rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Suggestion: Add module for CVE-2019-0708 #11852

Closed FilterUnfiltered closed 5 years ago

FilterUnfiltered commented 5 years ago

Just recently patched, I feel like this could be useful in a penetration test if they have outdated Windows servers.

cbrnrd commented 5 years ago

I would if I could. The POC isn't public (yet, hopefully) so nobody is able to write a module for it.

ccondon-r7 commented 5 years ago

What @cbrnrd said :)

FilterUnfiltered commented 5 years ago

My friend is looking into how it works and trying to make his own PoC xD so I don't think it will be long before a PoC is public

ghost commented 5 years ago

I spent some free time this weekend digging a little deeper and strongly suspect it's a use after free. Which means making it RCE should be some epic level pwnage. What the hell do you alloc in its place?

I hadn't touched the RDP stack at all until last Tuesday, so it's not unreasonable that people digging at the code for years might know a few tricks.

https://twitter.com/zerosum0x0/status/1130395426358620160

edit:

DoS confirmed UAF.

ghost commented 5 years ago

We have a PoC that can detect if the patch is installed without DoS. I'll work on porting it to Ruby/MSF tonight.

ccondon-r7 commented 5 years ago

That's fantastic news! Best notification I've gotten all day. Looking forward to it, @zerosum0x0.

ghost commented 5 years ago

As you (might not) know, MSF doesn't have an RDP library. I'm implementing it; terrible code that should be rewritten/moved into a lib at some point. Hit some time-sinking bugs, but I think it's coming along now. I hope to wrap it up soon.

cbrnrd commented 5 years ago

@zerosum0x0 Refs for how it's (sort of) been done before:

ghost commented 5 years ago

Yea, that bug happened in the early stages so they never had to implement the bizarre 90's MS style crypto packets.

ghost commented 5 years ago

I've added our C code scanner and the Ruby work in progress to a repo.

https://github.com/zerosum0x0/CVE-2019-0708

cbrnrd commented 5 years ago

@zerosum0x0 McAfee made a pretty in-depth blog post about this. Seems like it could be useful for creating a working PoC.

ghost commented 5 years ago

PR @ https://github.com/rapid7/metasploit-framework/pull/11869

wvu commented 5 years ago

Closing, as we've landed the scanner. We'll see when an exploit rolls in. Thanks, everyone.