- A simple scanner to determine whether a system is vulnerable to CVE-2019-0708. This is a Python port of the original Metasploit scanner module by JaGoTu and zerosum0x0, available on GitHub here.
- Proof-of-concept RCE via exploitation of the BlueKeep vulnerability.
- 0xeb-bp GitHub: bluekeep. Pointed out by zerosum0x0; has code for grooming MS_T120 on XP.
Popular Press Coverage
Research
- Slides. The first "RCE guide" released to the public.
- Three Ways to Write Data into the Kernel with RDP PDU. Potential kernel pool grooming methods.
- Analysis of CVE-2019-0708 from MalwareTechBlog. Goes through the initial reverse engineering of the MS patch up to the discovery of a DoS via manual binding of the MS_T120 channel.
- BlueKeep: A Journey from DoS to RCE from MalwareTechBlog. Exactly as advertised.
- CVE-2019-0708 from Zero Day Initiative. An in-depth look at the BlueKeep use-after-free condition. A useful supplement to the other resources.
- BlueKeep Exploitation Spotted in the Wild
Writeups
- How to Exploit BlueKeep Vulnerability with Metasploit. Another early post demonstrating the platform-dependent tweaks needed for successful exploitation.
- A Debugging Primer with CVE-2019-0708. A walkthrough of the UAF condition via kernel debugger.
- Playing with the BlueKeep Metasploit Module. An early blog post on the tweaks needed to get the exploit working on a particular platform.
The RDPSND Problem
- Registry Keys for Terminal Services. Covers the non-default registry key that must be set in order to groom via the RDPSND virtual channel, as the open-source exploit does.
- Windows Security Encyclopedia: Allow Audio and Video Playback. A quick rundown of how the registry controls audio and video redirection, which governs availability of the RDPSND virtual channel.