BlueKeep, tracked as CVE-2019-0708, is a high-risk vulnerability disclosed in May this year. It is wormable: malware exploiting it can spread through Windows Remote Desktop Services (RDS) in the same way the WannaCry ransomware spread in 2017. An attacker who sends a specially crafted request over Remote Desktop Protocol (RDP) can execute arbitrary code and take control of the computer without any user interaction.
It was previously reported that nearly 1 million devices were exposed to the BlueKeep vulnerability, and according to current BinaryEdge scanning, around 700,000 devices are still at risk. Metasploit, the most powerful penetration testing framework, has now released its BlueKeep exploit code, which means that with this module the average person can also exploit the BlueKeep vulnerability. Metasploit's BlueKeep module differs from the dozens of BlueKeep PoCs that have circulated before it: this module achieves code execution. The module currently supports only 64-bit Windows 7 and Windows Server 2008 R2, so its applicability is limited. The developer's planned improvements include:
- Detect more OS specifics / obtain memory leak to determine Windows NPP start address
- Write the XP/2003 portions grooming MS_T120.
- Add detection for whether RDPSND channel-based grooming will work?
- Expand channels besides RDPSND/MS_T120 for grooming.
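Because the module targets a narrow set of systems (64-bit Windows 7 and Windows Server 2008 R2 with Remote Desktop reachable), a defender can quickly check whether a given host matches those conditions. The PowerShell below is an added example written for this article; it is not code from the article or from the Metasploit project. It assumes it runs locally on the host being checked, reads the standard Terminal Server registry values for the Remote Desktop and Network Level Authentication (NLA) settings, and uses a placeholder patch identifier (`$PatchKb`) that you must replace with the update number Microsoft published for CVE-2019-0708 for that operating system.

```powershell
# Added example (not from the article or the Metasploit project): local checks a
# defender can run to see whether a host matches the conditions the article
# describes for the published module. $PatchKb is a placeholder: replace it with
# the KB number from Microsoft's CVE-2019-0708 advisory for this OS.

$PatchKb = 'KBXXXXXXX'   # placeholder, not taken from the article

function Get-BlueKeepExposure {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Windows 7 and Windows Server 2008 R2 both report kernel version 6.1.
    $isTargetOs = $os.Version.StartsWith('6.1') -and ($os.OSArchitecture -eq '64-bit')

    # fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

    # UserAuthentication = 1 means NLA is required, so a client must authenticate
    # before a session is set up; an unauthenticated attacker then cannot reach
    # the vulnerability.
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                            -Name UserAuthentication -ErrorAction SilentlyContinue
    $nlaRequired = ($null -ne $nla) -and ($nla.UserAuthentication -eq 1)

    # Get-HotFix returns nothing when the update is not installed.
    $patched = $null -ne (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OS                   = $os.Caption
        Version              = $os.Version
        Architecture         = $os.OSArchitecture
        MatchesModuleTargets = $isTargetOs
        RdpEnabled           = $rdpEnabled
        NlaRequired          = $nlaRequired
        PatchInstalled       = $patched
        # Worst case: matching OS, RDP accepting connections, no NLA, no patch.
        ExposedToModule      = $isTargetOs -and $rdpEnabled -and (-not $nlaRequired) -and (-not $patched)
    }
}

Get-BlueKeepExposure | Format-List
```

Run it in an elevated PowerShell session on each host you manage; `ExposedToModule` being `True` means the host should be patched (or at minimum have NLA enabled and RDP restricted to trusted networks) before anything else. The `OSArchitecture` string is localized on non-English installs, so adjust that comparison if your fleet is not English.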