BlueKeep Exploit Added to Metasploit

BlueKeep Exploit Added to Metasploit

An initial public exploit targeting the recently addressed BlueKeep vulnerability in Microsoft Windows has been added to Rapid7’s Metasploit framework.

Tracked as CVE-2019-0708, the targeted vulnerability was addressed by Microsoft with its May 2019 Patch Tuesday updates. Within weeks, security researchers observed the first scans for the flaw, and it didn’t take long for attacks targeting it to emerge.

Industrial and medical products were also found to be at risk. Security researchers also discovered that the rate at which admins were patching systems had diminished significantly after just several months, with over 750,000 systems still vulnerable in mid-August.

Commonly referred to as BlueKeep, the vulnerability is a remote kernel use-after-free bug that impacts Windows’ Remote Desktop Protocol. The flaw could be abused by attackers to execute arbitrary code and take over a vulnerable machine by sending specially crafted requests via RDP.

“The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution,” Rapid7 explains.
Available in open source, the newly added Metasploit module was ported from a Python external module to a native Ruby one to take advantage of the RDP and other library enhancements in the framework.

At the moment, the module targets 64-bit versions of Windows 7 and Windows Server 2008 R2. For the latter, a “registry entry needs to be modified to enable heap grooming via the RDPSND channel,” but alternate channels enabled by default on Windows might also be used, if researched.

At the moment, the user needs to supply additional target information to use the module, otherwise the target host might crash.

“The module implements a default fingerprint-only TARGET option that just checks for a vulnerable host and displays some initial information about the specific target OS, but the user will need to specify a more exact target based on secondary recon, or until further improvements in this module enable more accurate determination of the target kernel memory layout at runtime,” Rapid7 notes.

While there are specific targets for bare-metal, Virtualbox, VMware, and Hyper-V, additional variables in target environments may shift the base address for grooming, the company also says.