From MS08-067 to EternalBlue

hi everyone thanks for coming by the way if you have a burning desire to ask something before the end of the presentation you can raise your hand and I will try to answer your questions so Who am I so my name is Dennis someone could know me as a vegan group I am exploit development and reverse engineering into just at my spare time doing pen tests as daily job have all these acronyms especially I'm proud of barbecue I'm the only one who believed that my ribs are the best not my the ribs I cook so anyway so what this talk is about solo I will try to explain in a good manner in understandable manner three zero to hero

exploits that I choose I will also analyze how this exploits its words influenced mitigation techniques presented by Microsoft well and at the end I will share my thoughts and we can speak about whether we are going to expect something similar in recent time what this talk is not about so I'm not going to blame Microsoft first of all I'm not working there the second thing is I firmly believe that building a complex software is not easier than breaking this software so second thing I'm not going to discuss conspiracy theories about the patch and why it was released so quickly I have my own opinion about this and it's not in line with conspiracy theories I'm not going

through the step-by-step Explorer development I will just show you the main interesting things for me that I found during like reverse engineering and walking through these three exploits so it shouldn't be it won't be a talk about this and B particle internal so I wouldn't bother you with loads of the details and stuff like that so however I assume you have some basic understanding of exploit development and what's actually happening there so let's start with this one so am years ago away to myself like this when I saw something like I must oh wait oh six seven the general information so this exploit then was called war mobile but it will it was used by configure so malformed RPC

request doesn't require any good knowledge of internals just fast and see what's happening playing James it reversal sequence will give you a crash then you can start using the malformed PC requests and its poor the environment at the end I will publish the presentation on the github so you can find this links so I really appreciate work of these people so explanation how it was found in the wild 40 amazing paper by MWR how they port this one to x64 it's very nice to meet and some other also cool stuff to veto so I will give some quick overview so here is the brush when we have the plane crash so we have a heap here we control it we have

some space here we also control this and values and these values why it's important I will show you on the next slide so it's it's quite straightforward it doesn't require any additional tricks to actually get the code execution so you have a crash and you over I tip at it invite bytes offset so we have several registers points to our buffer and several registers rewrite it by the value in our buffer so it's quite good you have plenty of options to choose what to do so what we gonna do we over we overwrite Eve with address so we just find in the memory Jim PE Deeks we control the exit point store buffer we have enough space not

that much space as we want for putting the actual Big Shot code we will use the account just a quick recap that the egg hunter is a it was I think the idea was came from scape and the idea was there was a small code that looking through memory pages for a special tag when it's mentioned twice on the on the on the page the execution transferred there and the rest of the show code is executed so you can put wherever you want like a meta Preta any reversal there but if you have small amount of space you cannot do this and if you cannot reach your shellcode by jumping directly there you will use that counter so we store and

the place in the that we have between beep Andy Biggs we have enough space for a counter and an ops lab we use nob sleds we jump they're not means no operation you just slide down I think knob is a chronium for their exchanging XCX so instruction is doing nothing you slide down to their country than that counter is executed find your code there and so and the rest of the things happening as I said before so what we do so we control the we jump down to our buffer jump edicts that I mentioned then we have we just use as we again the control we put here a small jump back so we just jump jump to the

knob slit then their country is executed find in our final show code somewhere else and we get the profit so again overwrite heap jump down jump back Egg hunter find the show code execution so it's quite straightforward so we have am starting from XP sp2 and 2003 sp1 we have an X bit enabled so when X actually mark the page as a code the data if it's marked as data you cannot execute the code on this page so it's a excellent paper actually it's from I think 2005 how to bypass the hardware depth and it was again done by scape and skiving skiving so idea so when the was presented some software developers were a bit surprised with that and their

software is not really working with depth it was breaking the execution of the program so they asked Microsoft and Microsoft released the thing how I can disable depth for my process so if some software is not working you still want to make it work so there should be a feature that I can disable depth so the idea was to disable depth during the execution of the process there are functions there that you can use to to disable it so so with such memory for up cores and check whether they're in the cutable area so it's actually the methods there are several methods how you can disable depth so I use the method from this paper it works fine on

my example so this is just the name of this function so where is the idea the generality is that we create the stack frame in such way that then it will pass the parameters that we need to this function and it will be it and it will enable or disable depth whatever we want I will show the debugger layout of the next slide what's actually happening there so then we return to control buffer jump back and do the rest of the things so this is how it looks like so this is the function we are interested in to disable depth this is the parameters we pass there this is the 22 is the exact parameter that will disable

depth so we go so we execute the call we get zero means that's fine and this particular exploit next steps was after this jump there is a return instruction at the end of this it will return back and we specially adjust the speed that it will still point to our buffer well but it's not in the scope of this presentation but if you have questions about how to to end it and so you can ask me and I can show you after the presentation so conclusions nothing much to say so wrong path validation easy to exploit without any protections it's also by possible using Denix so it was way you go it's quite old and

nothing but nothing much you can say about this so if we go forward so the next one I'm gonna say is when so 9 all 50 so the good thing here is it was initially found by Lauren graphene as she said in three seconds of fuzziness and be too reliable exploit was made using the trick by this amazing researcher perturb Anya I encourage you to read his paper about trampoline how he made it however if you open the Metasploit you will have the version written by stuff in here and it has some limitations so the plain idea here is there is a well unison B pockets then with no actually no checks except Czech Inferno will be used to array index and

then later this location will be pointed where our control value so it's betting as you understand for many for some period of time this thing was there was the only version by Stefan here so this is the Kudus going for these two blog posts from Lauren and this is the actual research by Peter how to make it so what's happening here so we use this function as we need to integrate this function so here we have so the problem is in exploit of Stefan here we have a fare coded address from how hip and the problem is if you run exploit against physical machine or you can against the virtual machine for example in the

virtual box you wouldn't see on this address these instructions that you need why you need these instructions this instructions will help you to actually gain control execution by switching to your SMB bucket so to your controlled will you so what's for example if I run this against the virtual box here I will find everything else and except to pop it aside so this executed or PS I read and you get the control here so to say in plain words this way we specially created in our assembly packet for few reasons the reason the main reason is that this instruction wouldn't break the execution the original magic it's called magic railing header has a different value and it will break the execution of

the exploit so this one is quite nice and start and starting from this we have some good improvements so some conclusions quick to find straight quite straightforward requires effort to make it reliable so core code addresses well probably not the best option however if you have a particular target you needed to get there right now so you can spend a bit of time on the bug and find in these dresses finding the proper dress in the how hip and get it done so I so are so cut off how memory region is not a question of SLR and Windows Server 2008 so this in order to exclude this box from future operating systems from Windows 8 we have an excel heap and non

page pool Linux so it's actually a next bit enabled for how hip and non preach pool ending so you cannot execute code there so for Windows 8 so this is a bit trickier and this exploit is a bit tricky it's required a bit of time to make it reliable so this the face of most of the system engineers when they heard about this mess like nothing good will happen to us this weekend so I'm quickly to see it so released by shadow Brokers developed by equation group 4 when I say or whatever I'm not sure who did this one so I found it's quite complicated and it's required several steps to trickle vulnerability I will

try to go through them quickly and try to make it as clear as possible for more information you can use this papers so excel paper by risk sense they show how they analyze the full exploit and they ported the exploit to the Windows 10 I think it's 1:1 507 release I'm not sure so I also good paper by Trend Micro this Chinese guy made also good analysis so you need to be careful when you read which which version of it are noble they use some of them use initial one from the first bunch some of them are using the version that was ported to Metasploit so it would be a bit different so here is a plenty of exploit

from worried and here is also am that's a the actual explore it and some clarification from package store ok general concept it's also if we go to playing details it's also quite mmm not straightforward but it you will be I will try to Dave since you'll understand it so buffer overflow on the second man move or memory see preparation so in my case I see mmm CP some other prepping systems there is use my move so I use Windows Server 2008 r2 sp1 x64 Russian version so actually the whole flow happens here the size is calculated in another function and there is an Aurora when they try to subtract the war to world so size of this list so what is this what

actually this list fear it's a file extended attribute is actually file characteristics so in reality here when this can when this new list is created with all the flow over ever so it's a quite large kernel pool allocation so because it's too big for them non lodgepole so last iteration Oh the last situation over right next memory area so we need to have these two buffers go in one by one so to achieve this both offers should be aligned in order to get this aligning that cannot cannabis should be spread all it's called groom in this case it babe it's called group roomed so we can see that all the separations go on successfully when we have that this when we have the

return from service like this starts very parameter in every exploit when you run wherever it is from the first bunch or from the Metasploit it will show you this means well everything is good we are on the way to get to the target so exploit me request several price if if this buffers would be one by one to require several tries and also I read in one of the papers that it's requires actually sometimes if it's not successful cool off time when everything will be getting back to the until you can reboot the target so this is an excellent foundation helpful from from Trend Micro site so this is the way they show how they feel and prepare this so

this is actually the grooming process how they actually prepare this non-veg spool for successful overflow so they use different chunks sending them one by one keep it get the overflow here so if you want to have more details you can speak with me after the talk and I will try to explain you as much as I can so don't next slide so this is actually what they try to show this is this this is the exact value after the whole flow so I have different offsets obviously from where because they use the different version of operating system have different offsets like this then I use them this is this show code is used by the guys in the risk sense paper so just

have this and see that this is the address where it's actually so I put initial breakpoint here and this is the start of the shell code that will be executed so it's the kernel one so conclusions and sophisticated exploits required several steps to achieve reliable execution well most of these structures undocumented so it's required some additional reverse engineering and most of this information was from the actual first bunch so people have looked at the exploit and start reversing it so in depth some political knowledge also required to see how you can interact with the driver what will be the output from there so from redstone one so this is actually these two things are from the paper when

they put when this risk sends guys posted exploit against Windows 10 this updates coming out so update them to my page entries to prevent so which table table entry system structure that they use to follow and they required to patch it to to bypass depth the last one we how hip is randomized so my slot bypass is not it's not more feasible final thoughts so I would say that the security improved very well during the past years from my point of view like reliable exploitation it works around the versions from like Windows 8 to Windows 10 like to develop this exploit it's much harder now it requires a lot of knowledge of different operating system internals I don't myself I don't

expect any new like similar vulnerabilities in nearest future until there is a new class of bugs will be used for that so for example years ago there were people who like I mean everybody was doing the state corruption at the moment they start using hip so it's like a new class well I would say also they great work so they don't only patch the operating system they also try to create prevention for actual class of bugs and get rid of them so I found it quite quite good so any questions if you have any questions just after for example of now you can catch me and we can speak about if not before I would like to thanks I would like to

thank the mink who helped me and I would like to help though to thank the organizers of this event thank you guys and thanks for your attention