MS12-020 Microsoft Remote Desktop Checker

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'MS12-020 Microsoft Remote Desktop Checker',  
'Description' => %q{  
This module checks a range of hosts for the MS12-020 vulnerability.  
This does not cause a DoS on the target.  
},  
'References' =>  
[  
[ 'CVE', '2012-0002' ],  
[ 'MSB', 'MS12-020' ],  
[ 'URL', 'https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-020' ],  
[ 'EDB', '18606' ],  
[ 'URL', 'https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse' ]  
],  
'Author' =>  
[  
'Royce Davis "R3dy" <rdavis[at]accuvant.com>',  
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'  
],  
'License' => MSF_LICENSE  
))  
  
register_options(  
[  
OptPort.new('RPORT', [ true, 'Remote port running RDP', 3389 ])  
])  
end  
  
def check_rdp  
# code to check if RDP is open or not  
vprint_status("Verifying RDP protocol...")  
  
# send connection  
sock.put(connection_request)  
  
# read packet to see if its rdp  
res = sock.get_once(-1, 5)  
  
# return true if this matches our vulnerable response  
( res and res.match("\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00") )  
end  
  
def report_goods  
report_vuln(  
:host => rhost,  
:port => rport,  
:proto => 'tcp',  
:name => self.name,  
:info => 'Response indicates a missing patch',  
:refs => self.references  
)  
end  
  
def connection_request  
"\x03\x00" + # TPKT Header version 03, reserved 0  
"\x00\x0b" + # Length  
"\x06" + # X.224 Data TPDU length  
"\xe0" + # X.224 Type (Connection request)  
"\x00\x00" + # dst reference  
"\x00\x00" + # src reference  
"\x00" # class and options  
end  
  
def connect_initial  
"\x03\x00\x00\x65" + # TPKT Header  
"\x02\xf0\x80" + # Data TPDU, EOT  
"\x7f\x65\x5b" + # Connect-Initial  
"\x04\x01\x01" + # callingDomainSelector  
"\x04\x01\x01" + # callingDomainSelector  
"\x01\x01\xff" + # upwardFlag  
"\x30\x19" + # targetParams + size  
"\x02\x01\x22" + # maxChannelIds  
"\x02\x01\x20" + # maxUserIds  
"\x02\x01\x00" + # maxTokenIds  
"\x02\x01\x01" + # numPriorities  
"\x02\x01\x00" + # minThroughput  
"\x02\x01\x01" + # maxHeight  
"\x02\x02\xff\xff" + # maxMCSPDUSize  
"\x02\x01\x02" + # protocolVersion  
"\x30\x18" + # minParams + size  
"\x02\x01\x01" + # maxChannelIds  
"\x02\x01\x01" + # maxUserIds  
"\x02\x01\x01" + # maxTokenIds  
"\x02\x01\x01" + # numPriorities  
"\x02\x01\x00" + # minThroughput  
"\x02\x01\x01" + # maxHeight  
"\x02\x01\xff" + # maxMCSPDUSize  
"\x02\x01\x02" + # protocolVersion  
"\x30\x19" + # maxParams + size  
"\x02\x01\xff" + # maxChannelIds  
"\x02\x01\xff" + # maxUserIds  
"\x02\x01\xff" + # maxTokenIds  
"\x02\x01\x01" + # numPriorities  
"\x02\x01\x00" + # minThroughput  
"\x02\x01\x01" + # maxHeight  
"\x02\x02\xff\xff" + # maxMCSPDUSize  
"\x02\x01\x02" + # protocolVersion  
"\x04\x00" # userData  
end  
  
def user_request  
"\x03\x00" + # header  
"\x00\x08" + # length  
"\x02\xf0\x80" + # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission)  
"\x28" # PER encoded PDU contents  
end  
  
def channel_request  
"\x03\x00\x00\x0c" +  
"\x02\xf0\x80\x38"  
end  
  
  
def check_rdp_vuln  
# check if rdp is open  
unless check_rdp  
vprint_status "Could not connect to RDP."  
return Exploit::CheckCode::Unknown  
end  
  
# send connectInitial  
sock.put(connect_initial)  
  
# send userRequest  
sock.put(user_request)  
res = sock.get_once(-1, 5)  
return Exploit::CheckCode::Unknown unless res # nil due to a timeout  
user1 = res[9,2].unpack("n").first  
chan1 = user1 + 1001  
  
# send 2nd userRequest  
sock.put(user_request)  
res = sock.get_once(-1, 5)  
return Exploit::CheckCode::Unknown unless res # nil due to a timeout  
user2 = res[9,2].unpack("n").first  
chan2 = user2 + 1001  
  
# send channel request one  
sock.put(channel_request << [user1, chan2].pack("nn"))  
res = sock.get_once(-1, 5)  
return Exploit::CheckCode::Unknown unless res # nil due to a timeout  
if res[7,2] == "\x3e\x00"  
# send ChannelRequestTwo - prevent BSoD  
sock.put(channel_request << [user2, chan2].pack("nn"))  
  
report_goods  
return Exploit::CheckCode::Vulnerable  
else  
return Exploit::CheckCode::Safe  
end  
  
# Can't determine, but at least I know the service is running  
return Exploit::CheckCode::Detected  
end  
  
def check_host(ip)  
# The check command will call this method instead of run_host  
  
status = Exploit::CheckCode::Unknown  
  
begin  
connect  
status = check_rdp_vuln  
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e  
bt = e.backtrace.join("\n")  
vprint_error("Unexpected error: #{e.message}")  
vprint_line(bt)  
elog(e)  
ensure  
disconnect  
end  
  
status  
end  
  
def run_host(ip)  
# Allow the run command to call the check command  
status = check_host(ip)  
if status == Exploit::CheckCode::Vulnerable  
print_good("#{ip}:#{rport} - #{status[1]}")  
else  
print_status("#{ip}:#{rport} - #{status[1]}")  
end  
end  
end  
`