TeamCity: Correctly encrypt UTF-8 codepoints

Author: sjanusz-r7

lib/metasploit/framework/login_scanner/teamcity.rb

@@ -16,36 +16,47 @@ def pkcs1pad2(text, n)
             raise ArgumentError, "Cannot pad the text: '#{text.inspect}'" unless text.is_a?(String)
             raise ArgumentError, "Invalid message length: '#{n.inspect}'" unless n.is_a?(Integer)
 
-            if n < text.length + 11
+            bytes_per_char = two_byte_chars?(text) ? 2 : 1
+            if n < ((bytes_per_char * text.length) + 11)
               raise ArgumentError, 'Message too long'
             end
 
-            r = Array.new(n, 0)
+            ba = Array.new(n, 0)
             n -= 1
-            r[n] = text.length
+            ba[n] = text.length
 
             i = text.length - 1
 
             while i >= 0 && n > 0
-              c = text[i].ord
+              char_code = text[i].ord
               i -= 1
-              n -= 1
-              r[n] = c % 0x100
+
+              num_bytes = bytes_per_char
+
+              while num_bytes > 0
+                next_byte = char_code % 0x100
+                char_code >>= 8
+
+                n -= 1
+                ba[n] = next_byte
+
+                num_bytes -= 1
+              end
             end
             n -= 1
-            r[n] = 0
+            ba[n] = 0
 
             while n > 2
               n -= 1
-              r[n] = rand(1..255) # Can't be a null byte.
+              ba[n] = rand(1..255) # Can't be a null byte.
             end
 
             n -= 1
-            r[n] = 2
+            ba[n] = 2
             n -= 1
-            r[n] = 0
+            ba[n] = 0
 
-            r.pack("C*").unpack1("H*").to_i(16)
+            ba.pack("C*").unpack1("H*").to_i(16)
           end
 
           # @param [String] modulus
@@ -66,7 +77,11 @@ def rsa_encrypt(modulus, exponent, text)
           def two_byte_chars?(str)
             raise ArgumentError, 'Unable to check char size for non-string value' unless str.is_a?(String)
 
-            str.bytesize > str.length
+            str.each_codepoint do |codepoint|
+              return true if codepoint >> 8 > 0
+            end
+
+            false
           end
 
           def max_data_size(str)
@@ -85,13 +100,14 @@ def encrypt_data(text, public_key)
 
             exponent = '10001'
             e = []
-            g = max_data_size(text)
+            utf_text = text.dup.force_encoding(::Encoding::UTF_8)
+            g = max_data_size(utf_text)
 
             c = 0
-            while c < text.length
-              b = [text.length, c + g].min
+            while c < utf_text.length
+              b = [utf_text.length, c + g].min
 
-              a = text[c..b]
+              a = utf_text[c..b]
 
               encrypt = rsa_encrypt(public_key, exponent, a)
               e.push(encrypt)

spec/modules/auxiliary/scanner/teamcity/teamcity_login_spec.rb

@@ -12,8 +12,9 @@
     [
       { input: 'abc', expected: false },
       { input: '', expected: false },
-      { input: 'ççç', expected: true },
-      { input: 'メタスプライトが大好きです', expected: true } # I love metasploit
+      { input: 'ççç', expected: false }, # has2byteChars('ç') -> false
+      # I love metasploit
+      { input: 'メタスプライトが大好きです', expected: true } # has2byteChars('メタスプライトが大好きです') -> true
     ].each do |scenario|
       it 'returns the correct value' do
         expect(subject.two_byte_chars?(scenario[:input])).to eq(scenario[:expected])
@@ -36,7 +37,7 @@
     [
       { input: 'abc', expected: 116 },
       { input: '', expected: 116 },
-      { input: 'ççç', expected: 58 }, # TODO: In the browser, this is reported as 118.
+      { input: 'ççç', expected: 116 },
       { input: 'メタスプライトが大好きです', expected: 58 } # I love metasploit
     ].each do |scenario|
       it 'returns the correct maximum message length' do
@@ -58,16 +59,16 @@
 
   describe '#pkcs1pad2' do
     [
-      { input: 'abc', expected: '0061626303' },
-      { input: '', expected: '0000' },
-      { input: 'ççç', expected: '00e7e7e703' }, # 3 chars, E7 codepoint
-      { input: 'メタスプライトが大好きです', expected: '0030e130bf30b930d730e930a430c8304c5927597d304d3067305913' } # I love metasploit
+      { input: 'abc', expected: /0061626303$/ },
+      { input: '', expected: /0000$/ },
+      { input: 'ççç', expected: /00e7e7e703$/ }, # 3 chars, E7 codepoint
+      { input: 'メタスプライトが大好きです', expected: /0030e130bf30b930d730e930a430c8304c5927597d304d306730590d$/ } # I love metasploit
     ].each do |scenario|
       it 'correctly pads text' do
         n = (teamcity_public_key.bit_length + 7) >> 3
         padded_as_big_int = subject.pkcs1pad2(scenario[:input], n)
         padded_hex = padded_as_big_int.to_s(16)
-        expect(padded_hex.end_with?(scenario[:expected])).to eql(true)
+        expect(padded_hex).to match(scenario[:expected])
       end
     end