7h3rAm / CVE-2019-0708

CVE-2019-0708 - BlueKeep (RDP)

RDP Connection Sequence: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/023f1e69-cfe8-4ee6-9ee0-7e759fb4e4ee

Analysis of RDP Service Vulnerability: https://www.zerodayinitiative.com/blog/2019/5/27/cve-2019-0708-a-comprehensive-analysis-of-a-remote-desktop-services-vulnerability

Please check the above two links to understand how the RDP connection sequence works and the vulnerability that exists in the Microsoft Windows RDP kernel driver termdd.sys (MS_T120).

Windows Kernel Debugging: https://medium.com/@straightblast426/a-debugging-primer-with-cve-2019-0708-ccfa266682f6

My approach:

I am a n00b in kernel exploitation and debugging :)

Day 1:

Initially I went through the Unauthenticated CVE-2019-0708 "BlueKeep" Scanner PoC script, cve_2019_0708_bluekeep.rb, to understand how they implemented the PoC. So I enabled verbose mode in the Metasploit datastore and started analysing the output, but it was too hard to understand. I thought: let's implement the same PoC in Python.

Day 2:

I wrote the Unauthenticated CVE-2019-0708 "BlueKeep" Scanner in Python, which helped me a lot in understanding the RDP Connection Sequence and packets. Then I started playing with RDP packets to figure out the crash for 2 days. I failed :(

Note: cve_2019_0708_bluekeep.py is the Unauthenticated CVE-2019-0708 "BlueKeep" Scanner PoC, not an actual exploit.

Day 4:

I realized where I made the mistake :) Instead of using the existing PoC script, I started writing the PoC from scratch with TLS to make the task of sending RDP packets easier.

Note: Please read the MSDN documentation properly; everything is very clear.

Day 5:

Finally I got the crash. Check the demo video :)

Hint: The crafted payload which leads to the crash is already available in the CVE-2019-0708 "BlueKeep" Scanner PoC script released by @JaGoTu and @zerosum0x0.

Demo

Credits:

Support!

Email address: umarfarookmech712@gmail.com or pingus@foolsofsecurity.com
Youtube: Fools Of Security
Website: Fools Of Security Community

Reference:

Languages: Python 100.0%