CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
Description
The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution. Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets. Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout. HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set! If the target is crashing regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the GROOMBASE option.
Author(s)
- Sean Dillon <sean.dillon@risksense.com>
- Ryan Hanson
- OJ Reeves <oj@beyondbinary.io>
- Brent Cook <bcook@rapid7.com>
Platform
Windows
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf exploit(cve_2019_0708_bluekeep_rce) > show targets
...targets...
msf exploit(cve_2019_0708_bluekeep_rce) > set TARGET < target-id >
msf exploit(cve_2019_0708_bluekeep_rce) > show options
...show and set options...
msf exploit(cve_2019_0708_bluekeep_rce) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security
