Rapid7 Vulnerability & Exploit Database

CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free

Back to Search

CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free



The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution. Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets. Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout. HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set! If the target is crashing regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the GROOMBASE option.


  • Sean Dillon <sean.dillon@risksense.com>
  • Ryan Hanson
  • OJ Reeves <oj@beyondbinary.io>
  • Brent Cook <bcook@rapid7.com>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf exploit(cve_2019_0708_bluekeep_rce) > show targets
msf exploit(cve_2019_0708_bluekeep_rce) > set TARGET < target-id >
msf exploit(cve_2019_0708_bluekeep_rce) > show options
    ...show and set options...
msf exploit(cve_2019_0708_bluekeep_rce) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security