WannaCry - An OS course perspective
MS17-010
Pool corruption
• Pools are memory regions for kernel mode code
• Used by drivers and kernel software
• Standard heap management
• Minimal protection, performance optimization
• Pool corruption: Writing over the end of your allocated region
EternalBlue Exploit
• https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb
• https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a
• https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
Attacking the pool (I)
• Windows file sharing listens on port 445 for incoming SMB connections
• Network stack is kernel mode code (srvnet.sys)
• Incoming network data is stored in a kernel mode buffer taken from the non-paged pool
• Problem: heap allocation "fills the holes"
Attacking the pool (II)
• Approach: allocate large chunks in the pool
• Leads to "de-randomization"
• Large chunks become aligned one after the other
• Exploit triggers this by opening multiple SMB connections and sending large packets (grooming)
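The OS-course point behind "de-randomization" is that a plain first-fit pool with no randomization is deterministic: same-size requests land back to back, and a freed chunk is reused by the next request of that size. The toy allocator below is an added illustration written for this transcript, not code from the slides or from Windows; the arena, chunk header and sizes are constructed. It shows why allocator hardening and randomization are aimed at exactly this predictability.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy arena standing in for a non-paged pool (not Windows code). */
#define ARENA_SIZE 4096
#define HDR_SIZE   sizeof(struct chunk)

struct chunk {
    size_t size;   /* usable bytes following this header */
    int    in_use; /* 1 = allocated, 0 = free (a "hole") */
};

static _Alignas(16) uint8_t arena[ARENA_SIZE];

/* Reset the arena to a single free chunk. */
void pool_init(void) {
    struct chunk *c = (struct chunk *)arena;
    c->size = ARENA_SIZE - HDR_SIZE;
    c->in_use = 0;
}

/* First-fit allocation: take the first free chunk that is big enough and split off the rest. */
void *pool_alloc(size_t n) {
    uint8_t *p = arena;
    while (p < arena + ARENA_SIZE) {
        struct chunk *c = (struct chunk *)p;
        if (!c->in_use && c->size >= n) {
            if (c->size >= n + HDR_SIZE + 1) {      /* room to split the remainder off */
                struct chunk *rest = (struct chunk *)(p + HDR_SIZE + n);
                rest->size = c->size - n - HDR_SIZE;
                rest->in_use = 0;
                c->size = n;
            }
            c->in_use = 1;
            return p + HDR_SIZE;
        }
        p += HDR_SIZE + c->size;
    }
    return NULL;
}

/* Free without coalescing: the hole keeps its exact size, so a same-size request refills it. */
void pool_free(void *ptr) {
    struct chunk *c = (struct chunk *)((uint8_t *)ptr - HDR_SIZE);
    c->in_use = 0;
}

/* Returns 1 if three same-size allocations are contiguous and freeing the middle one
   leaves a hole that the next same-size allocation lands in. */
int groomed_layout_is_predictable(void) {
    pool_init();
    uint8_t *a = pool_alloc(512);
    uint8_t *b = pool_alloc(512);
    uint8_t *c = pool_alloc(512);
    int adjacent = (b == a + 512 + HDR_SIZE) && (c == b + 512 + HDR_SIZE);
    pool_free(b);                     /* "close a connection": hole between a and c */
    uint8_t *d = pool_alloc(512);     /* next same-size buffer fills that hole */
    return adjacent && d == b;
}

int main(void) {
    printf("layout predictable: %d\n", groomed_layout_is_predictable());
    return 0;
}
```

The interesting property is not the toy allocator itself but the absence of any randomness in it: every address is a function of the request sequence alone, which is what lets a sequence of large allocations and one free produce a known layout.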
Overflow
• Send a large initial SMB1 packet
• Kernel needs to store the received data
• srvnet.sys allocates space in the non-paged pool
• Grooming
• First connection is closed, leaving an adjacent hole
• Overflow data is sent; the hole is reused
Overflow
• Overflow overwrites the SMB data structure stored in the subsequent memory
• struct SRVNET_POOLHDR
• Contains a pointer that is called when finalizing an SMB request
• If the "accidental" overwrite is done right, the callback target is the data sent before
• Close the connection, and the kernel stack calls our function
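The "Pool corruption" slide defines the bug class (writing past the end of your allocated region) and this slide shows its consequence (a neighbouring header with a callback pointer gets clobbered). The example below is an added illustration written for this transcript, not code from the slides, from Windows or from srvnet.sys: the slot layout, the `pool_hdr` struct (which is not the real SRVNET_POOLHDR), the magic value and the 80-byte payload are all constructed. It places a 64-byte receive region directly in front of a header holding a completion callback, copies once trusting the sender's length field and once bounded by the allocation size, and checks header integrity afterwards rather than ever calling the pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*completion_fn)(void);

/* Constructed header that sits right after the receive data in the same pool slot.
   Stand-in for "a structure with a finalization callback"; not the real SRVNET_POOLHDR. */
struct pool_hdr {
    uint32_t      magic;    /* integrity marker */
    completion_fn on_done;  /* called when the request is finalized */
};

#define DATA_SIZE 64
#define SLOT_SIZE (DATA_SIZE + sizeof(struct pool_hdr))
#define HDR_MAGIC 0x48445250u   /* constructed marker value */

static void legit_completion(void) { }

/* Lay out one slot: DATA_SIZE bytes of receive space followed by the header. */
static void slot_init(uint8_t *slot) {
    struct pool_hdr h = { HDR_MAGIC, legit_completion };
    memset(slot, 0, SLOT_SIZE);
    memcpy(slot + DATA_SIZE, &h, sizeof h);
}

/* Vulnerable pattern: the copy length comes from the packet's own length field. */
void recv_unchecked(uint8_t *slot, const uint8_t *pkt, size_t declared_len) {
    memcpy(slot, pkt, declared_len);   /* declared_len > DATA_SIZE runs into the header */
}

/* Hardened pattern: the copy is bounded by the allocation, never by the sender. */
int recv_checked(uint8_t *slot, const uint8_t *pkt, size_t declared_len) {
    if (declared_len > DATA_SIZE)
        return -1;                     /* reject the packet instead of overflowing */
    memcpy(slot, pkt, declared_len);
    return 0;
}

/* Integrity check a driver could run before honouring the callback. */
int hdr_intact(const uint8_t *slot) {
    struct pool_hdr h;
    memcpy(&h, slot + DATA_SIZE, sizeof h);
    return h.magic == HDR_MAGIC && h.on_done == legit_completion;
}

/* Returns 1 if trusting the declared length corrupted the neighbouring header. */
int unchecked_corrupts_header(void) {
    uint8_t slot[SLOT_SIZE];
    uint8_t pkt[SLOT_SIZE];
    memset(pkt, 0x41, sizeof pkt);     /* constructed oversize payload */
    slot_init(slot);
    recv_unchecked(slot, pkt, sizeof pkt);
    return !hdr_intact(slot);
}

/* Returns 1 if the bounded copy rejected the payload and left the header untouched. */
int checked_preserves_header(void) {
    uint8_t slot[SLOT_SIZE];
    uint8_t pkt[SLOT_SIZE];
    memset(pkt, 0x41, sizeof pkt);
    slot_init(slot);
    int rc = recv_checked(slot, pkt, sizeof pkt);
    return rc == -1 && hdr_intact(slot);
}

int main(void) {
    printf("unchecked copy corrupts header: %d\n", unchecked_corrupts_header());
    printf("checked copy preserves header:  %d\n", checked_preserves_header());
    return 0;
}
```

The defensive takeaway is the one-line difference between the two copy routines: the bound must come from the size of the region the kernel allocated, not from a field the remote peer controls. The integrity check is a second line of defence; a header whose callback no longer matches what the driver stored should never be invoked.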
Game over.