rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

GROOMBASE value in cve_2019_0708_bluekeep_rce for Virtualbox 6.x is wrong #13925

Closed mark0100 closed 3 years ago

mark0100 commented 4 years ago

Steps to reproduce

  1. from msfconsole: use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
  2. set target 2 (Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6))
  3. set RHOSTS
  4. set LHOST
  5. check -> "The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel."
  6. run

The victim:

Were you following a specific guide/tutorial or reading documentation?

The solution to the problem is changing the GROOMBASE address for Virtualbox 6 in the exploit code from 0xfffffa8002407000 to 0xfffffa8001804000 as explained in: https://pentest-tools.com/blog/bluekeep-exploit-metasploit/

Expected behavior

Sending stage (201283 bytes) to [*] Meterpreter session 1 opened

Current behavior

"[*] Exploit completed, but no session was created" and/or the target machine crashes.

Metasploit version

Framework: 5.0.100-dev-
Console: 5.0.100-dev-

I installed Metasploit with:

OS

Ubuntu 20.04 Linux ubie 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

smcintyre-r7 commented 4 years ago

What version of VirtualBox 6 are you using? Also, what's the host OS? It could be dependent on those.

mark0100 commented 4 years ago

Virtualbox version: 6.1
Host OS: Ubuntu 20.04 Linux ubie 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

github-actions[bot] commented 4 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 3 years ago

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.