WannaCry An OS course perspective

Uploaded by: peter-troeger
Posted on: 28-Jan-2018


TRANSCRIPT

Page 1: WannaCry - An OS course perspective



MS17-010

Page 6

Pool corruption

• Pools are memory regions for kernel mode code
• Used by drivers and kernel software
• Standard heap management
• Minimal protection: optimized for performance, not hardened against misuse
• Pool corruption: writing past the end of your allocated region into the neighbouring allocation

Page 8

Attacking the pool (I)

• Windows file sharing listens on port 445 for incoming SMB connections
• The SMB server's network layer is kernel mode code (srvnet.sys)
• Incoming network data is stored in kernel mode buffers taken from the non-paged pool
• Problem for the attacker: heap allocation "fills the holes", so it is not predictable which buffer ends up next to which

Page 9

Attacking the pool (II)

• Approach: allocate many large chunks in the pool
• Leads to "de-randomization" of the pool layout
• Large chunks end up aligned one after the other
• The exploit triggers this by opening multiple SMB connections and sending large packets (grooming)

Page 10

Overflow

• Send a large initial SMB1 packet
• The kernel needs to store the received data
• srvnet.sys allocates space in the non-paged pool
• Grooming: several connections, each sending a large packet, so the buffers lie back to back
• The first connection is closed, leaving a hole adjacent to the next buffer
• The overflow data is sent; its buffer is placed in the hole

Page 11

Overflow

• The overflow overwrites an SMB data structure stored in the memory that follows the buffer
• struct SRVNET_POOLHDR
• Contains a pointer that is called when an SMB request is finalized
• If the overwrite is crafted correctly, the callback target is data we sent before
• Close the connection: the kernel calls our function
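The grooming-and-overflow sequence of pages 8 to 11, as an added, self-contained simulation in C. It is not code from the slides or from the real exploit: the pool, its first-fit allocator, the chunk header with its finalize callback, the 64-byte payload size and the function names are all constructed for illustration. In the real exploit the overwritten pointer targets shellcode sitting in a groomed buffer; here it points at a harmless function that only records that it was reached. The hardened receive path beside the vulnerable one shows the single length check that breaks the chain.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_SZ 64   /* payload bytes per chunk (constructed value, not the real size) */
#define NSLOTS  8    /* size of the simulated non-paged pool */

/* One pool chunk: a header holding the callback that runs when the request is
 * finalized, followed by the payload received from the network. The header of
 * chunk i+1 sits directly after the payload of chunk i. (Hypothetical layout.) */
typedef struct chunk {
    void (*on_finalize)(struct chunk *);
    uint8_t data[DATA_SZ];
} chunk_t;

static chunk_t pool[NSLOTS];   /* contiguous, like a run of same-sized pool blocks */
static int     in_use[NSLOTS];
static int     attacker_ran;   /* set when the attacker's callback gets control */

static void normal_finalize(chunk_t *c)   { (void)c; }                   /* legitimate callback */
static void attacker_finalize(chunk_t *c) { (void)c; attacker_ran = 1; } /* stands in for shellcode */

/* Raw byte view of a chunk's payload; the copy below writes through this
 * pointer with no idea where the payload ends. */
static uint8_t *payload_of(int i) {
    return (uint8_t *)pool + (size_t)i * sizeof(chunk_t) + offsetof(chunk_t, data);
}

/* First-fit allocator: a freed chunk is the first one handed out again ("fills the holes"). */
static int pool_alloc(void) {
    for (int i = 0; i < NSLOTS; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            pool[i].on_finalize = normal_finalize;
            memset(pool[i].data, 0, DATA_SZ);
            return i;
        }
    }
    return -1;
}

/* Deliberately vulnerable receive path: copies len bytes without checking len <= DATA_SZ. */
static void receive_vulnerable(int i, const uint8_t *src, size_t len) {
    memcpy(payload_of(i), src, len);
}

/* Hardened receive path: refuses anything that does not fit the buffer. */
static int receive_fixed(int i, const uint8_t *src, size_t len) {
    if (len > DATA_SZ) return -1;
    memcpy(payload_of(i), src, len);
    return 0;
}

/* "Close connection": the request is finalized through the pointer in the header. */
static void close_connection(int i) {
    pool[i].on_finalize(&pool[i]);
    in_use[i] = 0;
}

/* Runs the attack; returns 1 if the attacker's callback was reached, 0 otherwise. */
int run_attack(int hardened) {
    attacker_ran = 0;
    memset(in_use, 0, sizeof in_use);

    /* 1. Grooming: several connections each send a large packet; with a first-fit
     *    allocator their buffers are handed out back to back. */
    int conn[4];
    for (int k = 0; k < 4; k++) conn[k] = pool_alloc();

    /* 2. Close the first connection: its chunk becomes a hole directly before conn[1]. */
    close_connection(conn[0]);

    /* 3. Oversized packet: DATA_SZ filler bytes, then a pointer that will land on the
     *    next chunk's header. In the real exploit this would point into groomed data. */
    uint8_t packet[DATA_SZ + sizeof(void *)];
    memset(packet, 'A', DATA_SZ);
    void (*target)(chunk_t *) = attacker_finalize;
    memcpy(packet + DATA_SZ, &target, sizeof target);

    /* 4. The new connection's buffer lands in the hole; the copy overruns into conn[1]. */
    int hole = pool_alloc();
    if (hardened) {
        if (receive_fixed(hole, packet, sizeof packet) < 0) in_use[hole] = 0; /* packet dropped */
    } else {
        receive_vulnerable(hole, packet, sizeof packet);
    }

    /* 5. Closing the victim connection calls whatever pointer now sits in its header. */
    close_connection(conn[1]);
    return attacker_ran;
}

int main(void) {
    printf("vulnerable pool: attacker callback reached = %d\n", run_attack(0));
    printf("hardened pool:   attacker callback reached = %d\n", run_attack(1));
    return 0;
}
```

The first-fit allocator is what makes step 4 deterministic: once the groomed chunks sit back to back, freeing one guarantees that the next allocation of the same size reuses exactly that hole, which is the property the slides call de-randomization.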

Page 12

Game over.