Security Experts:

Connect with us

Hi, what are you looking for?



BlueKeep Exploit Added to Metasploit

An initial public exploit targeting the recently addressed BlueKeep vulnerability in Microsoft Windows has been added to Rapid7’s Metasploit framework. 

An initial public exploit targeting the recently addressed BlueKeep vulnerability in Microsoft Windows has been added to Rapid7’s Metasploit framework. 

Tracked as CVE-2019-0708, the targeted vulnerability was addressed by Microsoft with its May 2019 Patch Tuesday updates. Within weeks, security researchers observed the first scans for the flaw, and it didn’t take long for attacks targeting it to emerge.

Industrial and medical products were also found to be at risk. Security researchers also discovered that the rate at which admins were patching systems had diminished significantly after just several months, with over 750,000 systems still vulnerable in mid-August.

Commonly referred to as BlueKeep, the vulnerability is a remote kernel use-after-free bug that impacts Windows’ Remote Desktop Protocol. The flaw could be abused by attackers to execute arbitrary code and take over a vulnerable machine by sending specially crafted requests via RDP. 

“The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution,” Rapid7 explains. 

Available in open source, the newly added Metasploit module was ported from a Python external module to a native Ruby one to take advantage of the RDP and other library enhancements in the framework. 

At the moment, the module targets 64-bit versions of Windows 7 and Windows Server 2008 R2. For the latter, a “registry entry needs to be modified to enable heap grooming via the RDPSND channel,” but alternate channels enabled by default on Windows might also be used, if researched. 

At the moment, the user needs to supply additional target information to use the module, otherwise the target host might crash. 

“The module implements a default fingerprint-only TARGET option that just checks for a vulnerable host and displays some initial information about the specific target OS, but the user will need to specify a more exact target based on secondary recon, or until further improvements in this module enable more accurate determination of the target kernel memory layout at runtime,” Rapid7 notes. 

While there are specific targets for bare-metal, Virtualbox, VMware, and Hyper-V, additional variables in target environments may shift the base address for grooming, the company also says. 

Related: BlueKeep Patching Efforts Sink: 750,000 Systems Still Vulnerable

Related: DHS Issues Alert for Windows ‘BlueKeep’ Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.