Timeline :

Vulnerability found by Luigi Auriemma the 2011-05-16
Vulnerability reported by Luigi Auriemma to ZDI
Vulnerability reported to the vendor by ZDI the 2011-08-24
Coordinated public release of the vulnerability the 2012-03-13
Metasploit PoC provided the 2012-03-19
Details of the vulnerability published by Luigi Auriemma the 2012-05-16

PoC provided by :

Luigi Auriemma
Daniel Godas-Lopez
Alex Ionescu
jduck

Reference(s) :

CVE-2012-0002
MS12-020
ZDI-12-044
OSVDB-80004

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP2
Windows Vista x64 SP2
Windows Server 2008 32 SP2
Windows Server 2008 x64 SP2
Windows 7 for 32 and Windows 7 32 SP1
Windows 7 for x64 and Windows 7 for x64 SP1
Windows Server 2008 R2 x64 and Windows Server 2008 R2 x64 SP1

Tested on Windows XP Pro SP3

Description :

This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result an invalid pointer being used, therefore causing a denial-of-service condition.

Commands :

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
SET RHOST 192.168.178.22
exploit