0xeb-bp / bluekeep Goto Github PK

What should I use to generate shellcode?
thx.

Can you please provide assistance to address this error:
python3 win7_32_poc.py
[+] initializing connection
[+] sending basic settings exchange
[+] sending erect domain and attach user
[+] sending channel join requests
[+] sending security exchange

Traceback (most recent call last):
File "win7_32_poc.py", line 156, in <module>
       main()
File "win7_32_poc.py", line 40, in main
        crypter = rdp.connect(s)
File "/root/Documents/scripts/bluekeep_32bit/rdp.py", line 469, in connect
       s.sendall(sec_exchange(pub_key, bit_len))
File "/root/Documents/scripts/bluekeep_32bit/rdp.py", line 113, in sec_exchange
        enc_client_ran = pubkey.encrypt(b'A'*32, None)[0]
File "/usr/local/lib/python3.6/dist-packages/Crypto/PublicKey/RSA.py", line 375, in encrypt
       raise NotImplementedError("Use module Crypto.Cipher.PKCS1_OAEP instead")
NotImplementedError: Use module Crypto.Cipher.PKCS1_OAEP instead

Want to see how to use 2003 for stable utilization

└─# python3 win7_32_poc.py 130 ⨯
[+] initializing connection
[+] sending basic settings exchange
[+] sending erect domain and attach user
[+] sending channel join requests
[+] sending security exchange
Traceback (most recent call last):
File "win7_32_poc.py", line 175, in
main()
File "win7_32_poc.py", line 40, in main
crypter = rdp.connect(s)
File "/home/kali/bluekeep/rdp.py", line 469, in connect
s.sendall(sec_exchange(pub_key, bit_len))
File "/home/kali/bluekeep/rdp.py", line 113, in sec_exchange
enc_client_ran = pubkey.encrypt(b'A'*32, None)[0]
File "/usr/local/lib/python3.8/dist-packages/Crypto/PublicKey/RSA.py", line 375, in encrypt
raise NotImplementedError("Use module Crypto.Cipher.PKCS1_OAEP instead")
NotImplementedError: Use module Crypto.Cipher.PKCS1_OAEP instead

This is what I get after running -> python3 win7_32_poc.py

Hi I tried to use the exploit and put my own shellcode inside. Unfortunetelly no matter what shellcode there is, it allways kills the victims PC. I think it may be due to function free_32 in rdp.py file.

Can you add users directly?

Hello there , i just run this code against one of my lab targets and nothing happend !

i mean no crash , no RCE , nothing !

If I'm correct, it uses the 'cliprdr' channel to groom the heap? If so, will that work for 2008 R2? I haven't gotten any success with it on a 2008 R2 VM.

'RDPSND' channel requires registry modification, and I don't think rapid-7's module has proper code for using MS_T120, apparently doesn't pop the correct number of args from the stack...

The virt_chan_data parameter in the function write_virtual_channel is the code we want to overflow?