Land #12283, Add exploit module for CVE-2019-0708 / BlueKeep

rapid7 · Sep 23, 2019 · b668e1f · b668e1f
2 parents 5b8c97c + c0be631
commit b668e1f
Show file tree

Hide file tree

Showing 5 changed files with 1,805 additions and 184 deletions.
diff --git a/documentation/modules/exploit/windows/rdp/cve_2019-0708_bluekeep_rce.md b/documentation/modules/exploit/windows/rdp/cve_2019-0708_bluekeep_rce.md
@@ -0,0 +1,32 @@
+CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
+
+The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free.  With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.
+
+## Vulnerable Application
+
+This exploit should work against a vulnerable RDP service from one of these Windows systems:
+
+* Windows 2000 x86 (All Service Packs))
+* Windows XP x86 (All Service Packs))
+* Windows 2003 x86 (All Service Packs))
+* Windows 7 x86 (All Service Packs))
+* Windows 7 x64 (All Service Packs)
+* Windows 2008 R2 x64 (All Service Packs)
+
+This exploit module currently targets these Windows systems running on several virtualized and physical targets.
+
+* Windows 7 x64 (All Service Packs)
+* Windows 2008 R2 x64 (All Service Packs)
+
+## Verification Steps
+
+- [ ] Start `msfconsole`
+- [ ] `use exploit/windows/rdp/cve_2019_0708_bluekeep_rce`
+- [ ] `set RHOSTS` to Windows 7/2008 x64
+- [ ] `set TARGET` based on target host characteristics
+- [ ] `set PAYLOAD`
+- [ ] `exploit`
+- [ ] **Verify** that you get a shell
+- [ ] **Verify** that you do not crash
+
+## Options