Eternal Exploits: Reverse Engineering of FuzzBuncg and MS17-010

Video thumbnail (Frame 0) Video thumbnail (Frame 2102) Video thumbnail (Frame 3577) Video thumbnail (Frame 5232) Video thumbnail (Frame 7480) Video thumbnail (Frame 9362) Video thumbnail (Frame 11047) Video thumbnail (Frame 12307) Video thumbnail (Frame 14506) Video thumbnail (Frame 15867) Video thumbnail (Frame 17026) Video thumbnail (Frame 18800) Video thumbnail (Frame 21155) Video thumbnail (Frame 22778) Video thumbnail (Frame 25522) Video thumbnail (Frame 26562) Video thumbnail (Frame 27822) Video thumbnail (Frame 30380) Video thumbnail (Frame 31792) Video thumbnail (Frame 33107) Video thumbnail (Frame 34392) Video thumbnail (Frame 36483) Video thumbnail (Frame 39227) Video thumbnail (Frame 41153) Video thumbnail (Frame 43367) Video thumbnail (Frame 45261) Video thumbnail (Frame 46484) Video thumbnail (Frame 48276) Video thumbnail (Frame 49505) Video thumbnail (Frame 51192) Video thumbnail (Frame 52494) Video thumbnail (Frame 53837) Video thumbnail (Frame 54833) Video thumbnail (Frame 56738) Video thumbnail (Frame 58269) Video thumbnail (Frame 60482) Video thumbnail (Frame 62165) Video thumbnail (Frame 63530) Video thumbnail (Frame 64822) Video thumbnail (Frame 66243) Video thumbnail (Frame 67709) Video thumbnail (Frame 70438) Video thumbnail (Frame 71946)
Video in TIB AV-Portal: Eternal Exploits: Reverse Engineering of FuzzBuncg and MS17-010

Formal Metadata

Title
Eternal Exploits: Reverse Engineering of FuzzBuncg and MS17-010
Alternative Title
Demystifying MS17 010 Reverse Engineering the ETERNAL Exploits
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
MS17-010 is the most important patch in the history of operating systems, fixing remote code execution vulnerabilities in the world of modern Windows. The ETERNAL exploits, written by the Equation Group and dumped by the Shadow Brokers, have been used in the most damaging cyber attacks in computing history: WannaCry, NotPetya, Olympic Destroyer, and many others. Yet, how these complicated exploits work has not been made clear to most. This is due to the ETERNAL exploits taking advantage of undocumented features of the Windows kernel and the esoteric SMBv1 protocol. This talk will condense years of research into Windows internals and the SMBv1 protocol driver. Descriptions of full reverse engineering of internal structures and all historical background info needed to understand how the exploit chains for ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY work will be provided. This talk will also describe how the MS17-010 patch fixed the vulnerabilities, and identify additional vulnerabilities that were patched around the same time.
Information Weight Ultraviolet photoelectron spectroscopy Exploit (computer security) Exploit (computer security) Word Gastropod shell Video game Right angle Software testing Summierbarkeit Vulnerability (computing) Reverse engineering
Trail Presentation of a group Group action Multiplication sign Exploit (computer security) Bit Dynamic random-access memory Exploit (computer security) Message passing Process (computing) Hooking Hacker (term) Operator (mathematics) Acoustic shadow Nichtlineares Gleichungssystem Service-oriented architecture
Execution unit Building Server (computing) Real number Exploit (computer security) Term (mathematics) Exploit (computer security) Product (business) Neuroinformatik Revision control Data management Integrated development environment Physical law Remote procedure call Block (periodic table) Communications protocol Message passing Communications protocol Window Vulnerability (computing)
Email Dialect Server (computing) Computer file Strut Parameter (computer programming) Field (computer science) Number Attribute grammar Revision control Sign (mathematics) Flag Data structure Error message Dependent and independent variables Block (periodic table) Computer program Parameter (computer programming) Computer network Bit Group action Opcode Exploit (computer security) Unicode Message passing Process (computing) Network topology Block (periodic table) Form (programming)
Slide rule Context awareness Dependent and independent variables Existential quantification Server (computing) Multiplication Thread (computing) Multiplication sign Device driver Bit Type theory Software Different (Kate Ryan album) Computer science Queue (abstract data type) Lastteilung Pattern language Data structure Vulnerability (computing)
Point (geometry) Domain name Dialect Server (computing) Dependent and independent variables Boolean algebra Service (economics) Device driver Maxima and minima Client (computing) Database transaction Connected space Pointer (computer programming) Software Network topology Buffer solution Data structure Message passing Library (computing)
Dependent and independent variables Server (computing) Functional (mathematics) Service (economics) Variety (linguistics) Shared memory Database transaction Bit Mereology RAID Interprozesskommunikation Login Exploit (computer security) Interprozesskommunikation Subset Network topology
Email Addition Server (computing) Functional (mathematics) Block (periodic table) Parameter (computer programming) Database transaction Parameter (computer programming) Number Message passing Different (Kate Ryan album) Bloch wave Remote procedure call Data conversion Block (periodic table) Table (information) Communications protocol
Trail Server (computing) Dependent and independent variables Block (periodic table) Displacement Mapping Displacement Mapping Counting Parameter (computer programming) Database transaction Total S.A. Maxima and minima Parameter (computer programming) Client (computing) Counting Mereology Database transaction Field (computer science) Process (computing) Military operation Buffer solution Hill differential equation Block (periodic table)
Server (computing) Functional (mathematics) Random number generation Computer file Multiplication sign MIDI 1 (number) Maxima and minima Device driver Parameter (computer programming) Client (computing) Field (computer science) Number Semiconductor memory Data structure Resource allocation Error message Information Electronic mailing list Plastikkarte Database transaction Maxima and minima Symbol table Connected space Prime ideal Process (computing) Pointer (computer programming) Network topology Buffer solution Hill differential equation Very long instruction word
Sensitivity analysis Execution unit Computer file Public-key cryptography Metadata Attribute grammar Data stream Exterior algebra Personal digital assistant File system Data structure Extension (kinesiology) Window Physical system
Server (computing) Functional (mathematics) Length Code Valuation (algebra) Client (computing) Field (computer science) Attribute grammar Software bug Word Semiconductor memory String (computer science) File system Flag Data structure Addressing mode Extension (kinesiology) Vulnerability (computing) Electronic mailing list Data storage device Counting Bit Line (geometry) Flow separation Mikroarchitektur Arithmetic mean Word Loop (music) Software Buffer solution Window
Word Validity (statistics) Buffer solution Electronic mailing list Counting Integer
Functional (mathematics) Parsing Code Length Decimal Electronic mailing list Bit 8 (number) Word Crash (computing) Pointer (computer programming) Buffer solution Flag Data conversion Alpha (investment) Buffer overflow Vulnerability (computing) Spacetime Buffer overflow
Default (computer science) Server (computing) Functional (mathematics) Just-in-Time-Compiler Computer file View (database) Electronic mailing list Bit Electronic mailing list Parameter (computer programming) Arm Software bug Attribute grammar Sign (mathematics) Crash (computing) Addressing mode Extension (kinesiology) Error message Buffer overflow
Chord (peer-to-peer) Freeware Table (information) Branch (computer science) Open set Parameter (computer programming) Database transaction Software bug Word Term (mathematics) Semiconductor memory Flag Extension (kinesiology) Resource allocation Information security Vulnerability (computing) Vulnerability (computing) Block (periodic table) Database transaction Exploit (computer security) Connected space Word Convex hull Information security Table (information) Window Extension (kinesiology) Flag
Server (computing) Voltmeter Software bug Expected value Read-only memory Semiconductor memory Buffer solution Intrusion detection system Computer network Data structure Traffic reporting Resource allocation Proxy server Email Block (periodic table) Forcing (mathematics) Electronic mailing list Computer network Database transaction Exploit (computer security) Connected space Process (computing) Resource allocation Software Buffer solution Hill differential equation Convex hull Right angle Buffer overflow Window
Point (geometry) Slide rule Default (computer science) Functional (mathematics) Multiplication sign Programmable read-only memory Memory management Electronic mailing list Dynamic random-access memory Connected space Revision control Virtual memory Pointer (computer programming) Oval Semiconductor memory Buffer solution Gastropod shell Data structure Table (information) Window Address space
Point (geometry) Web page Pulse (signal processing) Group action Functional (mathematics) System call Multiplication sign Patch (Unix) Stack (abstract data type) Magnetic stripe card Hooking Semiconductor memory Befehlsprozessor Operator (mathematics) Memory management Energy level Backdoor (computing) Code Database transaction Multilateration System call Hooking Kernel (computing) Normal (geometry) Table (information) Asynchronous Transfer Mode Library (computing)
Server (computing) Computer file Parameter (computer programming) 8 (number) Database transaction Coprocessor Software bug Revision control Mechanism design Different (Kate Ryan album) Synchronization Single-precision floating-point format Core dump Address space Condition number Information Validity (statistics) Database transaction Bit Leak Exploit (computer security) Kernel (computing) Order (biology) Remote procedure call Communications protocol Window
Personal identification number Validity (statistics) Principal ideal domain MIDI Fitness function Counting Water vapor Database transaction Maxima and minima Mereology Infinity Counting Database transaction Resource allocation Personal digital assistant Buffer solution Queue (abstract data type) Hill differential equation Data buffer
Thread (computing) Information Block (periodic table) Code Multiplication sign Displacement Mapping Civil engineering Database transaction Parameter (computer programming) Mereology Thread (computing) Variable (mathematics) Attribute grammar Pointer (computer programming) Query language Queue (abstract data type) Normal (geometry) Extension (kinesiology) Local ring HTTP cookie Address space
Area Point (geometry) Default (computer science) Code Multiplication sign Displacement Mapping Database transaction Parameter (computer programming) Sequence Exploit (computer security) 2 (number) Query language Queue (abstract data type) Convex hull Address space Condition number Gradient descent
Point (geometry) Ocean current Email Dataflow Functional (mathematics) Game controller Identifiability Thread (computing) Computer file Code Patch (Unix) Electronic mailing list Raw image format Database transaction Coprocessor Writing Oval Computer worm Information Data structure Resource allocation Loop (music) Address space Electronic mailing list Database transaction Thread (computing) Connected space Subject indexing Loop (music) Kernel (computing) Pointer (computer programming) Right angle Electric current Computer worm Asynchronous Transfer Mode
Server (computing) Computer file Principal ideal domain MIDI Database transaction Counting Database transaction Sequence Medical imaging Subject indexing Type theory Pointer (computer programming) Normal (geometry) Data buffer
Shift operator Information Displacement Mapping Electronic mailing list Counting Database transaction Maxima and minima Client (computing) Parameter (computer programming) Counting Database transaction Leak Software bug Leak Pointer (computer programming) Kernel (computing) Buffer solution Data buffer Address space
Freeware Service (economics) Memory management Device driver Barrelled space Database transaction BEEP Database transaction Exploit (computer security) Revision control Read-only memory Personal digital assistant Semiconductor memory Memory management Window
Web page Point (geometry) Slide rule Shift operator Freeware 1 (number) Memory management Barrelled space Bit Shift operator Exploit (computer security) Revision control Process (computing) Pointer (computer programming) Read-only memory Different (Kate Ryan album) Semiconductor memory Memory management Revision control Normal (geometry) Window Spacetime
Point (geometry) Shift operator Context awareness Dependent and independent variables Block (periodic table) Multiplication sign Content (media) Counting Plastikkarte Database transaction Primitive (album) Parameter (computer programming) Database transaction Leak Type theory Uniform resource locator Mathematics Pointer (computer programming) Semiconductor memory Buffer solution Address space Reading (process) Writing
Execution unit Service (economics) Sheaf (mathematics) Device driver Counting Price index Database transaction Parameter (computer programming) Connected space Similarity (geometry) Pointer (computer programming) Hooking Word Pointer (computer programming) Semiconductor memory Function (mathematics) Convex hull Table (information) Address space Wide area network
Server (computing) Link (knot theory) Information Patch (Unix) Counting Maxima and minima Database transaction Parameter (computer programming) Database transaction Leak Proper map Leak Resource allocation Different (Kate Ryan album) Summierbarkeit Information Belegleser Resource allocation Error message
Code Patch (Unix) Maxima and minima Counting Database transaction Client (computing) Database transaction Airy function Leak Subject indexing Pointer (computer programming) Buffer solution Information Remote procedure call
Email Functional (mathematics) Thread (computing) Code Multiplication sign 1 (number) Sheaf (mathematics) Primitive (album) Disk read-and-write head Leak Pointer (computer programming) Read-only memory Semiconductor memory Gastropod shell Queue (abstract data type) Information Process (computing) Data structure Address space Data type Email Information Web page Electronic mailing list Leak Connected space Process (computing) Kernel (computing) Sheaf (mathematics) Rewriting Interrupt <Informatik> Normal (geometry) Reading (process) Buffer overflow Window
Greatest element MUD Dependent and independent variables Code Electronic mailing list Similarity (geometry) Mereology Goodness of fit Software repository File archiver Energy level Quicksort Acoustic shadow Service-oriented architecture Game theory
up on stage we have a returning goon who wants to demystify some some vulnerabilities and why they're mystifying I don't know I don't understand the words in front of me but reverse engineering the eternal exploits who's excited about this I see the room is getting pretty packed life there's people alive in here that's wonderful all right with no further delay I'm gonna hand it over to zero sum zero X zero thanks everyone for coming so from a show of hands how many people pop the shell with m/s 1710 and over the past year and a half yeah how many people are finding it everywhere right how many people helped with wanna cry and net pitch and the clean ups of those right yeah yeah it's a like I've said it's been a year and a half since they got introduced we're still finding them everywhere on our red team it's a path to glory our pen tests before I do get started this is top secret information classified on we don't know exactly what it is but it's allegedly from the NSA stolen from the NSA so if you have a clearance Francis ckers it was a dirty car last year you give it talk on dander spirits and he gave a
disclaimer so I thought I would give one too so everyone leaving the room right now as a Fed and I should keep track of their names and it all stuck for 45 minutes so I did have to cut a lot from this presentation that I wanted to go over just because of time the gun probably will hook me off stage and a little bit here but hopefully we can get through it so if anyone's not aware the equation group is the tailored access operations a former department at the NSA that wrote a bunch of exploits and they've never really gotten a lot of public credit but just like hacker to hacker and all the politics and everything aside and just looking at the technicals it's a very talented team and so they deserve a lot of credit and then the shadow brokers we don't really know who they are
there's some evidence that they might be Russia they claim they're an inside job if you read their messages but they came
around and started dumping these exploits about a year and a half ago over the course of you know a couple of years it's been going on but then pretty quiet for the past year so though so I'm gonna try and get through S&B internals real quick and then we can get into the eternal exploits which are all SMB v1 vulnerabilities so SMB was
invented in 1983 by a guy named Barry Feigenbaum at IBM he also worked on the NetBIOS RFC's and stuff like that we originally saw it's there was a product from Microsoft called land manager it was later built into Windows and pretty much all modern versions of Windows have SMB built in and it's a very extensible protocol so you can build things on top of it and so that's where we get things like PS exec running on top of the distributed computing environments remote procedure call using s and B as a transport so SMB v1 looks this is kind
of the packet layout that you would expect to see from a normal s and B a well-formed SMB so normally you'll send a message block request and then if the server processes that request it'll send you a s and B reply so both replies and responses look very similar they have a command which is like the opcode hundreds of commands in SMB v1 there's a Flags field which tells you is this a request or reply are we talking unicode that kind of thing if you're getting a response from the server and it wasn't able to process that SMB there was an error it'll set an error number for you this is also where SMB signing is located and then there's the user ID tree ID process ID a multiplex ID which we will talk a little bit more about later an SMB also has a parameter block so depending on what that opcode there's gonna be a structure associated with that opcode and that's generally where the it's going to have that structure to end up and the parameter block so it's a fixed size depending on the opcode usually then datablock is just arbitrary data associated with the command so if you think about it this way if you're like creating a file your command is like create file or whatever the parameter block will be like the file name attributes and then the data block would be like the file data if you want to think about it that it's kind of an oversimplification but it works so
SMB v1 has DLC so the later version you have the more features you unlock pretty much all of these features have been available in the latest version since their earliest versions of NT so you'll have to worry about it all these exploits they date back to the early 90s before NT was really officially even released and late eighties so the main
driver that all these vulnerabilities are going to be in is the serbs the dot sister Ivor which is the SMB b1 driver those have done those who have done a low-level high concurrent networking will be familiar with a pattern called load balancer and so what you're doing is you have producers taking the network traffic and then consumer threads that are eating that traffic so we're working with queues from computer science you know first-in first-out container and this is because SNB is designed for speed and what you're actually producing and consuming are these things called work context which is so there's hundreds of s and B's and all of them
can be kind of pigeon-holed into this mega C structure called a work context and that's what's being processed but the really important thing to note on this slide is that when the server receives a s and B requests and it's going to process the response to you an SMB could be sent to the back of the queue multiple times while it's being processed and so there's two different types of cues there's the normal queue coming off the network and then if something's gonna take a really long time it'll get sent to a blocking work queue
in Vista they introduced SMB to and they took they stripped the networking portion out of the service driver and put it in a driver called Serb net dot sis so this is what's actually binding the SMB ports and then served up this and served to dot sis come along and they register callbacks with that driver and so when network traffic comes in they inspect the s and B and they're like that looks like s and B one my driver can process that and that happens
there's only a few s and BS that are
Ventris in the negotiate stage we pick our s and B dialect is at ntlm or Cairo and the server will make this connection struct later when we go to login it's called a session setup the server will create this structure called a session it will have a pointer to that connection it also have our user name or user domain at this point the server will assign us a user ID and when we login when we do the session setup we tell the server a max buffer size that our SMB client is able to process so we say if a s and B response is going to be bigger than this max buffer size send it to us in a multi-part SMB and so mainly
what you're doing with SMB is connecting to trees which are basically shares there's one that we're going to be connecting to and all these exploits that I mean you can connect any tree but the one that's usually open for anonymous logins is the inter process communication share and when you connect to a tree like that IPC share the service I need a tree ID so now I'm
gonna talk about transactions whereas which are a special subset of SMBs that are what all these exploits take advantage of so a transaction you can think of it it's like an eye octal they perform a variety of functions most of them are system-based but what's interesting about transactions is they can be split apart across multiple s and B's so you'll send the primary transaction it'll be I have you know this much data to send you the server will send an interim response saying okay I accept that send me the rest of it then you'll send a bunch of secondary transactions filling out that whatever data you say you're going to be sending and then when it finally gets all of them that's when it's going to process and send a response to you which can be broken up as well but it's kind of like a database transaction you know like it's an atomic thing as soon as that last secondary transaction comes in that's that's when it's going to be processed so a
transaction is kind of like a message block inside of the server message blocks so in addition to the SMB parameter block in the SMB data block you'll also have the transaction parameter block and the transaction data lock there's different types of
transactions over the years so trans and trans one as I might refer to it is old stuff like null slots and number remote access protocol trans - introduced support for greater than the old da style 8.3 short names and you'll see a lot of os/2 - NP conversion stuff in there and then NT trans the parameter and data block sizes were changed from shorts to Long's so that's the major difference there and they all have different dispatch tables that perform different functions so when you send a primary
transaction you'll have the parameter offset and the data offset as part of that SMB and that just tells the server how far into that s and B the trans data and parameter blocks actually begin there'll be a count so that's how much data and parameter you're sending per this SNP total count is how much we're expecting between all primary and secondary SMBs transaction s and B's and then the max count is we're telling the server if you're going to send us a reply for this transaction this is the buffer size that we're going to reserve for that response so don't send us more than that when we send our secondary
transactions a lot of the fields are the same except for now there's a displacement field and that's so as we're sending you know piecemeal transaction data we need to tell the server where in the buffer it needs to write this packet because it's not keeping track of that that's our job to do as a client part of the problem really and so when you do create a
transaction when you send a primary transaction the server will create a transaction structure you can see we have pointers to our connection our session and our tree connect then you'll see we have buffers for the incoming parameters the outgoing parameters the incoming data and the outgoing data a lot of times the server will reuse the same buffers so the request buffer it's you know smart about it it doesn't make to allocation it's not always but sometimes and then you'll see a transaction also has a tree ID a process ID and a user ID so I talked about user ID and tree ID but process ID is just our client saying any random number really but that's like our process so
when we allocate everyone send a primary transaction the server will call a function called serve allocate transaction and yeah and the nice thing about this driver is a lot of the symbol names are available through PDB files on the TechNet servers so it'll allocate a transaction generally the minimum size is going to be LX 5,000 and the reason for that is it's going to grab it from a memory look side list not always and then the maximum allocation size is going to be Oh X 10 400 generally otherwise we'll get a error saying you try to make a transaction that's too big when we send secondary transactions that transaction is already allocated so it's going to go call the function to find transaction and it's gonna look it up by our user ID our tree ID our process ID and then we have this other info field which is generally going to be a multiplex ID which is just another random number that we can send as the client and that lets us have multiple transactions going and the server know which ones we're actually talking about when we send transaction packets another thing to notice is that all of these structures I talked about our reference counted so if you want to think about it like like C++ smart pointers only like done and see when you reference it number goes up when you dereference it goes down and then eventually when you hit zero it gets freed automatically and
so that should be enough background so
there's a concept with files called extended attributes and so this is just name value key pairs metadata attached to files the concept was introduced in os/2 1.2 which is an old Microsoft IBM operating system they had the high performance file system Windows NT we don't really see extended attributes that much anymore there's a thing called alternate data streams which most malware analysts are probably aware of but one thing I was reading a modern use of extended attributes is for the windows subsystem for Linux they use it to store like file permissions and case sensitivity data and then in SMB parlance there's fee and ghee so if he means the structure has both name and value and ghee over full extended attribute and then ghee is a good extended attribute which is just the name so you might send a ghee to get a fee so here's what the os/2 fee
structure looks like it starts with the flags field which is either 0 or 80 0 means this fee or this extended attributes not really that important Aleksei T means if you're going to copy this to a file system that doesn't know extended attributes think twice because it's an important extent attribute and then it has a count of bytes for the name field and that accounted by to the value field then immediately following that it'll have a buffer or it'll store the name field which is a C string so it's not terminated and then the value is not null terminated because it can be just arbitrary binary data but a one extended attribute by itself isn't very useful so you usually find them in a fee list so this structure has the count of bytes of the entire list and then a bunch of those fee and then you can get the size of the fee its name plus its value plus the size of the structure and you can loop over this Fila structure and read each individual fee with Windows NT they they added extended attributes but they changed the structure a little bit so you see we still have flags we still have a name length and we still have a value length and then we have the name buffer and the value buffer afterwards and then there's an alignment they align it to D word I guess certain maybe certain CPU architectures they wanted to support need of that alignment or something but there is no separate fee list structure there's just this next entry offset so you parse a list of fees until that next entry offset is zero so parsing it's a
little different here's this side of the bug of eternal blue the main bug in ways what this function is doing is it's calculating when we send a OS to free list over the network the server needs to convert that into an NT fee list so this is just calculating how much size that needs to preserve in memory and then on that vulnerable line of code what it's doing is if the size of our os/2 feet list that we sent is bad it's going to try and fix it for us I don't know why it doesn't just reject the packet there and might be supporting older clients or something but I
mentioned that the count of bytes of the fee list is au long what you saw there was it's putting it into a you short so it's casting it
wrong so if I as an attacker say here's how X ten thousand bytes of V list then my high D word is set when the that function comes along and it says oh I only see FF ID valid felis there when it casts incorrectly you'll see that that high D word is still set and the sighted thinks the size of the buffer is bigger than it really is and then when it calculates the size that it needs to reserve from the NT buffer it's only going from the from the correct casted variable but here's what
it looks like in code most people are probably familiar with x86 x64 you can see that we're working with D word registers and then at the side of the vulnerability it's moving a word pointer
so I'm gonna explain the same thing just a little bit more clear here so as an attacker I'm supplying this fee list in an SMB and I say here's my Oh X 10,000 sized fee list then you'll see there's a bunch of what I'm referring to is null fee and that's just where the name and the value were both 0 it's an exercise for you to figure out why that would be the most efficient way but basically 5 bytes of OS 2 feet here become 12 bytes of NT fee cuz there's more data and T fee and so this really is the most efficient way to pack it but then as its parsing through all the fees it gets to the end of this buffalo overflow fee and it sees that the start of that fee plus the length of that fee exceeds the list the CB list size that ro x 10000 so it says I'm gonna do a great job and correct that for you and then I'm going to reserve an NT buffer so then in another function after these buffer sizes have being calculated it's going to go through and it's going to copy each fee one by one doing the conversion to NT feed and then when it gets to that buffalo over be it's gonna exceed that buffer and then you can see if we keep copying we're gonna hit unallocated space and crash the target so we can send an invalid fee that's just where the flags are not zero or eighty and when we send
that we'll get a SMB error from the server that's invalid parameter and so that's a really good sign for us that means that the overflow fee happened we didn't crash immediately you know we may not be Gucci but it might still crash later but so we're looking for the path
of least resistance to trigger this bug some some of the functions that call these vulnerable functions require a little bit more access or access to name pipes so this trans to open to is the best way to do it you're opening a file but you're also creating one that's and you can see that it takes a extended attributes list for that and so you can set most of this packet or this S&B to just saying default values and then put your exploit view list there another
thing another bug like I said we're sending a greater than no extent data but with a trans to request data and parameter blocks are only word sized so what's going on here if you look at the wireshark capture its first opening with an entity primary transaction and then it's sending trans to secondary transactions so the bug is it doesn't matter what your primary transaction is it doesn't matter what your secondary transactions are except for that last one when the transaction gets executed that's when it's going to choose the dispatch table so we can reserve since ng allows us to do D word sized parameter in data blocks that's we can use this to help us trigger the bug
there's another problem with such and set up allocations so there's many different ways to log into SMB at least two ways or NC security and extended security and depending on the flags of the SMB you can actually confuse the server and it'll read from the wrong offset where it should be allocating the size of that SMB stay to block so this bug doesn't really let you do much in terms of exploitation it does help you groom the pool which we're going to get into but basically let's just reserve a large amount of memory and then if we close that connection it'll free that memory immediately and this is still in the master branch of Windows pretty sure they still haven't fixed it but like that's not really a vulnerability it's just weird quirk so
now we have all the ingredients we need for eternal blue we have the exploit connection so we're going to opening many connections to the server during the expectation process on one connection we're gonna be setting the exploit on different connections we're going to be sending that session setup bug that lets this reserved large amounts memory and we're going to make it allocation and a whole connection and then what we're actually going to try and overflow into is a serve net this net work buffer so when served net dot cissie's network traffic it's not just a buffer right it's the structure and then a buffer that follows it and we're trying to overflow into that structure at least for Windows 7 Windows 10 again still weak but we're going to send primary grooms secondary grooms they look like SMB two packets us there was a little confusion and the early reporting that some of these bugs were SMB two and three they're all SMB one but it's before like serve Nets does callbacks and either serve two or serve one handle it the only thing that I've seen a credible claim is that it might be an IDs bypass because eventually after we overflow these serve net structures we're going to send them to the shellcode and all that over it so maybe if it looks like SMB two that was an attempt at an IDs bypass so before we
start the exploitation process there's a serve net the network buffers they have lookaside memory and then there's just me random stuff in the pool the first step is we're going to send our primary exploit transaction and all of the exploit transactions with the fee list in it except for the last one so nothing really going on a memory yet just as soon as we send that last transaction it'll trigger the bug and do the overflow we don't want to do it yet so you haven't groomed the pool then we're going to send the initial groom's so these are just basically naked SMB it's before either SMB one or two takes over and what we're trying to do here is force new pool allocations then we send open a new connection with the that allocation bug we won't we were going to reserve a large memory block but it's not going to be the same size as our incorrectly calculated NT buffer we're gonna send a whole buffer so this is the exact same size that the NT fee buffer eventually the incorrect size is we want it to fit in this hole next we're gonna close the allocation connection this let's just random stuff in the pool come along and allocate memory without messing up our exploitation process then we're going to send the secondary graham's look exactly like the primary Grim's we're just hoping that one ends up after the whole connection there and then we're gonna free the whole connection and we're gonna send the last exploit transaction and that's going to think it can fit in that hole and then during the memory copy when it's parsing all the fee it's going to overflow into the headers of the next so what are we
actually overflowing here like I said it's not just a buffer there's a structure a couple structures you'll see there's a MDL which is a memory descriptor list it's a common NT structure that lets you map virtual memory to physical memory so we can overwrite that one of those MBL's and depending what address we get it that's a right what we're primitive once we overwrite that NDL any network traffic we send over that connection instead of going to the buffer it's going to go to wherever we over wrote so the hal heap until the the very latest versions Windows 10 they were not a SLR and on Windows 7 it's not DEP either and then you'll see we are also overflowing a pointer to this wsk windsock structure we've point that pointer at the hal heap as well and then we send a fake structure which I'll do it on the next slide then we also send our shellcode at this time so that fake structure that we over wrote has a function table as the most important member that we're worried about everything else same defaults now
way so we send the shellcode to all of those primary grooms and secondary grooms are all separate connections we don't know which one actually got overflowed to the right what we're primitive so we closed all the Grimm connections and then they're going to go through and they're going to call these handlers for when the connection closes and eventually it's going to hit the function table which we have conveniently pointed the cleanup function the point at the address of the shellcode which is on the hal heap but
it's still not that simple because in eternal blue at that point we're operating at dispatch level in the kernel which means that a lot of common functionality libraries and stuff or functions exported are off-limits because we don't have access to things like paged memory so one of the quickest and dirtiest ways that you can get from dispatch level two passive level is to hook the syscall table then the next time a sis call happens instead of going to the normal Cisco handler it'll come to our function will transition gracefully from user mode you know we'll set up the kernel stack and all that and then we'll run the main stage right the double pulse our backdoor which is going to backdoor the serve transaction to dispatch table and then after we're done running double pulsar we will restore the Cisco Handler and I'm gonna go into the little pulsar
a little bit later but basically here's the patch they just fix that cast from a short to long pretty straightforward and yeah all these are patches or one-liners
so eternal champion transactions if I try to send secondary transactions after transactions already executing that'll have this executing bullying locking mechanism set so before it executes the transaction it's going to set that locked variable to true and then if I send a secondary it's just going to reject it except if I have a primary transaction where I send all of my data and parameter in one primary transaction I don't really need a secondary transaction the bug is they forgot to set that lock so then while that transaction is executing we can come on by and since secondary transactions and actually modify the data of that primary transaction so this gives us an info leak on a single core processor and then there's a stack overwrite that seems to only be triggered on multi-core and I believe it's eternal champion because champions win races and this is basically a race condition so in order
to perform the exploitation we need to leak a transaction we need kernel addresses that kind of thing so there's another so the first thing we can do with this race condition is we can look for an SMB which echoes dated back on older versions of Windows the remote access protocol has a double unite account sync and that server genome to those little echo data back to us on every version of the NT you have ends he renamed the only difference is that that requires a valid file ID so you have to open a name pipe and so there's a little bit more permissions associated with that but basically all we're going to do is we're going to send a primary transaction where the data is greater
than
Jesus sorry I spilled some water up here
just in case you needed a quick review
so we send a primary transaction where the amount of data in that is greater than when we logged in with the session setup we told it it's max buffer size that we can expect for a reply so the amount of data is to echo back to us can't fit in one reply so it's going to send it to the back of a work queue and then while it gets sent to the back of the work queue we can have another secondary transaction come in and modify the amount of data the data count on it and then just because there's bad validation this does let us when it goes to read data back to us it'll read pass the buffer into another transaction so
here's the code execution path so there's a transaction I believe to called query path information and part of its parameter block has a sub command so the first step we're going to do with that sub command is we're going to say I want to query an extended attribute size and that's going to send us to the back of a blocking work queue so when we send secondary transactions we're on a normal work queue and then the transaction is also being processed on a blocking work queue the second step is so after we've triggered that we have another transactions and secondary come by that modifies the parameter block of the transaction parameter block and then we change the subcommander is named valid and this is pointing at a stack variable now it changes our end data pointer to a stack variable and so with that end data
pointer appointed a stack variable using data displacement we can get past things like stack Canaries and stuff and we can overwrite our return address to our worker thread with a secondary transaction sorry run low on time
already so basically when we send the sexploitation sequence it's going to be a descent SMBs and one TCP packet the first one is going to be that query a size primary with all the data and all the parameter and so that's going to cause the blocking work queue to be true and then we're going to send transactions second area that changes it to the his name ballad sub-command which is making a point at a stack variable and then we're going to send six transaction to secondaries with a data displacement that's going to overwrite the return address but it's race condition so we send eight packets per exploitation attempt so we attempt we see if double pulsar has been installed and if it hasn't we run at forty two times by default when we get code
execution on a DEP thing if the thing has depth will search the connection transaction list we're looking for a special identifiers at the start of one transaction and so this is basically an egg hunter so we're gonna store the shellcode at this point we have access to allocation functions of the pool so we will copy the payload from that egg and then run it then we will increment the amount of available threads on one of the structures that we get passed into our flow code and then we can resume execution with a little NP magic so there's the processor control region which is a global variable and the kernel just going from there we can get to the current thread start address and then just jump to it and resume execution and the worker thread loop so
here's the patch for eternal champion this is primary transaction if all data was received it began executing the transaction after the patch it set that executing very cool just true that's it so I talked about when secondary transactions come by instead of allocating a transaction it's looking up a transaction generally it's going to be a randomly generated multiplex ID but there's a special SMB called a right index and if you open it a file in raw mode with right index it makes a transaction instead of whatever they do for everything else and with essen and with this weird pseudo transaction that's not really a transaction as they're copying data that you're sending to write to that file they'll increment the end data pointer of the transaction
so we can cause the type confusion sequence here so we do NT create index for opening an image pipe the server assigns us a file ID then we're going to
create just a normal everyday transaction nothing special but we're going to set our multiplex ID to the same as that file ID that just got assigned by the server and so it's got a servers gonna allocate a transaction then we're gonna do that right index
request with the F ID it's going to see oh yeah there's a transaction I was a transaction there and it's going to increment that data that end data buffer pointer so this is going to allow us to
shift the pointer so what we're gonna do
first is we're gonna groom the pool so there's an exploit transaction and then a victim transaction right after it normally our transaction end data pointer will only be able to using displacement and all that we can only access our our data buffer but after we do the the shift that pointer got incremented so if we send a secondary transaction now we can write passed our buffer so there's another bug that let's
just get an info leak because again we need kernel address is that kind of thing so normally trans peek named pipe you just peek in a named pipe it expects the next parameter count to be 16 but it takes the client value so if we are allocating from a lookaside list we can set that next parameter count most of that o X 5,000 and then we'll set the max data count to 1 you know just a really tiny value then because there's bad checking and the way that it writes where it writes the data when you're peeking that name pipe basically if we can put greater than 1 data to be caused into that named pipe then it'll be it'll just read pass the buffer when it replies to us so there's different ways
that we can groom the pool fish in a
barrel affects older versions of Windows think it's up through Vista but basically what it was doing is when service driver started up it would create a pre-allocated heap and so with a pre-allocated chunk of memory we're not fighting other drivers and stuff we're not going to the pool so it's really convenient it's also great because this private heap is only for very specific MS wrapped transactions which are very rarely used these days so it's a very straightforward beep Punk's way this what it looks like we're sending victim transactions they're called fish and then we have a dynamite which is just a transaction that with the mid-40s and another dynamite case the first one failed for whatever reason so it'll just grew in the pool that way and then attempt exploitation matched
pairs is all versions of Windows including seven plus so when they remove fish in a barrel that private heap you still have this groom available the only difference is that instead of having that private heap that no one's using now we have to go to the normal page pool which is what everybody every process everybody everybody wants page pool so it's very contentious so this is
a little oversimplification just for time and space of the slide but we're gonna send these grim transactions and they're going to take up pretty much as much as they can of several pages and then on that last page it's going to leave a little bit of extra space at the end and so that creates a special kind of pool called a frag pool and so this is we're just filling up memory at this point then we send X point something eligible for that pointer shift and there's a little extra going on there but basically yeah we just send an exploit pointer ship thing and then we come along with the brides which are specifically designed to fill that gap and so we're we're only sending like 10 or so grooms we send 48 brides and we're hoping that one of those Brides ends up after one of our exploits pointers inside that for
so now that we have the pointer shift and we can write into one of these victim transactions we can create a right what we're primitive out of it basically we modify using our exploit transaction that's been shifted we modify our victim transaction it's in data pointer we point it to where we want to write we set that executing variable to false some other clerical things also increase the reference count of the smart pointer type thing and then when we send a victim transaction secondary that whatever is in our data block is what we actually want to write read where we modified the victim transaction to point at the leak transaction and we can get the address of lead transaction we can infer its address by its contents this time we set the out data pointer from where we want to read we change its setup to a peak named pipe and then we set max data count how much data we want to read then we send a leak date trans secondary and it will echo back out data which is pointing from where we want to read so we have readwrite primitives
we're on a quest to find somewhere to store the shellcode if we set the victim transactions out parameters to null and then we send a secondary transaction it'll change that out parameters to point at the work context response buffer which is read write X memory and then we can use the read primitive to read the address that just got set and the write primitive to write the shellcode to that location and now we're
on a quest to execute the shellcode so
this is a similar methodology to what double pulsars doing only we're doing it remotely so we read in our leaked transaction it has that connection pointer on it we read in from that connection pointer it has a variable called endpoints pinlock and that's pointing to a global variable in the service driver inside of that pease data section so let me just read backwards in
memory we're looking for a special table called the service and B word count so the word counts associated with the size of transaction or SMB parameters so this is a table that's about 256 entries but it only has a hundred commands so anything that's not a legal command is going to be a negative two in this table which is o xfe so when you see a bunch of fefe when you're reading the thing you know you're getting close and then so immediately following that will be the transaction to dispatch table and then offsets 14 and 15 and to that table are not implemented and we can overwrite Oh X 14 which is with the address of the shellcode and then we send a transaction that triggers that dispatch table to be called so here's how they patched the
info leak before the max parameter count was either the user supplied max parameter count or 16 after the patch they made it always 16 and this is how
Ms 17:10 scanners one way you can write one so I mentioned before that when you allocate a transaction if it's greater than Oh X 10 400 they'll get a status and sufficient server resources so what we'll do is we'll send a transaction where the max parameter count and the max data count is going to be greater the the sum of those is greater than that LX 10 400 before the patch it will reject that packet and send us that status insufficient server resources after the patch it's going to fix that max parameter count to 16 and so now it will do a proper allocation we'll get a little bit further and get a different error message and so that's how you can tell if the targets been patched so
here's another thing they fixed was if the data count in the named pipe is greater than the max data count the size of the client buffer they'll just fix that here's the remote
code execution before the patched and after the patch so before the patch remember it was shifting that pointer during a write index after the patch instead of shifting the pointer they're just using an offset during the copy another thing they did to fix remote code execution and this does help with eternal blue as well is now when you allocate a transaction you set what you the expected secondary command should be and then later when you go to find a transaction it sees if that new incoming transect Airi transaction if that command matches up with the same expected secondary command and if not it won't return it so now we can get into eternal - synergy so this
has the same Buffalo overflow and rewrite primitives as eternal romance you also get the matched pairs and the classic grooming and I didn't get to go through the classic grooming but they inadvertently with Windows 8 they patched the info leak that was in eternal romance so we can't do the normal eternal romance methodology instead we do our info leak using the eternal champion on methodology but another thing is the address that we sort our shell code at last time has became a DEP pol which means that it's not an executable so we needed a new way to find an executable portion of memory so using our read primitives same ones as eternal romance we can read the connections preferred work queue which is going to be it's gonna have on it a member called Erb thread which gives us a K thread structure K threads have a K process and then K processes have a process list entry double linked list only normally a double linked lists you know one goes to one and then going backwards that you can traverse back and forth with the process list entries it appears to me that as you go forward you go to the next process but at each step if you try and go back you just go back to the list head instead of being able to go yeah and so that list head is actually a global variable inside NT OS kernel so you just start reading backwards in memory from that global variable until you get to the MZ header and then you can parse using the remote read you can parse the NCOs Colonel PP headers and on Windows 8
and 8.1 they have this section inside of NCOs Carlotti XD that's just a read write its names and name of sections read write exec and so the only thing that's really ever legitimately calling this portion of memory is a function called KX unexpected interrupt but this is where the eternal synergy decides to store the shellcode is right there so
here's some good list resources for this stuff I think sleep ia's github repo is probably the best if you want to look at this at the code level and then Nicolas really of nsrc did a sort of a similar talk at hit Con and then there's this more resources Jenna Matty is a nice white paper from last year and then if you're interested on the shadow brokers there's more stuff on the bottom there just some archives and I'll also be at
Derby conjuring kind of like a part to you for this so that's it Hey [Applause]
Feedback