module
CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free

| Disclosed | Created |
|---|---|
| 05/14/2019 | 09/23/2019 |
Description

The RDP termdd.sys driver improperly handles binds to the internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause a use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets. Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout.

HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set!

If the target is crashing regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the GROOMBASE option.
Authors

- Sean Dillon
- Ryan Hanson
- OJ Reeves
- Brent Cook
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

```
msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf exploit(cve_2019_0708_bluekeep_rce) > show actions
    ...actions...
msf exploit(cve_2019_0708_bluekeep_rce) > set ACTION < action-name >
msf exploit(cve_2019_0708_bluekeep_rce) > show options
    ...show and set options...
msf exploit(cve_2019_0708_bluekeep_rce) > run
```
