BlueKeep
CVE-2019-0708, commonly known as BlueKeep, is a critical pre-authentication remote code execution vulnerability in Microsoft Remote Desktop Services (formerly Terminal Services) on older Windows platforms. An unauthenticated attacker who can reach the target over RDP can send specially crafted requests that trigger memory corruption in Remote Desktop Services; the underlying defect is described as a dangling-pointer bug. Microsoft stated that the RDP protocol itself is not vulnerable; the issue lies in how Remote Desktop Services handles connection requests. Successful exploitation allows arbitrary code execution without user interaction, and the flaw is considered wormable because malware exploiting it could propagate automatically between vulnerable systems.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
16 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (21 hidden).
This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. 
Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.
This repository contains a working proof-of-concept exploit for CVE-2019-0708 (BlueKeep), a critical remote code execution vulnerability in Microsoft Windows Remote Desktop Services. The repository includes two main Python scripts: one for targeting Windows systems (CVE-2019-0708-windows.py) and one for Linux (CVE-2019-0708-linux.py). Both scripts are heavily obfuscated using zlib compression and base64 encoding, and must be run with Python 3. The README indicates that the exploit spawns a remote shell on the target system if successful. The exploit requires the attacker to specify the target IP address as a command-line argument. No hardcoded network endpoints or IPs are present in the visible code, but the exploit is designed to be used against vulnerable RDP services over the network. The repository is structured simply, with the two exploit scripts and a README file explaining usage and purpose.
This repository provides a proof-of-concept (PoC) for exploiting the BlueKeep vulnerability (CVE-2019-0708) in Microsoft Windows RDP services. The main code files are 'bluekeep_dos.py' and 'bluekeep_poc.py', both written in Python. 'bluekeep_dos.py' is designed to perform a denial-of-service (DoS) attack against vulnerable RDP servers by sending specially crafted packets to TCP port 3389, potentially crashing the service. 'bluekeep_poc.py' demonstrates the ability to interact with and verify the presence of the BlueKeep vulnerability, and includes code for establishing RDP connections and sending protocol-specific packets. The PoC does not include a remote code execution payload, but the code structure and comments indicate it can be extended for that purpose. The repository also contains a list of potentially vulnerable IP addresses in 'research/vulnerable_targets.txt' and research notes with protocol documentation links. The exploit targets legacy Windows systems (XP, Vista, 7, Server 2003, 2008, 2008 R2) with RDP enabled. No framework is used; the code is standalone Python. The repository is well-structured for research and demonstration purposes, but not weaponized.
This repository contains a Python proof-of-concept exploit for CVE-2019-0708 (BlueKeep), a critical remote code execution vulnerability in Microsoft Windows Remote Desktop Services (RDP) affecting Windows Server 2008 R2 and related systems. The main file, '0708.py', is a standalone script that takes a list of target IPs and attempts to connect to each on TCP port 3389, sending specially crafted RDP protocol packets to test for the vulnerability. The script does not include a full remote code execution payload or a shell; instead, it demonstrates the ability to reach and interact with the vulnerable code path. The README notes that the part of the exploit that would crash the system (BSOD) has been intentionally removed, making this a non-destructive proof-of-concept. The repository is structured simply, with one main Python script and a README file. No hardcoded IPs, URLs, or other fingerprintable endpoints are present beyond the standard RDP port. The exploit is not part of a larger framework and is intended for research and testing purposes.
This repository provides 'ispy', a Bash-based automation tool for scanning and exploiting Windows systems vulnerable to EternalBlue (MS17-010) and BlueKeep (CVE-2019-0708). The main entry point is the 'ispy' Bash script, which presents a menu-driven interface for scanning targets using the included Python scripts ('scanners/bluekeep_scanner.py' and 'scanners/eternalblue_scanner.py') and for launching Metasploit modules to exploit detected vulnerabilities. The exploitation phase uses Metasploit's 'windows/smb/ms17_010_eternalblue', 'windows/smb/ms17_010_psexec', 'windows/smb/ms17_010_eternalblue_win8', and 'windows/rdp/cve_2019_0708_bluekeep_rce' modules to deliver a Meterpreter reverse shell payload. The tool is operational, automating both detection and exploitation, and is intended for use on Linux systems with Metasploit installed. The repository includes setup scripts and documentation, and targets a wide range of Windows versions susceptible to these vulnerabilities. No hardcoded IPs or domains are present; the user supplies target IPs at runtime.
This repository contains a set of Metasploit modules for detecting and exploiting the BlueKeep vulnerability (CVE-2019-0708) in Microsoft Windows RDP services. The main files are:
- `cve_2019_0708_bluekeep.rb`: An auxiliary scanner module that checks if a target is vulnerable to BlueKeep, and can optionally trigger a denial of service (DoS) condition.
- `cve_2019_0708_bluekeep_rce.rb`: The main exploit module that achieves remote code execution in the Windows kernel by exploiting a use-after-free in the RDP termdd.sys driver. It supports custom payloads and includes detailed exploitation logic and caveats for different Windows versions.
- `rdp.rb`: A shared library providing RDP protocol interaction primitives for the modules.
- `rdp_scanner.rb`: An auxiliary scanner module to identify RDP endpoints and gather version information, including NLA (Network Level Authentication) requirements.
The modules are designed to be used within the Metasploit Framework (version 5.0.4 or higher). The exploit targets unpatched Windows systems running RDP on TCP port 3389. For Windows Server 2008 R2, a specific registry key (`fDisableCam=0`) may need to be set for successful exploitation. The exploit can deliver custom shellcode payloads, resulting in remote code execution with kernel privileges. The repository also provides detection and scanning capabilities for identifying vulnerable systems and RDP endpoints.
This repository contains two Python proof-of-concept (POC) exploit scripts targeting the Microsoft RDP (Remote Desktop Protocol) service vulnerability CVE-2019-0708, also known as 'BlueKeep'. The main files are 'MS12-002-POC.py' and 'cve-2019-0708-poc.py'. Both scripts craft and send custom RDP protocol packets to a specified target host on TCP port 3389, attempting to trigger the vulnerability. The exploits are designed for use against Windows Server 2003 and 2008 systems with RDP enabled. The payloads do not provide remote code execution or a shell; instead, they are intended to demonstrate the vulnerability by causing a crash or denial of service on the target system. The README.md provides additional context, including usage instructions and references to related tools for detection and scanning. No hardcoded IP addresses or domains are present; the scripts require the user to specify the target host as a command-line argument. The overall structure is typical for POC exploits, with clear separation between the exploit logic and documentation.
This repository contains a weaponized exploit for CVE-2019-0708 (BlueKeep), targeting Microsoft Windows XP and Windows Server 2003 systems running the RDP service. The exploit is implemented as a modified version of the open-source 'rdesktop' RDP client (version 1.5.0), with additional code in 'heap_spray.c' and related files to perform a heap spray attack against the target's RDP service. The exploit works by first configuring the attacker's IP and port in the 'config' file, compiling the code, and then running the heap spray executable against the target. The payload is a custom kernel shellcode (provided as a binary file) that is injected into the target's memory, which then executes a reverse TCP shell (Meterpreter) back to the attacker's machine. The exploit is operational and provides a full remote shell if successful. The codebase is primarily in C, with build scripts and keymaps for the rdesktop client. The exploit is not part of a framework but is a standalone adaptation of rdesktop for exploitation purposes. The README provides detailed usage instructions, including configuration for both Windows XP and Windows 2003 targets, and notes on memory requirements and shellcode customization. The main attack vector is network-based, exploiting the RDP service over TCP port 3389. The repository includes several fingerprintable endpoints, such as the attacker's and target's IP addresses, the configuration file, and the shellcode binary.
This repository contains two Python proof-of-concept (PoC) exploit scripts (crashpoc.py and poc.py) and a README.md. Both scripts are designed to exploit a vulnerability in the Microsoft Windows Remote Desktop Protocol (RDP) service, specifically targeting TCP port 3389. The scripts use the impacket and pyOpenSSL libraries to craft and send a series of RDP protocol packets over a TLS connection to the target host. The goal is to trigger a crash (denial of service) in the RDP service by sending malformed or specially crafted packets, with some logic to repeat the attack multiple times for reliability. The README indicates the exploit is for educational purposes and hints at possible adaptation for older Windows versions. No explicit CVE is mentioned, but the exploit is relevant to RDP vulnerabilities on Windows systems. No hardcoded IPs or domains are present; the target is specified via command-line arguments. The overall structure is typical for a network-based DoS PoC, with clear entry points in both Python scripts.
This repository is a comprehensive set of Python scripts and libraries for researching and exploiting CVE-2019-0708 (BlueKeep), a critical RDP remote code execution vulnerability affecting Windows 7 and Windows Server 2008/2008 R2. The repo includes:
- Core RDP protocol and ASN.1 handling libraries (myrdp.py, myasn1.py, rdp4mppc.py)
- Multiple PoC scripts for heap spraying and kernel pool filling via different RDP virtual channels (RDPSND, RDPDR, MS_T120, REFRESHRECT)
- A detection script (rdp_detect_info.py) to fingerprint the target OS, architecture, and channel availability
- Detailed exploitation notes (NOTE.md) and a summary (README.md)
The main exploit capability is remote code execution in kernel context by manipulating RDP virtual channels and exploiting the BlueKeep vulnerability. The PoCs demonstrate both memory manipulation (heap spraying, pool filling) and actual code execution (with custom shellcode) on vulnerable systems. The scripts require a target IP/hostname and connect to TCP port 3389 (RDP). The code is operational and can be adapted for further weaponization, but is not part of a framework. The repository is well-structured for research and offensive security testing of BlueKeep.
This repository provides Proof-of-Concept (PoC) exploit code for the BlueKeep vulnerability (CVE-2019-0708), which affects Microsoft Windows systems running Remote Desktop Protocol (RDP) on TCP port 3389. The repository contains exploit scripts in four programming languages: Python (bluekeep_exploit.py), Java (BlueKeepExploit.java), C++ (bluekeep_exploit.cpp), and Ruby (bluekeep_exploit.rb). Each script is structured to connect to a specified target IP address and port (default 3389), send a specially crafted RDP packet containing shellcode, and attempt to trigger remote code execution on the vulnerable system. The shellcode is intended to open a reverse shell on the target. The Python and Ruby scripts include example shellcode, while the Java and C++ scripts use placeholders for the shellcode. The README provides usage instructions, indicating that users should replace the '[TARGET_IP]' placeholder with the actual target address. The repository is clearly intended for educational and research purposes, demonstrating the exploitability of BlueKeep across multiple languages. No hardcoded real-world endpoints are present; all scripts require user-supplied target information.
This repository contains a Metasploit module and supporting code for exploiting CVE-2019-0708 (BlueKeep), a critical remote code execution vulnerability in the Microsoft Windows RDP service (termdd.sys). The main exploit file is 'cve_2019_0708_bluekeep_rce.rb', a Metasploit module that leverages a use-after-free in the RDP channel management to achieve kernel-level code execution. The exploit performs a full RDP handshake, manipulates internal RDP channels (notably MS_T120 and RDPSND), and grooms kernel memory to inject and execute shellcode. The module supports automatic and manual targeting, with options for payload selection and advanced memory grooming. The repository also includes 'rdp.rb' (Metasploit RDP library), 'rdp_bluekeep.py' (a standalone Python implementation of the exploit logic), and 'rdp_scanner.rb' (an auxiliary Metasploit scanner for RDP endpoints). The exploit is weaponized, allowing for customizable payloads and reliable exploitation on unpatched Windows 7 SP1 and Server 2008 R2 systems. The main attack vector is network-based, targeting TCP port 3389 (RDP). The exploit may require a specific registry key to be set on some targets for successful exploitation.
This repository contains a working proof-of-concept exploit for CVE-2019-0708 (BlueKeep), a critical pre-authentication remote code execution vulnerability in Microsoft Windows Remote Desktop Services (RDP). The exploit is implemented in Python (exploit.py) and leverages the PyRDP library to craft and send malicious RDP protocol messages to a vulnerable Windows 7 SP1 x64 target. The exploit works by abusing the RDP virtual channel binding process, specifically targeting the MS_T120 channel, to achieve arbitrary code execution in kernel context. The included shellcode (shellcode.s, written in x64 assembly) is injected into the target and establishes a reverse shell connection back to the attacker's machine. The attacker must specify the target RDP server's IP and port, as well as their own IP and desired port for the reverse shell. The README provides detailed technical background on the vulnerability, usage instructions, and affected versions. The exploit is operational and demonstrates full remote code execution, but is not weaponized for mass exploitation (e.g., no automatic scanning or payload customization).
This repository contains a working proof-of-concept exploit for CVE-2019-0708 (BlueKeep), a critical remote code execution vulnerability in Microsoft Windows' Remote Desktop Services. The repository includes two main Python scripts: 'CVE-2019-0708-linux.py' and 'CVE-2019-0708-windows.py', both of which are heavily obfuscated using zlib compression and base64 encoding. The README.md provides basic usage instructions, indicating that the exploit spawns a remote shell on a vulnerable target and requires Python 3. The scripts are designed to be run against a specified target IP address, exploiting the RDP service. The exploit is operational, providing a shell if successful, and targets unpatched Windows systems vulnerable to BlueKeep. No hardcoded IPs or domains are present; the target is specified at runtime.
This repository contains a single Python exploit script ('cve 2019-0708.py') and a README. The script is designed as a POC for CVE-2019-0708 (BlueKeep), a critical remote code execution vulnerability in Microsoft Remote Desktop Services (RDP) affecting older Windows systems (XP, Server 2003, Server 2008, Server 2008 R2, Windows 7). The exploit is implemented as a pocsuite3 module, leveraging the framework's POCBase class. It attempts to connect to a specified RDP endpoint (default port 3389/tcp), sends crafted protocol messages, and checks for signs of vulnerability. The script also includes basic OS fingerprinting for the target. No post-exploitation payload or shell is provided; the script is intended for vulnerability verification and demonstration purposes only. The README provides installation instructions for pocsuite3 and clarifies that the code is for educational use.
This repository is a functional exploit for CVE-2019-0708 (BlueKeep), a critical remote code execution vulnerability in Microsoft Windows RDP (Remote Desktop Protocol) service. The main exploit logic is implemented in 'win7_32_poc.py', which orchestrates the attack by establishing an RDP connection to the target, performing protocol handshakes, and then executing a pool spray and object allocation technique to trigger the vulnerability. The exploit uses custom kernel-mode shellcode (provided in 'bluekeep_kshellcode_x86.asm') to escalate privileges from ring 0 to ring 3, and then executes user-supplied shellcode (default is a reverse shell) with SYSTEM privileges. Supporting files include 'rdp.py' and 'rdp_crypto.py' for handling the RDP protocol and cryptography, and 'rc4.py' for RC4 encryption. The user is expected to modify the 'host' variable in 'win7_32_poc.py' to point to their target and replace the 'buf' variable with their own shellcode payload. The exploit is operational and has been tested against Windows 7 32-bit systems, with an estimated 80% success rate in the author's environment. No hardcoded external endpoints are present beyond the default local IP and RDP port, and the exploit is not part of a larger framework.
Affected products & vendors
Recent activity
63 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
BlueKeep is a remote code execution vulnerability in Microsoft Remote Desktop Services (RDP). In this content it is mentioned as affecting a co-hosted RDP server at 91.92.240.207 within the same malicious hosting subnet.
A critical remote code execution vulnerability in Microsoft Remote Desktop Services (RDP), commonly known as BlueKeep, highlighted here as exploited by the Lotus Blossom threat actor.
A critical remote code execution vulnerability in Microsoft Remote Desktop Services (RDP) commonly known as BlueKeep, historically associated with high-risk, wormable exploitation potential.
A critical remote code execution vulnerability in Microsoft Remote Desktop Services (RDS), commonly known as BlueKeep, highlighted here as an exploited vulnerability associated with the Lotus Blossom threat actor’s activity.