EternalBlue Series Part 2: Initial study of the exploit
by h3xduck
1 July 2021

Welcome back! Before we start, and in case you want to follow along by doing the research yourself, here is what you will need to repeat the steps:
- Windows XP SP1 (32 bit). I will be using this one, although any unpatched Windows will do the job.
- Ghidra. Any version should serve our purpose; we will only decompile a few small chunks of code.
- Wireshark. Only needed if you want to analyze the traffic as I will do.
- WinDbg (optional). I'll use it just once to show that the same thing can be done without Ghidra.
The Metasploit module
To start our research, let's go to the best source of information we have on what is going on: the exploits that are all over the Internet. Specifically, we will read the Metasploit EternalBlue module and see whether it gives us any hint. You should find it at exploit/windows/smb/ms17_010_eternalblue. In the Ruby file we read the following:
This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete.
Well, that is an awesome explanation that summarizes it all. You most probably recognize some of the techniques they are talking about: RIP hijacking, buffer overflow, grooming, and so on. But although the description tells us what is happening and where, it gives no clue about how, so it is impossible to understand it all just by reading the paragraph. Still, this is a fantastic start for our research because, if we want to make sense of everything it says, we just have to go through it step by step until we get the full picture.
And yes, there is a lot to learn before we see that big picture, but I promise you that, if you follow along, you will in the end be fully able to comprehend even the tiniest bit of what has been said here. Let's divide our problem into byte-sized parts and see what we need to understand before reaching that point. Feel free to skip any part you already feel confident about. In each part we will be solving one piece of our puzzle, and only at the end will we put all the pieces together.
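The one concrete statement in that description is the size bug: the length of the FEA list is recomputed as a DWORD (a pointer difference) but written back through a WORD-sized store, and the conversion routine later trusts the corrupted DWORD while copying. The following C program is an added illustration of that bug class written for this post; it is not Srv.sys code and not the Metasploit module. The structure names, the two-byte entry layout and the sizes are assumptions chosen so the high WORD of the length survives the truncated write; the real FEA layout is covered in a later part. The converter counts bytes instead of copying them, so it is safe to run.

```c
/*
 * Added illustration (constructed for this post, not Srv.sys or Metasploit
 * code): a DWORD list length recomputed and written back through a WORD
 * store, followed by a copy loop that trusts the corrupted DWORD.
 * The header/entry layout below is a simplified model, not the OS/2 FEA format.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ENTRY_HDR 2u                 /* each entry: 16-bit payload length, then payload */

struct list_hdr {
    uint32_t size_of_list;           /* DWORD, supplied by the peer */
};

/* Walk entries that fit entirely inside `limit`; `avail` is how many entry
 * bytes were actually received. Returns the bytes consumed (a DWORD). */
static uint32_t walk_entries(const uint8_t *ent, uint32_t avail, uint32_t limit)
{
    uint32_t off = 0;
    while (off + ENTRY_HDR <= limit && off + ENTRY_HDR <= avail) {
        uint16_t len;
        memcpy(&len, ent + off, sizeof len);
        if (off + ENTRY_HDR + len > limit) break;   /* entry crosses the limit */
        off += ENTRY_HDR + len;
    }
    return off;
}

/* Correct fix-up: store the recomputed size as a full DWORD. */
uint32_t fixup_size_dword(struct list_hdr *h, const uint8_t *ent, uint32_t avail)
{
    uint32_t walked = walk_entries(ent, avail, h->size_of_list);
    if (walked < h->size_of_list)
        h->size_of_list = walked;
    return h->size_of_list;
}

/* Buggy fix-up: only the low WORD is written; the high WORD survives. */
uint32_t fixup_size_word(struct list_hdr *h, const uint8_t *ent, uint32_t avail)
{
    uint32_t walked = walk_entries(ent, avail, h->size_of_list);
    if (walked < h->size_of_list)   /* models a 16-bit store into the 32-bit field */
        h->size_of_list = (h->size_of_list & 0xFFFF0000u) | (uint16_t)walked;
    return h->size_of_list;
}

/* Converter: the destination was sized from the walked length, but the copy
 * loop is bounded by size_of_list. Returns bytes that would land past the
 * destination (0 = no overflow). Counting stands in for the memmove. */
uint32_t converter_overflow(const struct list_hdr *h, const uint8_t *ent,
                            uint32_t avail, uint32_t dst_capacity)
{
    uint32_t off = 0, copied = 0;
    while (off + ENTRY_HDR <= h->size_of_list && off + ENTRY_HDR <= avail) {
        uint16_t len;
        memcpy(&len, ent + off, sizeof len);
        if (off + ENTRY_HDR + len > h->size_of_list ||
            off + ENTRY_HDR + len > avail) break;
        copied += ENTRY_HDR + len;
        off += ENTRY_HDR + len;
    }
    return copied > dst_capacity ? copied - dst_capacity : 0;
}

/* Constructed input: size_of_list = 0x10000 and 16 entries with 0x1000-byte
 * payloads, so the 16th entry crosses the 0x10000 boundary. */
#define N_ENTRIES 16u
#define PAYLOAD   0x1000u
#define AVAIL     (N_ENTRIES * (ENTRY_HDR + PAYLOAD))   /* 0x10020 bytes */
static uint8_t g_entries[AVAIL];

static void build_entries(void)
{
    memset(g_entries, 0x41, sizeof g_entries);
    for (uint32_t i = 0; i < N_ENTRIES; i++) {
        uint16_t len = PAYLOAD;
        memcpy(g_entries + i * (ENTRY_HDR + PAYLOAD), &len, sizeof len);
    }
}

/* DWORD store: size becomes 0xF01E, destination holds 0xF01E, no overflow. */
uint32_t demo_dword_overflow(void)
{
    build_entries();
    struct list_hdr h = { 0x10000 };
    uint32_t cap = fixup_size_dword(&h, g_entries, AVAIL);
    return converter_overflow(&h, g_entries, AVAIL, cap);
}

/* WORD store: size becomes 0x1F01E while the destination still holds 0xF01E,
 * so the crossing entry (0x1002 bytes) is copied past the end. */
uint32_t demo_word_overflow(void)
{
    build_entries();
    struct list_hdr h = { 0x10000 };
    uint32_t cap = walk_entries(g_entries, AVAIL, h.size_of_list);  /* 0xF01E */
    fixup_size_word(&h, g_entries, AVAIL);                          /* 0x1F01E */
    return converter_overflow(&h, g_entries, AVAIL, cap);
}

int main(void)
{
    printf("DWORD store overflow: 0x%x bytes\n", demo_dword_overflow());
    printf("WORD  store overflow: 0x%x bytes\n", demo_word_overflow());
    return 0;
}
```

The point to take away is that the walk itself is correct in both paths; it is the write-back of its result through a narrower type that leaves the bound used by the copy loop larger than the buffer it was meant to describe.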
- Initial reverse-engineering of the vulnerable code.
- Analysis of SMB.
  - Transactions
  - FEAs
- Comprehensive analysis of the vulnerability.
  Highly recommended to read part 1 before part 3.
- Additional bugs for EternalBlue to work.
  - Bug A: Error parsing transaction types
  - Bug B: Session Setup Allocation Error & The Heap Grooming technique
- Preparing the exploitation.
  - The HAL's Heap
  - MDLs
  - SMB Buffers
  - DoublePulsar
- The full picture: EternalBlue, the exploitation
Having said this, see you in the next part!
tags: stack - overflow - buffer - exploitation - shellcode - RCE - eternalblue - vulnerability - windows

This work is licensed under a Creative Commons Attribution 4.0 International License.