WannaCry - An OS course perspective
Uploaded by: peter-troeger
MS17-010
Pool corruption
• Pools are memory regions for kernel mode code
• Used by drivers and kernel software
• Standard heap management
• Minimal protection, performance optimization
• Pool corruption: writing over the end of your allocated region
EternalBlue Exploit
• https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb
• https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a
• https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
Attacking the pool (I)
• Windows file sharing listens on port 445 for incoming SMB connections
• Network stack is kernel mode code (srvnet.sys)
• Incoming network data is stored in a kernel mode buffer from the non-paged pool
• Problem: heap allocation "fills the holes"
Attacking the pool (II)
• Approach: allocate large chunks in the pool
• Leads to "de-randomization"
• Large chunks become aligned one after the other
• Exploit triggers this by opening multiple SMB connections and sending large packets (grooming)
Overflow (I)
• Send a large initial SMB1 packet
• Kernel needs to store the received data
• srvnet.sys allocates space in the non-paged pool
• Grooming
• First connection is closed, leaving an adjacent hole
• Overflow data is sent; the hole is used
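The grooming pattern on the last two slides (one source opening many SMB connections to port 445, each starting with an unusually large packet) is something a defender can look for in connection logs. The following C program is an added example written for this page, not code from the slides or from any of the linked exploit write-ups. It assumes a constructed, whitespace-separated log format "time src dst dport first_payload_bytes", and the thresholds LARGE_PAYLOAD and CONN_THRESHOLD are assumed values that would need tuning for a real environment.

```c
#include <stdio.h>
#include <string.h>

/* Assumed thresholds for this added example: tune to the environment. */
#define SMB_PORT 445
#define LARGE_PAYLOAD 4096   /* bytes in the first packet of a connection */
#define CONN_THRESHOLD 4     /* large SMB connections from one source */
#define MAX_SOURCES 32
#define IP_LEN 16

struct source_stat {
    char ip[IP_LEN];
    int large_smb_conns;
};

/* Constructed connection-log lines (not real traffic):
 * "<t> <src_ip> <dst_ip> <dst_port> <first_payload_bytes>" */
static const char *const sample_log[] = {
    "1 10.0.0.5 10.0.0.9 445 65535",
    "1 10.0.0.5 10.0.0.9 445 65535",
    "2 10.0.0.5 10.0.0.9 445 65535",
    "2 10.0.0.7 10.0.0.9 445 120",
    "3 10.0.0.5 10.0.0.9 445 65535",
    "3 10.0.0.8 10.0.0.9 80 65535",
    "4 10.0.0.5 10.0.0.9 445 65535",
    "4 10.0.0.7 10.0.0.9 445 65535",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

static struct source_stat *find_or_add(struct source_stat *stats, int *n, const char *ip)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(stats[i].ip, ip) == 0)
            return &stats[i];
    if (*n >= MAX_SOURCES)
        return NULL;
    struct source_stat *s = &stats[(*n)++];
    strncpy(s->ip, ip, IP_LEN - 1);
    s->ip[IP_LEN - 1] = '\0';
    s->large_smb_conns = 0;
    return s;
}

/* Counts, per source, connections to port 445 whose first packet is large.
 * Returns the number of distinct sources seen; malformed lines are skipped. */
int tally_large_smb(const char *const *lines, int nlines, struct source_stat *stats)
{
    int n = 0;
    for (int i = 0; i < nlines; i++) {
        long t, bytes;
        char src[IP_LEN], dst[IP_LEN];
        int dport;
        if (sscanf(lines[i], "%ld %15s %15s %d %ld", &t, src, dst, &dport, &bytes) != 5)
            continue;
        struct source_stat *s = find_or_add(stats, &n, src);
        if (s && dport == SMB_PORT && bytes >= LARGE_PAYLOAD)
            s->large_smb_conns++;
    }
    return n;
}

/* Writes the IPs that reach CONN_THRESHOLD into out; returns how many. */
int grooming_suspects(const char *const *lines, int nlines, char out[][IP_LEN], int max_out)
{
    struct source_stat stats[MAX_SOURCES];
    int n = tally_large_smb(lines, nlines, stats);
    int found = 0;
    for (int i = 0; i < n && found < max_out; i++)
        if (stats[i].large_smb_conns >= CONN_THRESHOLD)
            strcpy(out[found++], stats[i].ip);
    return found;
}

int main(void)
{
    char hits[MAX_SOURCES][IP_LEN];
    int n = grooming_suspects(sample_log, (int)SAMPLE_LOG_LEN, hits, MAX_SOURCES);
    for (int i = 0; i < n; i++)
        printf("possible pool grooming from %s\n", hits[i]);
    return 0;
}
```

On the constructed sample only 10.0.0.5 is flagged: it opens five large connections to port 445, while 10.0.0.7 opens just one large one and 10.0.0.8's large packet goes to port 80. A real deployment would add a time window so that a busy file server with many legitimate clients is not flagged.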
Overflow (II)
• Overflow overwrites the SMB data structure stored in subsequent memory
• struct SRVNET_POOLHDR
• Contains a pointer that is called when finalizing an SMB request
• If the accidental overwriting is done right, the callback target is the data we sent before
• Close connection, kernel stack calls our function
Game over.
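The "Pool corruption" slide defines the bug class as writing over the end of your allocated region, and the two "Overflow" slides show why it matters: whatever sits in the next allocation (here the header with its callback pointer) gets overwritten. The following C program is an added example for this page, not Windows code and not taken from the slides or the linked exploits. It simulates a pool as a flat byte array with two adjacent regions, each followed by a guard word standing in for the next allocation's header, and puts the unchecked receive path beside its hardened form plus the integrity check a pool allocator could run to detect the corruption. The region sizes and guard bytes are assumed values.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed simulation of a pool (not Windows code): two adjacent
 * allocations, each REGION_DATA bytes of payload followed by a guard word
 * standing in for the next allocation's header. */
#define REGION_DATA 64
#define GUARD_LEN 4
#define REGION_TOTAL (REGION_DATA + GUARD_LEN)
#define POOL_REGIONS 2

static uint8_t pool[POOL_REGIONS * REGION_TOTAL];
static const uint8_t guard[GUARD_LEN] = { 0xA5, 0x5A, 0xA5, 0x5A };

void pool_init(void)
{
    memset(pool, 0, sizeof pool);
    for (int i = 0; i < POOL_REGIONS; i++)
        memcpy(pool + i * REGION_TOTAL + REGION_DATA, guard, GUARD_LEN);
}

uint8_t *region_data(int region)
{
    return pool + region * REGION_TOTAL;
}

/* Vulnerable receive path: trusts the length that came with the packet.
 * The only clamp is to the end of the simulated pool, so the demo stays
 * inside the array; the missing check against REGION_DATA is the defect. */
size_t receive_unchecked(int region, const uint8_t *pkt, size_t len)
{
    size_t room = sizeof pool - (size_t)region * REGION_TOTAL;
    if (len > room)
        len = room;
    memcpy(region_data(region), pkt, len);
    return len;
}

/* Hardened receive path: refuse anything the region cannot hold. */
int receive_checked(int region, const uint8_t *pkt, size_t len)
{
    if (region < 0 || region >= POOL_REGIONS || len > REGION_DATA)
        return -1;
    memcpy(region_data(region), pkt, len);
    return 0;
}

/* Integrity check: is the guard after this region still intact? */
int region_intact(int region)
{
    return memcmp(pool + region * REGION_TOTAL + REGION_DATA, guard, GUARD_LEN) == 0;
}

int pool_intact(void)
{
    for (int i = 0; i < POOL_REGIONS; i++)
        if (!region_intact(i))
            return 0;
    return 1;
}

int main(void)
{
    uint8_t pkt[80];
    memset(pkt, 'A', sizeof pkt);   /* 80 bytes aimed at a 64-byte region */

    pool_init();
    printf("checked receive: %d, pool intact: %d\n",
           receive_checked(0, pkt, sizeof pkt), pool_intact());

    pool_init();
    receive_unchecked(0, pkt, sizeof pkt);
    printf("unchecked receive: pool intact: %d, region 1 now starts with '%c'\n",
           pool_intact(), region_data(1)[0]);
    return 0;
}
```

With the hardened path the oversized packet is rejected and both guards survive; with the unchecked path the guard after region 0 is destroyed and the first bytes of region 1 are now attacker-supplied, which is exactly the situation the slides describe when the overwritten header holds a callback pointer. Guard words of this kind are what pool-integrity and "special pool" style checks rely on to turn such a write into an immediate crash rather than a silent corruption.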