algo7 / bluekeep_CVE-2019-0708_poc_to_exploit

An Attempt to Port BlueKeep PoC from @Ekultek to actual exploits
GNU General Public License v3.0
344 stars 127 forks source link

Note:

This project has been archived as actual exploits have been developed elsewhere with better success.

https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/

Badges

[]() []() []() []()

bluekeep_CVE-2019-0708_poc_to_exploit

Porting BlueKeep PoC from @Ekultek & @umarfarook882 to actual exploits.

Script kiddies are not welcomed here as at anywhere else.

Please read the through theissues (both closed and open beofre posting stuff like "It doesn't work", "Nothing happened after I ran the script", or "Error (without being specific), please help me".

Welcome to Join our Discord Server

! Please note that this is not yet an exploit but rather an attempt to port existing PoCs to actual exploits.

============================================================================

The project is not being actively maintained, but please feel free to give suggestions or open new issues.

============================================================================

I am just like anyone of you who enjoy solving complex problems and learn from the process. I am here just to share my progress while at the same time get some opinions from the public. Sharing is caring :)

============================================================================ This is not some off-the-shelf exploits which you can just grab and check out.

Furthermore, the methods of delivery is also important to make sure your codes will execute on the remote machine.

So far we still aren't able to succesfully to pop a shell and achieved RCE.

FYI:

Most of the scanners and PoCs out there work by only analyzing the responses from the targeted hosts and determine if the hosts are vulnerable or not. (As all of you should know, patched and unpatched versions return different reponses, as well as O.S that are not affected). They don't actually "exploit" the targeted hosts. In order to achieve RCE, first we should try to trigger the vulnerability by sending specially crafted packets (refer to RDP MSDN for protocol specifications). After the vulnerabiliy is triggered, the second step is to analyze the crashed or memory dumps to figure out how our codes can fit in. It's not as simple as most of us think it is.

Some useful resources:

  1. CVE-2019-0708: A COMPREHENSIVE ANALYSIS OF A REMOTE DESKTOP SERVICES VULNERABILITY | Client-side (mostly)

  2. RDP Connection Sequence

  3. Analysis of CVE-2019-0708 (BlueKeep) | Server-side

You can use the Magic Unicorn from @trustedsec for generating shell codes. https://github.com/trustedsec/unicorn

**Note: Please use Python 3

RDP Connection Sequence:

The RDP client initiates the connection when the user provides the name of the remote desktop to connect to. The RDP client initiates a connection to the RD Session Host by sending an X.224 Connection Request protocol data unit (PDU)

The RD Session Host responds with an X.224 Connection Confirm PDU.

The RDP client sends a Multipoint Communication Service (MCS) Connect Initial PDU with GCC Conference Create Request. --> Vulnerability is related to this request.

The RD Session Host responds with an MCS Connect Response PDU with GCC Conference Create Response.

The RDP client sends an MCS Erect Domain Request PDU.

The RDP client sends an MCS Attach User Request PDU.

The RD Session Host responds with an MCS Attach User Confirm PDU.

The RDP client sends multiple (in this case six) MCS Channel Join Request PDUs.

The RD Session Host sends multiple (in this case six) MCS Channel Join Confirm PDUs.

The RDP client sends a Security Exchange PDU.

The RDP client sends a Client Info PDU.

The RD Session Host sends a License Error PDU-Valid Client.

The RD Session Host sends a Demand Active PDU.

The RDP client responds with a Confirm Active PDU.

The RDP client sends a Synchronize PDU.

The RDP client sends a Control PDU-Cooperate.

The RDP client sends a Control PDU-Request Control.

The RDP client sends zero or more Persistent Key List PDUs. In this case, zero PDUs are sent.

The RDP client sends a Font List PDU.

The RD Session Host sends a Synchronize PDU.

The RD Session Host sends a Control PDU-Cooperate.

The RD Session Host sends a Control PDU-Granted Control.

The RD Session Host sends a Font Map PDU..