This presents in all unpatched windows NT based versions windows 2000, Windows server
R2 and windows 7 Microsoft is given patch for this on 13th august 2019(found it on 14th
may 2019) Even related blue keep vulnerabilities are name “Dejakeep” effected windows 7
and windows 10 newer versions also.

Blue keep vulnerability is reported by UK national cyber security team on 14th may 2019.
Kevin Beaumont is named this vulnerability as a #bluekeep in this twitter page ( reference: ) you can tract this officially
with CVE-2019-0708.
Microsoft says that attackers can use this vulnerability to actively propagate the worms,
similar to be eternal blue and WannaCry. Microsoft is estimated nearly 1 million devices are
vulnerable for this.

Technically The RDP protocol uses “virtual channels” configured pre-authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 “static” virtual channels, and “dynamic” virtual channels are contained within one of these static channels. If a server binds the virtual channel “MS_T120” (a channel for which there is no legitimate reason for a client to connect to) with a static channel other than 31, heap corruption occurs that allows for arbitrary code execution at the system level.

Microsoft released patches for the vulnerability on 13th august 2019

How to test?
Open terminal
Lunch msfconsole in kali Linux

Search for blue keep related modules

Search for blue keep related modules in Metasploit by search command as below

We got one auxiliary scanner to check / identify the vulnerable/ infected system Load that module to console by using command use 0 Once it is loaded it will appear in red colour. Give show options to check available options

Give rhost(target) details that is in my case in your case it may be different.
It will identify vulnerable system.

Sai Teja B
IT security consultant – Trainer
Triad square infosec pvt ltd

WhatsApp WhatsApp us