Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2019-0708 "BlueKeep" auxiliary scanner module #11869

Merged
merged 18 commits into from
May 24, 2019

Conversation

ghost
Copy link

@ghost ghost commented May 22, 2019

JaGoTu and I created this MSF module to detect CVE-2019-0708.

It should work on XP and 7, x86 and x64. I'd also be curious if anyone has NT4/Win2000 terminal services. There may be false negatives, but VULNERABLE == VULNERABLE.

Please test and offer any suggestions.

Reference: https://github.com/zerosum0x0/CVE-2019-0708

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
  • Scan a vulnerable RHOST
  • Verify the module reports host is vulnerable (report false negative conditions below)
  • Scan a patched RHOST
  • Verify the module reports host is patched (false positive should NOT happen)

Windows Versions:

  • Windows NT 4.0 Terminal Server ?
  • Windows 2000 ?
  • Windows XP x86
  • Windows XP x64
  • Windows Vista x86
  • Windows Vista x64
  • Windows Server 2008 x86
  • Windows Server 2008 x64
  • Windows 7 x86
  • Windows 7 x64
  • Windows Server 2008 R2 x86
  • Windows Server 2008 R2 x64

@ghost ghost changed the title CVE-2018-0708 "BlueKeep" auxiliary scanner module CVE-2019-0708 "BlueKeep" auxiliary scanner module May 22, 2019
@wvu wvu added feature hotness Something we're really excited about module labels May 22, 2019
@wvu wvu assigned wvu and asoto-r7 May 22, 2019
Copy link
Contributor

@cbrnrd cbrnrd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty good from what I can see, but I have yet to test it. Also a name change suggestion: cve_2019_0708.rb --> (bluekeep.rb || cve_2019_0708_bluekeep.rb)

modules/auxiliary/scanner/rdp/cve_2019_0708.rb Outdated Show resolved Hide resolved
modules/auxiliary/scanner/rdp/cve_2019_0708.rb Outdated Show resolved Hide resolved
modules/auxiliary/scanner/rdp/cve_2019_0708.rb Outdated Show resolved Hide resolved
modules/auxiliary/scanner/rdp/cve_2019_0708.rb Outdated Show resolved Hide resolved
modules/auxiliary/scanner/rdp/cve_2019_0708.rb Outdated Show resolved Hide resolved
@asoto-r7
Copy link
Contributor

(TL;DR: 4b786e2 works great against 7 and XP. I'll circle back to test your latest commits. Is NLA supported?)

Thanks @zerosum0x0! I know this was no small undertaking. Several of us are testing this, and it's looking great so far!

Is there a way to detect and report if the target uses Network Level Authentication, even if it's just to report CheckCode::Detected? For that matter, do we yet know if NLA mitigates the vuln?

Win7 SP1 x86 (6.1.7601, 32-bit)

With RDP disabled:

[*] 192.168.199.205:3389  - 192.168.199.205:3389 - Cannot reliably check exploitability.
[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708) > run

Unpatched, with RDP enabled (without NLA):

[+] 192.168.199.205:3389  - 192.168.199.205:3389 - The target is vulnerable.
[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708) > run

Unpatched, with RDP enabled (with NLA):

[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (without NLA):

[*] 192.168.199.205:3389  - 192.168.199.205:3389 - The target is not exploitable.
[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (with NLA):

[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win7 SP1 x64 (6.1.7601, 64-bit)

Unpatched, with RDP enabled (without NLA):

[+] 192.168.220.128:3389  - 192.168.220.128:3389 - The target is vulnerable.
[*] 192.168.220.128:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Unpatched, with RDP enabled (with NLA):

[*] 192.168.220.128:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (without NLA):

[*] 192.168.220.128:3389  - 192.168.220.128:3389 - The target is not exploitable.
[*] 192.168.220.128:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

WinXP SP2 x86

Unpatched, with RDP enabled (without NLA):

[+] 192.168.199.169:3389  - 192.168.199.169:3389 - The target is vulnerable.
[*] 192.168.199.169:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

WinXP SP3 x86

Unpatched, with RDP enabled (without NLA):

[+] 192.168.199.169:3389  - 192.168.199.169:3389 - The target is vulnerable.
[*] 192.168.199.169:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (without NLA):

[*] 192.168.199.169:3389  - 192.168.199.169:3389 - The target is not exploitable.
[*] 192.168.199.169:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win2k3 x64 (Standard, 5.2.3790)

Unpatched, with RDP enabled (without NLA):

[+] 192.168.220.140:3389  - 192.168.220.140:3389 - The target is vulnerable.
[*] 192.168.220.140:3389  - Scanned 1 of 1 hosts (100% complete)

Patched, with RDP enabled (without NLA):

[*] 192.168.220.140:3389  - 192.168.220.140:3389 - The target is not exploitable.
[*] 192.168.220.140:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@cbrnrd
Copy link
Contributor

cbrnrd commented May 22, 2019

Win10 Pro 1809, RDP Enabled

[-] 192.168.1.4:3389      - Error communicating RDP protocol.
[*] 192.168.1.4:3389      - 192.168.1.4:3389 - Cannot reliably check exploitability.
[*] 192.168.1.4:3389      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@ghost
Copy link
Author

ghost commented May 22, 2019

@asoto-r7 NLA is a 100% confirmed mitigation. We don't have any specific checks for it atm but is something we have discussed to do. Looks like adding detected should be easy enough.

We've also discussed adding authenticated NLA scanning, but that is a different beast entirely. And there are already authenticated scanners which can check driver versions.

@cnotin
Copy link
Contributor

cnotin commented May 22, 2019

@bwatters-r7
Copy link
Contributor

All tests without NLA or patch:

Windows 2008x64:

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.142:3389  - 192.168.134.142:3389 - The target is vulnerable.
[*] 192.168.134.142:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

Windows 2008x64 R2 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.144:3389  - 192.168.134.144:3389 - The target is vulnerable.
[*] 192.168.134.144:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows 2008x86 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.194:3389  - 192.168.134.194:3389 - The target is vulnerable.
[*] 192.168.134.194:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

@bwatters-r7
Copy link
Contributor

All tests without NLA or patch:

Windows 2003x64 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.195:3389  - 192.168.134.195:3389 - The target is vulnerable.
[*] 192.168.134.195:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

Win 2003x86 R2 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.190:3389  - 192.168.134.190:3389 - The target is vulnerable.
[*] 192.168.134.190:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

Win 2003x86 R2 SP2

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.181:3389  - 192.168.134.181:3389 - The target is vulnerable.
[*] 192.168.134.181:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win 2003x86 SP0

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.175:3389  - 192.168.134.175:3389 - The target is vulnerable.
[*] 192.168.134.175:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win 2003x86 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.176:3389  - 192.168.134.176:3389 - The target is vulnerable.
[*] 192.168.134.176:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@bcoles
Copy link
Contributor

bcoles commented May 22, 2019

Windows Server 2003 Enterprise SP2 x86 (5.2.3790)

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 172.16.191.171:3389   - 172.16.191.171:3389 - The target is vulnerable.
[*] 172.16.191.171:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows 2000 Server SP4 (5.0.2195)

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 172.16.191.123:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@blockchainguard
Copy link

  • Error communicating RDP protocol.

@ghost
Copy link
Author

ghost commented May 23, 2019

I cleaned up parts of the exception nesting and check codes to make the output more useful when scanning large ranges.

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.1.238:3389    - The target service is running, but could not be validated.
[*] Scanned 1 of 5 hosts (20% complete)
[*] 192.168.4.20:3389     - The target service is not running, or refused our connection.
[*] Scanned 2 of 5 hosts (40% complete)
[+] 192.168.1.161:3389    - The target is vulnerable.
[*] Scanned 3 of 5 hosts (60% complete)
[*] 192.168.1.72:3389     - The target is not exploitable.
[*] Scanned 4 of 5 hosts (80% complete)
[*] 192.168.1.12:3389     - Cannot reliably check exploitability.
[*] Scanned 5 of 5 hosts (100% complete)
[*] Auxiliary module execution completed

In order:

  1. The target service is running, but could not be validated. Seen with NLA enabled, or service is not RDP
  2. The target service is not running, or refused our connection. Nonexistent host/closed port (connect timeout)
  3. The target is vulnerable. Unpatched
  4. The target is not exploitable. Patched
  5. Cannot reliably check exploitability. Something went haywire during RDP comms (generally, this will be like Windows 8+... not sure if we can differentiate this vs. general failure)

I'm happy with it if there isn't any TODO outstanding or suggestions for status codes?

@cnotin
Copy link
Contributor

cnotin commented May 23, 2019

With the latest version in this PR, I have the following error for a few machines:
/root/tools/msf_modules/auxiliary/cve_2019_0708.rb:521: warning: in a**b, b may be too big

The error is in rsa_encrypt.
Here are the numbers for different machines:

Bignum: 29515630589904128245223976570842015727304113738300535931626442982409229123905
Rsexp: 813730072
Bignum: 29515630589904128245223976570842015727304113738300535931626442982409229123905
Rsexp: 820009571

The numbers stay the same for each run for the same machine

@jagotu
Copy link
Contributor

jagotu commented May 23, 2019

@cnotin Could you please set verbose to 1 and check for line "RSA Magic: RSA1"?

It turns out some machines don't use RSA certs and we don't yet support that scenario. I just now added a check for it, but waiting for @zerosum0x0 to accept it.

@wvu
Copy link
Contributor

wvu commented May 24, 2019

@zeroSteiner, @asoto-r7, @busterb: PR posted and linked above. Please ensure no regressions. Should be zero functional difference.

wvu and others added 2 commits May 24, 2019 11:41
@wvu
Copy link
Contributor

wvu commented May 24, 2019

Good, still working. Positive test against Windows Server 2008 R2 x64 and negative test against Win10.

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.56.105:3389   - Verifying RDP protocol...
[*] 192.168.56.105:3389   - header: 010c len 12
[*] 192.168.56.105:3389   - header: 030c len 20
[*] 192.168.56.105:3389   - header: 020c len 428
[*] 192.168.56.105:3389   - security header
[*] 192.168.56.105:3389   - modulus_old 070646f12a4dcf23b3744a6d8397134a7e50eef17782c1555157b543b2a72a192da56770d62c2fa0b191b4b7d8e2de49c533a4a1389ee7a47ef23e3f0a6b38d2
[*] 192.168.56.105:3389   - RSA magic: RSA1
[*] 192.168.56.105:3389   - RSA bitlen: 256
[*] 192.168.56.105:3389   - modulus_new 070646f12a4dcf23b3744a6d8397134a7e50eef17782c1555157b543b2a72a192da56770d62c2fa0b191b4b7d8e2de49c533a4a1389ee7a47ef23e3f0a6b38d2095e7efba7134163ea09f3e608eac1660ed6b81d3c8c8260e34bfc1a13414705e9a20de7dc6963d87d60ce3f4a4859beaf3c0ae7f87df41badcae7539c7591ee8f72b23b37c339c5549c1ffd50d5fa8b39afd11a5a6899caf802bc7001fbda4e82ad7c820f8dda61872c3db6bd992edab9982a0d6b53a60360f90a87a9d6ca700d03ad790589b02fb0595527cb94074f1d88f397d3c62587938980c46e3f9f1dd77625d84fb506356fa805782a0c7ef0e050fd8db57919a4188f48758d48e8df
[*] 192.168.56.105:3389   - SERVER_MODULUS: 070646f12a4dcf23b3744a6d8397134a7e50eef17782c1555157b543b2a72a192da56770d62c2fa0b191b4b7d8e2de49c533a4a1389ee7a47ef23e3f0a6b38d2095e7efba7134163ea09f3e608eac1660ed6b81d3c8c8260e34bfc1a13414705e9a20de7dc6963d87d60ce3f4a4859beaf3c0ae7f87df41badcae7539c7591ee8f72b23b37c339c5549c1ffd50d5fa8b39afd11a5a6899caf802bc7001fbda4e82ad7c820f8dda61872c3db6bd992edab9982a0d6b53a60360f90a87a9d6ca700d03ad790589b02fb0595527cb94074f1d88f397d3c62587938980c46e3f9f1dd77625d84fb506356fa805782a0c7ef0e050fd8db57919a4188f48758d48e8df
[*] 192.168.56.105:3389   - SERVER_EXPONENT: 01000100
[*] 192.168.56.105:3389   - SERVER_RANDOM: 92957d69d675e9dab53dd2bb4be41f38ef2a9742c959d178cf7de0a0d5f98245
[*] 192.168.56.105:3389   - Sending security exchange PDU
[*] 192.168.56.105:3389   - Encrypted client random: 0e22dfc8f4cae4934eaff236ac596a44990246757527f5b643653fb431205cbbdb8fba05603a2f5c372407bf56ca61bfbaeef6c6bac4cc854d00b9ee1f87d4d3352eef95671b29d4ecf57402941e69739fb3796bdf5fa0c09263d3dc04c2bb76ee54d17d779fb8ca84db87f49beb9d2c88982c151e27e4322df20ec9cdb8f22e8b4f950b5bb3b22f4c605ae971ba5cce4b1238ff7c15838b0e5c75b4f212beb730c0b18b353ab34256482ef674b0bd9537066f406c7f76fcc464522b4076d487c769ade6673bab978481a291f4d245b5655e19557b18461abc3679323ae645c11d51b7d0dda555363e7a715504592f581287efc0a8b82f35472f41f76f651662
[*] 192.168.56.105:3389   - PreMasterSecret = 41414141414141414141414141414141414141414141414192957d69d675e9dab53dd2bb4be41f38ef2a9742c959d178
[*] 192.168.56.105:3389   - MasterSecret = f504ace0b9f8cccfcd32cc376c650b31149f51f7c41154622f32f2f5eb8588f54bdfbfc6d3c70ac0bd9bccc45013a703
[*] 192.168.56.105:3389   - sessionKeyBlob = 2c9eed346966a8276de132facb2d5e942d8f5752c11af87554793d0b39a76ffe3c2510004090e009b935d0f8dd64a82b
[*] 192.168.56.105:3389   - macKey = 2c9eed346966a8276de132facb2d5e94
[*] 192.168.56.105:3389   - initialClientDecryptKey128 = 2b82536effb68f4fea39a11ebdc49d20
[*] 192.168.56.105:3389   - initialClientEncryptKey128 = def7e8037014a95a6a19e7dc6aff1bd2
[*] 192.168.56.105:3389   - RC4_ENC_KEY: def7e8037014a95a6a19e7dc6aff1bd2
[*] 192.168.56.105:3389   - RC4_DEC_KEY: 2b82536effb68f4fea39a11ebdc49d20
[*] 192.168.56.105:3389   - HMAC_KEY: 2c9eed346966a8276de132facb2d5e94
[*] 192.168.56.105:3389   - SESS_BLOB: 2c9eed346966a8276de132facb2d5e942d8f5752c11af87554793d0b39a76ffe3c2510004090e009b935d0f8dd64a82b
[*] 192.168.56.105:3389   - Sending encrypted client info PDU
[*] 192.168.56.105:3389   - Received License packet: 0300002202f08068000103eb701480020000ff031000070000000200000004000000
[*] 192.168.56.105:3389   - Received Server Demand packet: 030001c502f08068000103eb7081b60800000011628713e0b81b1802bb064162e98b8bb4f3cb62d9a376335aa5172e8e4d8b38048b8476c6f9bf7b4a605b5f16b4893003cf0c421a7174b9132bc218eb8daec848731178ed22e6c7bfe64b21b0562a562482e0a0247260204c81e45c62a4b9a3abbb0e639470794439c3fe5b5d448937a2efeddb1cf5d46e04f27d7016e976402e3882643acbb05821b2acb012870b55c7a30eeb8656e98a28978c9b5f2db263b2e4acec47a4a029a72661107985ac8d5f537cc0e98c78e5db1d760d609f3e04a1fd83265d6d1029d43d7ea2e62b8b8c9acf1d0492f45026c48c075034206c2bf9befa8f7902e44fe9cab93e912987a177fecddf80a0217a586836277faf2e032933a7fb57815cba2793d640a7e5614f4b7d2b4354ce6fbd13f059570a9bd3451415522b2b342bfd1003c90279cf0c11ba0d8a61d271fcb924e68e736f1555268811cfae984a315e0ccd0c0462eb215fbdddd3abf6b584fa98ef70906505b738340b67fc2448f7d82ebc7239b6cad543ece14f549b96ef0fcad930cd155b68f4bf923d452a6a4c4eda5382948de04a81d1ccef054936727b274a42c6dff65dc7edb5624742086ae1531f045374f4091d357f
[*] 192.168.56.105:3389   - Sending client confirm active PDU
[*] 192.168.56.105:3389   - Sending client synchronize PDU
[*] 192.168.56.105:3389   - Sending client control cooperate PDU
[*] 192.168.56.105:3389   - Grea2t!
[*] 192.168.56.105:3389   - Sending client control request control PDU
[*] 192.168.56.105:3389   - Sending client persistent key list PDU
[*] 192.168.56.105:3389   - Sending client font list PDU
[+] 192.168.56.105:3389   - The target is vulnerable.
[*] 192.168.56.105:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.56.101:3389   - Verifying RDP protocol...
[-] 192.168.56.101:3389   - Error communicating RDP protocol.
[*] 192.168.56.101:3389   - Cannot reliably check exploitability.
[*] 192.168.56.101:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) >

Copy link
Contributor

@wvu wvu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@asoto-r7
Copy link
Contributor

asoto-r7 commented May 24, 2019

(TL;DR: Good!)

Windows Server 2016 (x64)

Unpatched, with RDP enabled (no NLP):

[*] 192.168.220.139:3389  - Cannot reliably check exploitability.
[*] 192.168.220.139:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2016 is not supported, but does not crash, leave logs, or disrupt existing RDP connections.

@wvu
Copy link
Contributor

wvu commented May 24, 2019

It's good to see CheckCode being used outside of exploits, btw.

@asoto-r7
Copy link
Contributor

@zerosum0x0 @jagotu: It's absolutely not a blocker, but to update, my Vista environment refuses to patch. termdd is not being updated after applying KB4499180. The patch executes, says it installs successfully, doesn't ask to reboot (unlike other OSes), and doesn't touch termdd.sys. Even after multiple reboots, termdd.sys hasn't been updated:

C:\windows\system32\drivers\termdd.sys
SHA1: 986514517f05ccf4c0e0988f2aa2b464be459e19
FileVersion: 6.0.6000.16386
Timestamp: 11/2/2006 7:03 AM

That said, it sounds like the patch is applying correctly for you guys, and I'm happy to trust your testing. Especially if it means I don't have to argue with Vista. :-P

@asoto-r7
Copy link
Contributor

TL;DR: We've collectively tested the code, including the latest commits for any regressions, against a variety of hosts. I'm happy to get this landed, as soon as I'm done writing some documentation. Thanks everyone! 😄

@asoto-r7
Copy link
Contributor

Quoting @tsellers-r7:
@asoto-r7 Does it work against 2016 with NLA disabled?

No, sir. In my testing, it did not: #11869 (comment)

@tsellers-r7
Copy link

Quoting @tsellers-r7:
@asoto-r7 Does it work against 2016 with NLA disabled?

No, sir. In my testing, it did not: #11869 (comment)

Yeah, I misread your comment so I deleted mine. Sorry about that.

@jagotu
Copy link
Contributor

jagotu commented May 24, 2019

@asoto-r7
Well, this is not necessarily related to the pull request, but based on the FileVersion... Are you sure you didn't install vista sp0 accidentally? The patch only works on sp2.

@asoto-r7
Copy link
Contributor

asoto-r7 commented May 24, 2019

@asoto-r7
Well, this is not necessarily related to the pull request, but based on the FileVersion... Are you sure you didn't install vista sp0 accidentally? The patch only works on sp2.

@jagotu: Oh, good call! I hadn't realized and apparently the patch still reports success on SP0. 😬

@asoto-r7
Copy link
Contributor

(TL;DR: Still good!)

Windows Server 2012 R2 (x64)

[*] 192.168.220.130:3389  - The target is not exploitable.
[*] 192.168.220.130:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As with 2016, Windows Server 2012 is also not supported. The scanner does not crash, leave logs, or disrupt existing RDP connections. 👍

@asoto-r7 asoto-r7 merged commit 82debcb into rapid7:master May 24, 2019
@wvu
Copy link
Contributor

wvu commented May 24, 2019

Module doc in fa70461. Thanks, everyone.

@asoto-r7
Copy link
Contributor

Release Notes

auxiliary/scanner/rdp/cve_2019_0708_bluekeep scans Windows workstations and servers against CVE-2019-0708 ("BlueKeep") to report the vulnerable state of Microsoft Windows targets running the Remote Desktop Protocol.

@ghost ghost deleted the bluekeep branch May 24, 2019 21:33
@gdavidson-r7 gdavidson-r7 added the rn-modules release notes for new or majorly enhanced modules label May 29, 2019
@TormentedSoul666
Copy link

Add an exploit module for full RCE with in depth analysis of the allocation of the shellcode with heap spraying you can find here: https://github.com/blackorbird/APT_REPORT/blob/master/exploit_report/%23bluekeep%20RDP%20from%20patch%20to%20remote%20code%20execution.pdf

At the end of the week, I'll do a pull request and add the missing part myself but it is your work, so you should finish it?

@ccondon-r7
Copy link
Contributor

Hi @TormentedSoul666, the Metasploit team is currently developing an exploit module based on @zerosum0x0's work (see: https://twitter.com/zerosum0x0/status/1156608483166343169). Stability is the priority for us, so we'll PR the module when we're confident it's ready—it's unlikely that we'll put up the exploit PR this week, in part because of DEF CON in the U.S. If you have exploit code ready and want to collaborate privately, @busterb and I would be happy to chat about it. I'm catc0n on Keybase, Brent's busterb.

@TormentedSoul666
Copy link

@ccondon-r7

I wanted to use the PoC of Ekultek to develop a working RCE PoC but a working Metasploit module would be even better in terms of full disclosure mindset and also forcing the users with the last unpatched systems to finally handle.

I'm not using Github much due do being more native to other repository hosters, because my clients usually prefer them over GitHub (especially after what happened with all the stupid stuff of people keeping their own Shodan API keys in their code, the hacked and ransomed repositories and so on).
So can you contact me in any preferred way and I'll tell you what I know and we can work on it?

@TormentedSoul666
Copy link

TormentedSoul666 commented Aug 6, 2019

@ccondon-r7, just to explain my motivation: I'm disgusted by the so called white-hats and anti-virus company shrinks, which are bragging with their stupid "open calc.exe" PoC videos, without revealing details.
I thought that we went over this period, where we keep stuff private, which is especially hazardous after what have happened with the NSA stuff after TSB leak.

Those so called PenTester shrinks even make fun about the hard work of zeroxum, Ekultek and the others, because they didn't implement the heap spraying part but released DoS instead, by shifting the EIP into the desert instead of spraying the heap and then allocating the shellcode at the stack position where it actually is.
This is not because zeroxum and Ekultek are dump or not capable but simply because this is a non-trivial thing and people who are not "professional PenTest er" shrinks usually lack the time to dive deep into this materia.

I'll expose later an especially disgusting Twitter post of someone of the mentioned clientel, who even made fun of the work of Zeroxum and Ekultek, even tho he has no proof of a working PoC other than a stupid video with this public "open calc.exe" shellcode which works on basically every windows version and architecture, despite of ASLR and DEP (of course that piece of code is not the work of those so called professionals and I highly doubt, that most of them actually managed to finish a working RCE PoC and were just showing of with stupid videos without any information disclosure). Best practice should be to not let participate those specific assholes at Blackhat Con and related events with full disclosure mentality, because they only steal what they need and feel very proud afterwards, when they show their stupid little YouTube videos of supposedly working RCE PoCs, which are in reality most likely prepared fakes.

Meanwhile CANVAS and other asshole companies like Core Impact release working RCE exploits for BlueKeep for their unnecessary and ridiculously overpriced software, so some richer cybercriminals can make use of it, while the risk doesn't take the risk serious, because those alleged whiny "white-hats" keep their supposedly working stuff for themselves.

Sorry for the full rage mode but this is a perfect example of what is going wrong with the PenTest scene and I really would like to see that those people and especially companies with ridiculously expensive products like CANVAS and Core Impact get a ban for conferences and also don't get access to full disclosure information anymore.

I'm coming from a time, where people like house0fdabus where coding masterpieces of pocs for all kinds of exploits and released them to the public in a good full disclosure manner.
Those shrinks working for the av companies are mostly just coming from university, have no history in the PenTesting scene and still open their big mouthes with their stupid videos of running scripts which open Calc.exe, which easily can be faked.

The result is that state sponsored APTs, state intelligence service and even military affiliated groups can use the stuff to undermine civil rights and perform attacks against other states.

After my full rage I want to remind what one of the best and to this day active upholders of full disclosure policy still has in one of the most established and most used RedTeaming tools of the world, which is THC Hydra: "Please do not use in military or secret service organizations, or for illegal purposes". One big shout out to THC VanHauser aka Marc Heuse, you were and still are one of my big idols since the 90s.

@TormentedSoul666
Copy link

@busterb @ccondon-r7 drop me a mail to tormented.soul@tuta.io if you want to chat about the module, there is not much to add to the sequence to finish it (just the heap spraying, as you very likely know yourself). I'd like to contribute what I can, if you find time and have interest. We can discuss via mail, which channel of communication would be appropriate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature hotness Something we're really excited about module rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Development

Successfully merging this pull request may close these issues.