Vulnerability Overview
Note: Please, check the above two link to understand the how rdp connectioin sequence work and also about the vulnerability exists in Microsoft Windows RDP kernel driver - termdd.sys (MS_T120)
My approach:
I am n00bs in kernel exploitation and debugging :)
Day 1:
Initially gone through the Unauthenticated CVE-2019-0708 “BlueKeep” Scanner PoC script - cve_2019_0708_bluekeep.rb to understand how they implemented the poc script. So i enabled the verbose mode in metasploit datastore and started analysis output. But it was too hard to understand. I thought let’s implemented the same poc in python.
Day 2:
I have written the Unauthenticated CVE-2019-0708 “BlueKeep” Scanner in python, which help me lot in understanding the RDP Connection Sequence and packets. Then started playing with rdp packets to figure out the crash for 2 days, I Failed :(
Figure 1 : cve_2019_0708_bluekeep.py
Note: cve_2019_0708_bluekeep.py is Unauthenticated CVE-2019-0708 “BlueKeep” Scanner PoC, not actual exploit.
Day 4:
I realized where i made mistake :) Instead of using existing poc script, I started writing POC from scratch with TLS to make task easy in sending rdp packets.
Note: Please read the MSDN documentation properly, everything is very clear
Day 5:
Finally i got the crash, Check the Demo Video :)