h3xduck@blog:~#

EternalBlue Series Part 1: Introduction

by h3xduck

1 July 2021

Four years ago (we are in 2021 at the time of writing) the Shadow Brokers hacker group leaked what has come to be one of the most famous, yet infamous, vulnerabilities of all time. You may know it as CVE-2017-0144, MS17_010, or just by the name of the exploit: EternalBlue.

The EternalBlue exploit relies on a weakness in the implementation of the SMB (Server Message Block) protocol in Windows systems and, along with the backdoor implant tool DoublePulsar, it was used to infect Windows systems worldwide. The most famous example is the WannaCry ransomware, which hit systems in many countries, including the Spanish companies Telefonica and Iberdrola and the national health system of the UK. Although a Microsoft patch for the vulnerability was already available by the time WannaCry spread (the NSA had alerted Microsoft that its exploit had been stolen by some hacker entity; yes, the NSA developed it and kept it secret), many systems had not installed the patch in time and were severely affected.

Although the exploit originally targeted SMB version 1 (which was not present in all Windows versions), it was later ported to all versions of Windows (and thus of SMB) by taking advantage of different bugs in SMB, resulting in the other known exploits EternalRomance, EternalChampion and EternalSynergy. In this series of posts, however, our goal is to focus on the low-level mechanics of EternalBlue, going deep into the old source code and finding out what caused the vulnerability, where and why, and how it could be exploited. Today we are not here to type "exploit" in Metasploit and pray; rather, we will be traveling to the past (with the knowledge and tools we have nowadays) and visiting what happened to be the origin of the WannaCry nightmare.

If you would like to come along with me on this journey, make sure you know about the following:

If you are set with these, then without further delay let's go straight ahead to the fun part!

Part 2

tags: stack - overflow - buffer - exploitation - shellcode - RCE - eternalblue - vulnerability - windows

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.