
How to reproduce CVE-2019-0708 vulnerabilities in Microsoft RDP RCE

2025-01-17 Update From: SLTechnology News&Howtos shulou


Shulou (Shulou.com) 05/31 Report

Many newcomers are unclear on how to reproduce the Microsoft RDP RCE vulnerability CVE-2019-0708. To help with that, this article walks through the process in detail; readers who need it can follow along, and I hope you gain something from it.

I. Introduction to the vulnerability

On May 15, 2019, a high-risk vulnerability was disclosed in the Windows server line, affecting a wide range of systems such as Windows 2003, Windows 2008, Windows 2008 R2 and Windows XP. The server is attacked through the Remote Desktop port 3389. This vulnerability is the most serious of 2019, comparable to the earlier ransomware outbreaks and the EternalBlue worm. CVE-2019-0708 is a flaw in the user authentication check: authentication can be bypassed without any interaction, allowing a direct connection over the RDP protocol that sends malicious code to the server for execution. If exploited by an attacker, it can lead to server compromise, malware and large-scale infection like the WannaCry EternalBlue outbreak. Around 1:00 a.m. on September 7, 2019, Metasploit published its exploit module. In May 2019, Microsoft released a patch for the remote code execution vulnerability CVE-2019-0708, also known as "BlueKeep", which lies in the Remote Desktop Services code. The vulnerability is pre-authentication and requires no user interaction, so there is a potential risk of weaponized, wormable exploitation. Successful exploitation allows arbitrary code execution with SYSTEM privileges. The Microsoft Security Response Center advisory notes that the vulnerability could be used in a worm attack similar to WannaCry and EsteemAudit. Because of its severity and potential impact on users, Microsoft took the rare step of releasing patches for Windows XP, which is no longer supported, to protect Windows users.

The root cause is that the MS_T120 channel is bound twice: once when the RDP server itself creates and binds it, and a second time by the binding packet we send. Because the channel is bound under two different IDs, two separate references to the same channel object exist. When one reference is used to close the channel, that reference is removed and the channel object is freed, but the other reference survives. If, after the first free, the freed channel object's memory can be filled with controlled data through kernel pool spraying, then the second call to IcaFreeChannel() operates on a controlled kernel object, which gives an opportunity to read and write arbitrary kernel addresses and ultimately achieve arbitrary code execution.
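A defender-side detection check for the root cause described above, as an added example that is not part of the original article: it parses the Client Network Data block (TS_UD_CS_NET, MS-RDPBCGR section 2.2.1.3.4) from an RDP connection request and flags a client that explicitly asks for the internal MS_T120 channel, which ordinary RDP clients never request by name. The byte layout follows the protocol specification; the sample blocks are constructed test data, not captured traffic.

```python
import struct

CS_NET = 0xC003                  # TS_UD_HEADER type for Client Network Data (MS-RDPBCGR 2.2.1.3.4)
CHANNEL_DEF_SIZE = 12            # CHANNEL_DEF: 8-byte NUL-padded name + 4-byte options dword
SUSPICIOUS_CHANNEL = "MS_T120"   # server-internal channel; a legitimate client has no reason to ask for it


def parse_cs_net(block: bytes) -> list:
    """Return the static virtual channel names requested in a TS_UD_CS_NET block.

    Raises ValueError on a malformed block so the caller treats it as a parse
    failure instead of a negative detection result.
    """
    if len(block) < 8:
        raise ValueError("CS_NET block too short")
    hdr_type, hdr_len, count = struct.unpack_from("<HHI", block, 0)
    if hdr_type != CS_NET:
        raise ValueError("unexpected header type 0x%04x" % hdr_type)
    if hdr_len > len(block) or 8 + count * CHANNEL_DEF_SIZE > hdr_len:
        raise ValueError("channelCount does not fit in the block")
    names = []
    for i in range(count):
        off = 8 + i * CHANNEL_DEF_SIZE
        raw_name = block[off:off + 8]            # options dword at off+8 is not needed here
        names.append(raw_name.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def requests_ms_t120(block: bytes) -> bool:
    """Detection check: does the client request MS_T120? Matched case-insensitively to be conservative."""
    return any(name.upper() == SUSPICIOUS_CHANNEL for name in parse_cs_net(block))


def build_cs_net(names: list) -> bytes:
    """Constructed sample builder (test data only): encode channel names into a TS_UD_CS_NET block."""
    body = b"".join(n.ljust(8, b"\x00")[:8] + struct.pack("<I", 0) for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(names)) + body


# Constructed samples, not captured traffic: a normal client channel list and one requesting MS_T120.
BENIGN = build_cs_net([b"rdpdr", b"rdpsnd", b"cliprdr", b"drdynvc"])
SUSPECT = build_cs_net([b"rdpdr", b"MS_T120", b"cliprdr"])

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, parse_cs_net(pkt), "-> MS_T120 requested:", requests_ms_t120(pkt))
```

In a real sensor the block is located inside the MCS Connect Initial PDU's GCC user data; the parser above starts from that block so the check can be tested in isolation.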

Affected systems: Windows 2003, Windows 2008, Windows 2008 R2, Windows XP, Windows 7

II. Reproducing the vulnerability

Environment:

Target: Windows 7 SP1; exploitation tool: Metasploit.

1. Use VMware to build a target machine with Windows 7 SP1 installed, and check the version information after installation.

2. Check the target machine's IP address.

3. Scan the system with the vulnerability scanner Nessus; the CVE-2019-0708 vulnerability is found.

4. Use Metasploit on Kali to exploit the vulnerability.

1) Start Metasploit.

2) Search for the related exploit module and select it with use.

3) Show the options that need to be set; those marked yes are required and must be configured.

4) Set them according to the options prompt. The target parameter is the architecture of the target machine; since the machine we use here was built in VMware, it is set to 3.

5) Run the exploit; a connection is established and we get a shell.

PS: this exploit has a certain probability of failing, and sometimes the target machine blue-screens, for example:
