Eternal Blue

windows, foothold, smb, privesc, rce

Overview #

How does Eternal Blue work? #

Eternal Blue relies on a flaw in a Windows function named srvSrvOS2FeaListSizeToNt. To see how this leads to remote code execution, let’s take a quick look at how SMB works. Server Message Block (SMB) is an application-layer network protocol mainly used to provide shared access to files, printers, serial ports and miscellaneous communications between nodes on a network.

Eternal Blue exploits three bugs:

The first bug is a mathematical error when the protocol tries to cast an OS/2 File Extended Attribute (FEA) list structure to an NT FEA structure in order to determine how much memory to allocate. A miscalculation creates an integer overflow that causes less memory to be allocated than expected, which in turn leads to a buffer overflow. With more data than expected being written, the extra data can overflow into adjacent memory space. Triggering the buffer overflow is achieved thanks to the second bug, which results from a difference in the SMB protocol’s definition of two related sub-commands: SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT.

Both have a _SECONDARY command that is used when there is too much data to include in a single packet. The crucial difference between TRANSACTION2 and NT_TRANSACT is that the latter calls for a data packet twice the size of the former. This is significant because an error in validation occurs if the client sends a crafted message using the NT_TRANSACT sub-command immediately before the TRANSACTION2 one.

While the protocol recognizes that two separate sub-commands have been received, it assigns the type and size of both packets (and allocates memory accordingly) based only on the type of the last one received. Since the last one is smaller, the first packet will occupy more space than was allocated for it.

Once the attackers achieve this initial overflow, they can take advantage of a third bug in SMBv1 which allows heap spraying, a technique which results in allocating a chunk of memory at a given address. From here, the attacker can write and execute shellcode to take control of the system.
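The first bug above is easiest to understand as a width mismatch in a length calculation. The following is an added, illustrative C model written for this note; it is not srv.sys code and the structure layouts, the function names (size_to_nt, vulnerable_fixup, hardened_fixup, excess_bytes) and the sample list are all assumptions. It walks only the FEA entries that actually arrived, sizes the NT buffer from them, and then shows how "correcting" the 32-bit declared length through a 16-bit store leaves a later stage believing there are far more bytes to convert than the buffer was sized for, beside the fix that stores the full width.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative model only; none of this is srv.sys code. An OS/2 FEA
 * list is modelled as a 32-bit declared byte count plus a buffer of
 * 'available' bytes actually received, holding entries laid out as
 *   flags(1) name_len(1) value_len(2, little-endian) name[] value[]   */
typedef struct {
    uint32_t       declared;   /* length field taken from the request */
    uint32_t       available;  /* bytes really present in the request */
    const uint8_t *entries;
} os2_fea_list;

#define OS2_FEA_HDR 4u
#define NT_FEA_HDR  8u   /* NextEntryOffset(4) Flags(1) NameLen(1) ValueLen(2) */
#define ALIGN4(x)   (((x) + 3u) & ~3u)

/* Walk only the entries that fit in the received bytes and return the
 * NT-format size they need; 'consumed' receives the source bytes walked.
 * This is the figure the NT buffer would be allocated from. */
uint32_t size_to_nt(const os2_fea_list *l, uint32_t *consumed)
{
    uint32_t limit = l->declared < l->available ? l->declared : l->available;
    uint32_t off = 0, nt = 0;
    while (off + OS2_FEA_HDR <= limit) {
        uint8_t  name_len  = l->entries[off + 1];
        uint16_t value_len = (uint16_t)(l->entries[off + 2] |
                                        (l->entries[off + 3] << 8));
        uint32_t entry = OS2_FEA_HDR + name_len + value_len;
        if (off + entry > limit) break;          /* entry is cut off */
        nt  += ALIGN4(NT_FEA_HDR + name_len + 1u + value_len);
        off += entry;
    }
    *consumed = off;
    return nt;
}

/* Vulnerable fix-up (hypothetical, modelling the width-mismatch bug
 * class): the declared length is "corrected" to the bytes walked, but
 * through a 16-bit store, so the high half of a declared length of
 * 0x10000 or more survives and later stages believe more entries exist
 * than were sized for. */
uint32_t vulnerable_fixup(uint32_t declared, uint32_t consumed)
{
    return (declared & 0xFFFF0000u) | (consumed & 0x0000FFFFu);
}

/* Hardened fix-up: store the full 32-bit value, nothing of the untrusted
 * declared length survives. */
uint32_t hardened_fixup(uint32_t declared, uint32_t consumed)
{
    (void)declared;
    return consumed;
}

/* Number of source bytes a converter trusting the fixed-up length would
 * walk beyond what the NT buffer was sized for (0 means consistent). */
uint32_t excess_bytes(const os2_fea_list *l,
                      uint32_t (*fixup)(uint32_t, uint32_t))
{
    uint32_t consumed;
    size_to_nt(l, &consumed);
    uint32_t fixed = fixup(l->declared, consumed);
    return fixed > consumed ? fixed - consumed : 0;
}

/* Constructed sample: one well-formed entry (name "A", 2-byte value)
 * plus two trailing bytes, 9 bytes received, declared length 0x10009. */
static const uint8_t sample_entries[] = {
    0x00, 0x01, 0x02, 0x00, 'A', 0xAA, 0xBB, 0x00, 0x00 };

const os2_fea_list sample_list = { 0x10009u, sizeof sample_entries, sample_entries };

/* Convenience wrapper so the sample can be checked without main(). */
uint32_t sample_nt_size(uint32_t *consumed)
{
    return size_to_nt(&sample_list, consumed);
}

int main(void)
{
    printf("vulnerable excess: %u bytes\n",
           excess_bytes(&sample_list, vulnerable_fixup));
    printf("hardened excess:   %u bytes\n",
           excess_bytes(&sample_list, hardened_fixup));
    return 0;
}
```

With the constructed sample the walk consumes the single 7-byte entry and sizes a 12-byte NT buffer; the 16-bit fix-up turns the declared 0x10009 into 0x10007, so a converter trusting it would read 65536 bytes past the entries it was sized for, while the full-width fix-up reports no excess. The defensive lesson is the same regardless of the exact srv.sys internals: a length that is narrowed anywhere between validation and use must be treated as untrusted again.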

Wireshark Analysis #

Affected Versions #

Interesting Files and Directories #

# list of named pipes you can use
/usr/share/metasploit-framework/data/wordlists/named_pipes.txt

Detection #

# nmap
nmap -p445 --script smb-vuln-ms17-010 victim.com

References #