exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MS12-020 Microsoft Remote Desktop Checker

MS12-020 Microsoft Remote Desktop Checker
Posted Aug 31, 2024
Authored by Brandon McCann, Royce Davis R3dy | Site metasploit.com

This Metasploit module checks a range of hosts for the MS12-020 vulnerability. This does not cause a DoS on the target.

tags | exploit
advisories | CVE-2012-0002
SHA-256 | 8af29fc18715a26cabbd8050a6eb7d7d09d6e5b2f6a5c4dbb175fc6d6bd10023

MS12-020 Microsoft Remote Desktop Checker

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report

def initialize(info = {})
super(update_info(info,
'Name' => 'MS12-020 Microsoft Remote Desktop Checker',
'Description' => %q{
This module checks a range of hosts for the MS12-020 vulnerability.
This does not cause a DoS on the target.
},
'References' =>
[
[ 'CVE', '2012-0002' ],
[ 'MSB', 'MS12-020' ],
[ 'URL', 'https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-020' ],
[ 'EDB', '18606' ],
[ 'URL', 'https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse' ]
],
'Author' =>
[
'Royce Davis "R3dy" <rdavis[at]accuvant.com>',
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
],
'License' => MSF_LICENSE
))

register_options(
[
OptPort.new('RPORT', [ true, 'Remote port running RDP', 3389 ])
])
end

def check_rdp
# code to check if RDP is open or not
vprint_status("Verifying RDP protocol...")

# send connection
sock.put(connection_request)

# read packet to see if its rdp
res = sock.get_once(-1, 5)

# return true if this matches our vulnerable response
( res and res.match("\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00") )
end

def report_goods
report_vuln(
:host => rhost,
:port => rport,
:proto => 'tcp',
:name => self.name,
:info => 'Response indicates a missing patch',
:refs => self.references
)
end

def connection_request
"\x03\x00" + # TPKT Header version 03, reserved 0
"\x00\x0b" + # Length
"\x06" + # X.224 Data TPDU length
"\xe0" + # X.224 Type (Connection request)
"\x00\x00" + # dst reference
"\x00\x00" + # src reference
"\x00" # class and options
end

def connect_initial
"\x03\x00\x00\x65" + # TPKT Header
"\x02\xf0\x80" + # Data TPDU, EOT
"\x7f\x65\x5b" + # Connect-Initial
"\x04\x01\x01" + # callingDomainSelector
"\x04\x01\x01" + # callingDomainSelector
"\x01\x01\xff" + # upwardFlag
"\x30\x19" + # targetParams + size
"\x02\x01\x22" + # maxChannelIds
"\x02\x01\x20" + # maxUserIds
"\x02\x01\x00" + # maxTokenIds
"\x02\x01\x01" + # numPriorities
"\x02\x01\x00" + # minThroughput
"\x02\x01\x01" + # maxHeight
"\x02\x02\xff\xff" + # maxMCSPDUSize
"\x02\x01\x02" + # protocolVersion
"\x30\x18" + # minParams + size
"\x02\x01\x01" + # maxChannelIds
"\x02\x01\x01" + # maxUserIds
"\x02\x01\x01" + # maxTokenIds
"\x02\x01\x01" + # numPriorities
"\x02\x01\x00" + # minThroughput
"\x02\x01\x01" + # maxHeight
"\x02\x01\xff" + # maxMCSPDUSize
"\x02\x01\x02" + # protocolVersion
"\x30\x19" + # maxParams + size
"\x02\x01\xff" + # maxChannelIds
"\x02\x01\xff" + # maxUserIds
"\x02\x01\xff" + # maxTokenIds
"\x02\x01\x01" + # numPriorities
"\x02\x01\x00" + # minThroughput
"\x02\x01\x01" + # maxHeight
"\x02\x02\xff\xff" + # maxMCSPDUSize
"\x02\x01\x02" + # protocolVersion
"\x04\x00" # userData
end

def user_request
"\x03\x00" + # header
"\x00\x08" + # length
"\x02\xf0\x80" + # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission)
"\x28" # PER encoded PDU contents
end

def channel_request
"\x03\x00\x00\x0c" +
"\x02\xf0\x80\x38"
end


def check_rdp_vuln
# check if rdp is open
unless check_rdp
vprint_status "Could not connect to RDP."
return Exploit::CheckCode::Unknown
end

# send connectInitial
sock.put(connect_initial)

# send userRequest
sock.put(user_request)
res = sock.get_once(-1, 5)
return Exploit::CheckCode::Unknown unless res # nil due to a timeout
user1 = res[9,2].unpack("n").first
chan1 = user1 + 1001

# send 2nd userRequest
sock.put(user_request)
res = sock.get_once(-1, 5)
return Exploit::CheckCode::Unknown unless res # nil due to a timeout
user2 = res[9,2].unpack("n").first
chan2 = user2 + 1001

# send channel request one
sock.put(channel_request << [user1, chan2].pack("nn"))
res = sock.get_once(-1, 5)
return Exploit::CheckCode::Unknown unless res # nil due to a timeout
if res[7,2] == "\x3e\x00"
# send ChannelRequestTwo - prevent BSoD
sock.put(channel_request << [user2, chan2].pack("nn"))

report_goods
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end

# Can't determine, but at least I know the service is running
return Exploit::CheckCode::Detected
end

def check_host(ip)
# The check command will call this method instead of run_host

status = Exploit::CheckCode::Unknown

begin
connect
status = check_rdp_vuln
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
bt = e.backtrace.join("\n")
vprint_error("Unexpected error: #{e.message}")
vprint_line(bt)
elog(e)
ensure
disconnect
end

status
end

def run_host(ip)
# Allow the run command to call the check command
status = check_host(ip)
if status == Exploit::CheckCode::Vulnerable
print_good("#{ip}:#{rport} - #{status[1]}")
else
print_status("#{ip}:#{rport} - #{status[1]}")
end
end
end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close