MS12-020 remote checker

a guest
Mar 26th, 2012
#!/usr/bin/env python

#
# MS12-020 remote safe checker (no BSOD)
#
# Uses the DoS bug (CVE-2012-0152) for the check
#
# by Worawit Wang (sleepya)
#

  11. import sys
  12. import socket
  13. from struct import pack,unpack
  14.  
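# The target host is the single positional argument.  Fail with a usage
# line instead of an IndexError traceback when it is missing.
if len(sys.argv) < 2:
    sys.stderr.write("usage: %s <host>\n" % sys.argv[0])
    sys.exit(1)
host = sys.argv[1]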
  16.  
def make_tpkt(data):
    """Frame *data* with a TPKT header.

    Header layout (big-endian): version 3, reserved 0, then the total
    length of header plus payload as a 16-bit field.
    """
    total_len = len(data) + 4
    header = pack("!BBH", 3, 0, total_len)
    return header + data
  19.  
def make_x224(type, data):
    """Prefix *data* with an X.224 TPDU header.

    The length indicator counts the TPDU type byte plus the payload; the
    second byte is the TPDU type (e.g. 0xe0, 0xf0) chosen by the caller.
    """
    length_indicator = len(data) + 1
    return pack("!BB", length_indicator, type) + data
  22.  
def make_rdp(type, flags, data):
    """Prefix *data* with a little-endian RDP header.

    Layout: one byte type, one byte flags, then a 16-bit total length that
    covers the 4-byte header and the payload.
    """
    total_len = len(data) + 4
    header = pack("<BBH", type, flags, total_len)
    return header + data
  25.  
  26.  
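# The rest of the script talks to the target once and prints exactly one
# of three results:
#   "Cannot check"  - the host did not answer like an RDP server, or the
#                     connection failed / timed out, so there is no verdict
#   "!!! VULN !!!"  - the channel-join probe was accepted
#   "patched"       - the channel-join probe was rejected
RDP_PORT = 3389
SOCKET_TIMEOUT = 10  # seconds, as in the original script
RECV_SIZE = 8192

# Reply expected to the X.224 connection request: a TPKT header with total
# length 11, followed by an X.224 TPDU of type 0xd0 (Connection Confirm).
# Anything else aborts the check, exactly as before.
EXPECTED_CONNECT_REPLY = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"

# X.224 Data TPDU header (type 0xf0) carrying only the EOT flag (0x80);
# every MCS PDU below is sent inside one of these.
X224_DATA = make_x224(0xf0, pack("!B", 0x80))


def cannot_check():
    """Give up without a verdict (same message and exit status as before)."""
    print("Cannot check")
    sys.exit()


def send_pdu(sk, payload):
    """Send *payload* inside one TPKT frame.

    sendall() replaces the original send(): send() may write only part of
    the frame, which would leave the server waiting and the check timing out.
    """
    sk.sendall(make_tpkt(payload))


def recv_pdu(sk, min_len):
    """Read one reply and abort the check if it is shorter than *min_len*.

    The original indexed into every reply unconditionally, so an empty or
    truncated answer (connection closed, non-RDP listener on 3389) crashed
    with struct.error instead of reporting "Cannot check".
    """
    data = sk.recv(RECV_SIZE)
    if len(data) < min_len:
        cannot_check()
    return data


def make_ber_sequence(body):
    """Wrap *body* in a BER SEQUENCE: tag 0x30 plus a one-byte (short-form) length."""
    return b"\x30" + pack("B", len(body)) + body


def make_connect_initial():
    """Build the MCS Connect-Initial PDU sent after the X.224 handshake.

    The three DomainParameters blocks (target / minimum / maximum) are the
    literal bytes of the original script; each field is a BER INTEGER
    (tag 0x02, length, value).
    """
    target_params = (
        b"\x02\x01\x22"      # maxChannelIds
        b"\x02\x01\x20"      # maxUserIds
        b"\x02\x01\x00"      # maxTokenIds
        b"\x02\x01\x01"      # numPriorities
        b"\x02\x01\x00"      # minThroughput
        b"\x02\x01\x01"      # maxHeight
        b"\x02\x02\xff\xff"  # maxMCSPDUSize
        b"\x02\x01\x02"      # protocolVersion
    )
    min_params = (
        b"\x02\x01\x01"      # maxChannelIds
        b"\x02\x01\x01"      # maxUserIds
        b"\x02\x01\x01"      # maxTokenIds
        b"\x02\x01\x01"      # numPriorities
        b"\x02\x01\x00"      # minThroughput
        b"\x02\x01\x01"      # maxHeight
        b"\x02\x01\xff"      # maxMCSPDUSize
        b"\x02\x01\x02"      # protocolVersion
    )
    max_params = (
        b"\x02\x01\xff"      # maxChannelIds
        b"\x02\x01\xff"      # maxUserIds
        b"\x02\x01\xff"      # maxTokenIds
        b"\x02\x01\x01"      # numPriorities
        b"\x02\x01\x00"      # minThroughput
        b"\x02\x01\x01"      # maxHeight
        b"\x02\x02\xff\xff"  # maxMCSPDUSize
        b"\x02\x01\x02"      # protocolVersion
    )
    mcs_data = (
        b"\x04\x01\x01"      # callingDomainSelector
        + b"\x04\x01\x01"    # calledDomainSelector
        + b"\x01\x01\xff"    # upwardFlag
        + make_ber_sequence(target_params)
        + make_ber_sequence(min_params)
        + make_ber_sequence(max_params)
        + b"\x04\x00"        # userData
    )
    # \x7f\x65  BER: APPLICATION 101 = Connect-Initial (MCS_TYPE_CONNECTINITIAL)
    return b"\x7f\x65" + pack("!B", len(mcs_data)) + mcs_data


def attach_user(sk):
    """Send an MCS attach-user request (0x28) and return the id from the reply.

    NOTE(review): the id is the big-endian 16-bit value at bytes 9-10 of
    the reply, as the original script assumed; a reply shorter than that
    now aborts the check instead of raising struct.error.
    """
    send_pdu(sk, X224_DATA + b"\x28")
    data = recv_pdu(sk, 11)
    return unpack("!H", data[9:11])[0]


def check_host(host):
    """Run the probe against *host*; return True if the channel join was accepted.

    Exits through cannot_check() when the host does not behave like an RDP
    server or the connection fails; the socket is closed on every path.
    """
    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sk.settimeout(SOCKET_TIMEOUT)
    try:
        sk.connect((host, RDP_PORT))

        # Connection request: X.224 type 0xe0 (dst_ref, src_ref, class_opts)
        # followed by the RDP data.
        rdp = make_rdp(1, 0, pack("!I", 0))
        x224_cr = make_x224(0xe0, pack("!HHB", 0, 0, 0) + rdp)
        send_pdu(sk, x224_cr)
        if sk.recv(RECV_SIZE) != EXPECTED_CONNECT_REPLY:
            cannot_check()

        # Connect-Initial with the GCC domain parameters.
        send_pdu(sk, X224_DATA + make_connect_initial())

        # Two attach-user requests; the server assigns a user id for each.
        user1 = attach_user(sk)
        user2 = attach_user(sk)

        # Join its own channel (prevent BSOD).  The reply is not inspected,
        # but it is read so the next reply is the one we want.
        send_pdu(sk, X224_DATA + b"\x38" + pack("!HH", user2, user2 + 1001))
        sk.recv(RECV_SIZE)

        # Channel join request (0x38) for user1 on the channel derived from
        # user2.  The verdict is bytes 7-8 of the reply; an empty or short
        # reply used to fall through to "patched", which is a false negative,
        # so it now aborts the check instead.
        send_pdu(sk, X224_DATA + b"\x38" + pack("!HH", user1, user2 + 1001))
        data = recv_pdu(sk, 9)
        return data[7:9] == b"\x3e\x00"
    except socket.error:
        # Connection refused/reset or timed out: report no verdict rather
        # than dying with a traceback.  SystemExit from cannot_check() is
        # not a socket.error and passes straight through.
        cannot_check()
    finally:
        sk.close()


if check_host(host):
    print("!!! VULN !!!")
else:
    print("patched")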