2025-04-13 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
I. Vulnerability description
On May 15, 2019, Microsoft released a security patch for a remote code execution vulnerability in the Windows Remote Desktop Service (RDP), CVE-2019-0708. The vulnerability can be triggered remotely without authentication.
At the time of writing, exploit (EXP) code has been published as a pull request to metasploit-framework (Sept. 7) and, in testing, can be executed remotely.
II. Affected versions
Windows 7
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003
Windows XP
Note: Windows 8, Windows 10 and later versions are not affected by this vulnerability.
III. Building the vulnerable environment
Attacker machine: Kali 2018.2
Target machine: Win7 SP1 7061
IV. Reproducing the vulnerability
1. Update msf
apt-get update
apt-get install metasploit-framework
2. Download the attack suite
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/lib/msf/core/exploit/rdp.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/rdp_scanner.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
3. Replace the corresponding files in msf
cve_2019_0708_bluekeep_rce.rb: add as /usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
rdp.rb: replace /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
rdp_scanner.rb: replace /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cve_2019_0708_bluekeep.rb: replace /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
4. Start msf and load the modules.
5. Search for 0708; the modules are listed, which confirms they loaded successfully.
6. Select the exploit module and set rhosts, target and payload.
7. Run the exp; a shell is obtained.
V. Vulnerability defense
1. Download the hot patch repair tool from https://www.qianxin.com/other/CVE-2019-0708
Note: The CVE-2019-0708 Hot Patch tool is a hot patch repair tool for the "Windows Remote Desktop Service remote code execution vulnerability CVE-2019-0708". It provides a temporary fix for the vulnerability in environments where the official patch cannot be installed directly.
  1. Download the file and extract it.
  2. Press Win+R (or choose "Run" from the Start menu), enter cmd and open the command-line tool.
  3. In the command-line tool, change to the folder where the tool is located and run the command for the desired function. Enable the hot patch: QKShield.exe /enable; disable the hot patch: QKShield.exe /disable.
  5. After the system is restarted, the command must be run again from the command line to re-enable the hot patch.
2. Enable the hot patch.
3. Check for the vulnerability again. After the hot patch is enabled, the scan no longer reports the vulnerability.
4. To patch permanently, download the vulnerability repair tool from https://www.qianxin.com/other/CVE-2019-0708.
5. Click "Repair now". After the installation completes, restart the computer.
6. Use the vulnerability scanning tool to check whether the vulnerability is still present. Download address of the scanning tool: https://www.qianxin.com/other/CVE-2019-0708
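After remediation, a defender also wants a check on the host itself: is this Windows version in the affected list, is RDP actually accepting connections, is a fixing update installed, and is Network Level Authentication enforced (with NLA on, a client must authenticate before the pre-authentication RDP code path that this bug lives in is reached, which is why Microsoft recommended it as a mitigation). The PowerShell check below is an added example written for this page; it is not from the original article or from the QiAnXin tool. It assumes an elevated PowerShell session on the Windows host being checked and relies only on the registry values fDenyTSConnections and UserAuthentication and on Get-HotFix, all of which exist on the affected versions. The KB identifier list is a placeholder: the article does not give Microsoft's update numbers, so fill them in from the vendor advisory for your Windows version.

```powershell
# Post-remediation check for CVE-2019-0708 exposure on a Windows host.
# Added example, not part of the original article or the QiAnXin tool.
# Assumes an elevated PowerShell session on the host being checked.
# PLACEHOLDER: replace with the CVE-2019-0708 update IDs for your Windows
# version from Microsoft's advisory before relying on the verdict.
$PatchKbIds = @('KB_PLACEHOLDER_CVE_2019_0708')

# Versions the article lists as affected; Windows 8/10 and later are not.
$AffectedNames = @('Windows 7', 'Windows Server 2008 R2', 'Windows Server 2008',
                   'Windows Server 2003', 'Windows XP')

$os = Get-WmiObject -Class Win32_OperatingSystem
$inScope = $false
foreach ($name in $AffectedNames) {
    if ($os.Caption -like "*$name*") { $inScope = $true }
}

# Is RDP accepting connections at all? fDenyTSConnections = 0 means enabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# Is Network Level Authentication required? UserAuthentication = 1 means yes.
# The value may be absent on Windows XP, which is reported as NLA off.
$rdpTcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# Is one of the fixing updates installed? The QKShield hot patch is applied
# in memory and is not a Windows update, so it will not appear here.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched = (@($PatchKbIds | Where-Object { $installed -contains $_ }).Count -gt 0)

Write-Host ("OS              : {0}" -f $os.Caption)
Write-Host ("In affected list: {0}" -f $inScope)
Write-Host ("RDP enabled     : {0}" -f $rdpEnabled)
Write-Host ("NLA required    : {0}" -f $nlaRequired)
Write-Host ("Fix installed   : {0}" -f $patched)

if (-not $inScope) {
    Write-Host 'Verdict: this Windows version is not in the affected list.'
} elseif ($patched) {
    Write-Host 'Verdict: fixing update present. Confirm with the scanner the article links.'
} elseif (-not $rdpEnabled) {
    Write-Host 'Verdict: unpatched, but RDP is disabled. Patch before enabling RDP.'
} else {
    Write-Host 'Verdict: UNPATCHED with RDP enabled. Install the update now; use the hot patch only as a stopgap.'
    if (-not $nlaRequired) {
        Write-Host 'Also: NLA is off, so unauthenticated clients reach the vulnerable code path.'
    }
}
```

Because the hot patch described above works in memory, Get-HotFix cannot see it; confirm that state with QKShield itself, and treat a "Fix installed: False" result on a hot-patched host as a reminder that the permanent update is still outstanding.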
Summary
The above is the editor's walkthrough of reproducing the Windows CVE-2019-0708 Remote Desktop code execution vulnerability. I hope it is helpful to you. If you have any questions, please leave me a message and the editor will reply to you in time. Thank you very much for your support of the website!