2013-01-25 19:04:20 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-01-25 19:04:20 +00:00
|
|
|
##
|
|
|
|
|
2013-01-25 16:43:43 +00:00
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'MS12-020 Microsoft Remote Desktop Checker',
|
|
|
|
'Description' => %q{
|
|
|
|
This module checks a range of hosts for the MS12-020 vulnerability.
|
|
|
|
This does not cause a DoS on the target.
|
|
|
|
},
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2012-0002' ],
|
|
|
|
[ 'MSB', 'MS12-020' ],
|
|
|
|
[ 'URL', 'http://technet.microsoft.com/en-us/security/bulletin/ms12-020' ],
|
|
|
|
[ 'EDB', '18606' ],
|
|
|
|
[ 'URL', 'https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse' ]
|
|
|
|
],
|
|
|
|
'Author' =>
|
|
|
|
[
|
2013-12-26 16:26:01 +00:00
|
|
|
'Royce Davis "R3dy" <rdavis[at]accuvant.com>',
|
|
|
|
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
|
2013-08-30 21:28:54 +00:00
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def check_rdp
|
|
|
|
# code to check if RDP is open or not
|
|
|
|
vprint_status("#{peer} Verifying RDP protocol...")
|
|
|
|
|
|
|
|
# send connection
|
|
|
|
sock.put(connection_request)
|
|
|
|
|
|
|
|
# read packet to see if its rdp
|
|
|
|
res = sock.get_once(-1, 5)
|
|
|
|
|
|
|
|
# return true if this matches our vulnerable response
|
|
|
|
( res and res.match("\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00") )
|
|
|
|
end
|
|
|
|
|
|
|
|
def report_goods
|
|
|
|
report_vuln(
|
|
|
|
:host => rhost,
|
|
|
|
:port => rport,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:name => self.name,
|
|
|
|
:info => 'Response indicates a missing patch',
|
|
|
|
:refs => self.references
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
def connection_request
|
|
|
|
"\x03\x00" + # TPKT Header version 03, reserved 0
|
|
|
|
"\x00\x0b" + # Length
|
|
|
|
"\x06" + # X.224 Data TPDU length
|
|
|
|
"\xe0" + # X.224 Type (Connection request)
|
|
|
|
"\x00\x00" + # dst reference
|
|
|
|
"\x00\x00" + # src reference
|
|
|
|
"\x00" # class and options
|
|
|
|
end
|
|
|
|
|
|
|
|
def connect_initial
|
|
|
|
"\x03\x00\x00\x65" + # TPKT Header
|
|
|
|
"\x02\xf0\x80" + # Data TPDU, EOT
|
|
|
|
"\x7f\x65\x5b" + # Connect-Initial
|
|
|
|
"\x04\x01\x01" + # callingDomainSelector
|
|
|
|
"\x04\x01\x01" + # callingDomainSelector
|
|
|
|
"\x01\x01\xff" + # upwardFlag
|
|
|
|
"\x30\x19" + # targetParams + size
|
|
|
|
"\x02\x01\x22" + # maxChannelIds
|
|
|
|
"\x02\x01\x20" + # maxUserIds
|
|
|
|
"\x02\x01\x00" + # maxTokenIds
|
|
|
|
"\x02\x01\x01" + # numPriorities
|
|
|
|
"\x02\x01\x00" + # minThroughput
|
|
|
|
"\x02\x01\x01" + # maxHeight
|
|
|
|
"\x02\x02\xff\xff" + # maxMCSPDUSize
|
|
|
|
"\x02\x01\x02" + # protocolVersion
|
|
|
|
"\x30\x18" + # minParams + size
|
|
|
|
"\x02\x01\x01" + # maxChannelIds
|
|
|
|
"\x02\x01\x01" + # maxUserIds
|
|
|
|
"\x02\x01\x01" + # maxTokenIds
|
|
|
|
"\x02\x01\x01" + # numPriorities
|
|
|
|
"\x02\x01\x00" + # minThroughput
|
|
|
|
"\x02\x01\x01" + # maxHeight
|
|
|
|
"\x02\x01\xff" + # maxMCSPDUSize
|
|
|
|
"\x02\x01\x02" + # protocolVersion
|
|
|
|
"\x30\x19" + # maxParams + size
|
|
|
|
"\x02\x01\xff" + # maxChannelIds
|
|
|
|
"\x02\x01\xff" + # maxUserIds
|
|
|
|
"\x02\x01\xff" + # maxTokenIds
|
|
|
|
"\x02\x01\x01" + # numPriorities
|
|
|
|
"\x02\x01\x00" + # minThroughput
|
|
|
|
"\x02\x01\x01" + # maxHeight
|
|
|
|
"\x02\x02\xff\xff" + # maxMCSPDUSize
|
|
|
|
"\x02\x01\x02" + # protocolVersion
|
|
|
|
"\x04\x00" # userData
|
|
|
|
end
|
|
|
|
|
|
|
|
def user_request
|
|
|
|
"\x03\x00" + # header
|
|
|
|
"\x00\x08" + # length
|
|
|
|
"\x02\xf0\x80" + # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission)
|
|
|
|
"\x28" # PER encoded PDU contents
|
|
|
|
end
|
|
|
|
|
|
|
|
def channel_request
|
|
|
|
"\x03\x00\x00\x0c" +
|
|
|
|
"\x02\xf0\x80\x38"
|
|
|
|
end
|
|
|
|
|
|
|
|
def peer
|
|
|
|
"#{rhost}:#{rport}"
|
|
|
|
end
|
|
|
|
|
2014-12-15 18:37:36 +00:00
|
|
|
def check_rdp_vuln
|
2013-08-30 21:28:54 +00:00
|
|
|
# check if rdp is open
|
2014-12-15 18:50:59 +00:00
|
|
|
unless check_rdp
|
2013-08-30 21:28:54 +00:00
|
|
|
vprint_status "#{peer} Could not connect to RDP."
|
2014-12-15 18:50:59 +00:00
|
|
|
return Exploit::CheckCode::Unknown
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# send connectInitial
|
|
|
|
sock.put(connect_initial)
|
|
|
|
|
|
|
|
# send userRequest
|
|
|
|
sock.put(user_request)
|
|
|
|
res = sock.get_once(-1, 5)
|
2014-12-15 18:50:59 +00:00
|
|
|
return Exploit::CheckCode::Unknown unless res # nil due to a timeout
|
2013-08-30 21:28:54 +00:00
|
|
|
user1 = res[9,2].unpack("n").first
|
|
|
|
chan1 = user1 + 1001
|
|
|
|
|
|
|
|
# send 2nd userRequest
|
|
|
|
sock.put(user_request)
|
|
|
|
res = sock.get_once(-1, 5)
|
2014-12-15 18:50:59 +00:00
|
|
|
return Exploit::CheckCode::Unknown unless res # nil due to a timeout
|
2013-08-30 21:28:54 +00:00
|
|
|
user2 = res[9,2].unpack("n").first
|
|
|
|
chan2 = user2 + 1001
|
|
|
|
|
|
|
|
# send channel request one
|
|
|
|
sock.put(channel_request << [user1, chan2].pack("nn"))
|
|
|
|
res = sock.get_once(-1, 5)
|
2014-12-15 18:50:59 +00:00
|
|
|
return Exploit::CheckCode::Unknown unless res # nil due to a timeout
|
|
|
|
if res[7,2] == "\x3e\x00"
|
2013-08-30 21:28:54 +00:00
|
|
|
# send ChannelRequestTwo - prevent BSoD
|
|
|
|
sock.put(channel_request << [user2, chan2].pack("nn"))
|
|
|
|
|
2014-12-15 18:50:59 +00:00
|
|
|
return Exploit::CheckCode::Vulnerable
|
2013-08-30 21:28:54 +00:00
|
|
|
report_goods
|
|
|
|
else
|
2014-12-15 18:50:59 +00:00
|
|
|
return Exploit::CheckCode::Safe
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2014-12-15 18:50:59 +00:00
|
|
|
|
|
|
|
# Can't determine, but at least I know the service is running
|
|
|
|
return Exploit::CheckCode::Detected
|
2014-12-15 18:37:36 +00:00
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
|
2014-12-15 18:50:59 +00:00
|
|
|
def check_host(ip)
|
|
|
|
# The check command will call this method instead of run_host
|
|
|
|
|
|
|
|
status = Exploit::CheckCode::Unknown
|
|
|
|
|
2014-12-15 18:37:36 +00:00
|
|
|
begin
|
|
|
|
connect
|
2014-12-15 18:50:59 +00:00
|
|
|
status = check_rdp_vuln
|
2014-12-15 18:37:36 +00:00
|
|
|
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
|
|
|
|
bt = e.backtrace.join("\n")
|
2014-12-15 18:50:59 +00:00
|
|
|
vprint_error("Unexpected error: #{e.message}")
|
2014-12-15 18:37:36 +00:00
|
|
|
vprint_line(bt)
|
|
|
|
elog("#{e.message}\n#{bt}")
|
|
|
|
ensure
|
|
|
|
disconnect
|
|
|
|
end
|
2014-12-15 18:50:59 +00:00
|
|
|
|
|
|
|
status
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
# Allow the run command to call the check command
|
|
|
|
status = check_host(ip)
|
|
|
|
if status == Exploit::CheckCode::Vulnerable
|
|
|
|
print_good("#{ip}:#{rport} - #{status[1]}")
|
|
|
|
else
|
|
|
|
print_status("#{ip}:#{rport} - #{status[1]}")
|
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2013-01-25 16:43:43 +00:00
|
|
|
|
|
|
|
end
|