All the materials in BlueHat 2019 Seattle will be released here.
Files in this repository:

Pool Fengshui in Windows RDP Vulnerability Exploitation - submission.pdf (BlueHat 2019 Seattle Slides and Video, Dec 2, 2019)
README.md (Update README.md, Dec 2, 2019)
bluekeep_demo_for_bluehat.mp4

README.md

BlueHat-2019-Seattle


Pool Fengshui in Windows RDP Vulnerability Exploitation

Abstract:

Heap Fengshui is one of the most important techniques in userland vulnerability exploitation under modern mitigations, and Pool Fengshui plays the same role in Windows RDP vulnerability exploitation. In this talk, we will not only introduce three innovative methods for Pool Fengshui with RDP PDUs, but also explain how to find Pool-Fengshui-friendly PDUs among the many legitimate PDUs described in the extensive RDP documentation. We will cover everything from how the three different PDUs are constructed in the RDP client, to how they are parsed, to what they look like in kernel memory on the RDP server. We will also use BlueKeep (CVE-2019-0708) as an example to show how useful and universal these techniques are in Windows RDP vulnerability exploitation. Finally, we will show the BlueKeep exploit demo.
