents)
        for zfile in zf.filelist:
            zfile.create_system = 0

        return self

    def read(self):
        self.in_memory_zip.seek(0)
        return self.in_memory_zip.read()

def fetch_files(rootdir):
    imz = InMemoryZip()
    for folder, subs, files in os.walk(rootdir):
        for filename in files:
            real_path = os.path.join(folder, filename)
            with open(real_path, 'rb') as src:
                zip_path = real_path.replace(rootdir + '/', '')
                imz.append(zip_path, src.read())

    return imz.read()

def reformatOutput(contents):
    out = contents
    if config['format'] == 'certutil':
        out = b'-----BEGIN CERTIFICATE-----\r\n'
        for chunk in [contents[i:i + 64] for i in range(0, len(contents), 64)]:
            out += chunk + b'\r\n'

        out += b'-----END CERTIFICATE-----\r\n'

    try:
        Logger.dbg(f'''After reformatting output, data looks as follows:
----------------------------------------------------------------
{out}
----------------------------------------------------------------

''')
    except: pass

    return out

def checkChar(a):
    if a >= 0x20 or a <= 0x7f:
        return True

    if a in [0x0a, 0x0d, 9]:
        return True

    return False

def encodeFile(filePath, contents, dontZip):
    global fileWasEncoded
    encoded = contents

    if config['zip'] and not dontZip:
        imz = InMemoryZip()
        imz.append(os.path.basename(filePath), contents)
        encoded = imz.read()

    if config['base64'] or config['format'] == 'certutil':
        encoded = base64.b64encode(encoded)

    try:
        Logger.dbg(f'''After encoding data:
----------------------------------------------------------------
{encoded}
----------------------------------------------------------------

''')
    except: pass

    out = reformatOutput(encoded)

    for a in out:
        if not checkChar(a):
            Logger.err(f'After encoding file/directory contents we resulted with binary data ({a}). That\'s not supported.')
            return None

    fileWasEncoded = contents != out
    return out.decode('utf-8', 'ignore')

def splitFile(contents, chunkSize):
    for i in range(0, len(contents), chunkSize):
        yield contents[i:i+chunkSize]

def flush():
    time.sleep(2)
    sys.stdout.flush()
    sys.stderr.flush()

def progress(pos, total):
    t = tqdm.tqdm(total=total, unit='characters')
    if pos > 0: t.update(pos)
    return t

def retypeFile(contents):
    global progressBar

    retypeMousePos = pyautogui.position()
    pyautogui.click()

    Logger.verbose(f'Mouse position of assumed RDP session window: {retypeMousePos}')
    Logger._out('')

    progressBar = progress(0, len(contents))

    for chunk in splitFile(contents, config['chunk']):
        prevPos = pyautogui.position()

        if abs(prevPos.x - retypeMousePos.x) > config['maxMouseDeviationInPixels'] or \
            abs(prevPos.y - retypeMousePos.y) > config['maxMouseDeviationInPixels']:

            msg = "[?] Mouse cursor was moved away from initially focused position. File upload PAUSED.\n"
            msg += "    Press ENTER to resume upload or Ctrl-C to interrupt.\n"

            progressBar.write(msg)

            input('')

            progressBar.clear()
            progressBar.write(f"\n[?] Position your mouse cursor at the end of written text. Waiting {config['wait']} seconds to resume...\n")
            if config['wait'] > 0: time.sleep(config['wait'])

            retypeMousePos = pyautogui.position()
            pyautogui.click()
            progressBar.clear()
            progressBar.unpause()
            progressBar.refresh()
            
        pyautogui.write(chunk, interval = (float(config['interval']) / 1000.0))
        progressBar.update(len(chunk))

        if config['delay'] > 0: time.sleep(config['delay'])

    flush()
    Logger._out('')

def printInstructions(hash1, hash2, filePath):
    additional = ''
    basename = os.path.basename(filePath)
    inputFile = basename + '.txt' if fileWasEncoded else basename
    output = basename

    if config['zip']:
        output = basename + '.zip'

    if config['format'] == 'certutil':
        inputFile = basename + '.b64'
        additional = f'''
        *) Base64 decode file using certutil:
            cmd> certutil -decode {inputFile} {output}
'''
    
    elif config['format'] != 'certutil' and config['base64']:
        inputFile = basename + '.b64'
        additional = f'''
        *) Base64 decode file:
            $ cat {inputFile} | base64 -d > {output}
              or
            cmd> powershell -c "[IO.File]::WriteAllBytes('{output}', [Convert]::FromBase64String([IO.File]::ReadAllText('{inputFile}')))"
''' 

    if config['zip']:
        additional += f'''
        *) Unzip resulting file:
            $ unzip -d . {output}
              or
            PS> Expand-Archive -Path .\\{output} -Dest .
'''

    if hash1 != hash2:
        additional += f'''
        *) Verify MD5 sum of final form of uploaded file to expected original value {hash1}:
            $ md5sum {output}
              or
            PS> Get-FileHash .\\{output} -Algorithm MD5
'''

    Logger.verbose(f'''
    ================================================================
    B) After file was uploaded, next steps are:

        *) Using your text editor: save the file in a remote system as "{inputFile}"

        *) Verify MD5 sum of retyped file to base value {hash2}:
            $ md5sum {inputFile}
              or
            PS> Get-FileHash .\\{inputFile} -Algorithm MD5
        {additional}
''')

def parseOptions(argv):
    global config

    print('''
    :: RDP file upload utility via Keyboard emulation.
    Takes an input file/folder and retypes it into focused RDP session window.
    That effectively uploads the file into remote host over a RDP channel.

    Mariusz B. / mgeeky '20, (@mariuszbit)
    <mb@binary-offensive.com>
''')

    parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')

    parser.add_argument('inputFile', help='Input file or directory to upload. In case of directory - all files will get zipped recursively and resulting zip file will be uploaded.')

    parser.add_argument('-v', '--verbose', action='store_true', help='Displays verbose output containing field steps to follow.')
    parser.add_argument('-D', '--debug', action='store_true', help='Display debug output.')

    parser.add_argument('-f', '--format', choices=outputFormats, default='raw', help=f'Specifies into which format retype input file. Default: retype the file as is. "certutil" format implies --base64')

    timing = parser.add_argument_group('Timing & Performance', 'Adjusts settings impacting program\'s "upload" efficiency')
    timing.add_argument('-w', '--wait', type=int, default=config['wait'], help=f'Hold on before we start retyping file contents for this long (in seconds). Default: {config["wait"]} seconds.')
    timing.add_argument('-i', '--interval', type=int, default=config['interval'], help=f'Adjusts inter-key press interval (in milliseconds). Default: {config["interval"]} miliseconds.')
    timing.add_argument('-d', '--delay', type=int, default=config['delay'], help=f'Every next chunk (of size {config["chunk"]} bytes) wait this amount of time. Default: {config["delay"]} miliseconds.')

    encoding = parser.add_argument_group('Encoding', 'Controls how to encode the file before retyping it')
    encoding.add_argument('-b', '--base64', action='store_true', help='Encode and then retype base64 encoded file contents.')
    encoding.add_argument('-z', '--zip', action='store_true', help='Zip file contents before retyping them. If used with --base64 will retype results of base64(zip(file))')

    args = parser.parse_args()

    if not hasattr(args, 'inputFile') or args.inputFile is None:
        parser.print_help()
        return None

    config['verbose'] = args.verbose
    config['debug'] = args.debug

    if args.debug: config['verbose'] = True

    config['interval'] = args.interval
    config['format'] = args.format
    config['wait'] = args.wait
    config['zip'] = args.zip
    config['base64'] = args.base64

    if args.interval < 5:
        Logger.fail('WARNING: Setting too low inter-key press interval may result in keys being lost in the transit!')
        Logger.fail('         Be sure to verify uploaded file\'s md5 checksum!\n')

    return args

def main(argv):
    opts = parseOptions(argv)

    if not opts:
        return False

    contents = None
    dontZip = False
    t = 'file'

    try:
        if os.path.isfile(opts.inputFile):
            with open(opts.inputFile, 'rb') as f:
                contents = f.read()

        elif os.path.isdir(opts.inputFile):
            contents = fetch_files(rootdir)

            t = 'directory'
            dontZip = True

        else:
            Logger.err("Specified input file is neither a file nor directory (or it doesn't exist)!")
            return False

    except:
        Logger.err(f'Could not open file for reading: "{opts.inputFile}"')
        return False

    if contents == None or len(contents) == 0:
        Logger.fail("Specified file/directory was empty.")
        return False

    encoded = encodeFile(opts.inputFile, contents, dontZip)

    if encoded == None or len(encoded) == 0:
        Logger.fail("No encoded data to upload.")
        return False

    Logger.ok(f'Will upload {t}\'s contents: "{opts.inputFile}"\n')

    hash1 = hashlib.md5(contents).hexdigest()
    hash2 = hashlib.md5(encoded.encode()).hexdigest()

    Logger.ok('MD5 checksum of file to be uploaded:        ' + hash1)
    Logger.ok('MD5 checksum of encoded data to be retyped: ' + hash2)
    Logger.info(f'Size of input {t}: {len(contents)} - keys to retype: {len(encoded)}')
    Logger.verbose(f'Inter-key press interval: {opts.interval} miliseconds.')
    Logger.verbose(f'Every chunk cooldown delay: {1000*opts.delay} miliseconds.')
    del contents

    Logger.verbose('''
    ================================================================
    A) How to proceed now:

        1) In your RDP session, spawn a text editor (notepad, vim)
        2) Click inside of a text area as you were about to write something.
        3) Leave your mouse cursor in that RDP session window (client) having that window focused
''')

    Logger.info('Do not use your mouse/keyboard until file upload is completed!\n')
    Logger.ok('We\'re about to initiate upload process.')

    try:
        Logger.info(f'Waiting {config["wait"]} seconds before we begin...\n')

        time.sleep(opts.wait)

        Logger.ok('Starting file retype/upload...')

        retypeFile(encoded)

        Logger._out('')
        Logger.ok("FILE UPLOADED.")

        printInstructions(hash1, hash2, opts.inputFile)

    except KeyboardInterrupt:
        progressBar.clear()
        flush()
        Logger._out('')
        Logger.fail("FILE WAS NOT FULLY UPLOADED. User has interrupted file retype/upload process!\n")

        return False

    flush()
    progressBar.clear()
    return True

if __name__ == '__main__':
    main(sys.argv)