RDP Connection Sequence: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/023f1e69-cfe8-4ee6-9ee0-7e759fb4e4ee
Analysis of RDP Service Vulnerability: https://www.zerodayinitiative.com/blog/2019/5/27/cve-2019-0708-a-comprehensive-analysis-of-a-remote-desktop-services-vulnerability
Please check the above two links to understand how the RDP connection sequence works and the vulnerability that exists in the Microsoft Windows RDP kernel driver, termdd.sys (the MS_T120 channel).
Windows Kernel Debugging: https://medium.com/@straightblast426/a-debugging-primer-with-cve-2019-0708-ccfa266682f6
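As an added example (not code from this repository or from the linked write-ups), the following Python walks the client data blocks of the GCC Conference Create Request that an RDP client sends during the connection sequence, decodes the TS_UD_CS_NET channel list and flags any request for the MS_T120 channel name. This is the kind of check a detection engineer would run over captured RDP handshakes. It assumes the caller has already unwrapped the TPKT/X.224/MCS/GCC framing and passes in the raw user-data bytes; the sample blocks are constructed inline, and the `build_*` helpers exist only to produce that sample.

```python
import struct

# TS_UD_HEADER type values from MS-RDPBCGR 2.2.1.3.1
CS_CORE = 0xC001
CS_NET = 0xC003
MAX_CHANNELS = 31            # MS-RDPBCGR caps channelCount at 31
SUSPICIOUS_CHANNEL = b"MS_T120"


def parse_client_data_blocks(user_data: bytes):
    """Split GCC user data into (type, body) tuples, one per TS_UD_HEADER block.

    Each block starts with type (uint16 LE) and length (uint16 LE, including
    the 4-byte header). Truncated or self-inconsistent blocks raise ValueError
    rather than being silently skipped, so malformed handshakes stand out.
    """
    blocks = []
    off = 0
    while off + 4 <= len(user_data):
        btype, blen = struct.unpack_from("<HH", user_data, off)
        if blen < 4 or off + blen > len(user_data):
            raise ValueError(f"malformed TS_UD_HEADER at offset {off}")
        blocks.append((btype, user_data[off + 4:off + blen]))
        off += blen
    if off != len(user_data):
        raise ValueError("trailing bytes after last client data block")
    return blocks


def parse_cs_net(body: bytes):
    """Decode a TS_UD_CS_NET body: channelCount, then CHANNEL_DEF entries.

    CHANNEL_DEF is an 8-byte null-padded ANSI name followed by a uint32 LE
    options field (MS-RDPBCGR 2.2.1.3.4.1).
    """
    if len(body) < 4:
        raise ValueError("TS_UD_CS_NET too short for channelCount")
    (count,) = struct.unpack_from("<I", body, 0)
    if count > MAX_CHANNELS:
        raise ValueError(f"channelCount {count} exceeds spec maximum")
    channels = []
    off = 4
    for _ in range(count):
        if off + 12 > len(body):
            raise ValueError("channelDefArray shorter than channelCount claims")
        name = body[off:off + 8].split(b"\x00", 1)[0]
        (options,) = struct.unpack_from("<I", body, off + 8)
        channels.append((name, options))
        off += 12
    return channels


def find_ms_t120_requests(user_data: bytes):
    """Return every requested channel name that matches MS_T120.

    The comparison is case-insensitive by design so that trivial case
    variants of the name are not missed by the check.
    """
    hits = []
    for btype, body in parse_client_data_blocks(user_data):
        if btype != CS_NET:
            continue
        for name, _options in parse_cs_net(body):
            if name.upper() == SUSPICIOUS_CHANNEL:
                hits.append(name.decode("ascii", "replace"))
    return hits


# --- constructed sample input below; helpers exist only to build it ---

def build_cs_net(names):
    """Build a TS_UD_CS_NET block with the given channel names (sample data)."""
    body = struct.pack("<I", len(names))
    for n in names:
        body += n.ljust(8, b"\x00")[:8] + struct.pack("<I", 0x80000000)
    return struct.pack("<HH", CS_NET, 4 + len(body)) + body


def build_cs_core_stub():
    """Placeholder TS_UD_CS_CORE block with a dummy body (not a real core block)."""
    body = b"\x00" * 8
    return struct.pack("<HH", CS_CORE, 4 + len(body)) + body


# Constructed handshakes: a normal client and one asking for MS_T120.
BENIGN = build_cs_core_stub() + build_cs_net([b"rdpdr", b"cliprdr", b"rdpsnd"])
SUSPICIOUS = build_cs_core_stub() + build_cs_net([b"rdpdr", b"MS_T120"])

if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, "->", find_ms_t120_requests(data) or "no MS_T120 request")
```

Running the block prints no hit for the benign sample and `['MS_T120']` for the second one. In a real deployment the parser would be fed from a TLS-terminating sensor or from the plaintext portion of a capture; the strict length checks matter because a sensor that silently skips malformed blocks can be walked past by a handshake that is slightly off-spec.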
I am a n00b in kernel exploitation and debugging :)
Day 1:
Initially I went through the Unauthenticated CVE-2019-0708 "BlueKeep" Scanner PoC script, cve_2019_0708_bluekeep.rb, to understand how they implemented the PoC script. So I enabled verbose mode in the Metasploit datastore and started analysing the output. But it was too hard to understand. I thought, let's implement the same PoC in Python.
Day 2:
I have written the Unauthenticated CVE-2019-0708 "BlueKeep" Scanner in Python, which helped me a lot in understanding the RDP Connection Sequence and packets. Then I started playing with RDP packets to figure out the crash for 2 days. I failed :(
Note: cve_2019_0708_bluekeep.py is an Unauthenticated CVE-2019-0708 "BlueKeep" Scanner PoC, not an actual exploit.
Day 4:
I realized where I made the mistake :) Instead of using the existing PoC script, I started writing the PoC from scratch with TLS to make the task of sending RDP packets easier.
Note: Please read the MSDN documentation properly; everything is very clear.
Day 5:
Finally I got the crash. Check the demo video :)
- Umar Farook: OSCE | Technology Security Analyst | DevSecops | Researcher
- FOS Team : Fools of Security
- zerosum0x0
- JaGoTu
Email address: [email protected] or [email protected]
Youtube: Fools Of Security
Website: Fools Of Security Community