Bluekeep RDP CVE-2019-0708 Metasploit Exploit POC

Sep 8, 2019 | Vulnerabilities

BlueKeep is a security vulnerability in the Remote Desktop Protocol (RDP). It was discovered by the UK National Cyber Security Centre and reported on May 14, 2019, as a security vulnerability. The name BlueKeep was given by the security researcher Kevin Beaumont. The vulnerability is present in all unpatched NT-based versions of Windows from Windows 2000 through Windows 7 / Windows Server 2008. The Remote Desktop Protocol has to be enabled in the operating system for a host to be vulnerable. According to Shodan, 71,297 systems are still vulnerable in the US and over a million systems worldwide. We can expect this to produce a new outbreak of a WannaCry-style mass attack on the internet that exploits the vulnerability. Many organizations expose RDP to the internet, unlike SMB, which is exposed less often because it requires a share to be opened. So we can expect a more serious attack in the near future. The WannaCry ransomware is estimated to have infected over 200,000 computers across 150 countries, with damages ranging from millions to billions. One attack example was the Tai

On the 6th of September, a Metasploit exploit module was released to the public. The exploit is not yet 100% stable but does work at least on Windows 7. We believe that a higher-quality exploit will be developed in the near future that will be able to exploit systems from Windows 2000 through Windows Server 2008 R2.

Short Explanation of the Vulnerability

The RDP protocol uses “virtual channels”, configured before authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 “static” virtual channels, and “dynamic” virtual channels are carried within one of these static channels. If a server binds the virtual channel “MS_T120” (a channel that a client has no legitimate reason to connect to) to a static channel other than 31, heap corruption occurs that allows arbitrary code execution at the system level.
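The client's request for static virtual channels is carried in the client network data block (TS_UD_CS_NET) of the RDP connect sequence, and that is where a request for the “MS_T120” channel described above becomes visible to a defender inspecting traffic. The following Python is an added example, not code from the original post or from the Metasploit module: it walks the TS_UD_* blocks, parses the channel definition array as laid out in MS-RDPBCGR, and reports whether the suspect channel was requested. The sample byte strings are constructed here, the CS_CORE block is a truncated placeholder, and comparing the channel name case-insensitively is an assumption of this example.

```python
import struct

# TS_UD_HEADER type values from MS-RDPBCGR section 2.2.1.3
CS_CORE = 0xC001
CS_NET = 0xC003
# The channel a client never has a legitimate reason to request (see the text above)
SUSPECT_CHANNEL = "MS_T120"


def iter_user_data_blocks(client_data: bytes):
    """Walk the concatenated TS_UD_* blocks carried in the clientData field of the
    GCC Conference Create Request. Each block starts with a 4-byte TS_UD_HEADER:
    type (uint16 LE) and length (uint16 LE, header included)."""
    off = 0
    while off + 4 <= len(client_data):
        btype, blen = struct.unpack_from("<HH", client_data, off)
        if blen < 4 or off + blen > len(client_data):
            raise ValueError(f"malformed TS_UD_HEADER at offset {off}")
        yield btype, client_data[off + 4:off + blen]
        off += blen


def parse_cs_net_channels(body: bytes) -> list:
    """Parse a TS_UD_CS_NET body: channelCount (uint32 LE) followed by CHANNEL_DEF
    entries, each an 8-byte NUL-padded ANSI name plus a 4-byte options field."""
    (count,) = struct.unpack_from("<I", body, 0)
    if count > 31 or len(body) < 4 + 12 * count:
        raise ValueError("channelCount out of range or channelDefArray truncated")
    names = []
    for i in range(count):
        raw_name, _options = struct.unpack_from("<8sI", body, 4 + 12 * i)
        names.append(raw_name.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def find_ms_t120(client_data: bytes):
    """Return (requested channel names, index of MS_T120 or None).
    The comparison is case-insensitive here; that is an assumption of this example."""
    for btype, body in iter_user_data_blocks(client_data):
        if btype == CS_NET:
            names = parse_cs_net_channels(body)
            for i, name in enumerate(names):
                if name.upper() == SUSPECT_CHANNEL:
                    return names, i
            return names, None
    return [], None


def build_client_data(channel_names) -> bytes:
    """Build constructed clientData for exercising the detector: a truncated CS_CORE
    placeholder (the real block is much longer) followed by a CS_NET block."""
    core = struct.pack("<HH", CS_CORE, 12) + b"\x00" * 8
    net_body = struct.pack("<I", len(channel_names))
    for name in channel_names:
        # 0x80000000 = CHANNEL_OPTION_INITIALIZED
        net_body += struct.pack("<8sI", name.encode("ascii"), 0x80000000)
    return core + struct.pack("<HH", CS_NET, 4 + len(net_body)) + net_body


# Constructed samples: an ordinary client and one requesting the suspect channel
BENIGN_CLIENT_DATA = build_client_data(["rdpdr", "cliprdr"])
SUSPECT_CLIENT_DATA = build_client_data(["rdpdr", "cliprdr", "MS_T120"])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_CLIENT_DATA), ("suspect", SUSPECT_CLIENT_DATA)):
        names, idx = find_ms_t120(blob)
        verdict = "ALERT: MS_T120 requested" if idx is not None else "ok"
        print(f"{label}: channels={names} -> {verdict}")
```

In real traffic the clientData blob sits inside the MCS Connect Initial PDU, so a capture-based detector would first strip the TPKT, X.224 and MCS/GCC layers and then hand the remaining bytes to `find_ms_t120`; the index it returns is the position in the client's channel list, which is what decides which static channel number the server assigns.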

So how does exploitation of the vulnerability work?

  • You create an RDP connection with the “MS_T120” virtual channel (a channel that a client has no legitimate reason to connect to)
  • Heap Spray
  • Invoke Allocations
  • Control the EIP
  • Cause the UAF heap corruption and execute the ring 0 shellcode

Note: the exploit is not 100% stable and may cause the remote host to crash with a blue screen.

How to mitigate the vulnerability 

  • RDP should not be exposed as a protocol listening on the internet. It can be attacked not only with this exploit but also by guessing user credentials or through chained phishing attacks. As a general rule, we recommend not using RDP externally; use a secure VPN connection instead if you have to connect to your organization.
  • Patch your Windows systems with the latest Windows security updates. You can do this from the following link: If you are still using Windows XP or Windows Server 2003 (which is not recommended), you can patch them with the following update:
  • You can enable Network Level Authentication (NLA) to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services with a valid account on the target system before the vulnerability could be exploited.
  • Even if you don’t use RDP, we still recommend blocking port 3389 and RDP connections in your firewall/security system so that there is no way to connect to RDP to or from your organization’s network.
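Enabling NLA is only a mitigation if the server actually enforces it, so it is worth verifying on your own hosts. The Python below is an added example, not code from the original post: it builds the X.224 Connection Request that asks for standard RDP security only and classifies the server's Connection Confirm as laid out in MS-RDPBCGR. A server with NLA enforced rejects that request with the failure code HYBRID_REQUIRED_BY_SERVER; a server that accepts it still exposes the pre-authentication path that the mitigation above is meant to close. The `audit_nla` function and its default port are this example's own; the sample replies are constructed so the parser can be exercised offline.

```python
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000      # standard RDP security, reachable without NLA
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. NLA
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: LI, code 0xE0, DST-REF, SRC-REF, class; LI counts the bytes after itself
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Classify the X.224 Connection Confirm returned by the server."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack_from(">H", data, 2)[0] != len(data):
        raise ValueError("TPKT length does not match payload")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:
        # No RDP_NEG_RSP at all: legacy server, standard RDP security, no NLA
        return {"kind": "no_negotiation", "nla_enforced": False}
    ntype, _flags, nlen, value = struct.unpack_from("<BBHI", data, 11)
    if nlen != 8:
        raise ValueError("bad negotiation structure length")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"kind": "accepted", "selected_protocol": value, "nla_enforced": False}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": value,
                "reason": FAILURE_CODES.get(value, "UNKNOWN"),
                "nla_enforced": value == HYBRID_REQUIRED_BY_SERVER}
    raise ValueError("unexpected negotiation structure type")


def audit_nla(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Ask one of your own servers for standard RDP security only. A server with
    NLA enforced answers HYBRID_REQUIRED_BY_SERVER; any other answer means the
    pre-authentication path is still reachable. (Hypothetical helper of this example.)"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        reply = sock.recv(1024)
    return parse_connection_confirm(reply)


# Constructed replies so the parser can be run without a network
_CC_HEADER = struct.pack(">BBH", 3, 0, 19) + struct.pack(">BBHHB", 14, 0xD0, 0, 0x1234, 0)
SAMPLE_NLA_REQUIRED = _CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, HYBRID_REQUIRED_BY_SERVER)
SAMPLE_LEGACY_ACCEPTED = _CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP)

if __name__ == "__main__":
    for label, reply in (("nla enforced", SAMPLE_NLA_REQUIRED), ("legacy accepted", SAMPLE_LEGACY_ACCEPTED)):
        print(label, parse_connection_confirm(reply))
```

A result of `SSL_REQUIRED_BY_SERVER` means the host demands TLS but not NLA, which does not close the pre-authentication path; and even with NLA enforced the host remains vulnerable to an authenticated user until it is patched, so this check complements the patching step rather than replacing it.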

It is illegal to use this exploit on any computer without the owner’s permission. This blog post is written for educational purposes only and to show how the vulnerability is exploited and how to mitigate against it. 
