Memory Analysis of Eternalblue

2017/6/5 Memory analysis of Eternalblue


Memory analysis of Eternalblue
Jun 4, 2017

Code comment from the leaked source code of Windows NT4 which contained the vulnerability

This post is about trying to fully understand the vulnerability behind WanaCry(pt).

This post consists of the following parts.

1. Understanding the exploit method
2. Using the exploit and popping under the hood of a vulnerable machine to see what happens
3. Reversing the problem and looking at the code

Number 3 is included in Part 2 of this post (which I will post later), detailing the vulnerability in the actual code.

Understanding the exploit method

The exploit methodology in this post is based on two different exploit codes. One is the Metasploit plugin [1] and the other one is by a GitHub user, @worawit [2]. Worawit's code is very well documented and therefore it is going to be the primary source where we are going to begin. It gives us great hints about where to start this research.

The exploit

Before Microsoft patched it, SMB version 1 was vulnerable to a buffer overflow attack. The vulnerability is exploitable when a malformed Trans2 request is sent to the server, which enables the attacker to overwrite another part of the memory. The goal of the attacker (and how the NSA did it) would be to overwrite some useful memory portion; in this attack it is the buffer of another SMB connection, which enables an arbitrary write and the execution of shellcode in the memory address of the Hardware Abstraction Layer (HAL) [1][3]. In all Windows versions before Windows 10, the HAL is at a fixed memory address and is used during boot, therefore making it a nice target for the shellcode.

The exploit is happening in non-paged pool memory, which the SMB server allocates for the large requests sent to it. This is quite important information, as we will soon see.

From the Metasploit and Worawit's exploits, we can see that the primary exploit method works by creating multiple SMB connections, which makes the server reserve lots of space for the connections. This helps with aligning the data so that the malicious packet is in the correct position to overflow into the next SMB connection. This process, where the heap is filled up so that the malicious content lands in an advantageous position, is called heap grooming.

Finding the connections

I launched a Windows 7 SP1 virtual machine for testing this exploit. This is useful because it is easy to take a memory dump of the whole machine. After setting up my environment I took a memory dump in the middle of the exploit.

I am using Volatility to explore the memory dumps and trying to find the data that resides in the non-paged pool. All in all I am using four primary memory dumps to explore the exploit code of the Metasploit plugin.

1. After the first large buffer packet is sent (line 186 [1])

    # Step 2: Create a large SMB1 buffer
    print_status("Sending all but last fragment of exploit packet")
    smb1_large_buffer(client, tree, sock)

2. After the first grooming packets are sent

    # Step 3: Groom the pool with payload packets, and open/close SMB1 packets
    print_status("Starting non-paged pool grooming")
    # initialize_groom_threads(ip, port, payload, grooms)
    fhs_sock = smb1_free_hole(true)
    @groom_socks = []
    print_good("Sending SMBv2 buffers")
    smb2_grooms(grooms, payload_hdr_pkt)


3. After the second grooming packets are sent
4. After the malformed Trans2 packet is sent

Using Volatility

Volatility includes a plugin called bigpools which we will be using here, since we know the exploit is happening in big pools. We would like to look for the buffers that the server reserves in memory in order to better understand how the grooming process works. By trial and error I found that the buffer has the tag LSbf, and I am using it to filter the results in Volatility.

markus$ ./volatility_2.6_lin64_standalone --profile=Win7SP1x64 -f /home/markus/2.dump bigpools --ta
Volatility Foundation Volatility Framework 2.6
Allocation         Tag  PoolType      NumberOfBytes

0xfffffa8001ad8000 LSbf NonPagedPool  0x11000L
0xfffffa8001ac7000 LSbf NonPagedPool  0x11000L
0xfffffa8001afa000 LSbf NonPagedPool  0x11000L
0xfffffa8001ae9000 LSbf NonPagedPool  0x11000L
0xfffffa8001a61000 LSbf NonPagedPool  0x11000L
0xfffffa8001964000 LSbf NonPagedPool  0x2000L
0xfffffa8001a50000 LSbf NonPagedPool  0x11000L
0xfffffa8001a72000 LSbf NonPagedPool  0x11000L
0xfffffa8001a94000 LSbf NonPagedPool  0x11000L
0xfffffa8001a83000 LSbf NonPagedPool  0x11000L
0xfffffa8001ab6000 LSbf NonPagedPool  0x11000L
0xfffffa8001aa5000 LSbf NonPagedPool  0x11000L
0xfffffa8001a3f000 LSbf NonPagedPool  0x11000L

I verified whether these are in fact the right pages by running the same command with the other memory dumps, and the results are consistent with the code. For example, here are the results for memory dump number 1.

markus$ ./volatility_2.6_lin64_standalone --profile=Win7SP1x64 -f /home/markus/old/3 bigpools --tag
Volatility Foundation Volatility Framework 2.6
Allocation         Tag  PoolType      NumberOfBytes

0xfffffa8001964000 LSbf NonPagedPool  0x2000L

As you can see, the first big buffer is the only one allocated, as it should be.
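One check worth running on such a listing is whether the groomed LSbf buffers actually sit back to back in the pool, since an overflow from one connection's buffer into the next depends on exactly that layout. The script below is an added example, not code from the post or from Volatility; it parses the bigpools rows from the listing above (embedded here with a constructed header in Volatility's column format) and groups the allocations into contiguous runs.

```python
import re

# The LSbf rows from the post's bigpools listing (dump 2), embedded so the
# analysis runs offline; the header lines are constructed in Volatility's format.
BIGPOOLS_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Allocation         Tag  PoolType      NumberOfBytes
------------------ ---- ------------- -------------
0xfffffa8001ad8000 LSbf NonPagedPool  0x11000L
0xfffffa8001ac7000 LSbf NonPagedPool  0x11000L
0xfffffa8001afa000 LSbf NonPagedPool  0x11000L
0xfffffa8001ae9000 LSbf NonPagedPool  0x11000L
0xfffffa8001a61000 LSbf NonPagedPool  0x11000L
0xfffffa8001964000 LSbf NonPagedPool  0x2000L
0xfffffa8001a50000 LSbf NonPagedPool  0x11000L
0xfffffa8001a72000 LSbf NonPagedPool  0x11000L
0xfffffa8001a94000 LSbf NonPagedPool  0x11000L
0xfffffa8001a83000 LSbf NonPagedPool  0x11000L
0xfffffa8001ab6000 LSbf NonPagedPool  0x11000L
0xfffffa8001aa5000 LSbf NonPagedPool  0x11000L
0xfffffa8001a3f000 LSbf NonPagedPool  0x11000L
"""

# One data row: address, tag, pool type, size (Volatility prints a trailing "L")
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\S+)\s+(0x[0-9a-f]+)L?$", re.I)

def parse_bigpools(text, tag="LSbf"):
    """Return (address, size) pairs for allocations carrying `tag`, sorted by address."""
    allocs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(2) == tag:
            allocs.append((int(m.group(1), 16), int(m.group(4), 16)))
    return sorted(allocs)

def contiguous_runs(allocs):
    """Group address-sorted allocations into runs where each buffer starts exactly
    where the previous one ends. A long run of equal-sized SMB buffers is the
    back-to-back layout that grooming produces and the overflow relies on."""
    runs = []
    for addr, size in allocs:
        if runs and runs[-1][-1][0] + runs[-1][-1][1] == addr:
            runs[-1].append((addr, size))
        else:
            runs.append([(addr, size)])
    return runs

if __name__ == "__main__":
    for run in contiguous_runs(parse_bigpools(BIGPOOLS_OUTPUT)):
        print(f"{len(run):2d} buffer(s) from {run[0][0]:#x} to {run[-1][0] + run[-1][1]:#x}")
```

On the listing above this reports the lone 0x2000 buffer from step 1 and a single run of twelve 0x11000-byte buffers with no gaps between them.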

Visualizing the data

I wrote a small Python program that uses the Volatility framework to visualize the memory segments. You can find the full code in my GitHub here. The code generates the following pictures (click to open the original file):

Figure 1: Before the exploit (step 3)

Figure 2: After the exploit (step 4)

This might require some explanation

In both figures a single vertical line represents the memory contents of a single buffer that is allocated by the SMB server for an incoming connection. The lines are in order by their virtual address, but the figure does not show the appropriate space between the buffers (see figure 3). One pixel in the figures represents three bytes of memory content converted to an RGB hexadecimal value.

If you look closely, you can see that the first line is a bit different from the others. That is the smaller initial packet sent at step 1, and it apparently has a different kind of structure.

I also extended the Python script to visualize the buffers and where they are in memory. The following figure pictures the state of the memory during different parts of the exploit. This time, the content is not part of the visualization. The colors are hashes of the starting addresses of the buffers, which helps with distinguishing different buffers and their locations.

Figure 3: Buffers visualized in the address space. After the first grooming (left), after the second grooming (middle), after the exploit has finished (right)
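The rendering scheme used for the figures (three bytes per pixel, one column per buffer, and address-hash colors for figure 3), as an added example that is not the author's GitHub script. The buffers here are constructed stand-ins with a 16-byte identical prefix; in real use the raw bytes would be read from the dump at the LSbf addresses found above.

```python
import hashlib

# Constructed stand-in for buffers read from the dump: a 16-byte "struct header"
# shared by every connection buffer, followed by content that differs per buffer.
HEADER = bytes(range(0x10, 0x20))
BUFFERS = [HEADER + bytes([fill]) * 30 for fill in (0xAA, 0xBB, 0xCC)]

def buffer_to_pixels(data):
    """Map raw bytes to RGB pixels, three bytes per pixel (figures 1 and 2).
    A trailing partial triple is zero-padded rather than dropped."""
    padded = data + b"\x00" * (-len(data) % 3)
    return [tuple(padded[i:i + 3]) for i in range(0, len(padded), 3)]

def address_color(addr):
    """Stable colour derived from a hash of the buffer's start address (figure 3)."""
    digest = hashlib.sha256(addr.to_bytes(8, "little")).digest()
    return tuple(digest[:3])

def shared_header_length(buffers):
    """Length of the leading byte run identical across all buffers: the region
    that shows up as the same colours at the top of every column."""
    limit = min(len(b) for b in buffers)
    for i in range(limit):
        if len({b[i] for b in buffers}) > 1:
            return i
    return limit

def render_ppm(buffers):
    """Encode the buffers as a binary PPM: column x is buffer x, one pixel per
    three bytes, shorter columns padded with black so every row has equal width."""
    cols = [buffer_to_pixels(b) for b in buffers]
    height = max(len(c) for c in cols)
    out = bytearray(f"P6 {len(cols)} {height} 255\n".encode())
    for y in range(height):
        for col in cols:
            out += bytes(col[y]) if y < len(col) else b"\x00\x00\x00"
    return bytes(out)

if __name__ == "__main__":
    with open("buffers.ppm", "wb") as fh:
        fh.write(render_ppm(BUFFERS))
    print("shared header bytes:", shared_header_length(BUFFERS))
```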


Analysis

SMB buffers contain a struct header which holds some pointers and details about the connection. This is the part that the exploit eventually overwrites, and it is what enables the whole exploit. The overflowing data contains a fake struct for an SMB connection, which replaces the real one when the overflow happens. I will go into more detail about the struct and the overflow in part 2, but right now what you need to know is that there is a header in the buffer before the actual content. The header is clearly visible in figure 1, since the beginnings of the buffers have similar content and therefore similar colors.

In the code, after step 4, the connections are terminated. Figure 2 pictures the memory content of the buffers after these connections are terminated and the exploit is finished. As you can see, there are a few connections (two, to be exact) that have been successfully terminated and their memory area cleared. The third connection has successfully executed the exploit, and therefore the rest of the connections are still lingering in the buffer. The successful buffer overflow is visible around the middle, where the buffer memory starts as normal but ends in garbage that overwrites the following few buffers as well.


Wrap-up

In this post, I looked at the vulnerability in SMB version 1 from a memory forensics point of view. In the next post, I hope to find out more about how the vulnerability really works. Where does the heart of the vulnerability lie? I will head further into reverse engineering the code that contains the vulnerability.

Sources

[1] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb

[2] https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a

[3] https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html

Author | Markus Lehtonen

Currently an undergraduate student at Aalto University. Interested in all things information security.

