EternalBlue Series Part 8: The full picture - Eternalblue, the exploitation
by h3xduck
22 August 20216. The full picture: Eternalblue, the exploitation
We finally have all the knowledge we need to fully understand Eternalblue. Here we will combine everything we have learned, so you may go back if something was not clear enough.
Let’s see the 10 steps EternalBlue follows to exploit the system:
1. Start a main SMB connection and send the primary transaction and all the secondary ones containing the FEAlist, except the last one, preventing the server from processing them yet.
2. Start a lot of secondary SMB connections, filling the heap with lots of srvnet buffers. They can also be seen as small heap grooms, which will help us place the NT buffer where we want.
3. Start another connection which uses the Secondary Bug B, creating a custom-sized allocation in the heap, with the same size as the NT buffer which the server will allocate once we send the last transaction. This will be the groom which will be later freed for us to place the NT buffer.
4. Start more secondary connections, filling more gaps in front of the previous main groom.
5. Free the main groom created with Secondary Bug B.
6. Send the final secondary transaction of the main connection we opened at the start. Quite likely, because of the grooming technique, the buffer for the FEAlist (the NT Buffer) is allocated in the freed space of the groom we released in the previous step. It fits perfectly.
7. The groom starts to be overwritten once we start copying the FEAs of the FEAlist into the NT buffer, because of the main bug related to the casting leading to the buffer overflow. The header and MDL of the memory consecutive srvnet buffer get overwritten with the data we want: the handler function now points to the HAL’s heap and the MDL too. The FEA copying stops when we want because the server tries to copy a FEA with an invalid flag. At that point the server sends an error message to the client.
8. The attacker because of the message now knows that the overflow was successful, and sends the DoublePulsar shellcode to the SMB connection along with a fake function handler, which instead of being stored in the srvnet buffer’s old location as data, is placed on the HAL’s heap because the MDL points there.
9. The attacker closes all the auxiliary connections sent before which created srvnet buffers in the heap. SrvNetWskReceiveComplete() is called for all the SMB connections. One of the srvnet buffers being closed is the one we overflowed, so when SrvNetWskReceiveComplete calls its handler function we move the execution flow to the HAL’s heap, where the fake function handler awaits.
10. The fake function handler moves the execution to the part of the HAL’s heap where there is the DoublePulsar’s shellcode, and since this heap has execution permissions (in fact we already executed the handler) we run it. The exploit has succeeded.
That’s it! If you’ve reached this point you should now have a solid understanding on how Eternalblue works under the hood. We decompiled the vulnerable program, studied SMB, identified the execution flow and found out how to exploit the machine. Congratulations!
Copyright & Bibliography
The Eternalblue series, including all assets, were created exclusively by me (h3xduck).
I am releasing all this material completely free to the Internet under Creative Commons Attribution 4.0 International License and, as such, you are free to redistribute it as you wish as long as you credit me. You may credit my webpage as a whole (h3xduck.github.io) providing a link to the site or you may contact me to discuss other types of credit.
Specially if you are a student like me at the time of writing this, you should be aware that some parts of this series may have been used by me to complete my own academic papers and thus are included in anti-plagiarisim databases like Turnitin’s. Unlike other online resources, you will likely get into trouble if you use my website without citation. Make sure you contact your teacher or academic supervisor before using any of the text or images here.
If you are to use my webpage under the CreativeCommons license for your own non-academic publications please provide the above warning so that no one gets into trouble.
You can find below some of the resources I used during my own research. Also, thank you for following me until here. See you on another blog post!
Resources
- Heap Grooming: guyinatuxedo.github.io
- Eternalblue white paper: risksense.com
- Eternalblue buffer overflow: www.trendmicro.com
- Eternalblue doublepulsar: medium.com/dark-roast-security
- Eternalblue DEFCON: www.youtube.com
- Eternalblue SteelCon: www.youtube.com
- Eternalblue everything-to-know: research.checkpoint.com
This work is licensed under a Creative Commons Attribution 4.0 International License.