Add initial exploit for CVE-2019-0708, BlueKeep #12283

Open: wants to merge 44 commits into base: master
44 commits
004e8d4 Add rdp_bluekeep.py and needs work (todb-r7, Jul 31, 2019)
d393c52 Payload shellcode for Bluekeep from zerosum (todb-r7, Jul 31, 2019)
3246308 chmod +x so it loads as an external module (wvu-r7, Jul 31, 2019)
cc9bd46 Allow specifying TLS version via 'SSLVersion' opt (busterb, Aug 2, 2019)
f7f617e Refactor RDP mixin to hide socket details (OJ, Aug 8, 2019)
bf89037 Refactor of RDP mixin to make it more configurable (OJ, Aug 9, 2019)
57f5deb Lots more RDP mixin changes, and first pass of ruby exploit (OJ, Aug 14, 2019)
33e2ae0 Fix disconnect PDU message and start work on payloads (OJ, Aug 14, 2019)
93721ce Another attempt to get bluekeep working (OJ, Aug 17, 2019)
bf5c3ba fix incorrect bytes in kernel shellcode (busterb, Aug 20, 2019)
830222a add debug writes (to be removed later) (busterb, Aug 20, 2019)
aee3697 skip payload encoding, be a bit more self-documenting (busterb, Aug 20, 2019)
e18c60d first working metasm shellcode (busterb, Aug 21, 2019)
eec828b minor cleanup of debug code and remove some fixed encodings (still ne… (busterb, Aug 21, 2019)
2a52aaf Add CheckScanner and ForceExploit (wvu-r7, Aug 21, 2019)
f3de42b Small refactors, comments and tidying up (OJ, Aug 21, 2019)
f70194c specify short jump opcodes explicitly (busterb, Aug 22, 2019)
ed6590f add pre/post processor phase to address metasm limits (busterb, Aug 22, 2019)
e14f538 move hack into fixup code (busterb, Aug 22, 2019)
605dc45 add PR ref (busterb, Aug 22, 2019)
b1a9c47 explicit short jump no longer needed with relative address fixes (busterb, Aug 22, 2019)
2b5711b remove 'COMPACT' mode since it's not needed here (busterb, Aug 22, 2019)
bb9da6c add auto-target by default, only scan and show a user message for now (busterb, Aug 22, 2019)
55562f6 rename for consistency with scanner module (busterb, Aug 22, 2019)
b968444 add a more likely arch with the default fingerprint target (busterb, Aug 23, 2019)
0c0e050 add current caveats and notes from zerosum0x0 (busterb, Aug 23, 2019)
af2f5a3 adjust to ManualRanking (busterb, Aug 23, 2019)
8b38d80 tag targets for Virtualbox, add Windows 2008R2 (busterb, Aug 23, 2019)
e262cd7 adjust rdp fingerprint code to match self.rdp_sock changes in exploit… (busterb, Aug 24, 2019)
cb1cf13 Clean up BlueKeep exploit (wvu-r7, Aug 24, 2019)
ade6582 Ensure rdp_disconnect in rdp_scanner (wvu-r7, Aug 24, 2019)
3f18005 merge Win 7/2008 targets (busterb, Aug 26, 2019)
355c366 perform fingerprinting in scanner (busterb, Aug 26, 2019)
9619b97 include internal OS version in target names (busterb, Aug 26, 2019)
ff96f13 remove WinVer (busterb, Aug 26, 2019)
b0cf458 add bare metal target (busterb, Aug 29, 2019)
4308505 Use the rdp connect/disconnect methods for WinXP (zeroSteiner, Aug 30, 2019)
777210d add initial module documentation stub (busterb, Sep 6, 2019)
5a0119b add and update documentation from original PoC (busterb, Sep 6, 2019)
015057f remove separate PoC and shellcode files, replaced with new integrated… (busterb, Sep 6, 2019)
7d0178a name module docs properly (busterb, Sep 6, 2019)
edb7e20 resolve msftidy error (busterb, Sep 6, 2019)
53d19e8 use specified RDP_CLIENT_NAME (busterb, Sep 11, 2019)
f528d3e move kernel shellcode comments to the correct place (busterb, Sep 11, 2019)
@@ -0,0 +1,32 @@
CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free

The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

## Vulnerable Application

This exploit should work against a vulnerable RDP service from one of these Windows systems:

* Windows 2000 x86 (All Service Packs))
* Windows XP x86 (All Service Packs))
* Windows 2003 x86 (All Service Packs))
* Windows 7 x86 (All Service Packs))
* Windows 7 x64 (All Service Packs)
* Windows 2008 R2 x64 (All Service Packs)

This exploit module currently targets these Windows systems running on several virtualized and physical targets.

* Windows 7 x64 (All Service Packs)
* Windows 2008 R2 x64 (All Service Packs)

## Verification Steps

- [ ] Start `msfconsole`
- [ ] `use exploit/windows/rdp/cve_2019_0708_bluekeep_rce`
- [ ] `set RHOSTS` to Windows 7/2008 x64
- [ ] `set TARGET` based on target host characteristics
- [ ] `set PAYLOAD`
- [ ] `exploit`
- [ ] **Verify** that you get a shell
- [ ] **Verify** that you do not crash

## Options
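Review bot: the `## Options` heading that closes this hunk has no body, so none of the module's options are documented; at minimum `TARGET`, `ForceExploit` and `RDP_CLIENT_NAME` (which the commit log shows this PR adds or uses) and the RDP mixin's `SSLVersion` should be described before merge. The "Vulnerable Application" list also overstates scope: it says the exploit "should work against" Windows 2000/XP/2003 x86 and Windows 7 x86, yet the module's own target list a few lines later covers only Windows 7 x64 and 2008 R2 x64, so reword the first list as the systems affected by the bug and keep the second as the targets the module supports. In "Verification Steps", `set TARGET based on target host characteristics` is too vague for a ManualRanking kernel exploit whose failure mode is the crash the last checkbox warns about: name the characteristic that matters (the commit log tags targets by VirtualBox versus bare metal) and add a `check` step before `exploit`, since the PR adds a CheckScanner. Minor: the first three bullets of the first list end in a doubled parenthesis, `(All Service Packs))`.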