CVE-2019-0708 "BlueKeep" auxiliary scanner module

[ghost]

JaGoTu and I created this MSF module to detect CVE-2019-0708.

It should work on XP and 7, x86 and x64. I'd also be curious if anyone has NT4/Win2000 terminal services. There may be false negatives, but VULNERABLE == VULNERABLE.

Please test and offer any suggestions.

Reference: https://github.com/zerosum0x0/CVE-2019-0708

Verification

List the steps needed to make sure this thing works

• Start msfconsole
• use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
• Scan a vulnerable RHOST
• Verify the module reports host is vulnerable (report false negative conditions below)
• Scan a patched RHOST
• Verify the module reports host is patched (false positive should NOT happen)

Windows Versions:

• Windows NT 4.0 Terminal Server ?
• Windows 2000 ?
• Windows XP x86
• Windows XP x64
• Windows Vista x86
• Windows Vista x64
• Windows Server 2008 x86
• Windows Server 2008 x64
• Windows 7 x86
• Windows 7 x64
• Windows Server 2008 R2 x86
• Windows Server 2008 R2 x64

[cbrnrd]

Pretty good from what I can see, but I have yet to test it. Also a name change suggestion: cve_2019_0708.rb --> (bluekeep.rb || cve_2019_0708_bluekeep.rb)

[asoto-r7]

(TL;DR: 4b786e2 works great against 7 and XP. I'll circle back to test your latest commits. Is NLA supported?)

Thanks @zerosum0x0! I know this was no small undertaking. Several of us are testing this, and it's looking great so far!

Is there a way to detect and report if the target uses Network Level Authentication, even if it's just to report CheckCode::Detected? For that matter, do we yet know if NLA mitigates the vuln?

Win7 SP1 x86 (6.1.7601, 32-bit)

With RDP disabled:

[*] 192.168.199.205:3389  - 192.168.199.205:3389 - Cannot reliably check exploitability.
[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708) > run

Unpatched, with RDP enabled (without NLA):

[+] 192.168.199.205:3389  - 192.168.199.205:3389 - The target is vulnerable.
[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708) > run

Unpatched, with RDP enabled (with NLA):

[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (without NLA):

[*] 192.168.199.205:3389  - 192.168.199.205:3389 - The target is not exploitable.
[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (with NLA):

[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win7 SP1 x64 (6.1.7601, 64-bit)

Unpatched, with RDP enabled (without NLA):

[+] 192.168.220.128:3389  - 192.168.220.128:3389 - The target is vulnerable.
[*] 192.168.220.128:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Unpatched, with RDP enabled (with NLA):

[*] 192.168.220.128:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (without NLA):

[*] 192.168.220.128:3389  - 192.168.220.128:3389 - The target is not exploitable.
[*] 192.168.220.128:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

WinXP SP2 x86

Unpatched, with RDP enabled (without NLA):

[+] 192.168.199.169:3389  - 192.168.199.169:3389 - The target is vulnerable.
[*] 192.168.199.169:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

WinXP SP3 x86

Unpatched, with RDP enabled (without NLA):

[+] 192.168.199.169:3389  - 192.168.199.169:3389 - The target is vulnerable.
[*] 192.168.199.169:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (without NLA):

[*] 192.168.199.169:3389  - 192.168.199.169:3389 - The target is not exploitable.
[*] 192.168.199.169:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win2k3 x64 (Standard, 5.2.3790)

Unpatched, with RDP enabled (without NLA):

[+] 192.168.220.140:3389  - 192.168.220.140:3389 - The target is vulnerable.
[*] 192.168.220.140:3389  - Scanned 1 of 1 hosts (100% complete)

Patched, with RDP enabled (without NLA):

[*] 192.168.220.140:3389  - 192.168.220.140:3389 - The target is not exploitable.
[*] 192.168.220.140:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

[cbrnrd]

Win10 Pro 1809, RDP Enabled

[-] 192.168.1.4:3389      - Error communicating RDP protocol.
[*] 192.168.1.4:3389      - 192.168.1.4:3389 - Cannot reliably check exploitability.
[*] 192.168.1.4:3389      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

[ghost]

@asoto-r7 NLA is a 100% confirmed mitigation. We don't have any specific checks for it atm but is something we have discussed to do. Looks like adding detected should be easy enough.

We've also discussed adding authenticated NLA scanning, but that is a different beast entirely. And there are already authenticated scanners which can check driver versions.

[cnotin]

If you need inspiration :)
https://github.com/portcullislabs/rdp-sec-check/blob/master/rdp-sec-check.pl#L272

[bwatters-r7]

All tests without NLA or patch:

Windows 2008x64:

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.142:3389  - 192.168.134.142:3389 - The target is vulnerable.
[*] 192.168.134.142:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

Windows 2008x64 R2 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.144:3389  - 192.168.134.144:3389 - The target is vulnerable.
[*] 192.168.134.144:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows 2008x86 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.194:3389  - 192.168.134.194:3389 - The target is vulnerable.
[*] 192.168.134.194:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

[bwatters-r7]

All tests without NLA or patch:

Windows 2003x64 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.195:3389  - 192.168.134.195:3389 - The target is vulnerable.
[*] 192.168.134.195:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

Win 2003x86 R2 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.190:3389  - 192.168.134.190:3389 - The target is vulnerable.
[*] 192.168.134.190:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

Win 2003x86 R2 SP2

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.181:3389  - 192.168.134.181:3389 - The target is vulnerable.
[*] 192.168.134.181:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win 2003x86 SP0

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.175:3389  - 192.168.134.175:3389 - The target is vulnerable.
[*] 192.168.134.175:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win 2003x86 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.176:3389  - 192.168.134.176:3389 - The target is vulnerable.
[*] 192.168.134.176:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

[bcoles]

Windows Server 2003 Enterprise SP2 x86 (5.2.3790)

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 172.16.191.171:3389   - 172.16.191.171:3389 - The target is vulnerable.
[*] 172.16.191.171:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows 2000 Server SP4 (5.0.2195)

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 172.16.191.123:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

[blockchainguard]

• Error communicating RDP protocol.

[ghost]

I cleaned up parts of the exception nesting and check codes to make the output more useful when scanning large ranges.

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.1.238:3389    - The target service is running, but could not be validated.
[*] Scanned 1 of 5 hosts (20% complete)
[*] 192.168.4.20:3389     - The target service is not running, or refused our connection.
[*] Scanned 2 of 5 hosts (40% complete)
[+] 192.168.1.161:3389    - The target is vulnerable.
[*] Scanned 3 of 5 hosts (60% complete)
[*] 192.168.1.72:3389     - The target is not exploitable.
[*] Scanned 4 of 5 hosts (80% complete)
[*] 192.168.1.12:3389     - Cannot reliably check exploitability.
[*] Scanned 5 of 5 hosts (100% complete)
[*] Auxiliary module execution completed

In order:

1. The target service is running, but could not be validated. Seen with NLA enabled, or service is not RDP
2. The target service is not running, or refused our connection. Nonexistent host/closed port (connect timeout)
3. The target is vulnerable. Unpatched
4. The target is not exploitable. Patched
5. Cannot reliably check exploitability. Something went haywire during RDP comms (generally, this will be like Windows 8+... not sure if we can differentiate this vs. general failure)

I'm happy with it if there isn't any TODO outstanding or suggestions for status codes?

[cnotin]

With the latest version in this PR, I have the following error for a few machines:
/root/tools/msf_modules/auxiliary/cve_2019_0708.rb:521: warning: in a**b, b may be too big

The error is in rsa_encrypt.
Here are the numbers for different machines:

Bignum: 29515630589904128245223976570842015727304113738300535931626442982409229123905
Rsexp: 813730072

Bignum: 29515630589904128245223976570842015727304113738300535931626442982409229123905
Rsexp: 820009571

The numbers stay the same for each run for the same machine

[jagotu]

@cnotin Could you please set verbose to 1 and check for line "RSA Magic: RSA1"?

It turns out some machines don't use RSA certs and we don't yet support that scenario. I just now added a check for it, but waiting for @zerosum0x0 to accept it.

[wvu]

@zeroSteiner, @asoto-r7, @busterb: PR posted and linked above. Please ensure no regressions. Should be zero functional difference.

[wvu]

Good, still working. Positive test against Windows Server 2008 R2 x64 and negative test against Win10.

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.56.105:3389   - Verifying RDP protocol...
[*] 192.168.56.105:3389   - header: 010c len 12
[*] 192.168.56.105:3389   - header: 030c len 20
[*] 192.168.56.105:3389   - header: 020c len 428
[*] 192.168.56.105:3389   - security header
[*] 192.168.56.105:3389   - modulus_old 070646f12a4dcf23b3744a6d8397134a7e50eef17782c1555157b543b2a72a192da56770d62c2fa0b191b4b7d8e2de49c533a4a1389ee7a47ef23e3f0a6b38d2
[*] 192.168.56.105:3389   - RSA magic: RSA1
[*] 192.168.56.105:3389   - RSA bitlen: 256
[*] 192.168.56.105:3389   - modulus_new 070646f12a4dcf23b3744a6d8397134a7e50eef17782c1555157b543b2a72a192da56770d62c2fa0b191b4b7d8e2de49c533a4a1389ee7a47ef23e3f0a6b38d2095e7efba7134163ea09f3e608eac1660ed6b81d3c8c8260e34bfc1a13414705e9a20de7dc6963d87d60ce3f4a4859beaf3c0ae7f87df41badcae7539c7591ee8f72b23b37c339c5549c1ffd50d5fa8b39afd11a5a6899caf802bc7001fbda4e82ad7c820f8dda61872c3db6bd992edab9982a0d6b53a60360f90a87a9d6ca700d03ad790589b02fb0595527cb94074f1d88f397d3c62587938980c46e3f9f1dd77625d84fb506356fa805782a0c7ef0e050fd8db57919a4188f48758d48e8df
[*] 192.168.56.105:3389   - SERVER_MODULUS: 070646f12a4dcf23b3744a6d8397134a7e50eef17782c1555157b543b2a72a192da56770d62c2fa0b191b4b7d8e2de49c533a4a1389ee7a47ef23e3f0a6b38d2095e7efba7134163ea09f3e608eac1660ed6b81d3c8c8260e34bfc1a13414705e9a20de7dc6963d87d60ce3f4a4859beaf3c0ae7f87df41badcae7539c7591ee8f72b23b37c339c5549c1ffd50d5fa8b39afd11a5a6899caf802bc7001fbda4e82ad7c820f8dda61872c3db6bd992edab9982a0d6b53a60360f90a87a9d6ca700d03ad790589b02fb0595527cb94074f1d88f397d3c62587938980c46e3f9f1dd77625d84fb506356fa805782a0c7ef0e050fd8db57919a4188f48758d48e8df
[*] 192.168.56.105:3389   - SERVER_EXPONENT: 01000100
[*] 192.168.56.105:3389   - SERVER_RANDOM: 92957d69d675e9dab53dd2bb4be41f38ef2a9742c959d178cf7de0a0d5f98245
[*] 192.168.56.105:3389   - Sending security exchange PDU
[*] 192.168.56.105:3389   - Encrypted client random: 0e22dfc8f4cae4934eaff236ac596a44990246757527f5b643653fb431205cbbdb8fba05603a2f5c372407bf56ca61bfbaeef6c6bac4cc854d00b9ee1f87d4d3352eef95671b29d4ecf57402941e69739fb3796bdf5fa0c09263d3dc04c2bb76ee54d17d779fb8ca84db87f49beb9d2c88982c151e27e4322df20ec9cdb8f22e8b4f950b5bb3b22f4c605ae971ba5cce4b1238ff7c15838b0e5c75b4f212beb730c0b18b353ab34256482ef674b0bd9537066f406c7f76fcc464522b4076d487c769ade6673bab978481a291f4d245b5655e19557b18461abc3679323ae645c11d51b7d0dda555363e7a715504592f581287efc0a8b82f35472f41f76f651662
[*] 192.168.56.105:3389   - PreMasterSecret = 41414141414141414141414141414141414141414141414192957d69d675e9dab53dd2bb4be41f38ef2a9742c959d178
[*] 192.168.56.105:3389   - MasterSecret = f504ace0b9f8cccfcd32cc376c650b31149f51f7c41154622f32f2f5eb8588f54bdfbfc6d3c70ac0bd9bccc45013a703
[*] 192.168.56.105:3389   - sessionKeyBlob = 2c9eed346966a8276de132facb2d5e942d8f5752c11af87554793d0b39a76ffe3c2510004090e009b935d0f8dd64a82b
[*] 192.168.56.105:3389   - macKey = 2c9eed346966a8276de132facb2d5e94
[*] 192.168.56.105:3389   - initialClientDecryptKey128 = 2b82536effb68f4fea39a11ebdc49d20
[*] 192.168.56.105:3389   - initialClientEncryptKey128 = def7e8037014a95a6a19e7dc6aff1bd2
[*] 192.168.56.105:3389   - RC4_ENC_KEY: def7e8037014a95a6a19e7dc6aff1bd2
[*] 192.168.56.105:3389   - RC4_DEC_KEY: 2b82536effb68f4fea39a11ebdc49d20
[*] 192.168.56.105:3389   - HMAC_KEY: 2c9eed346966a8276de132facb2d5e94
[*] 192.168.56.105:3389   - SESS_BLOB: 2c9eed346966a8276de132facb2d5e942d8f5752c11af87554793d0b39a76ffe3c2510004090e009b935d0f8dd64a82b
[*] 192.168.56.105:3389   - Sending encrypted client info PDU
[*] 192.168.56.105:3389   - Received License packet: 0300002202f08068000103eb701480020000ff031000070000000200000004000000
[*] 192.168.56.105:3389   - Received Server Demand packet: 030001c502f08068000103eb7081b60800000011628713e0b81b1802bb064162e98b8bb4f3cb62d9a376335aa5172e8e4d8b38048b8476c6f9bf7b4a605b5f16b4893003cf0c421a7174b9132bc218eb8daec848731178ed22e6c7bfe64b21b0562a562482e0a0247260204c81e45c62a4b9a3abbb0e639470794439c3fe5b5d448937a2efeddb1cf5d46e04f27d7016e976402e3882643acbb05821b2acb012870b55c7a30eeb8656e98a28978c9b5f2db263b2e4acec47a4a029a72661107985ac8d5f537cc0e98c78e5db1d760d609f3e04a1fd83265d6d1029d43d7ea2e62b8b8c9acf1d0492f45026c48c075034206c2bf9befa8f7902e44fe9cab93e912987a177fecddf80a0217a586836277faf2e032933a7fb57815cba2793d640a7e5614f4b7d2b4354ce6fbd13f059570a9bd3451415522b2b342bfd1003c90279cf0c11ba0d8a61d271fcb924e68e736f1555268811cfae984a315e0ccd0c0462eb215fbdddd3abf6b584fa98ef70906505b738340b67fc2448f7d82ebc7239b6cad543ece14f549b96ef0fcad930cd155b68f4bf923d452a6a4c4eda5382948de04a81d1ccef054936727b274a42c6dff65dc7edb5624742086ae1531f045374f4091d357f
[*] 192.168.56.105:3389   - Sending client confirm active PDU
[*] 192.168.56.105:3389   - Sending client synchronize PDU
[*] 192.168.56.105:3389   - Sending client control cooperate PDU
[*] 192.168.56.105:3389   - Grea2t!
[*] 192.168.56.105:3389   - Sending client control request control PDU
[*] 192.168.56.105:3389   - Sending client persistent key list PDU
[*] 192.168.56.105:3389   - Sending client font list PDU
[+] 192.168.56.105:3389   - The target is vulnerable.
[*] 192.168.56.105:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.56.101:3389   - Verifying RDP protocol...
[-] 192.168.56.101:3389   - Error communicating RDP protocol.
[*] 192.168.56.101:3389   - Cannot reliably check exploitability.
[*] 192.168.56.101:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) >

[wvu]

[asoto-r7]

(TL;DR: Good!)

Windows Server 2016 (x64)

Unpatched, with RDP enabled (no NLP):

[*] 192.168.220.139:3389  - Cannot reliably check exploitability.
[*] 192.168.220.139:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2016 is not supported, but does not crash, leave logs, or disrupt existing RDP connections.

[wvu]

It's good to see CheckCode being used outside of exploits, btw.

[asoto-r7]

@zerosum0x0 @jagotu: It's absolutely not a blocker, but to update, my Vista environment refuses to patch. termdd is not being updated after applying KB4499180. The patch executes, says it installs successfully, doesn't ask to reboot (unlike other OSes), and doesn't touch termdd.sys. Even after multiple reboots, termdd.sys hasn't been updated:

C:\windows\system32\drivers\termdd.sys
SHA1: 986514517f05ccf4c0e0988f2aa2b464be459e19
FileVersion: 6.0.6000.16386
Timestamp: 11/2/2006 7:03 AM

That said, it sounds like the patch is applying correctly for you guys, and I'm happy to trust your testing. Especially if it means I don't have to argue with Vista. :-P

[asoto-r7]

TL;DR: We've collectively tested the code, including the latest commits for any regressions, against a variety of hosts. I'm happy to get this landed, as soon as I'm done writing some documentation. Thanks everyone! 😄

[asoto-r7]

Quoting @tsellers-r7:
@asoto-r7 Does it work against 2016 with NLA disabled?

No, sir. In my testing, it did not: #11869 (comment)

[tsellers-r7]

Quoting @tsellers-r7:
@asoto-r7 Does it work against 2016 with NLA disabled?

No, sir. In my testing, it did not: #11869 (comment)

Yeah, I misread your comment so I deleted mine. Sorry about that.

[jagotu]

@asoto-r7
Well, this is not necessarily related to the pull request, but based on the FileVersion... Are you sure you didn't install vista sp0 accidentally? The patch only works on sp2.

[asoto-r7]

@asoto-r7
Well, this is not necessarily related to the pull request, but based on the FileVersion... Are you sure you didn't install vista sp0 accidentally? The patch only works on sp2.

@jagotu: Oh, good call! I hadn't realized and apparently the patch still reports success on SP0. 😬

[asoto-r7]

(TL;DR: Still good!)

Windows Server 2012 R2 (x64)

[*] 192.168.220.130:3389  - The target is not exploitable.
[*] 192.168.220.130:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As with 2016, Windows Server 2012 is also not supported. The scanner does not crash, leave logs, or disrupt existing RDP connections. 👍

[wvu]

Module doc in fa70461. Thanks, everyone.

[asoto-r7]

Release Notes

auxiliary/scanner/rdp/cve_2019_0708_bluekeep scans Windows workstations and servers against CVE-2019-0708 ("BlueKeep") to report the vulnerable state of Microsoft Windows targets running the Remote Desktop Protocol.

[TormentedSoul666]

Add an exploit module for full RCE with in depth analysis of the allocation of the shellcode with heap spraying you can find here: https://github.com/blackorbird/APT_REPORT/blob/master/exploit_report/%23bluekeep%20RDP%20from%20patch%20to%20remote%20code%20execution.pdf

At the end of the week, I'll do a pull request and add the missing part myself but it is your work, so you should finish it?

[ccondon-r7]

Hi @TormentedSoul666, the Metasploit team is currently developing an exploit module based on @zerosum0x0's work (see: https://twitter.com/zerosum0x0/status/1156608483166343169). Stability is the priority for us, so we'll PR the module when we're confident it's ready—it's unlikely that we'll put up the exploit PR this week, in part because of DEF CON in the U.S. If you have exploit code ready and want to collaborate privately, @busterb and I would be happy to chat about it. I'm catc0n on Keybase, Brent's busterb.

[TormentedSoul666]

@ccondon-r7

I wanted to use the PoC of Ekultek to develop a working RCE PoC but a working Metasploit module would be even better in terms of full disclosure mindset and also forcing the users with the last unpatched systems to finally handle.

I'm not using Github much due do being more native to other repository hosters, because my clients usually prefer them over GitHub (especially after what happened with all the stupid stuff of people keeping their own Shodan API keys in their code, the hacked and ransomed repositories and so on).
So can you contact me in any preferred way and I'll tell you what I know and we can work on it?

[TormentedSoul666]

@ccondon-r7, just to explain my motivation: I'm disgusted by the so called white-hats and anti-virus company shrinks, which are bragging with their stupid "open calc.exe" PoC videos, without revealing details.
I thought that we went over this period, where we keep stuff private, which is especially hazardous after what have happened with the NSA stuff after TSB leak.

Those so called PenTester shrinks even make fun about the hard work of zeroxum, Ekultek and the others, because they didn't implement the heap spraying part but released DoS instead, by shifting the EIP into the desert instead of spraying the heap and then allocating the shellcode at the stack position where it actually is.
This is not because zeroxum and Ekultek are dump or not capable but simply because this is a non-trivial thing and people who are not "professional PenTest er" shrinks usually lack the time to dive deep into this materia.

I'll expose later an especially disgusting Twitter post of someone of the mentioned clientel, who even made fun of the work of Zeroxum and Ekultek, even tho he has no proof of a working PoC other than a stupid video with this public "open calc.exe" shellcode which works on basically every windows version and architecture, despite of ASLR and DEP (of course that piece of code is not the work of those so called professionals and I highly doubt, that most of them actually managed to finish a working RCE PoC and were just showing of with stupid videos without any information disclosure). Best practice should be to not let participate those specific assholes at Blackhat Con and related events with full disclosure mentality, because they only steal what they need and feel very proud afterwards, when they show their stupid little YouTube videos of supposedly working RCE PoCs, which are in reality most likely prepared fakes.

Meanwhile CANVAS and other asshole companies like Core Impact release working RCE exploits for BlueKeep for their unnecessary and ridiculously overpriced software, so some richer cybercriminals can make use of it, while the risk doesn't take the risk serious, because those alleged whiny "white-hats" keep their supposedly working stuff for themselves.

Sorry for the full rage mode but this is a perfect example of what is going wrong with the PenTest scene and I really would like to see that those people and especially companies with ridiculously expensive products like CANVAS and Core Impact get a ban for conferences and also don't get access to full disclosure information anymore.

I'm coming from a time, where people like house0fdabus where coding masterpieces of pocs for all kinds of exploits and released them to the public in a good full disclosure manner.
Those shrinks working for the av companies are mostly just coming from university, have no history in the PenTesting scene and still open their big mouthes with their stupid videos of running scripts which open Calc.exe, which easily can be faked.

The result is that state sponsored APTs, state intelligence service and even military affiliated groups can use the stuff to undermine civil rights and perform attacks against other states.

After my full rage I want to remind what one of the best and to this day active upholders of full disclosure policy still has in one of the most established and most used RedTeaming tools of the world, which is THC Hydra: "Please do not use in military or secret service organizations, or for illegal purposes". One big shout out to THC VanHauser aka Marc Heuse, you were and still are one of my big idols since the 90s.

[TormentedSoul666]

@busterb @ccondon-r7 drop me a mail to [email protected] if you want to chat about the module, there is not much to add to the sequence to finish it (just the heap spraying, as you very likely know yourself). I'd like to contribute what I can, if you find time and have interest. We can discuss via mail, which channel of communication would be appropriate.