Watch out! A working, free BlueKeep (CVE-2019-0708) exploit is now available in Metasploit
There’s been a lot of discussion about BlueKeep, a security hole in the Windows Remote Desktop Protocol that allows a remote attacker to access your machine.
According to this article by Brent Cook on the Rapid7 site:
Today, Metasploit is releasing an initial public exploit module for CVE-2019-0708, also known as BlueKeep, as a pull request on Metasploit Framework. The initial PR of the exploit module targets 64-bit versions of Windows 7 and Windows 2008 R2. The module builds on proof-of-concept code from Metasploit contributor @zerosum0x0, who also contributed Metasploit’s BlueKeep scanner module and the scanner and exploit modules for EternalBlue. Metasploit’s exploit makes use of an improved general-purpose RDP protocol library, as well as enhanced RDP fingerprinting capabilities, both of which will benefit Metasploit users and contributors well beyond the context of BlueKeep scanning and exploitation.
It's a full working exploit, but has still room for improvements:
By default, Metasploit’s BlueKeep exploit only identifies the target operating system version and whether the target is likely to be vulnerable. The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation. If the module is interrupted during exploitation, or if the incorrect target is specified, the target will crash with a bluescreen. Users should also note that some elements of the exploit require knowledge of how Windows kernel memory is laid out, which varies depending on both OS version and the underlying host platform (virtual or physical); the user currently needs to specify this correctly to run the exploit successfully. Server versions of Windows also require a non-default configuration for successful exploitation—namely, changing a registry setting to enable audio sharing. This limitation may be removed in the future.
The module currently targets 64-bit versions of Windows 7 and Windows Server 2008 R2. For Windows Server 2008 R2, a registry entry needs to be modified to enable heap grooming via the RDPSND channel, though there remain other possibilities to explore for using alternate channels that are enabled by default on all Windows OSes.
The module is currently ranked asManual
, as the user needs to supply additional target information or risk crashing the target host. The module implements a default fingerprint-only TARGET option that just checks for a vulnerable host and displays some initial information about the specific target OS, but the user will need to specify a more exact target based on secondary recon, or until further improvements in this module enable more accurate determination of the target kernel memory layout at runtime.
So, if you have Remote Dekstop turned on and accessible directly from the internet, and you must instal the last Windows updates!