Windows: Bluekeep Metasploit released in the wild

The day that software vendors and security researchers have been waiting on for months has arrived. A Metasploit module for the BlueKeep vulnerability in Windows is publicly available.


I had been warning about the BlueKeep vulnerability for months and waiting for an exploit every day (see BlueKeep warning: Exploit might come soon?). Now it seems to have happened, as you can see in the following tweet. Exploit for wormable Bluekeep Windows bug released into the wild.

The exploit is ‘wormable’, i.e. infecting a single computer is enough for the malware to spread over the network. Some information is also available from Bleeping Computer.

Work in Progress on GitHub

The code for a BlueKeep exploit was published on GitHub as ‘Work in Progress’. The exploit targets the vulnerability CVE-2019-0708, alias BlueKeep, in the Windows kernel via RDP. The author of the exploit writes that the RDP driver termdd.sys improperly handles bindings to the internal channel MS_T120, so a malformed Disconnect Provider Indication message can trigger a use-after-free error. With a remote nonpaged pool spray whose data and size are controllable, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.

The module currently works with 64-bit versions of Windows 7 and Windows Server 2008 R2. However, for Windows Server 2008 R2, a registry entry must be changed to allow heap grooming over the RDPSND channel. The author writes that there are other ways to use alternative channels that are enabled by default on all Windows operating systems.


The module is currently classified as manual because the user must enter additional target information. Otherwise, there is a risk of the target host crashing. The module implements a default TARGET option that only checks whether a host is vulnerable and displays some initial information about the specific target operating system. An attack, however, requires the user to specify a more specific target. Later improvements to this module could allow a more accurate determination of the target system’s memory layout at runtime.
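For defenders, the MS_T120 binding described above suggests a simple network check, shown here as an added example that is not part of the original post or the GitHub code: parse the client network data block (CS_NET) of an RDP connection request and flag any client that names MS_T120 in its channel list. It assumes the client data blocks have already been extracted from the MCS Connect Initial and are readable (no TLS, or decrypted at a sensor), and that legitimate clients are not expected to request this internal channel by name; the function names are hypothetical.

```python
import struct

CS_NET = 0xC003          # TS_UD_CS_NET block type (MS-RDPBCGR)
CHANNEL_DEF_LEN = 12     # 8-byte ANSI name + 4-byte options
MAX_CHANNELS = 31        # protocol limit on static virtual channels


def requested_channels(client_data: bytes) -> list:
    """Return static virtual channel names from the client data blocks."""
    names, off = [], 0
    while off + 4 <= len(client_data):
        btype, blen = struct.unpack_from("<HH", client_data, off)
        if blen < 4 or off + blen > len(client_data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        if btype == CS_NET:
            body = client_data[off + 4:off + blen]
            if len(body) < 4:
                raise ValueError("CS_NET block too short")
            (count,) = struct.unpack_from("<I", body, 0)
            if count > MAX_CHANNELS or 4 + count * CHANNEL_DEF_LEN > len(body):
                raise ValueError(f"implausible channelCount {count}")
            for i in range(count):
                raw = body[4 + i * CHANNEL_DEF_LEN:][:8]
                names.append(raw.split(b"\x00", 1)[0].decode("latin-1"))
        off += blen
    return names


def requests_ms_t120(client_data: bytes) -> bool:
    """True if a client asks for the internal MS_T120 channel by name."""
    return any(n.upper() == "MS_T120" for n in requested_channels(client_data))


def _block(btype: int, body: bytes) -> bytes:
    # Helper for the constructed samples: TS_UD_HEADER (type, length) + body.
    return struct.pack("<HH", btype, len(body) + 4) + body


def _cs_net(*names: str) -> bytes:
    defs = b"".join(n.encode().ljust(8, b"\x00") + struct.pack("<I", 0) for n in names)
    return _block(CS_NET, struct.pack("<I", len(names)) + defs)


# Constructed samples (not captured traffic): a dummy CS_CORE block, then CS_NET.
NORMAL = _block(0xC001, b"\x00" * 8) + _cs_net("rdpdr", "rdpsnd", "cliprdr")
SUSPECT = _block(0xC001, b"\x00" * 8) + _cs_net("rdpsnd", "MS_T120")

if __name__ == "__main__":
    for label, data in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(label, requested_channels(data), requests_ms_t120(data))
```

A hit is a reason to inspect the session and the target's patch level, not proof of compromise; sessions protected by TLS or NLA hide the channel list from a passive sensor.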

Background to the BlueKeep vulnerability

I have reported on the BlueKeep vulnerability CVE-2019-0708 in several blog posts. An explanation of the vulnerability can be found in the blog post Security Critical update for Windows XP up to Windows 7 (May 2019).

There is a patch, but it has not been installed on all systems. It is currently estimated that approximately 800,000 systems are still unpatched and accessible via the Internet (see BlueKeep warning: Exploit might come soon?). In my blog post How To: BlueKeep-Check for Windows, I explained how a system can be scanned both locally for installed patches and in a network for vulnerabilities.

Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability
BlueKeep vulnerability: Microsoft warns about a wormable malware epidemic
BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
How To: BlueKeep-Check for Windows

