Add initial exploit for CVE-2019-0708, BlueKeep #12283

Merged
merged 53 commits into from Sep 23, 2019
6b4e067
Add rdp_bluekeep.py and needs work
Jul 31, 2019
5ae1c8e
Payload shellcode for Bluekeep from zerosum
Jul 31, 2019
9e235ed
chmod +x so it loads as an external module
wvu Jul 31, 2019
b9cb6d8
Allow specifying TLS version via 'SSLVersion' opt
busterb Aug 2, 2019
eb9088a
Refactor RDP mixin to hide socket details
OJ Aug 8, 2019
1d6e319
Refactor of RDP mixin to make it more configurable
OJ Aug 9, 2019
edcc423
Lots more RDP mixin changes, and first pass of ruby exploit
OJ Aug 14, 2019
8412ff3
Fix disconnect PDU message and start work on payloads
OJ Aug 14, 2019
c76e773
Another attempt to get bluekeep working
OJ Aug 17, 2019
121e337
fix incorrect bytes in kernel shellcode
busterb Aug 20, 2019
4edf91d
add debug writes (to be removed later)
busterb Aug 20, 2019
6225c5c
skip payload encoding, be a bit more self-documenting
busterb Aug 20, 2019
a529866
first working metasm shellcode
busterb Aug 21, 2019
4976208
minor cleanup of debug code and remove some fixed encodings (still ne…
busterb Aug 21, 2019
725bff5
Add CheckScanner and ForceExploit
wvu Aug 21, 2019
f479ed2
Small refactors, comments and tidying up
OJ Aug 21, 2019
6522866
specify short jump opcodes explicitly
busterb Aug 22, 2019
9150ab4
add pre/post processor phase to address metasm limits
busterb Aug 22, 2019
9e321dc
move hack into fixup code
busterb Aug 22, 2019
5599018
add PR ref
busterb Aug 22, 2019
49cb620
explicit short jump no longer needed with relative address fixes
busterb Aug 22, 2019
b860caf
remove 'COMPACT' mode since it's not needed here
busterb Aug 22, 2019
855281b
add auto-target by default, only scan and show a user message for now
busterb Aug 22, 2019
f3a9af2
rename for consistency with scanner module
busterb Aug 22, 2019
e243e1a
add a more likely arch with the default fingerprint target
busterb Aug 23, 2019
35e3704
add current caveats and notes from zerosum0x0
busterb Aug 23, 2019
15ce66c
adjust to ManualRanking
busterb Aug 23, 2019
f2c4754
tag targets for Virtualbox, add Windows 2008R2
busterb Aug 23, 2019
ab63104
adjust rdp fingerprint code to match self.rdp_sock changes in exploit…
busterb Aug 24, 2019
e32409b
merge Win 7/2008 targets
busterb Aug 26, 2019
cdd3378
Clean up BlueKeep exploit
wvu Aug 24, 2019
de34bc4
Ensure rdp_disconnect in rdp_scanner
wvu Aug 24, 2019
fec749d
perform fingerprinting in scanner
busterb Aug 26, 2019
4677e0f
include internal OS version in target names
busterb Aug 26, 2019
02ba21a
remove WinVer
busterb Aug 26, 2019
fb729b5
add bare metal target
busterb Aug 29, 2019
5b91fa8
add initial module documentation stub
busterb Sep 6, 2019
51c0c24
add and update documentation from original PoC
busterb Sep 6, 2019
7e4a996
remove separate PoC and shellcode files, replaced with new integrated…
busterb Sep 6, 2019
0a05ee6
Use the rdp connect/disconnect methods for WinXP
zeroSteiner Aug 30, 2019
c405fba
name module docs properly
busterb Sep 6, 2019
d80ad89
resolve msftidy error
busterb Sep 6, 2019
d2da56b
use specified RDP_CLIENT_NAME
busterb Sep 11, 2019
458dc59
move kernel shellcode comments to the correct place
busterb Sep 11, 2019
8138e2f
remove email
busterb Sep 19, 2019
67ee46e
add additional target, set default target GROOMSIZE to 100M (thanks a…
busterb Sep 19, 2019
3174af0
add initial license packet handler
busterb Sep 19, 2019
acb351a
add a few more vmware targets (emphasising the fragility here)
busterb Sep 19, 2019
963489e
add further license PDU parsing
busterb Sep 20, 2019
0d34de7
support sending license requests
busterb Sep 22, 2019
0715b76
use client_random, add notes
busterb Sep 22, 2019
5b36b6e
add docs, simplify some areas
busterb Sep 23, 2019
c0be631
tweak groombase for vmware 15.1
busterb Sep 23, 2019
@@ -0,0 +1,32 @@
CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free

The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

## Vulnerable Application

This exploit should work against a vulnerable RDP service from one of these Windows systems:

* Windows 2000 x86 (All Service Packs))
* Windows XP x86 (All Service Packs))
* Windows 2003 x86 (All Service Packs))
* Windows 7 x86 (All Service Packs))
* Windows 7 x64 (All Service Packs)
* Windows 2008 R2 x64 (All Service Packs)

This exploit module currently targets these Windows systems running on several virtualized and physical targets.

* Windows 7 x64 (All Service Packs)
* Windows 2008 R2 x64 (All Service Packs)

## Verification Steps

- [ ] Start `msfconsole`
- [ ] `use exploit/windows/rdp/cve_2019_0708_bluekeep_rce`
- [ ] `set RHOSTS` to Windows 7/2008 x64
- [ ] `set TARGET` based on target host characteristics
- [ ] `set PAYLOAD`
- [ ] `exploit`
- [ ] **Verify** that you get a shell
- [ ] **Verify** that you do not crash

## Options
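Review bot: the "Vulnerable Application" list has an unbalanced closing parenthesis on its first four entries ("Windows 2000 x86 (All Service Packs))" through "Windows 7 x86 (All Service Packs))"); drop the extra ")" so they match the two x64 lines. The sentence "This exploit module currently targets these Windows systems running on several virtualized and physical targets." also needs rewording: per the commit log ("tag targets for Virtualbox", "add bare metal target", "add a few more vmware targets (emphasising the fragility here)", "tweak groombase for vmware 15.1") each TARGET is tied to a specific hypervisor or physical platform, so the doc should say that explicitly, and the Verification Steps entry "set TARGET based on target host characteristics" should state which characteristics matter (OS version and the hypervisor or bare-metal platform). Given the "Verify that you do not crash" step and the "adjust to ManualRanking" commit, a sentence that a mismatched target is expected to crash the host rather than fail cleanly belongs in the doc as well. Finally, "## Options" closes the file with no body; the options introduced in this PR (SSLVersion, ForceExploit, GROOMSIZE with its 100M default, RDP_CLIENT_NAME) should be documented there before merge.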