MS12-020, The saga continues: exploit code published for the RDP Chinese worm leaked from Microsoft?

I was sent this link which is hilarious: http://istherdpexploitoutyet.com/

It has some really short information on the exploit and PoC and, obviously, on who bought it (yes kids, ZDI bought this one, gave it to Microsoft, and then one of them managed to leak it), but apparently the original exploit code was leaked (complete article HERE).

From the article:

“Chinese hackers have released proof-of-concept code that provides a roadmap to exploit a dangerous RDP (remote desktop protocol) vulnerability that was patched by Microsoft earlier this week.

The publication of the code on a Chinese language forum heightens the urgency to apply Microsoft’s MS12-020 update, which addresses a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft’s implementation of the RDP protocol.”

Well, I’m not fluent in Chinese at all, BUT when I went to the website it clearly says at the top:

“0day discount
This BLOG from time to time the market of 0day of exp”

Errr, I’m sorry, but that does not tell ANYONE to go and patch as the article says; they actually go even further, saying: “Thanks to 360 friends to provide the EXP.” Well, apparently the 360 guys managed to grab that exploit, which apparently has a special signature from the researcher Luigi Auriemma (@luigi_auriemma).

That is a good practice and I hope it starts up again: watermarking the PoCs so you can see where the leak is. The interesting part is … who is owned by the Chinese? ZDI? Or Microsoft? If they leaked that, which others have been leaked?
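One way to do the watermarking described above, as an added example (not from the original post, and not a description of how the researcher's actual signature worked): each recipient's copy carries an HMAC-derived mark in a padding region, and a leaked copy is attributed by searching it for every recipient's mark, even after it has been repackaged inside another file. The secret, artifact id, recipient names and sample bytes are all constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 16              # bytes of HMAC-SHA256 kept as the watermark
FILLER = b"A" * TAG_LEN   # constructed don't-care padding region in the sample artifact


def mark_for(secret: bytes, artifact_id: str, recipient: str) -> bytes:
    """Per-recipient mark; only the holder of `secret` can recompute or forge it."""
    msg = artifact_id.encode() + b"\x00" + recipient.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:TAG_LEN]


def stamp(artifact: bytes, mark: bytes) -> bytes:
    """Swap the single filler region for the mark, keeping the length unchanged."""
    if artifact.count(FILLER) != 1:
        raise ValueError("artifact must contain exactly one filler region")
    return artifact.replace(FILLER, mark)


def attribute(leaked: bytes, secret: bytes, artifact_id: str, recipients):
    """Return every recipient whose mark occurs anywhere in the leaked bytes."""
    return [r for r in recipients if mark_for(secret, artifact_id, r) in leaked]


def demo():
    secret = b"constructed-demo-secret"      # kept private by the sender
    artifact = b"HDR|constructed sample report|" + FILLER + b"|END"
    recipients = ["broker", "vendor"]        # hypothetical recipient labels
    copies = {r: stamp(artifact, mark_for(secret, "report-001", r))
              for r in recipients}
    # Simulate a leak: the vendor's copy loses its header and is embedded
    # inside an unrelated wrapper, but the marked region survives.
    leaked = b"\x7fUNRELATED-WRAPPER" + copies["vendor"][4:] + b"trailer"
    return attribute(leaked, secret, "report-001", recipients)


if __name__ == "__main__":
    print(demo())
```

The mark only attributes a leak while the marked bytes survive; a recipient who rewrites or normalises that region removes it, so marks placed in more than one location are harder to strip.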

This bug will end up showing more flaws in the handling of these bugs and the leaking of its PoC than in the bug itself!

UPDATE:

In this tweet (https://twitter.com/#!/luigi_auriemma/status/180646548395401216), Luigi Auriemma confirms that Microsoft was the leak.

Luigi Auriemma @luigi_auriemma
in case isn’t clear yet: rdpclient.exe seems written by Microsoft using the original packet poc I sent to ZDI. MS is the source of the leak

His Advisory can be seen HERE


4 Comments to MS12-020, The saga continues: exploit code published for the RDP Chinese worm leaked from Microsoft?

  1. hey there, this is my site, thx for the mention ;)

  2. Saman Fatahpour says:

    I’m the programmer of this awesome tool (rdpcrash) based on the MS12-020 vulnerability, which works on almost all mobile phones, supports a list of IP addresses and can crash a powerful Microsoft server with a simple Java phone. Take a look at the attached images and the rdpcrash.jar file; please test it and publish a post about this tool.
    http://dl.dropbox.com/s/fvpwadae0rphiok/c.JPG?dl=1
    http://www.dropbox.com/s/bzrrfg5glupm296/rdpcrash.jar?dl=1
    http://www.dropbox.com/s/m6icclmdcpq1e6i/rdpcrash.jad?dl=1
    http://www.dropbox.com/s/jh42x197mzfsuyf/a.jpg?dl=1
    http://www.dropbox.com/s/x8sgfs5fl9ny5cp/b.jpg?dl=1

  3. All links are dead tho, maybe you want to update them?

  4. I have read a few excellent stuff here. Certainly value bookmarking for revisiting. I wonder how a lot attempt you place to make this kind of wonderful informative web site.
