Comments (23)
use python3
from bluekeep_cve-2019-0708_poc_to_exploit.
I am. The point I am making is that if you remove the supposed sending of the shellcode, you will get the same result as with it.
read the source...
I did.
It looks to me like what he is printing out in the readme:
[ + ] <socket.socket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('192.168.137.1', 64251), raddr=('192.168.137.201', 3389)>
is the socket that is initially created for starting the exploit (i.e. line 297). Which has nothing to do with a payload actually being sent.
This can be confirmed by commenting out any lines that have anything to do with sending payload/shellcode.
@terrafying, or the author, I'd love to see a screen cap of an actual connect-back (using this code)--if by "read the source..." you mean you have it working.
Oh, I interpreted what you said wrong, then. That's exactly what it does; the print is kinda meaningless.
Anyway, all I can do is BSOD it by sending tons of garbage in that last packet.
Also, I don't get what the author even means by using the Unicorn framework, which gives you PowerShell output that would be used to inject shellcode into memory, which is what we're already doing.
This vulnerability could execute arbitrary code on the target system, I was using the unicorn framework to do the job. That's all, nothing special.
Research Needed
So you're saying kernel pool/heap spraying isn't a thing?
It is.
Have you successfully executed any code?
I have tried to supply the code through both plaintext and various encoded versions. No luck so far.
It won't ever work, as you need to spray etc.; you can't just paste in shellcode.
So far, I probably don't possess the skill to do so. However, I'll do some research on this topic. Thanks for your guidance.
I messed with it for several days... and yeah, from what I read, you aren't going to get anywhere pasting shellcode. Regardless of whether it's encoded correctly etc. I think the shellcode has to be specifically crafted for THIS vulnerability... so that it 'hits' (I'm a super newb) the right process/dll/whatever that the exploit has granted it access to.
I think just sending the shellcode puts it in memory (maybe), but doesn't really do anything with it. I took n1xbyte/CVE-2019-0708, update, and looked at his code... looked at the differences between 32-bit and 64-bit, took what was the 'same', and then added the shellcode on to that--hoping maybe he had some idea what he was doing, and the beginning of that code was hitting what it needed to...
But anyway, I guess my point is... there's a good chance you probably need to know what you are doing (beyond programming skills) to be able to take advantage of the exploit and get a shell.
[edit]
also, you do:
tls.sendall(bytes(allpacl2, "latin-1"))
and then info(results) (line 411), which is still defined as the socket that was created to start executing the original code, line 302:
results = socket_connection(tpkt.getData(), ip, receive_size=1024)
(Which really doesn't tell you anything).
In the original POC, it suggests doing something like, results = tls.sendall(bytes(allpacl2, "latin-1")), and then printing out THAT 'results', so you can get the actual response of what you just sent...
but to avoid confusion, imho, I'd do something like:
my_test = tls.sendall(bytes(allpacl2, "latin-1"))
or whatever. Use another name other than results. You have line 412 commented out, but if you did results = tls.sendall, ...then when it tries to close the socket (line 412), it's no longer referencing the socket, and you'll get an error saying something about a string.
Thanks for your information. It is not an easy task. I am working on several different versions of this PoC, and it's easy to get confused between them. I will refine my code and see what the actual response is. Much appreciated.
Some additional technical details about this CVE:
https://www.malwaretech.com/2019/05/analysis-of-cve-2019-0708-bluekeep.html
I have used Unicorn to generate my own shellcode, and used msf to listen on the port. The PoC is running successfully, but I don't get the reverse shell!!! Can you help me?
@0x0kasaku, the POC is not running successfully. Even though it informs you that it is 'infected', indeed, it is not.
info(infected) is executed through the execution of the program. However, at this stage, it does not indicate the success of the exploit. I would comment it out to avoid confusion.
This is not some simple exploit template where you can just pop in your payload and expect it to work. We are still researching the correct method of delivery, and please (x10) do some research yourself before posting comments like "It doesn't work". Script kiddies looking for an easy exploit are not welcome.
People are confused because you're contradicting yourself.
The README literally says "working shell code", but that's wrong. Then you said you have to generate your own payloads with unicorn, which is also wrong. Then when you run the code, you get the "infected" message, which is meaningless because there's no check for success.
Apologies for causing confusion. The README has been updated, and the "info(infected!)", which was used as a programming trace, has also been removed.
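The `results`/`tls.sendall` discussion earlier in the thread and the later point that the "infected" print checks nothing come down to the same question: what can the client actually observe after it sends a PDU? The following is an added example, not code from the bluekeep_cve-2019-0708_poc_to_exploit repository or its author. It frames a PDU in a TPKT header, sends it, and classifies the peer's reaction (full TPKT response, clean close, reset, timeout) against a local fake server thread so it runs offline. The two PDUs are hand-built samples shaped like an X.224 Connection Request and Connection Confirm; `send_and_collect`, `demo` and `_fake_server` are this example's own names. Two things it makes concrete: `socket.sendall()` returns None, so `results = tls.sendall(...)` can never hold a reply (and then breaks the later `results.close()`), and none of the outcomes below, not even a clean response, proves that code ran on the target; only a connection arriving at your listener does.

```python
# Added example (not the repository's code): send one TPKT-framed PDU and
# report what the peer actually did, instead of printing the socket object.
import errno
import socket
import struct
import threading
import time

TPKT_VERSION = 3

# Constructed sample PDUs (assumed shapes, for the demo only):
# X.224 Connection Request carrying an RDP_NEG_REQ (requestedProtocols = 0), and
# an X.224 Connection Confirm carrying an RDP_NEG_RSP.
X224_CONNECTION_REQUEST = bytes.fromhex("0ee000000000000100080000000000")
X224_CONNECTION_CONFIRM = bytes.fromhex("0ed000001234000200080000000000")


def tpkt_frame(payload: bytes) -> bytes:
    """Wrap a PDU in a TPKT header (RFC 1006): version, reserved, big-endian total length."""
    total = 4 + len(payload)
    if total > 0xFFFF:
        raise ValueError("PDU too large for a single TPKT")
    return struct.pack(">BBH", TPKT_VERSION, 0, total) + payload


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, or fewer if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def send_and_collect(sock: socket.socket, pdu: bytes, timeout: float = 5.0) -> dict:
    """Send one PDU and classify the peer's reaction.

    sendall() returns None, so 'results = sock.sendall(...)' never holds a
    response; a response only exists once recv() returns it. The outcomes
    below are everything a client can observe, and none proves code execution.
    """
    sock.settimeout(timeout)
    try:
        sock.sendall(tpkt_frame(pdu))
        hdr = _recv_exact(sock, 4)
        if not hdr:
            return {"outcome": "closed", "data": b""}        # orderly FIN, no reply
        (length,) = struct.unpack(">H", hdr[2:4]) if len(hdr) == 4 else (0,)
        if len(hdr) < 4 or hdr[0] != TPKT_VERSION or length < 4:
            return {"outcome": "garbage", "data": hdr}        # not a TPKT at all
        body = _recv_exact(sock, length - 4)
        if len(body) < length - 4:
            return {"outcome": "truncated", "data": hdr + body}
        return {"outcome": "response", "data": body}          # a whole PDU came back
    except socket.timeout:
        return {"outcome": "timeout", "data": b""}            # peer hung (or is rebooting)
    except ConnectionResetError:
        return {"outcome": "reset", "data": b""}              # RST: ECONNRESET / WSAECONNRESET
    except OSError as exc:
        if exc.errno in (errno.ECONNRESET, errno.EPIPE, 10054):
            return {"outcome": "reset", "data": b""}
        raise


def _fake_server(behaviour: str, ready: threading.Event, info: dict, hold: float) -> None:
    """Local stand-in for an RDP listener; 'behaviour' picks what happens after the PDU arrives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    info["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    srv.close()
    conn.settimeout(2.0)
    conn.recv(1024)                                            # swallow the client's TPKT
    if behaviour == "reply":
        conn.sendall(tpkt_frame(X224_CONNECTION_CONFIRM))
    elif behaviour == "reset":
        # SO_LINGER with a zero timeout makes close() send RST instead of FIN (Linux/macOS layout)
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    elif behaviour == "hang":
        time.sleep(hold)                                       # say nothing until the client gives up
    conn.close()


def demo(timeout: float = 0.5) -> dict:
    """Run the client against each server behaviour and return the classified outcomes."""
    outcomes = {}
    for behaviour in ("reply", "close", "reset", "hang"):
        ready, info = threading.Event(), {}
        t = threading.Thread(target=_fake_server, args=(behaviour, ready, info, timeout * 3), daemon=True)
        t.start()
        ready.wait(2.0)
        with socket.create_connection(("127.0.0.1", info["port"]), timeout=timeout) as s:
            outcomes[behaviour] = send_and_collect(s, X224_CONNECTION_REQUEST, timeout)
        t.join(timeout * 6)
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>6}: {result['outcome']:<9} {result['data'].hex()}")
```

Against a real host you would pass the connected (or TLS-wrapped) socket and the PDU you are experimenting with; a "reset" or "timeout" after the last packet is what a crashed or rebooting target looks like from the client side, which is the situation behind the WSAECONNRESET and "remote host forced an existing connection to close" reports in this thread.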
Related Issues (20)
- What after successful run?
- error
- can u show more info about this exp?
- Working Shellcode
- how to modify the content of method 'client_active_confirmation_pdu'
- client logs
- Impacket issue
- error "The remote host forced an existing connection to close"
- wtf is that
- Shellcode generation seems useless
- Party Foul
- Some help with shell
- Some random guy tried to exploit our peaceful community here on github
- why the local port is random
- Why don't you just add "bytes = os.system"?
- why your shellcode not involved ASLR
- i just use the tool to generate a shellcode, but nothing happened
- unable to connect: (10054, 'WSAECONNRESET')
- unable to connect: str() takes at most 1 argument (2 given)