Associated vulnerability
Title:
Microsoft Remote Desktop Services Resource Management Errors vulnerability
(CVE-2019-0708)
Description: Microsoft Windows and Microsoft Windows Server are products of the US company Microsoft. Microsoft Windows is an operating system for personal devices; Microsoft Windows Server is a server operating system. Remote Desktop Services is the remote desktop component of both. A resource management error vulnerability exists in Microsoft Remote Desktop Services. It stems from the product's improper management of system resources (such as memory, disk space and files). The following
Description
CVE-2019-0708 - BlueKeep (RDP)
Introduction
## CVE-2019-0708 - BlueKeep (RDP)
**RDP Connection Sequence:** https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/023f1e69-cfe8-4ee6-9ee0-7e759fb4e4ee
**Analysis of RDP Service Vulnerability:** https://www.zerodayinitiative.com/blog/2019/5/27/cve-2019-0708-a-comprehensive-analysis-of-a-remote-desktop-services-vulnerability
Please check the two links above to understand how the RDP connection sequence works and where the vulnerability lies in the Microsoft Windows RDP kernel driver termdd.sys (the MS_T120 channel).
**Windows Kernel Debugging:** https://medium.com/@straightblast426/a-debugging-primer-with-cve-2019-0708-ccfa266682f6
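As an added example, not the author's `cve_2019_0708_bluekeep.py` and not code from the linked documents, here is the first leg of the connection sequence from MS-RDPBCGR in Python: the client X.224 Connection Request carrying an RDP_NEG_REQ that asks for TLS, the parser for the server's Connection Confirm, and the TS_UD_CS_NET block that lists the static virtual channels (including the MS_T120 channel name mentioned above) the client later sends inside the MCS Connect Initial. The function and constant names, the `mstshash` cookie value and the sample bytes are this example's own choices; the live `connect_with_tls` helper assumes a server that accepts PROTOCOL_SSL and, like every RDP client talking to a self-signed server, does not verify the certificate.

```python
import socket
import ssl
import struct

# Protocol values from MS-RDPBCGR 2.2.1.1.1 (RDP_NEG_REQ) and 2.2.1.2.1 (RDP_NEG_RSP)
PROTOCOL_RDP = 0x00000000          # standard RDP security only
PROTOCOL_SSL = 0x00000001          # TLS, which is what we request
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
CS_NET = 0xC003                    # TS_UD_HEADER type of the client network data block (2.2.1.3.4)


def tpkt(tpdu: bytes) -> bytes:
    """Wrap an X.224 TPDU in a TPKT header (RFC 1006): version 3, reserved, 16-bit total length."""
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def x224_connection_request(cookie: bytes = b"Cookie: mstshash=user", protocols: int = PROTOCOL_SSL) -> bytes:
    """Client X.224 Connection Request PDU (MS-RDPBCGR 2.2.1.1): cookie + RDP_NEG_REQ."""
    rdp_neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, protocols)  # type, flags, length, requestedProtocols
    user_data = cookie + b"\r\n" + rdp_neg_req
    # X.224 CR TPDU: LI (bytes following it), CR code 0xE0, DST-REF, SRC-REF, class 0
    x224 = struct.pack(">BBHHB", 6 + len(user_data), 0xE0, 0, 0, 0) + user_data
    return tpkt(x224)


def parse_x224_connection_confirm(pdu: bytes) -> int:
    """Server X.224 Connection Confirm PDU (MS-RDPBCGR 2.2.1.2). Returns selectedProtocol."""
    if len(pdu) < 11 or pdu[0] != 3 or struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("malformed TPKT")
    li, code = pdu[4], pdu[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm TPDU")
    if li == 6:                    # no rdpNegData: server only offers standard RDP security
        return PROTOCOL_RDP
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", pdu[11:19])
    if neg_type == TYPE_RDP_NEG_FAILURE:
        raise ValueError(f"server refused negotiation, failureCode={value}")
    if neg_type != TYPE_RDP_NEG_RSP or neg_len != 8:
        raise ValueError("unexpected rdpNegData")
    return value


def client_network_data(channel_names) -> bytes:
    """TS_UD_CS_NET block (MS-RDPBCGR 2.2.1.3.4): the static virtual channels the client asks for.
    Each CHANNEL_DEF is an 8-byte NUL-terminated ASCII name followed by 32-bit options."""
    defs = b""
    for name in channel_names:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 7:         # 8 bytes including the terminator, so 7 characters max
            raise ValueError(f"channel name {name!r} must be 1-7 ASCII characters")
        defs += raw.ljust(8, b"\x00") + struct.pack("<I", 0)
    header = struct.pack("<HHI", CS_NET, 8 + len(defs), len(channel_names))  # type, length, channelCount
    return header + defs


def recv_tpkt(sock: socket.socket) -> bytes:
    """Read exactly one TPKT-framed PDU from the socket."""
    buf = b""
    while len(buf) < 4:
        chunk = sock.recv(4 - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during TPKT header")
        buf += chunk
    total = struct.unpack(">H", buf[2:4])[0]
    while len(buf) < total:
        chunk = sock.recv(total - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-PDU")
        buf += chunk
    return buf


def connect_with_tls(host: str, port: int = 3389, timeout: float = 5.0) -> ssl.SSLSocket:
    """Run the CR/CC exchange against a live server and upgrade the socket to TLS.
    RDP servers normally present self-signed certificates, so verification is disabled."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(x224_connection_request())
    selected = parse_x224_connection_confirm(recv_tpkt(sock))
    if selected != PROTOCOL_SSL:
        sock.close()
        raise RuntimeError(f"server selected protocol {selected:#x}, not TLS")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx.wrap_socket(sock, server_hostname=host)   # next PDU: MCS Connect Initial, sent over TLS


if __name__ == "__main__":
    import sys
    tls_sock = connect_with_tls(sys.argv[1])
    print("TLS negotiated with", sys.argv[1], "cipher", tls_sock.cipher())
```

Sanity check against a known-good encoding: with the default cookie the request is 42 bytes and starts `03 00 00 2a 25 e0`, the same TPKT/X.224 prefix the Metasploit module sends. Everything after `connect_with_tls` returns (MCS Connect Initial with the channel list above, Erect Domain, Attach User, Channel Join) is the part the page's own scanner implements.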
## My approach:
I am a n00b in kernel exploitation and debugging :)
**Day 1:**
Initially I went through the Unauthenticated CVE-2019-0708 "BlueKeep" Scanner PoC script - [cve_2019_0708_bluekeep.rb](https://github.com/zerosum0x0/CVE-2019-0708/blob/master/cve_2019_0708_bluekeep.rb) to understand how they implemented the PoC. So I enabled verbose mode in the Metasploit datastore and started analysing the output. But it was too hard to understand. I thought, let's implement the same PoC in Python.
**Day 2:**
I wrote the Unauthenticated CVE-2019-0708 "BlueKeep" Scanner in Python, which helped me a lot in understanding the RDP Connection Sequence and its packets. Then I started playing with RDP packets to figure out the crash for 2 days. I failed :(

**Note:** `cve_2019_0708_bluekeep.py` is an Unauthenticated CVE-2019-0708 "BlueKeep" Scanner PoC, not an actual exploit.
**Day 4:**
I realized where I made my mistake :) Instead of using the existing PoC script, I started writing the PoC from scratch over TLS, to make sending RDP packets easier.
Note: Please read the MSDN documentation properly; everything is very clear.
**Day 5:**
Finally I got the crash. Check the demo video :)
## Demo
[Demo video](https://www.youtube.com/watch?v=gk6H3viG8K4)
## :octocat:Credits:
* Umar Farook: [OSCE | Technology Security Analyst | DevSecops | Researcher](https://www.linkedin.com/in/Umar-Farook)
* FOS Team : [Fools of Security](https://www.youtube.com/channel/UCEBHO0kD1WFvIhf9wBCU-VQ)
* [zerosum0x0](https://twitter.com/zerosum0x0)
* [JaGoTu](https://twitter.com/JaGoTu)
## Support!
Email address: umarfarookmech712@gmail.com or pingus@foolsofsecurity.com <br/>
Youtube: [Fools Of Security](https://www.youtube.com/channel/UCEBHO0kD1WFvIhf9wBCU-VQ)<br/>
Website: [Fools Of Security Community](https://foolsofsecurity.com) <br/>
## Reference:
- [Zero Day Initiative](https://www.zerodayinitiative.com/blog/2019/5/27/cve-2019-0708-a-comprehensive-analysis-of-a-remote-desktop-services-vulnerability)
- [Debugging Primer with CVE-2019–0708](https://medium.com/@straightblast426/a-debugging-primer-with-cve-2019-0708-ccfa266682f6)
File snapshot
[4.0K] /data/pocs/a533131aa3806a681f894ae7c9773fc91bf6b9fb
├── [ 19K] cve_2019_0708_bluekeep.py
├── [4.0K] Images
│ └── [170K] cve-2019-0708-pyscanner.png
└── [2.8K] README.md
1 directory, 3 files
Notes
1. Prefer accessing the PoC through its original source.
2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.