CVE-2019-0708 - BLUEKEEP (RDP)

Vulnerability Overview

Note: Please, check the above two link to understand the how rdp connectioin sequence work and also about the vulnerability exists in Microsoft Windows RDP kernel driver - termdd.sys (MS_T120)

My approach:

I am n00bs in kernel exploitation and debugging :)

Day 1:

Initially gone through the Unauthenticated CVE-2019-0708 “BlueKeep” Scanner PoC script - cve_2019_0708_bluekeep.rb to understand how they implemented the poc script. So i enabled the verbose mode in metasploit datastore and started analysis output. But it was too hard to understand. I thought let’s implemented the same poc in python.

Day 2:

I have written the Unauthenticated CVE-2019-0708 “BlueKeep” Scanner in python, which help me lot in understanding the RDP Connection Sequence and packets. Then started playing with rdp packets to figure out the crash for 2 days, I Failed :(

Figure 1 :

Note: is Unauthenticated CVE-2019-0708 “BlueKeep” Scanner PoC, not actual exploit.

Day 4:

I realized where i made mistake :) Instead of using existing poc script, I started writing POC from scratch with TLS to make task easy in sending rdp packets.

Note: Please read the MSDN documentation properly, everything is very clear

Day 5:

Finally i got the crash, Check the Demo Video :)