-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add initial exploit for CVE-2019-0708, BlueKeep #12283
Conversation
To test, ensure you've copied all four
|
I've tried this on Windows 2008 R2 Enterprise (x64) (2GB RAM) on VMware® Workstation 15 Player 15.1.0 build-13591040. Exploit failed, but the host didn't crash either. Edit: Looks like it failed at the license packet step. Which makes sense, as the service was configured with no license, within the 120 day license grace period.
Windows 7 SP 1 Professional (x64) (4GB RAM) on VMware® Workstation 15 Player 15.1.0 build-13591040.
|
Thanks @bcoles will take a look at the VMware target. We may be a bit over-broad in which VMWare product we're specifying there, though of course it would be nice to not need these specific targets at the risk of having a combinatorial target explosion. |
Godspeed my friends... let's hope enough people patch their systems before pwning starts. |
@bcoles the different targets mostly have to do with hot-swap memory. When it's enabled, the NT kernel must allocate more PFN table PTE metadata structures before the actual start of the NPP. If hot-swap memory is disabled (nominal) I would expect the default target to work. A full kernel crash dump is required for analysis though, the minidumps don't carry enough info forward. |
|
cve_2019_0708_bluekeep_rce.rb 添加 /usr/share/metasploit-framework/modules/exploits/windows/rdp/ rdp.rb 替换 /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb rdp_scanner.rb 替换 /usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb cve_2019_0708_bluekeep.rb 替换 /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb |
What is the easiest way to identify the Groombase for other targets - Looking at a Server 2008 R2 on AWS (Uploaded a vulnerable image that had been tested locally with VMware) |
There were changes made to the core rdp library in Metasploit for this exploit. Make sure to download and edit all the files changed (https://github.com/rapid7/metasploit-framework/pull/12283/files) |
This comment has been minimized.
This comment has been minimized.
What is the version of VirtualBox this has been tested on? I keep getting BSODs on both vulnerable Win7 and Win2k8 (Running VirtualBox 6.0.12 r133076 on x86_64 Linux) [] Started reverse TCP handler on 192.168.11.9:4444 Exploit targets: Id Name 0 Automatic targeting via fingerprinting |
为什么我更新了msf,也没有找到这个利用模块 |
i was successfully able to run this against |
得自己导入4个rb |
大佬有没有找个物理机试试,如果不修改注册表的话是不是就没法复现了。 |
我成功导入后,发现每次攻击都会蓝屏 |
2008 r2要改注册表,不然会GG,你康上面 |
我打的是win7 sp1的 |
黑人问号 |
我攻击的目标是win7 啊,win7不也受影响么,但是每次攻击都会蓝屏 |
我这边也有朋友有这个问题,好像是target的问题 |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Thanks for the note @MartinIngesen I was able to reproduce @bcoles crash above with VMWare Fusion 11. |
@DoktorCranium VirtualBox 6.0.10 on Linux and Mac. |
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce): Name Current Setting Required Description RDP_CLIENT_IP 192.168.0.100 yes The client IPv4 address to report during connect Exploit target: Id Name 0 Automatic targeting via fingerprinting msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 154.8.170.33 [] Started reverse TCP handler on 192.168.1.3:4444 give some help |
This comment has been minimized.
This comment has been minimized.
Landing this module now, further improvements will come in new PRs. Thanks everyone for testing and notes! |
i have a windows version |
I keep seeing this error: "Exploit failed: NameError uninitialized constant OpenSSL::SSL::TLS1_VERSION" As far as I can tell all the code is up to date, just pulled it down via git. Any thoughts? OpenSSL should already be required, so.. |
@brandenjlynch I'd run into the same error. It was an issue with my environment, IIRC the OpenSSL gem hadn't installed correctly. I would suggest you verify your version of ruby is correct and then reinstall that gem. I believe it tries to compile from source so make sure you have the development headers available. |
@zeroSteiner Thanks I'll try that! |
Has anyone succeeded with a physical machine? The vmware unpached win 7 worked with a little groomsize tweaqking but can't even get to a 'bluescreen' on my other laptop in a lab test. |
Release NotesThis adds an exploit module for CVE-2019-0708, a.k.a. BlueKeep, exploiting a remote Windows kernel use-after-free vulnerability via RDP. The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution. |
When i try in Kali many problem, almost GROOMSIZE and Target. |
When I tested, I always had the following questions |
Nothing is wrong with you. |
What should I do to restore success? |
I just tried 2008 again, the same question. |
What target did you select? |
I chose VMware, version 15.1.0. |
Не знаю что было изменено, но в virtual box эксплойт отрабатывает, но не создаёт сессию, не выполняет exeс, ничего. В чем дело ? |
I don’t know what has been changed, but in the virtual box, the exploit works, but does not create a session, does not execute exec, nothing. What's the matter ? |
First of all, everyone needs to provide more details. Logs, screenshots, anything. Information about your setup. Version numbers. WinDbg sessions if you have to. The exploit's success is highly dependent on memory layout, specifically NPP base. It is impossible to provide support for this module without details. This is bug reporting 101. Second of all, this is the pull request for the module, not a bug tracker. If you have bugs, please file them as issues. If you have support questions, ask on Slack, IRC, e-mail, or, if you're convinced GitHub is the place to be, ask via an issue. We will label it as Thank you. |
Please read our CONTRIBUTING document. We would be happy to help everyone, just not here. Conversation on this PR is limited to development. ETA: We've updated the document to clearly state where questions shouldn't go. Previously, it was stated where they should go and only implied where they shouldn't go. Thanks. |
This PR adds an exploit module for CVE-2019-0708, a.k.a. BlueKeep, exploiting a remote Windows kernel use-after-free vulnerability via RDP. The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.
This module was originally developed by @zerosum0x0 and @ryhanson, then further moved along by @OJ, @zeroSteiner, @rickoates, @wvu-r7, @bwatters-r7, @wchen-r7, @tsellers-r7, @todb-r7 and others. The module was ported from a Python external module to a native Ruby module in order to take advantage of the RDP and other library enhancements in Metasploit. The original Python module is in the commit history if you wish to examine and compare it the the current implementation.
The module currently targets 64-bit versions of Windows 7 and Windows Server 2008 R2. For Windows Server 2008 R2, a registry entry needs to be modified to enable heap grooming via the RDPSND channel, though there remain other possibilities to explore for using alternate channels that are enabled by default on all Windows OSes.
The module is currently ranked as
Manual
, as the user needs to supply additional target information or risk crashing the target host. The module implements a default fingerprint-only TARGET option that just checks for a vulnerable host and displays some initial information about the specific target OS, but the user will need to specify a more exact target based on secondary recon, or until further improvements in this module enable more accurate determination of the target kernel memory layout at runtime.There are specific targets for bare-metal, Virtualbox, VMware, and Hyper-V, though there may be additional variables in your target environment that additionally shift the base address for grooming, so we welcome any ideas from the community for automatically detecting this instead!
Todo
Optional Todo
Verification
msfconsole
use exploit/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS
to target hosts (x64 Windows 7 or 2008 R2)set PAYLOAD
and associated options as desiredset TARGET
to a more specific target based on your environmentExploitation Sample Output