How to Exploit BlueKeep Vulnerability with Metasploit (security research)

Ioana Daniela Rijnetu, Pentest-Tools.com, Sep 12, 2019

The Pentest-Tools.com security team has tested the recently announced Metasploit module for BlueKeep, the critical Remote Code Execution vulnerability in Microsoft’s RDP service.

We show how to obtain a Meterpreter shell on a vulnerable Windows 2008 R2 machine by adjusting the Metasploit module code (the GROOMBASE and GROOMSIZE values), because the exploit does not currently work out of the box.

Further on, we explain the steps we took to make the module work properly on our target machine:

  1. Background
  2. Prerequisites
  3. Installing the BlueKeep exploit module in Metasploit
  4. Preparing the target machine
  5. Adjusting the BlueKeep exploit
  6. Running the exploit module
  7. Conclusions

1. Background

BlueKeep is a critical Remote Code Execution vulnerability in Microsoft’s RDP service. Since the vulnerability is wormable, it has drawn a great deal of attention from the security community, falling in the same category as EternalBlue (MS17-010) and Conficker (MS08-067). You can read an in-depth analysis of the BlueKeep vulnerability on our blog post.

A few days ago, Metasploit contributor zerosum0x0 submitted a pull request to the framework containing an exploit module for BlueKeep (CVE-2019-0708). The Rapid7 team has also published an article about this exploit on their blog.

As of now, the module is not yet integrated into the main Metasploit branch (it is still a pull request) and it only targets the 64-bit versions of Windows 2008 R2 and Windows 7 SP1. Furthermore, the module is currently ranked as Manual, since the user needs to provide additional information about the target; otherwise it risks crashing the target with a BSOD.

2. Prerequisites

For this scenario to work, we used the following:

  • VirtualBox 6 for hosting the target Windows VM
  • An outdated Windows 2008 R2 64-bit .iso image; the latest hotfixes installed on our target VM were KB2888049 and KB976902
  • A Linux machine on which to set up Metasploit (virtual or physical)

3. Installing the BlueKeep exploit module in Metasploit

On the Linux machine, we first clone the Metasploit project:

$ git clone https://github.com/rapid7/metasploit-framework.git
$ cd metasploit-framework

Then we need to get the branch with the pull request mentioned above:

$ git fetch origin pull/12283/head:bluekeep
$ git checkout bluekeep

After that, we have to install the dependencies needed for Metasploit:

$ gem install bundler && bundle

During this step you may encounter an error like this: An error occurred while installing pg (0.21.0), and Bundler cannot continue. Make sure that `gem install pg -v '0.21.0' --source 'https://rubygems.org/'` succeeds before bundling.

To fix it, you need to install the development library for PostgreSQL:

apt-get install libpq-dev

Another error that we encountered was: An error occurred while installing pcaprub (0.13.0), and Bundler cannot continue. Make sure that `gem install pcaprub -v '0.13.0' --source 'https://rubygems.org/'` succeeds before bundling.

And we fixed it with:

apt-get install libpcap-dev

At this point the Metasploit dependencies were installed correctly and we were able to use the BlueKeep exploit module with:

$ ./msfconsole
msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce

4. Preparing the target machine

Our target was an outdated Windows 2008 R2 64-bit machine installed on VirtualBox 6.

The target VM (as shown by its systeminfo output) had the following properties:

  • 2GB RAM
  • 1 Core processor
  • 30 GB HDD storage size

As stated in the exploit comments, for Windows Server 2008 we have to set the registry value HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCam to 0. This is not a default setting for this target OS, but it is needed for the RDPSND channel to work.
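As an added defender-side check (not part of the original article or of the Metasploit module), the following PowerShell snippet reads that RDP-Tcp listener key on a Windows host and reports whether the non-default fDisableCam = 0 setting is present; the key path and value name come from the text above, the function name is ours.

```powershell
# Added example, not from the original article: audit the RDP-Tcp listener
# value that the exploit setup above relies on. Function name is an assumption;
# the registry key and value name are the ones quoted in the article.
function Test-RdpAudioRedirection {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return [pscustomobject]@{ Key = $key; fDisableCam = $null; Status = 'RDP-Tcp listener key not found' }
    }
    $val = $props.fDisableCam
    if ($null -eq $val) {
        $status = 'value absent: OS default applies'
    } elseif ([int]$val -eq 0) {
        # This is the non-default state the article configures on Server 2008 R2.
        $status = 'fDisableCam = 0: RDPSND channel enabled (non-default setting)'
    } else {
        $status = "fDisableCam = $val: audio redirection disabled"
    }
    [pscustomobject]@{ Key = $key; fDisableCam = $val; Status = $status }
}

# Run the check and print the result as a list of properties.
Test-RdpAudioRedirection | Format-List
```

Run it in an elevated PowerShell session on the server being audited; a Status line reporting fDisableCam = 0 means the listener is in the non-default state described above.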

The exploit did not work out of the box. We obtained several BSODs, but not a shell.

5. Adjusting the BlueKeep exploit (GROOMBASE)

The bluescreen text indicates a page fault, meaning that some memory addresses used by the exploit were not set correctly for our target.

What we need for our exploit is the correct GROOMBASE value, which is the start address of the Non Paged Pool (NPP) area.

We need to extract the NPP Address from a memory dump of the target machine.

Getting the memory dump of the target machine

This operation can be done easily with VirtualBox. With the target machine running in VirtualBox, run the following command (on your Windows host) to get the memory dump:

cmd> "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" debugvm "vm_name" dumpvmcore --filename=vm.memdump

The same can be done if you are using VirtualBox on a Linux host, using the command:

$ VBoxManage debugvm <uuid|vmname> dumpvmcore [--filename=name]

Note: the free VMware Workstation Player 15 does not allow memory dumps, so we recommend using VirtualBox.

Extracting the NPP Address

We use Rekall in a Docker container for this operation. Here is how we download the Docker image with Rekall on our host machine:

$ docker pull remnux/rekall

Now we copy the memory dump into a directory under our home directory and make it accessible from within the Docker container by mounting it as a volume:

$ mkdir -p ~/bluekeep
$ cp dump_location/vm.memdump ~/bluekeep/
$ docker run --rm -it -v ~/bluekeep:/home/nonroot/files remnux/rekall bash

Inside the container, run Rekall's pools plugin against the dump:

$ rekall -f files/vm.memdump pools

The output lists the kernel pool regions of your virtual machine, including the start address of the Non Paged Pool; this is the value to place in the GROOMBASE variable of the exploit.

Editing the exploit module

The code of the exploit is located in modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb, and you need to set the GROOMBASE variable under the “VirtualBox 6” section by replacing it with the extracted NPP start address. In our case it was 0xfa8001804000.

Now you need to reload the Metasploit modules with the command:

msf5 > reload_all

You can find more details in the step-by-step technical guide to exploiting the BlueKeep vulnerability in our dedicated blog article.
