CVE-2019-0708 "BlueKeep" auxiliary scanner module #11869
Conversation
Pretty good from what I can see, but I have yet to test it. Also a name change suggestion: cve_2019_0708.rb --> (bluekeep.rb || cve_2019_0708_bluekeep.rb)
(TL;DR: 4b786e2 works great against 7 and XP. I'll circle back to test your latest commits. Is NLA supported?)
Thanks @zerosum0x0! I know this was no small undertaking. Several of us are testing this, and it's looking great so far! Is there a way to detect and report if the target uses Network Level Authentication, even if it's just to report
Win7 SP1 x86 (6.1.7601, 32-bit)
With RDP disabled:
Unpatched, with RDP enabled (without NLA):
Unpatched, with RDP enabled (with NLA):
Patched, with RDP enabled (without NLA):
Patched, with RDP enabled (with NLA):
Win7 SP1 x64 (6.1.7601, 64-bit)
Unpatched, with RDP enabled (without NLA):
Unpatched, with RDP enabled (with NLA):
Patched, with RDP enabled (without NLA):
WinXP SP2 x86
Unpatched, with RDP enabled (without NLA):
WinXP SP3 x86
Unpatched, with RDP enabled (without NLA):
Patched, with RDP enabled (without NLA):
Win2k3 x64 (Standard, 5.2.3790)
Unpatched, with RDP enabled (without NLA):
Patched, with RDP enabled (without NLA):
Win10 Pro 1809, RDP Enabled
@asoto-r7 NLA is a 100% confirmed mitigation. We don't have any specific checks for it atm but is something we have discussed to do. Looks like adding detected should be easy enough. We've also discussed adding authenticated NLA scanning, but that is a different beast entirely. And there are already authenticated scanners which can check driver versions.
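As an added illustration of the NLA check discussed in this comment (example code written for this page, not the scanner module from this PR): the RDP protocol negotiation that runs before any security handshake already tells a client whether the server enforces Network Level Authentication. A client offers a protocol bitmask in an X.224 Connection Request; the server either selects one in an RDP_NEG_RSP or refuses in an RDP_NEG_FAILURE. Offering PROTOCOL_RDP alone makes an NLA-enforcing server answer with failure code HYBRID_REQUIRED_BY_SERVER, while XP and 2003 era servers answer with a bare Connection Confirm that carries no negotiation structure at all. The constants and field layouts follow MS-RDPBCGR 2.2.1.1 and 2.2.1.2; the three sample replies are constructed here, and the function and constant names are this example's own.

```ruby
# Added example, not code from the BlueKeep scanner module in this PR.
# Builds the X.224 Connection Request a client sends first, and classifies the
# server's Connection Confirm to tell whether Network Level Authentication
# (CredSSP, PROTOCOL_HYBRID) is enforced. Field layouts and constants follow
# MS-RDPBCGR 2.2.1.1 and 2.2.1.2; the sample replies at the bottom are constructed.

PROTOCOL_RDP    = 0x00000000
PROTOCOL_SSL    = 0x00000001
PROTOCOL_HYBRID = 0x00000002

TYPE_RDP_NEG_REQ     = 0x01
TYPE_RDP_NEG_RSP     = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

SELECTED_PROTOCOLS = {
  0x00000000 => :rdp,        # Standard RDP Security
  0x00000001 => :ssl,        # TLS
  0x00000002 => :hybrid,     # CredSSP / NLA
  0x00000008 => :hybrid_ex   # CredSSP with early user authorization
}.freeze

FAILURE_CODES = {
  0x00000001 => :ssl_required_by_server,
  0x00000002 => :ssl_not_allowed_by_server,
  0x00000003 => :ssl_cert_not_on_server,
  0x00000004 => :inconsistent_flags,
  0x00000005 => :hybrid_required_by_server,
  0x00000006 => :ssl_with_user_auth_required_by_server
}.freeze

# TPKT header + X.224 Connection Request + RDP_NEG_REQ offering the given
# protocol bitmask. Offer PROTOCOL_RDP alone to learn whether NLA is enforced.
def build_connection_request(requested_protocols)
  neg_req = [TYPE_RDP_NEG_REQ, 0x00, 8, requested_protocols].pack('CCvV')
  # LI (bytes after this one), CR code, dst-ref, src-ref, class option
  x224_cr = [6 + neg_req.bytesize, 0xe0, 0x0000, 0x0000, 0x00].pack('CCnnC') + neg_req
  [0x03, 0x00, 4 + x224_cr.bytesize].pack('CCn') + x224_cr
end

# Parses a Connection Confirm and reports what the server chose or refused.
def parse_connection_confirm(data)
  raise ArgumentError, 'short TPKT header' if data.bytesize < 4
  version, _reserved, tpkt_len = data.unpack('CCn')
  raise ArgumentError, 'not a TPKT packet' unless version == 0x03
  raise ArgumentError, 'truncated TPKT packet' if tpkt_len < 11 || data.bytesize < tpkt_len

  li, code = data.byteslice(4, 2).unpack('CC')
  raise ArgumentError, 'not an X.224 Connection Confirm' unless (code & 0xf0) == 0xd0

  result = { nla_required: false, selected_protocol: nil, failure: nil }
  # The CC fixed part after LI is 6 bytes (code, dst-ref, src-ref, class); any
  # remainder of the TPDU is the optional RDP_NEG_RSP or RDP_NEG_FAILURE.
  negotiation = data.byteslice(11, li - 6)
  if negotiation.nil? || negotiation.bytesize < 8
    # Pre-Vista servers (XP, 2003) answer with a bare CC: Standard RDP Security
    # only, so NLA cannot be in use at all.
    result[:selected_protocol] = :standard_rdp_security_only
    return result
  end

  type, _flags, length, value = negotiation.unpack('CCvV')
  raise ArgumentError, "unexpected negotiation length #{length}" unless length == 8
  case type
  when TYPE_RDP_NEG_RSP
    result[:selected_protocol] = SELECTED_PROTOCOLS.fetch(value, :unknown)
  when TYPE_RDP_NEG_FAILURE
    result[:failure] = FAILURE_CODES.fetch(value, :unknown)
    # Either of these failure codes means the server only talks over CredSSP.
    result[:nla_required] = [0x05, 0x06].include?(value)
  else
    raise ArgumentError, "unexpected negotiation structure type #{type}"
  end
  result
end

# Constructed sample replies (hex): TPKT + X.224 CC as a server would send after
# a request that offered PROTOCOL_RDP only.
SAMPLE_NLA_ENFORCED = ['030000130ed000001234000300080005000000'].pack('H*') # RDP_NEG_FAILURE code 5
SAMPLE_RDP_ACCEPTED = ['030000130ed000001234000200080000000000'].pack('H*') # RDP_NEG_RSP selects RDP
SAMPLE_LEGACY_CC    = ['0300000b06d00000123400'].pack('H*')                 # bare CC, XP/2003 style

if __FILE__ == $PROGRAM_NAME
  { nla_enforced: SAMPLE_NLA_ENFORCED, rdp_accepted: SAMPLE_RDP_ACCEPTED,
    legacy: SAMPLE_LEGACY_CC }.each do |name, reply|
    puts "#{name}: #{parse_connection_confirm(reply).inspect}"
  end
end
```

The request must offer PROTOCOL_RDP only for the answer to prove enforcement: a server that merely supports CredSSP will pick `:hybrid` when offered every protocol, which says nothing about whether it would also accept a plain RDP Security connection. A `:standard_rdp_security_only` result is the legacy case the comment above is interested in, since those hosts cannot have NLA as a mitigation.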
If you need inspiration :)
All tests without NLA or patch:
Windows 2008x64
Windows 2008x64 R2 SP1
Windows 2008x86 SP1
All tests without NLA or patch:
Windows 2003x64 SP1
Win 2003x86 R2 SP1
Win 2003x86 R2 SP2
Win 2003x86 SP0
Win 2003x86 SP1
Windows Server 2003 Enterprise SP2 x86 (5.2.3790)
Windows 2000 Server SP4 (5.0.2195)
I cleaned up parts of the exception nesting and check codes to make the output more useful when scanning large ranges.
In order:
I'm happy with it if there isn't any TODO outstanding or suggestions for status codes?
With the latest version in this PR, I have the following error for a few machines: The error is in
The numbers stay the same for each run for the same machine
@cnotin Could you please set verbose to 1 and check for line "RSA Magic: RSA1"? It turns out some machines don't use RSA certs and we don't yet support that scenario. I just now added a check for it, but waiting for @zerosum0x0 to accept it.
@zeroSteiner, @asoto-r7, @busterb: PR posted and linked above. Please ensure no regressions. Should be zero functional difference.
Add metadata and style fixes
Good, still working. Positive test against Windows Server 2008 R2 x64 and negative test against Win10.
(TL;DR: Good!)
Windows Server 2016 (x64)
Unpatched, with RDP enabled (no NLA):
Windows Server 2016 is not supported, but does not crash, leave logs, or disrupt existing RDP connections.
It's good to see
@zerosum0x0 @jagotu: It's absolutely not a blocker, but to update, my Vista environment refuses to patch.
That said, it sounds like the patch is applying correctly for you guys, and I'm happy to trust your testing. Especially if it means I don't have to argue with Vista. :-P
TL;DR: We've collectively tested the code, including the latest commits for any regressions, against a variety of hosts. I'm happy to get this landed, as soon as I'm done writing some documentation. Thanks everyone! 😄
No, sir. In my testing, it did not: #11869 (comment)
Yeah, I misread your comment so I deleted mine. Sorry about that. |
@asoto-r7
(TL;DR: Still good!) Windows Server 2012 R2 (x64)
As with 2016, Windows Server 2012 is also not supported. The scanner does not crash, leave logs, or disrupt existing RDP connections. 👍
Module doc in fa70461. Thanks, everyone.
Release Notes
Add an exploit module for full RCE with in-depth analysis of the allocation of the shellcode with heap spraying you can find here: https://github.com/blackorbird/APT_REPORT/blob/master/exploit_report/%23bluekeep%20RDP%20from%20patch%20to%20remote%20code%20execution.pdf At the end of the week, I'll do a pull request and add the missing part myself but it is your work, so you should finish it?
Hi @TormentedSoul666, the Metasploit team is currently developing an exploit module based on @zerosum0x0's work (see: https://twitter.com/zerosum0x0/status/1156608483166343169). Stability is the priority for us, so we'll PR the module when we're confident it's ready—it's unlikely that we'll put up the exploit PR this week, in part because of DEF CON in the U.S. If you have exploit code ready and want to collaborate privately, @busterb and I would be happy to chat about it. I'm catc0n on Keybase, Brent's busterb.
I wanted to use the PoC of Ekultek to develop a working RCE PoC but a working Metasploit module would be even better in terms of full disclosure mindset and also forcing the users with the last unpatched systems to finally handle. I'm not using GitHub much due to being more native to other repository hosters, because my clients usually prefer them over GitHub (especially after what happened with all the stupid stuff of people keeping their own Shodan API keys in their code, the hacked and ransomed repositories and so on).
@ccondon-r7, just to explain my motivation: I'm disgusted by the so-called white-hats and anti-virus company shrinks, which are bragging with their stupid "open calc.exe" PoC videos, without revealing details. Those so-called PenTester shrinks even make fun about the hard work of zeroxum, Ekultek and the others, because they didn't implement the heap spraying part but released DoS instead, by shifting the EIP into the desert instead of spraying the heap and then allocating the shellcode at the stack position where it actually is. I'll expose later an especially disgusting Twitter post of someone of the mentioned clientele, who even made fun of the work of Zeroxum and Ekultek, even tho he has no proof of a working PoC other than a stupid video with this public "open calc.exe" shellcode which works on basically every Windows version and architecture, despite ASLR and DEP (of course that piece of code is not the work of those so-called professionals and I highly doubt that most of them actually managed to finish a working RCE PoC and were just showing off with stupid videos without any information disclosure). Best practice should be to not let those specific assholes participate at Blackhat Con and related events with full disclosure mentality, because they only steal what they need and feel very proud afterwards, when they show their stupid little YouTube videos of supposedly working RCE PoCs, which are in reality most likely prepared fakes. Meanwhile CANVAS and other asshole companies like Core Impact release working RCE exploits for BlueKeep for their unnecessary and ridiculously overpriced software, so some richer cybercriminals can make use of it, while the risk doesn't take the risk serious, because those alleged whiny "white-hats" keep their supposedly working stuff for themselves.
Sorry for the full rage mode but this is a perfect example of what is going wrong with the PenTest scene and I really would like to see that those people and especially companies with ridiculously expensive products like CANVAS and Core Impact get a ban for conferences and also don't get access to full disclosure information anymore. I'm coming from a time where people like house0fdabus were coding masterpieces of PoCs for all kinds of exploits and released them to the public in a good full disclosure manner. The result is that state sponsored APTs, state intelligence services and even military affiliated groups can use the stuff to undermine civil rights and perform attacks against other states. After my full rage I want to remind what one of the best and to this day active upholders of full disclosure policy still has in one of the most established and most used RedTeaming tools of the world, which is THC Hydra: "Please do not use in military or secret service organizations, or for illegal purposes". One big shout out to THC VanHauser aka Marc Heuse, you were and still are one of my big idols since the 90s.
@busterb @ccondon-r7 drop me a mail to tormented.soul@tuta.io if you want to chat about the module, there is not much to add to the sequence to finish it (just the heap spraying, as you very likely know yourself). I'd like to contribute what I can, if you find time and have interest. We can discuss via mail, which channel of communication would be appropriate.
JaGoTu and I created this MSF module to detect CVE-2019-0708.
It should work on XP and 7, x86 and x64. I'd also be curious if anyone has NT4/Win2000 terminal services. There may be false negatives, but VULNERABLE == VULNERABLE.
Please test and offer any suggestions.
Reference: https://github.com/zerosum0x0/CVE-2019-0708
Verification
List the steps needed to make sure this thing works
msfconsole
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
RHOST
RHOST
Windows Versions: