Documentation ¶
Overview ¶
Package bluekeep implements a precondition check for CVE-2019-0708 (BlueKeep) against Windows RDP servers.
This package does NOT exploit the bug. It drives the RDP connection sequence (X.224 connect, optional TLS upgrade, MCS Connect, Attach User, I/O channel join) far enough to observe whether the server accepts an MCS Channel-Join-Request for the MS_T120 channel on a non-default channel ID, which is the precondition the BlueKeep use-after-free requires. A vulnerable server accepts the rebind; a patched server answers with a Disconnect-Provider-Ultimatum or rejects the channel join. No data is ever sent on the joined channel.
References:
- MS-RDPBCGR: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/
- rdpscan by Robert Graham: https://github.com/robertdavidgraham/rdpscan
- MSRC ADV190005: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0708
Types ¶
type Evidence ¶
type Evidence struct {
X224ConnectionEstablished bool `json:"x224ConnectionEstablished"`
TlsUpgraded bool `json:"tlsUpgraded"`
McsConnectResponseReceived bool `json:"mcsConnectResponseReceived"`
AttachUserConfirmReceived bool `json:"attachUserConfirmReceived"`
IoChannelJoinConfirmReceived bool `json:"ioChannelJoinConfirmReceived"`
MsT120RebindAccepted bool `json:"msT120RebindAccepted"`
ServerDisconnected bool `json:"serverDisconnected"`
DisconnectReason *string `json:"disconnectReason,omitempty"`
}
Evidence records which steps of the BlueKeep handshake completed, in protocol order; a later field being true implies the earlier ones succeeded. JSON tags use camelCase so that json.Marshal produces the same key names that signal fixtures and downstream consumers expect; DisconnectReason is omitted from the JSON when the server did not disconnect.
type Outcome ¶
type Outcome string
Outcome classifies the result of a single BlueKeep precondition check.
const (
	// OutcomeVulnerable indicates the server accepted the MS_T120 channel rebind
	// on the non-default channel ID (1005): the BlueKeep pre-auth use-after-free
	// condition is present.
	OutcomeVulnerable Outcome = "VULNERABLE"
	// OutcomePatched indicates the server rejected the channel rebind (via
	// Disconnect-Provider-Ultimatum, a non-zero ChannelJoinConfirm result,
	// or TCP close), indicating the BlueKeep patch is applied.
	OutcomePatched Outcome = "PATCHED"
	// OutcomeIndeterminate indicates the probe did not produce a definitive
	// accept or reject (e.g. timeout, early connection drop before MCS).
	OutcomeIndeterminate Outcome = "INDETERMINATE"
)
type Result ¶
type Result struct {
Target string
Port int
Outcome Outcome
ErrorMessage *string
SelectedProtocol *string
LastPduHex *string
Evidence *Evidence
}
Result is the per-target output of RunCheck. ErrorMessage is set when the probe failed before reaching a verdict, SelectedProtocol is the protocol the server chose during X.224 negotiation (if negotiation completed), and LastPduHex is a hex dump of the last PDU received from the server, kept so that an INDETERMINATE or unexpected result can be diagnosed offline. Evidence is nil only if the probe never opened a connection.
func RunCheck ¶
RunCheck performs the CVE-2019-0708 precondition validation against a single target and returns a populated Result.
timeoutMs is the per-target budget in milliseconds and covers the whole sequence, not each PDU. The check does NOT send any exploit payload; it only observes whether the server accepts the MS_T120 channel rebind request. Treat INDETERMINATE as "no verdict" rather than as "not vulnerable": it is also the expected result when the server never lets an unauthenticated client reach the MCS stage, so a fleet scan should report INDETERMINATE targets separately instead of folding them into PATCHED.
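The decision rule behind Outcome is easiest to see against the actual bytes the server sends back. The following is an added example, not code from the bluekeep package: it mirrors the page's Evidence and Outcome types (assumption: same values and JSON tags), PER-decodes the two T.125 PDUs that can answer a Channel-Join-Request (ChannelJoinConfirm and DisconnectProviderUltimatum) from their TPKT/X.224 wrapping, and applies the page's rule to fill in Evidence and pick an Outcome. The packets are constructed to follow the MS-RDPBCGR encoding; ParseMCSReply and Classify are hypothetical names that do not exist in the package.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Outcome and Evidence mirror the page's types so the example compiles
// stand-alone (assumption: the real package uses the same values and tags).
type Outcome string

const (
	OutcomeVulnerable    Outcome = "VULNERABLE"
	OutcomePatched       Outcome = "PATCHED"
	OutcomeIndeterminate Outcome = "INDETERMINATE"
)

type Evidence struct {
	X224ConnectionEstablished    bool    `json:"x224ConnectionEstablished"`
	TlsUpgraded                  bool    `json:"tlsUpgraded"`
	McsConnectResponseReceived   bool    `json:"mcsConnectResponseReceived"`
	AttachUserConfirmReceived    bool    `json:"attachUserConfirmReceived"`
	IoChannelJoinConfirmReceived bool    `json:"ioChannelJoinConfirmReceived"`
	MsT120RebindAccepted         bool    `json:"msT120RebindAccepted"`
	ServerDisconnected           bool    `json:"serverDisconnected"`
	DisconnectReason             *string `json:"disconnectReason,omitempty"`
}

// T.125 DomainMCSPDU choice indices the probe has to recognise.
const (
	mcsDisconnectProviderUltimatum = 8
	mcsChannelJoinConfirm          = 15
	rtSuccessful                   = 0 // T.125 Result for an accepted join
)

// MCSReply is the decoded server answer to the channel join request.
type MCSReply struct {
	Choice    int
	Result    int    // ChannelJoinConfirm only; 0 = rt-successful
	Requested uint16 // ChannelJoinConfirm only: channel the client asked for
	ChannelID uint16 // ChannelJoinConfirm only: channel actually joined (0 if absent)
	Reason    int    // DisconnectProviderUltimatum only: T.125 Reason
}

// ParseMCSReply strips the TPKT and X.224 Data headers and PER-decodes just
// enough of the DomainMCSPDU to tell an accepted join from a rejection.
func ParseMCSReply(pkt []byte) (MCSReply, error) {
	var r MCSReply
	if len(pkt) < 9 || pkt[0] != 0x03 || pkt[1] != 0x00 {
		return r, errors.New("not a TPKT header")
	}
	if int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return r, errors.New("TPKT length does not match packet length")
	}
	if pkt[4] != 0x02 || pkt[5] != 0xF0 || pkt[6] != 0x80 { // X.224 Data TPDU
		return r, errors.New("not an X.224 Data TPDU")
	}
	mcs := pkt[7:]
	r.Choice = int(mcs[0] >> 2) // aligned-PER CHOICE index lives in the top 6 bits
	switch r.Choice {
	case mcsDisconnectProviderUltimatum:
		// 3-bit Reason straddles the first byte: low 2 bits of byte 0, top bit of byte 1.
		r.Reason = int(mcs[0]&0x03)<<1 | int(mcs[1]>>7)
	case mcsChannelJoinConfirm:
		hasChannelID := mcs[0]&0x02 != 0 // OPTIONAL channelId presence bit
		// 4-bit Result: low bit of byte 0 plus top three bits of byte 1; the rest
		// of byte 1 is padding before the octet-aligned 16-bit initiator field.
		r.Result = int(mcs[0]&0x01)<<3 | int(mcs[1]>>5)
		if len(mcs) < 6 || (hasChannelID && len(mcs) < 8) {
			return r, errors.New("short ChannelJoinConfirm")
		}
		r.Requested = binary.BigEndian.Uint16(mcs[4:6])
		if hasChannelID {
			r.ChannelID = binary.BigEndian.Uint16(mcs[6:8])
		}
	default:
		return r, errors.New("unexpected DomainMCSPDU choice")
	}
	return r, nil
}

// Classify applies the page's rule to the answer to the MS_T120 join request on
// the non-default channel id. reply == nil means the server closed TCP instead.
func Classify(requested uint16, reply []byte, ev *Evidence) Outcome {
	if !ev.IoChannelJoinConfirmReceived {
		return OutcomeIndeterminate // dropped before the MCS stage completed
	}
	if reply == nil {
		ev.ServerDisconnected = true
		return OutcomePatched
	}
	r, err := ParseMCSReply(reply)
	if err != nil {
		return OutcomeIndeterminate
	}
	switch r.Choice {
	case mcsDisconnectProviderUltimatum:
		reason := fmt.Sprintf("DisconnectProviderUltimatum reason=%d", r.Reason)
		ev.ServerDisconnected, ev.DisconnectReason = true, &reason
		return OutcomePatched
	case mcsChannelJoinConfirm:
		if r.Result == rtSuccessful && r.ChannelID == requested {
			ev.MsT120RebindAccepted = true
			return OutcomeVulnerable
		}
		if r.Result != rtSuccessful {
			return OutcomePatched
		}
	}
	return OutcomeIndeterminate // successful join of some other channel: no verdict
}

// EvidenceJSON shows the camelCase key contract downstream consumers rely on.
func EvidenceJSON(ev Evidence) (string, error) {
	b, err := json.Marshal(ev)
	return string(b), err
}

// Constructed sample replies (MS-RDPBCGR encoding; channel 1005 = 0x03ed).
var (
	SampleJoinAccepted = []byte{0x03, 0x00, 0x00, 0x0f, 0x02, 0xf0, 0x80, 0x3e, 0x00, 0x00, 0x06, 0x03, 0xed, 0x03, 0xed}
	SampleJoinRejected = []byte{0x03, 0x00, 0x00, 0x0f, 0x02, 0xf0, 0x80, 0x3e, 0x60, 0x00, 0x06, 0x03, 0xed, 0x03, 0xed} // rt-no-such-channel
	SampleDisconnect   = []byte{0x03, 0x00, 0x00, 0x09, 0x02, 0xf0, 0x80, 0x21, 0x80}                                     // rn-user-requested
)

func main() {
	for name, pkt := range map[string][]byte{"accepted": SampleJoinAccepted, "rejected": SampleJoinRejected, "dpu": SampleDisconnect} {
		ev := Evidence{IoChannelJoinConfirmReceived: true}
		out := Classify(1005, pkt, &ev)
		js, _ := EvidenceJSON(ev)
		fmt.Printf("%-8s -> %s %s\n", name, out, js)
	}
}
```

Note that a ChannelJoinConfirm with rt-successful but a channelId other than the one requested is deliberately left INDETERMINATE: the page's rule only defines VULNERABLE for the exact rebind and PATCHED for an explicit rejection, and widening either bucket would silently turn an unexpected server into a false verdict.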