
CVE-2019-0708 PoC — Microsoft Remote Desktop Services Resource Management Error Vulnerability

Source
Associated Vulnerability
Title: Microsoft Remote Desktop Services Resource Management Error Vulnerability (CVE-2019-0708)
Description: A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
Description
CVE-2019-0708 - BlueKeep (RDP)
Readme
## CVE-2019-0708 - BlueKeep (RDP)

**RDP Connection Sequence:** https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/023f1e69-cfe8-4ee6-9ee0-7e759fb4e4ee

**Analysis of RDP Service Vulnerability:** https://www.zerodayinitiative.com/blog/2019/5/27/cve-2019-0708-a-comprehensive-analysis-of-a-remote-desktop-services-vulnerability

Please check the above two links to understand how the RDP connection sequence works and the vulnerability that exists in the Microsoft Windows RDP kernel driver, termdd.sys (the MS_T120 channel).

**Windows Kernel Debugging:** https://medium.com/@straightblast426/a-debugging-primer-with-cve-2019-0708-ccfa266682f6
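As an added illustration of the MS_T120 point above (this is not code from this repository): a legitimate RDP client never requests the internal MS_T120 channel in its MCS Connect Initial, so a defender can parse the clientData blocks of the GCC Conference Create Request and flag that name. The function assumes it is handed the concatenated TS_UD_* blocks already extracted from the PDU; the byte samples are constructed, not captured.

```python
import struct

# TS_UD_HEADER block types (MS-RDPBCGR client-to-server user data blocks)
CS_CORE = 0xC001
CS_NET = 0xC003

# MS_T120 is created internally by termdd.sys; a legitimate client never asks for it by name.
# Matched case-insensitively below as a conservative detection choice.
SUSPICIOUS_CHANNELS = {"MS_T120"}


def parse_client_data_blocks(data: bytes) -> dict:
    """Split concatenated clientData into {block_type: payload} by walking TS_UD_HEADER (type, length)."""
    blocks, off = {}, 0
    while off + 4 <= len(data):
        btype, blen = struct.unpack_from("<HH", data, off)
        if blen < 4 or off + blen > len(data):
            raise ValueError(f"malformed TS_UD_HEADER at offset {off}")
        blocks[btype] = data[off + 4 : off + blen]
        off += blen
    return blocks


def channel_names(cs_net: bytes) -> list:
    """Decode TS_UD_CS_NET: channelCount (uint32 LE), then CHANNEL_DEF entries of 8-byte name + 4-byte options."""
    (count,) = struct.unpack_from("<I", cs_net, 0)
    names = []
    for i in range(count):
        entry = cs_net[4 + 12 * i : 16 + 12 * i]
        if len(entry) < 12:
            raise ValueError("channelDefArray truncated")
        names.append(entry[:8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def requested_channels(client_data: bytes) -> list:
    blocks = parse_client_data_blocks(client_data)
    return channel_names(blocks[CS_NET]) if CS_NET in blocks else []


def flag_bluekeep_channel(client_data: bytes) -> list:
    """Return the suspicious static virtual channel names requested in this Connect Initial."""
    return [n for n in requested_channels(client_data) if n.upper() in SUSPICIOUS_CHANNELS]


def build_cs_net(names) -> bytes:
    """Build a TS_UD_CS_NET block for the constructed samples (options field zeroed)."""
    body = struct.pack("<I", len(names)) + b"".join(n.encode().ljust(8, b"\x00") + bytes(4) for n in names)
    return struct.pack("<HH", CS_NET, 4 + len(body)) + body


# Constructed samples (not real captures): a stub CS_CORE block followed by a CS_NET block.
BENIGN = struct.pack("<HH", CS_CORE, 8) + bytes(4) + build_cs_net(["rdpdr", "cliprdr"])
SUSPECT = struct.pack("<HH", CS_CORE, 8) + bytes(4) + build_cs_net(["rdpdr", "MS_T120"])
```

`flag_bluekeep_channel(SUSPECT)` returns `['MS_T120']` while the benign sample returns an empty list; the same walk over a live capture's clientData is what an IDS signature for this CVE keys on.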


## My approach:

I am a n00b in kernel exploitation and debugging :)

**Day 1:**

Initially I went through the Unauthenticated CVE-2019-0708 "BlueKeep" Scanner PoC script - [cve_2019_0708_bluekeep.rb](https://github.com/zerosum0x0/CVE-2019-0708/blob/master/cve_2019_0708_bluekeep.rb) to understand how they implemented the PoC script. So I enabled verbose mode in the Metasploit datastore and started analysing the output. But it was too hard to understand. I thought, let's implement the same PoC in Python.

**Day 2:**

I wrote the Unauthenticated CVE-2019-0708 "BlueKeep" Scanner in Python, which helped me a lot in understanding the RDP connection sequence and packets. Then I started playing with RDP packets for 2 days to figure out the crash. I failed :(


![cve-2019-0708](./Images/cve-2019-0708-pyscanner.png)

**Note:** `cve_2019_0708_bluekeep.py` is an Unauthenticated CVE-2019-0708 "BlueKeep" Scanner PoC, not an actual exploit.

**Day 4:**

I realized where I made a mistake :) Instead of using the existing PoC script, I started writing the PoC from scratch with TLS to make the task of sending RDP packets easy.

Note: Please read the MSDN documentation properly; everything is very clear.

**Day 5:**

Finally I got the crash. Check the demo video :)


 
## Demo
 
[![Alt text](https://img.youtube.com/vi/gk6H3viG8K4/0.jpg)](https://www.youtube.com/watch?v=gk6H3viG8K4)


## :octocat:Credits:
* Umar Farook: [OSCE | Technology Security Analyst | DevSecops | Researcher](https://www.linkedin.com/in/Umar-Farook)
* FOS Team : [Fools of Security](https://www.youtube.com/channel/UCEBHO0kD1WFvIhf9wBCU-VQ)
* [zerosum0x0](https://twitter.com/zerosum0x0)
* [JaGoTu](https://twitter.com/JaGoTu)

## Support !
  
Email address: umarfarookmech712@gmail.com  or pingus@foolsofsecurity.com <br/>
Youtube: [Fools Of Security](https://www.youtube.com/channel/UCEBHO0kD1WFvIhf9wBCU-VQ)<br/>
Website: [Fools Of Security Community](https://foolsofsecurity.com) <br/>

## Reference:

- [Zero Day Initiative](https://www.zerodayinitiative.com/blog/2019/5/27/cve-2019-0708-a-comprehensive-analysis-of-a-remote-desktop-services-vulnerability)
- [Debugging Primer with CVE-2019–0708](https://medium.com/@straightblast426/a-debugging-primer-with-cve-2019-0708-ccfa266682f6)
