# BlueKeep

{% embed url="<https://www.opswat.com/blog/bluekeep-detecting-and-remediating-a-critical-and-wormable-remote-code-execution-vulnerability>" %}

BlueKeep (CVE-2019-0708) is a critical vulnerability in Microsoft's implementation of Remote Desktop Services in the Windows operating system.

By establishing an RDP connection to the target server and requesting a channel named *MS\_T120*, an unauthenticated attacker can send crafted data that results in arbitrary code execution with system privileges.

The vulnerability is triggered as follows:

1. The client requests a channel named MS\_T120, which is bound to *Slot 11*. Because the lookup function returns a pointer to the same MS\_T120 object for both the requested *Slot 11* and the default *Slot 0x1F\[31]*, the single MS\_T120 structure is now referenced from two slots.
2. The attacker sends crafted data to the MS\_T120 channel; *termdd.sys* responds with an error message and closes the channel, freeing the MS\_T120 structure and clearing the pointer in the user-controlled *Slot 11* but **not in *Slot 0x1F***.
3. When the connection is terminated, a cleanup function dereferences the stale pointer still held in *Slot 0x1F*, accessing the freed structure and producing a use-after-free condition.
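The client names its static virtual channels in the clientNetworkData (TS_UD_CS_NET) block of the MCS Connect Initial PDU, so a request for MS\_T120 is visible before step 1 completes. The following Python parser is an added example, not code from the original page: it decodes that block and flags any channel definition naming MS\_T120, which is the indicator a detection rule or honeypot would key on. The sample bytes are constructed with the helper below; the field layout (2-byte type, 2-byte length, 4-byte channelCount, then 12-byte CHANNEL_DEF entries of an 8-byte NUL-padded name plus 4-byte options) follows MS-RDPBCGR.

```python
import struct

# TS_UD_HEADER type value for clientNetworkData (MS-RDPBCGR section 2.2.1.3.4).
CS_NET = 0xC003
# CHANNEL_OPTION_INITIALIZED, the flag most clients set on every static channel.
CHANNEL_OPTION_INITIALIZED = 0x80000000


def parse_cs_net(block: bytes) -> list[dict]:
    """Decode a TS_UD_CS_NET block into its CHANNEL_DEF entries.

    Layout: type u16 LE, length u16 LE, channelCount u32 LE, then channelCount
    entries of name[8] (ANSI, NUL padded) + options u32 LE. The length field must
    match the byte count implied by channelCount, otherwise the block is rejected.
    """
    if len(block) < 8:
        raise ValueError("truncated CS_NET header")
    hdr_type, hdr_len, count = struct.unpack_from("<HHI", block, 0)
    if hdr_type != CS_NET:
        raise ValueError(f"not a CS_NET block: type=0x{hdr_type:04x}")
    if hdr_len != len(block) or 8 + 12 * count != hdr_len:
        raise ValueError("length field does not match channel count")
    channels = []
    for i in range(count):
        name_raw, options = struct.unpack_from("<8sI", block, 8 + 12 * i)
        name = name_raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        # The position in channelDefArray is the client's own channel index.
        channels.append({"index": i, "name": name, "options": options})
    return channels


def bluekeep_indicators(block: bytes) -> list[str]:
    """Return the names of requested channels that match the BlueKeep trigger."""
    return [c["name"] for c in parse_cs_net(block) if c["name"].upper() == "MS_T120"]


def build_cs_net(names: list[str]) -> bytes:
    """Construct a CS_NET block for testing (sample data, not a captured PDU)."""
    body = b"".join(
        struct.pack("<8sI", n.encode("ascii"), CHANNEL_OPTION_INITIALIZED) for n in names
    )
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(names)) + body


if __name__ == "__main__":
    benign = build_cs_net(["rdpdr", "cliprdr", "rdpsnd"])
    suspect = build_cs_net(["cliprdr", "MS_T120"])
    print("benign:", bluekeep_indicators(benign))    # []
    print("suspect:", bluekeep_indicators(suspect))  # ['MS_T120']
```

The Connect Initial PDU is only plaintext when the session negotiates standard RDP security; under TLS or CredSSP the block is visible only at the server or after TLS termination, so network-side detection depends on where the sensor sits.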

Because BlueKeep is so widespread, [Metasploit](https://stuff.weelee.zip/network/c2/metasploit) ships a module that exploits it.

{% code title="Linux" %}

```fish
msfconsole
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set rhosts <target_host>
run
```

{% endcode %}
