The effort to execute the exploit out of the box, with default settings on known targets is not that high. It’s important to note that to exploit this reliably in atypical scenarios you need to know a bit more detail of the target, including what hypervisor it may be running on.

Like some others have said, this requires an understanding of your targets Host devices in order to generate a reliable exploit. This involves identifying the Start address of the NonPageedPool and plugging this into the existing metasploit module.

With a large number of cloud-based resources this is perhaps a little easier to exploit than enterprise desktops.

An example against AWS hosted windows appliances works something like this.

• Spin up your own AWS Instance.
  
• Use Memory Dump tool like WinPMem to grab a memory image.
  
• Transfer mem dump to a machine running the rekall memory forensics tool
  
• Run the pools plugin to get the address.
  

This offset will work against any instance in this region started from that same base AMI.

What a pain to make it work generally across different versions! The work put into this will be foundational for future exploit development around RDP and Windows kernel exploitation in general.

It is a scary vuln, and you should patch immediately. As no PoC is out, don’t trust the patch entirely and limit exposure to critical systems.

This vuln is important to focus attention to. Pre-auth RCE on a likely large target base is very dangerous.

This vulnerability may seem very useful, it is probably as interesting as other RCEs affecting Microsoft Windows OSes, however public exploits rely on the existence of a registry key (fDisableCam) not being present by default (it has to be manually created) thus not found in enterprise networks.

Watch this one for details. In the meantime, if you can’t patch, then block TCP/3389 (or whatever port you might be mapping RDP to), enable Network Level Authentication (NLA), or disable RDP.

This exploit is critical. RDP is ubiquitous in corporate settings, which are the most likely to have older Operating Systems deployed. That issue is complicated by the general reasoning that most older Operating systems are there to support legacy equipment and are less likely to receive automated patching.

EDIT (24-July-2019): Welp, we’ve heard lots of researchers say they’re privately holding onto PoCs, but now PoCs and details are starting to surface. It won’t be long until this one is easily weaponized, and I’m willing to bet it’s being used in the wild, if only in selected cases.

Some of the gotchas on patching this vuln:

• Not restarting the vulnerable asset, even after you apply the patch, keeps the asset vulnerable. Must restart.
  
• There have been cases where even with the patch reported as being installed, files on disk were vulnerable, manually checking termdd.sys, the file is normally located at C:\Windows\System32\drivers and the version retrieved with this powershell command:
  

get-item -Path ‘C:\Windows\System32\drivers\termdd.sys’ | Format-List -Force

Due to public exploits being flaky and sometimes resulting in a Blue Screen on the victim, this exploit is still somewhat difficult to always replicate. If you have paid tools that have better versions of the exploit, it’s more reliable.

The fact that an exploit is included in newer versions of metasploit massively lowers the bar for being able to exploit this vulnerability.

The damage potential is astronomical as there are so many machines that expose RDP to the internet.

CVE-2019-0708 has supposively been exploited in the wild by Chinese state actors according to the NSA announcement at https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

Exploited by North Korean state-sponsored attackers according to a July 2024 bulletin from multiple U.S. government agencies: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a