
Add Msf::Exploit::Remote::RDP mixin and refactor BlueKeep (CVE-2019-0708) scanner #12171

Merged
merged 7 commits into from Aug 7, 2019

Conversation

@TomSellers

commented Aug 7, 2019

This PR is a WIP and refactors RDP protocol code into a Msf::Exploit::Remote mixin. The intent is for this to serve as a point of discussion during the process. If it reaches a usable state a new PR will be created against the current master branch.

This PR will be noisy as I iterate over the changes and address feedback.

Desired for #12170.

TomSellers added some commits Aug 7, 2019

@wvu-r7

wvu-r7 approved these changes Aug 7, 2019


Haven't tested it, but this looks good enough from a code standpoint. Thanks for doing this!

@OJ

OJ approved these changes Aug 7, 2019


Nice work Tom :)

@wvu-r7 wvu-r7 self-assigned this Aug 7, 2019

@wvu-r7


commented Aug 7, 2019

Vuln Win7 SP1 x64 with NLA disabled

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.56.117:3389   - Verifying RDP protocol...
[*] 192.168.56.117:3389   - Attempting to connect using TLS security
[*] 192.168.56.117:3389   - Sending erect domain request
[*] 192.168.56.117:3389   - Sending client info PDU
[*] 192.168.56.117:3389   - Received License packet
[*] 192.168.56.117:3389   - Waiting for Server Demand packet
[*] 192.168.56.117:3389   - Received Server Demand packet
[*] 192.168.56.117:3389   - Sending client confirm active PDU
[*] 192.168.56.117:3389   - Sending client synchronize PDU
[*] 192.168.56.117:3389   - Sending client control cooperate PDU
[*] 192.168.56.117:3389   - Sending client control request control PDU
[*] 192.168.56.117:3389   - Sending client input sychronize PDU
[*] 192.168.56.117:3389   - Sending client font list PDU
[*] 192.168.56.117:3389   - Sending patch check payloads
[+] 192.168.56.117:3389   - The target is vulnerable.
[*] 192.168.56.117:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) >

Vuln Win7 SP1 x64 with NLA enabled

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.56.117:3389   - Verifying RDP protocol...
[*] 192.168.56.117:3389   - Attempting to connect using TLS security
[*] 192.168.56.117:3389   - Server requires NLA (CredSSP) security which mitigates this vulnerability.
[*] 192.168.56.117:3389   - The target is not exploitable.
[*] 192.168.56.117:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) >

Not vuln Win10 x64 with NLA disabled

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.56.112:3389   - Verifying RDP protocol...
[*] 192.168.56.112:3389   - Attempting to connect using TLS security
[*] 192.168.56.112:3389   - Sending erect domain request
[*] 192.168.56.112:3389   - Sending client info PDU
[*] 192.168.56.112:3389   - Received License packet
[*] 192.168.56.112:3389   - Waiting for Server Demand packet
[*] 192.168.56.112:3389   - Received Server Demand packet
[*] 192.168.56.112:3389   - Sending client confirm active PDU
[*] 192.168.56.112:3389   - Sending client synchronize PDU
[*] 192.168.56.112:3389   - Sending client control cooperate PDU
[*] 192.168.56.112:3389   - Sending client control request control PDU
[*] 192.168.56.112:3389   - Sending client input sychronize PDU
[*] 192.168.56.112:3389   - Sending client font list PDU
[*] 192.168.56.112:3389   - Sending patch check payloads
[*] 192.168.56.112:3389   - The target is not exploitable.
[*] 192.168.56.112:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) >

Not vuln Win10 x64 with NLA enabled

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.56.112:3389   - Verifying RDP protocol...
[*] 192.168.56.112:3389   - Attempting to connect using TLS security
[*] 192.168.56.112:3389   - Server requires NLA (CredSSP) security which mitigates this vulnerability.
[*] 192.168.56.112:3389   - The target is not exploitable.
[*] 192.168.56.112:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) >
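The "Server requires NLA (CredSSP)" result in the runs above comes from the X.224 connection negotiation that precedes everything else. The following is an added example, not code from the Metasploit RDP mixin or the scanner: it builds the Connection Request (asking for TLS, as the scanner does) and interprets the server's Connection Confirm per MS-RDPBCGR, so a defender can verify that a host actually enforces NLA. The field layouts come from the specification; `build_connection_confirm` only fabricates sample replies for offline testing.

```ruby
# Added example, not the Metasploit RDP mixin: X.224 Connection Request and
# Connection Confirm handling per MS-RDPBCGR 2.2.1.1 / 2.2.1.2.
PROTOCOL_RDP    = 0x00000000
PROTOCOL_SSL    = 0x00000001
PROTOCOL_HYBRID = 0x00000002 # CredSSP / NLA
FAILURE_CODES = {
  1 => 'SSL_REQUIRED_BY_SERVER', 2 => 'SSL_NOT_ALLOWED_BY_SERVER',
  3 => 'SSL_CERT_NOT_ON_SERVER', 4 => 'INCONSISTENT_FLAGS',
  5 => 'HYBRID_REQUIRED_BY_SERVER', 6 => 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER'
}.freeze

# Prefix an X.224 TPDU with its length indicator and a TPKT header.
def tpkt(x224)
  x224 = [x224.bytesize].pack('C') + x224 # LI counts the bytes after itself
  [0x03, 0x00, x224.bytesize + 4].pack('CCn') + x224
end

# Connection Request carrying an RDP_NEG_REQ; TLS only by default, like the scanner.
def build_connection_request(requested = PROTOCOL_SSL)
  neg_req = [0x01, 0x00, 8, requested].pack('CCvV')
  tpkt([0xE0, 0x0000, 0x0000, 0x00].pack('CnnC') + neg_req)
end

# Constructed server reply for testing: type 0x02 = RDP_NEG_RSP, 0x03 = RDP_NEG_FAILURE.
def build_connection_confirm(type, value)
  tpkt([0xD0, 0x0000, 0x1234, 0x00].pack('CnnC') + [type, 0x00, 8, value].pack('CCvV'))
end

# Interpret a Connection Confirm. :nla_required is true when the server will only
# proceed with CredSSP, the state the scanner reports as mitigating the bug.
def parse_connection_confirm(data)
  raise 'short TPKT' if data.bytesize < 11
  ver, _res, len = data.unpack('CCn')
  raise 'not a TPKT' unless ver == 3 && len == data.bytesize
  li = data.getbyte(4)
  raise 'not an X.224 Connection Confirm' unless data.getbyte(5) == 0xD0
  # LI of 6 means no negotiation response: legacy Standard RDP Security only.
  return { type: :legacy, selected: PROTOCOL_RDP, nla_required: false } if li == 6
  type, _flags, nlen, value = data.byteslice(11, 8).unpack('CCvV')
  raise 'bad negotiation length' unless nlen == 8
  case type
  when 0x02 then { type: :response, selected: value, nla_required: value == PROTOCOL_HYBRID }
  when 0x03 then { type: :failure, failure: FAILURE_CODES.fetch(value, 'UNKNOWN'), nla_required: value == 5 }
  else raise "unknown negotiation type #{type}"
  end
end
```

A failure with HYBRID_REQUIRED_BY_SERVER in reply to a TLS-only request is exactly the condition the scanner prints as "Server requires NLA (CredSSP) security which mitigates this vulnerability".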

@wvu-r7 wvu-r7 merged commit 2d5e9cb into rapid7:master Aug 7, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

wvu-r7 added a commit that referenced this pull request Aug 7, 2019

@wvu-r7


commented Aug 7, 2019

Release Notes

This moves code from the BlueKeep (CVE-2019-0708) scanner into an Msf::Exploit::Remote::RDP mixin for consolidation and reuse.

msjenkins-r7 added a commit that referenced this pull request Aug 7, 2019

@TomSellers TomSellers deleted the TomSellers:rdp_library branch Aug 8, 2019

@wvu-r7 wvu-r7 changed the title [WIP] RDP: Refactor protocol code Add Msf::Exploit::Remote::RDP mixin and refactor BlueKeep (CVE-2019-0708) scanner Aug 8, 2019

@TomSellers TomSellers referenced this pull request Aug 8, 2019

Merged

Add DoS action to BlueKeep (CVE-2019-0708) scanner #12170

7 of 7 tasks complete

@wvu-r7 wvu-r7 added the library label Aug 8, 2019
