How to Exploit BlueKeep Vulnerability with Metasploit


Sep 10, 2019 • Razvan Ionescu, Stefan Bratescu, Cristin Sirbu

In this article we show our approach for exploiting the RDP BlueKeep vulnerability using the recently proposed Metasploit module.

We show how to obtain a Meterpreter shell on a vulnerable Windows 2008 R2 machine by adjusting the Metasploit module code (GROOMBASE and GROOMSIZE values) because the exploit does not currently work out-of-the-box.

Further on, we explain the steps we took to make the module work properly on our target machine:

  1. Background
  2. Prerequisites
  3. Installing the Bluekeep exploit module in Metasploit
  4. Preparing the target machine
  5. Adjusting the BlueKeep exploit
  6. Running the exploit module
  7. Conclusions

1. Background

BlueKeep is a critical Remote Code Execution vulnerability in Microsoft’s RDP service. Since the vulnerability is wormable, it has caught a great deal of attention from the security community, being in the same category as EternalBlue (MS17-010) and Conficker (MS08-067). You can read an in-depth analysis of the BlueKeep vulnerability in our blog post.

A few days ago, a Metasploit contributor - zerosum0x0 - submitted a pull request to the framework containing an exploit module for BlueKeep (CVE-2019-0708). The Rapid7 team has also published an article about this exploit on their blog.

As of now, the module is not yet integrated into the main Metasploit branch (it’s still a pull request) and it only targets Windows 2008 R2 and Windows 7 SP1, 64-bit versions. Furthermore, the module is currently ranked as Manual since the user needs to provide additional information about the target; otherwise it risks crashing the target with a BSOD.


Full article: https://pentest-tools.com/blog/bluekeep-exploit-metasploit/
