This project has been archived as actual exploits have been developed elsewhere with better success.
https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/
[]() []() []() []()
bluekeep_CVE-2019-0708_poc_to_exploit
Please read the through theissues (both closed and open beofre posting stuff like "It doesn't work", "Nothing happened after I ran the script", or "Error (without being specific), please help me".
============================================================================
============================================================================
============================================================================ This is not some off-the-shelf exploits which you can just grab and check out.
Furthermore, the methods of delivery is also important to make sure your codes will execute on the remote machine.
So far we still aren't able to succesfully to pop a shell and achieved RCE.
Most of the scanners and PoCs out there work by only analyzing the responses from the targeted hosts and determine if the hosts are vulnerable or not. (As all of you should know, patched and unpatched versions return different reponses, as well as O.S that are not affected). They don't actually "exploit" the targeted hosts. In order to achieve RCE, first we should try to trigger the vulnerability by sending specially crafted packets (refer to RDP MSDN for protocol specifications). After the vulnerabiliy is triggered, the second step is to analyze the crashed or memory dumps to figure out how our codes can fit in. It's not as simple as most of us think it is.
Some useful resources:
You can use the Magic Unicorn from @trustedsec for generating shell codes. https://github.com/trustedsec/unicorn
**Note: Please use Python 3
The RDP client initiates the connection when the user provides the name of the remote desktop to connect to. The RDP client initiates a connection to the RD Session Host by sending an X.224 Connection Request protocol data unit (PDU)
The RD Session Host responds with an X.224 Connection Confirm PDU.
The RDP client sends a Multipoint Communication Service (MCS) Connect Initial PDU with GCC Conference Create Request. --> Vulnerability is related to this request.
The RD Session Host responds with an MCS Connect Response PDU with GCC Conference Create Response.
The RDP client sends an MCS Erect Domain Request PDU.
The RDP client sends an MCS Attach User Request PDU.
The RD Session Host responds with an MCS Attach User Confirm PDU.
The RDP client sends multiple (in this case six) MCS Channel Join Request PDUs.
The RD Session Host sends multiple (in this case six) MCS Channel Join Confirm PDUs.
The RDP client sends a Security Exchange PDU.
The RDP client sends a Client Info PDU.
The RD Session Host sends a License Error PDU-Valid Client.
The RD Session Host sends a Demand Active PDU.
The RDP client responds with a Confirm Active PDU.
The RDP client sends a Synchronize PDU.
The RDP client sends a Control PDU-Cooperate.
The RDP client sends a Control PDU-Request Control.
The RDP client sends zero or more Persistent Key List PDUs. In this case, zero PDUs are sent.
The RDP client sends a Font List PDU.
The RD Session Host sends a Synchronize PDU.
The RD Session Host sends a Control PDU-Cooperate.
The RD Session Host sends a Control PDU-Granted Control.
The RD Session Host sends a Font Map PDU..