Eternal Blue
Overview #
- CVE-2017-0144 (aka MS17-010)
- The EternalBlue exploit leverages three bugs in the SMBv1 implementation to achieve RCE (a HandlerFunction pointer that points to shellcode ends up being executed):
  - Wrong casting bug
  - Wrong parsing function bug
  - Non-paged pool allocation bug
How does Eternal Blue work? #
Eternal Blue relies on a Windows function named srvSrvOS2FeaListSizeToNt. To see how this leads to remote code execution, let’s take a quick look at how SMB works. Server Message Block (SMB) operates as an application-layer network protocol mainly used for providing shared access to files, printers, serial ports and miscellaneous communications between nodes on a network.
Eternal Blue exploits three bugs:
The first bug is a mathematical error when the protocol tries to cast an OS/2 File Extended Attribute (FEA) list structure to an NT FEA structure in order to determine how much memory to allocate. A miscalculation creates an integer overflow that causes less memory to be allocated than expected, which in turn leads to a buffer overflow: with more data than expected being written, the extra data overflows into adjacent memory. Triggering the buffer overflow is achieved thanks to the second bug, which results from a difference in the SMB protocol’s definition of two related sub-commands: SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT.
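As an added illustration of the casting bug (this is not the page's code nor Microsoft's srv.sys source), the following C program models the OS/2 FEA to NT FEA size conversion described above. The structure layout is simplified, all function names are hypothetical, and the sample list is constructed. The buggy variant stores the computed size through a 16-bit field before it is used for allocation, so a list larger than 64 KiB is reported as tiny and would be under-allocated; the checked variant keeps the arithmetic in full width and refuses any list that does not fit the caller's budget.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of one OS/2 FEA entry header as carried in the SMB
 * request: flags, name length, value length (hypothetical struct name). */
typedef struct {
    uint8_t  flags;
    uint8_t  name_len;
    uint16_t value_len;
} os2_fea_hdr;

/* NT FILE_FULL_EA_INFORMATION fixed part: next-entry offset (4), flags (1),
 * name length (1), value length (2); the name is NUL-terminated and each
 * entry is padded to a 4-byte boundary. */
#define NT_FEA_HDR 8u

static uint32_t round4(uint32_t n) { return (n + 3u) & ~3u; }

static uint32_t nt_entry_size(const os2_fea_hdr *e) {
    return round4(NT_FEA_HDR + e->name_len + 1u + e->value_len);
}

/* Bytes the converted NT list really needs, summed in full 32-bit width. */
uint32_t nt_fea_list_size(const os2_fea_hdr *e, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) total += nt_entry_size(&e[i]);
    return total;
}

/* Buggy variant: the result is stored through a 16-bit field before it is
 * used for allocation, so lists over 64 KiB come back far too small. */
uint32_t nt_fea_list_size_buggy(const os2_fea_hdr *e, size_t n) {
    uint16_t stored = (uint16_t)nt_fea_list_size(e, n);  /* truncating cast */
    return stored;
}

/* Hardened variant: keep the sum in full width and reject any list whose
 * converted size would exceed the caller's allocation budget. */
bool nt_fea_list_size_checked(const os2_fea_hdr *e, size_t n,
                              uint32_t budget, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t entry = nt_entry_size(&e[i]);
        if (entry > budget - total) return false;   /* would exceed budget */
        total += entry;
    }
    *out = total;
    return true;
}

/* Constructed sample list: 1000 entries, empty names, 65535-byte values. */
#define SAMPLE_ENTRIES 1000
static os2_fea_hdr sample[SAMPLE_ENTRIES];

static void build_sample(void) {
    for (size_t i = 0; i < SAMPLE_ENTRIES; i++)
        sample[i] = (os2_fea_hdr){ .flags = 0, .name_len = 0, .value_len = 65535 };
}

uint32_t sample_real_size(void)  { build_sample(); return nt_fea_list_size(sample, SAMPLE_ENTRIES); }
uint32_t sample_buggy_size(void) { build_sample(); return nt_fea_list_size_buggy(sample, SAMPLE_ENTRIES); }
bool sample_fits(uint32_t budget) {
    uint32_t size;
    build_sample();
    return nt_fea_list_size_checked(sample, SAMPLE_ENTRIES, budget, &size);
}

int main(void) {
    printf("real size   : %u bytes\n", sample_real_size());    /* 65544000 */
    printf("buggy size  : %u bytes\n", sample_buggy_size());   /* 8000 */
    printf("fits 64 KiB?: %s\n", sample_fits(65536u) ? "yes" : "no");
    return 0;
}
```

Build it with any C99 compiler and run it. The defensive point sits in nt_fea_list_size_checked: when the lengths come from the network, the size arithmetic must be carried out in the same width as the allocation size and bounded before any allocation happens; a narrowing store anywhere in that path is enough to turn a size computation into an under-allocation.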
Both have a _SECONDARY command that is used when there is too much data to include in a single packet. The crucial difference between TRANSACTION2 and NT_TRANSACT is that the latter calls for a data packet twice the size of the former. This is significant because an error in validation occurs if the client sends a crafted message using the NT_TRANSACT sub-command immediately before the TRANSACTION2 one.
While the protocol recognizes that two separate sub-commands have been received, it assigns the type and size of both packets (and allocates memory accordingly) based only on the type of the last one received. Since the last one is smaller, the first packet occupies more space than was allocated for it.
Once the attackers achieve this initial overflow, they can take advantage of a third bug in SMBv1 which allows heap spraying, a technique which results in allocating a chunk of memory at a given address. From here, the attacker can write and execute shellcode to take control of the system.
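As an added detection example (not taken from the page or from any tool it references), the C program below parses a NetBIOS-framed SMB1 byte stream, extracts each message's command code, and counts the ordering described above: an NT_TRANSACT, optionally continued by NT_TRANSACT_SECONDARY messages, followed directly by a TRANSACTION2_SECONDARY. The command codes are the MS-CIFS values; the frames are constructed header-only samples rather than captured traffic, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* SMB1 command codes (MS-CIFS). */
#define SMB_COM_TRANSACTION2           0x32
#define SMB_COM_TRANSACTION2_SECONDARY 0x33
#define SMB_COM_NT_TRANSACT            0xA0
#define SMB_COM_NT_TRANSACT_SECONDARY  0xA1

#define NBSS_HDR 4u   /* NetBIOS session service header: type + 3-byte length */
#define SMB1_HDR 32u  /* fixed SMB1 header: 0xFF 'S' 'M' 'B', command, ... */

static const uint8_t smb_magic[4] = {0xFF, 'S', 'M', 'B'};

/* Read one NetBIOS-framed SMB1 message; store its command byte in *cmd and
 * return the number of bytes consumed, or 0 if the frame is malformed. */
static size_t smb1_command(const uint8_t *buf, size_t len, uint8_t *cmd) {
    if (len < NBSS_HDR) return 0;
    size_t body = ((size_t)buf[1] << 16) | ((size_t)buf[2] << 8) | buf[3];
    if (buf[0] != 0x00 || body < SMB1_HDR || body > len - NBSS_HDR) return 0;
    if (memcmp(buf + NBSS_HDR, smb_magic, 4) != 0) return 0;
    *cmd = buf[NBSS_HDR + 4];
    return NBSS_HDR + body;
}

/* Walk a client-to-server stream and count NT_TRANSACT -> TRANSACTION2_SECONDARY
 * sequences (NT_TRANSACT_SECONDARY continuations are allowed in between). */
int count_mixed_transaction_sequences(const uint8_t *stream, size_t len) {
    int hits = 0;
    bool nt_open = false;
    size_t off = 0;
    while (off < len) {
        uint8_t cmd;
        size_t n = smb1_command(stream + off, len - off, &cmd);
        if (n == 0) break;   /* truncated or non-SMB data: stop, do not guess */
        off += n;
        switch (cmd) {
        case SMB_COM_NT_TRANSACT:           nt_open = true;  break;
        case SMB_COM_NT_TRANSACT_SECONDARY: /* normal continuation */ break;
        case SMB_COM_TRANSACTION2_SECONDARY:
            if (nt_open) hits++;
            nt_open = false;
            break;
        default:                            nt_open = false; break;
        }
    }
    return hits;
}

/* Write one minimal header-only frame carrying `cmd` (constructed sample). */
static size_t put_frame(uint8_t *out, uint8_t cmd) {
    memset(out, 0, NBSS_HDR + SMB1_HDR);
    out[3] = SMB1_HDR;                     /* NBSS length fits in one byte */
    memcpy(out + NBSS_HDR, smb_magic, 4);
    out[NBSS_HDR + 4] = cmd;
    return NBSS_HDR + SMB1_HDR;
}

/* Build a stream from a list of command codes and scan it. */
static int scan_cmds(const uint8_t *cmds, size_t n) {
    uint8_t buf[16 * (NBSS_HDR + SMB1_HDR)];
    size_t off = 0;
    if (n > 16) return -1;
    for (size_t i = 0; i < n; i++) off += put_frame(buf + off, cmds[i]);
    return count_mixed_transaction_sequences(buf, off);
}

/* Constructed sample: NT_TRANSACT continued twice, then a TRANSACTION2_SECONDARY. */
int demo_suspicious(void) {
    static const uint8_t cmds[] = {0x72, 0xA0, 0xA1, 0xA1, 0x33, 0x33};
    return scan_cmds(cmds, sizeof cmds);   /* 1 */
}

/* Constructed sample: each transaction type continued only by its own secondary. */
int demo_benign(void) {
    static const uint8_t cmds[] = {0x72, 0x32, 0x33, 0xA0, 0xA1};
    return scan_cmds(cmds, sizeof cmds);   /* 0 */
}

int main(void) {
    printf("suspicious stream: %d hit(s)\n", demo_suspicious());
    printf("benign stream:     %d hit(s)\n", demo_benign());
    return 0;
}
```

A hit from this scan is a trigger for investigation rather than proof of exploitation: the same transaction mixing is what network IDS signatures for MS17-010 key on, and the scanner deliberately stops at the first malformed frame instead of resynchronising, so that a truncated capture cannot produce spurious matches.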
Wireshark Analysis #
Affected Versions #
- SMBv1
- All Windows versions prior to Windows 8
Interesting Files and Directories #
```bash
# list of named pipes you can use
/usr/share/metasploit-framework/data/wordlists/named_pipes.txt
```
Detection #
```bash
# nmap
nmap -p445 --script smb-vuln-ms17-010 victim.com
```
References #
- [EternalBlue Exploit MS17-010 Explained Avast](https://www.avast.com/c-eternalblue)
- MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
- HTB Blue
- EternalBlue – Everything There Is To Know by Check Point Research