Module: Metasploit::Framework::LoginScanner::Teamcity::Crypto

Included in:

Metasploit::Framework::LoginScanner::Teamcity

Defined in:

lib/metasploit/framework/login_scanner/teamcity.rb

Instance Method Summary

• #encrypt_data(text, public_key) ⇒ String

  A string blob.

• #max_data_size(str) ⇒ Object
• #pkcs1pad2(text, n) ⇒ Object

  github.com/openssl/openssl/blob/a08a145d4a7e663dd1e973f06a56e983a5e916f7/crypto/rsa/rsa_pk1.c#L125 datatracker.ietf.org/doc/html/rfc3447#section-7.2.1.

• #rsa_encrypt(modulus, exponent, text) ⇒ String
• #two_byte_chars?(str) ⇒ Boolean

Instance Method Details

#encrypt_data(text, public_key) ⇒ String

Returns A string blob.

Parameters:

• text (String) —

  The text to encrypt.

• public_key (String) —

  The hex representation of the public key to use.

Returns:

• (String) —

  A string blob.

Raises:

• (ArgumentError)

# File 'lib/metasploit/framework/login_scanner/teamcity.rb', line 97

def encrypt_data(text, public_key)
  raise ArgumentError, "Cannot encrypt the provided data: '#{text.inspect}'" unless text.is_a?(String)
  raise ArgumentError, "Cannot encrypt data with the public key: '#{public_key.inspect}'" unless public_key.is_a?(String)

  exponent = '10001'
  e = []
  utf_text = text.dup.force_encoding(::Encoding::UTF_8)
  g = max_data_size(utf_text)

  c = 0
  while c < utf_text.length
    b = [utf_text.length, c + g].min

    a = utf_text[c..b]

    encrypt = rsa_encrypt(public_key, exponent, a)
    e.push(encrypt)
    c += g
  end

  e.join('')
end

#max_data_size(str) ⇒ Object

Raises:

• (ArgumentError)

# File 'lib/metasploit/framework/login_scanner/teamcity.rb', line 87

def max_data_size(str)
  raise ArgumentError, 'Unable to get maximum data size for non-string value' unless str.is_a?(String)

  # Taken from TeamCity's login page JavaScript sources.
  two_byte_chars?(str) ? 58 : 116
end

#pkcs1pad2(text, n) ⇒ Object

github.com/openssl/openssl/blob/a08a145d4a7e663dd1e973f06a56e983a5e916f7/crypto/rsa/rsa_pk1.c#L125 datatracker.ietf.org/doc/html/rfc3447#section-7.2.1

Raises:

• (ArgumentError)

# File 'lib/metasploit/framework/login_scanner/teamcity.rb', line 15

def pkcs1pad2(text, n)
  raise ArgumentError, "Cannot pad the text: '#{text.inspect}'" unless text.is_a?(String)
  raise ArgumentError, "Invalid message length: '#{n.inspect}'" unless n.is_a?(Integer)

  bytes_per_char = two_byte_chars?(text) ? 2 : 1
  if n < ((bytes_per_char * text.length) + 11)
    raise ArgumentError, 'Message too long'
  end

  ba = Array.new(n, 0)
  n -= 1
  ba[n] = text.length

  i = text.length - 1

  while i >= 0 && n > 0
    char_code = text[i].ord
    i -= 1

    num_bytes = bytes_per_char

    while num_bytes > 0
      next_byte = char_code % 0x100
      char_code >>= 8

      n -= 1
      ba[n] = next_byte

      num_bytes -= 1
    end
  end
  n -= 1
  ba[n] = 0

  while n > 2
    n -= 1
    ba[n] = rand(1..255) # Can't be a null byte.
  end

  n -= 1
  ba[n] = 2
  n -= 1
  ba[n] = 0

  ba.pack("C*").unpack1("H*").to_i(16)
end

#rsa_encrypt(modulus, exponent, text) ⇒ String

Parameters:

• modulus (String)
• exponent (String)
• text (String)

Returns:

• (String)

# File 'lib/metasploit/framework/login_scanner/teamcity.rb', line 66

def rsa_encrypt(modulus, exponent, text)
  n = modulus.to_i(16)
  e = exponent.to_i(16)

  padded_as_big_int = pkcs1pad2(text, (n.bit_length + 7) >> 3)
  encrypted = padded_as_big_int.to_bn.mod_exp(e, n)
  h = encrypted.to_s(16)

  h.length.odd? ? h.prepend('0') : h
end

#two_byte_chars?(str) ⇒ Boolean

Returns:

• (Boolean)

Raises:

• (ArgumentError)

# File 'lib/metasploit/framework/login_scanner/teamcity.rb', line 77

def two_byte_chars?(str)
  raise ArgumentError, 'Unable to check char size for non-string value' unless str.is_a?(String)

  str.each_codepoint do |codepoint|
    return true if codepoint >> 8 > 0
  end

  false
end