Eternalromace Exploit process

The Eternalromance module in the NSA is a vulnerability exploit tool for SMB services in Windows that targets cve-2017-0145.

When SMB is processing a request for the smb_com_transaction command, if the content sent exceeds the maximum length, it needs to use the Smb_com_transaction_secondary command to request the data after it is sent, as shown in the function smb_com_ Transaction_secondary can obtain the corresponding correct smb_com_transaction (mainly by judging whether the Pid,mid,tid and UID of two packets are consistent), the vulnerability function handles the corresponding smb_com_write in the SMB protocol. The _ANDX command is also invoked when the processing of the mid domain is confused, constructing a maliciously smb_com_write_andx packet, making the smb_com_write_andx->fid=smb_com_transaction- >mid, the wrong transcation is returned (the transcation should have been returned to the smb_com_transaction_secondary request).

The Indata field of the transcation is increased in length in subsequent code.

When processing the request packet of the Smb_com_transaction_secondary command later, there is a possibility of cross-writing when data stitching occurs.

The length of the Indata is modified as shown.

The overall use of the function call relationship is as follows:

The corresponding memory layout diagram.

Here are the related breakpoints that I used to monitor the entire utilization process (in-memory, code), Note that different versions of Srv.sys offsets may be inconsistent (my version here is 5.1.2600.5671, the corresponding vulnerability file is placed on the cloud disk, interested can directly see this version of Https://pan.baidu.com/s/1slM36Zb).

BP srvsmbtransactionsecondary". printf \ "Srvsmbtransactionsecondaryexectures:\";. Echo;g"BP srvsmbtransactionsecondary+0x26d ". printf \ "Srvsmbtransactionsecondaryexectures writeoption:\";. echo DES;DC poi (ESP);. echo SRC;DC poi (esp+4);. if (POI (esp+4)) =0x40000023|poi (POI (esp+4)) =0x00000000) {. Echo;r;. ECHO;DC esp;. Echo;u EIP;. ECHO;G}.ELSE{.ECHO;G}"BP srvfindtransaction". printf \ "Srvfindtransaction exectures:\";. Echo;g"BP srvsmbwriteandx". printf \ "Srvsmbwriteandx exectures:\";. Echo;g"BP srvsmbwriteandx+0x659 ". printf \ "Srvsmbwriteandx extend the size:\";. Echo;r;. ECHO;DC esp;. Echo;u EIP;. Echo;g"BP srvcompleteexecutetransaction". printf \ "Srvcompleteexecutetransaction exectures:\";. Echo;g"BP srvcompleteexecutetransaction+0x52a8 ". printf \ "Srvcompleteexecutetransaction readoption:\";. echo DES;DC poi (ESP);. echo SRC;DC poi (esp+4);. Echo;r;. ECHO;DC esp;. Echo;u EIP;. Echo;g"BP executetransaction". printf \ "Executetransaction exectures:\";. Echo;g"BP executetransaction+0x5a ". printf \ "Executetransaction get Poolpage:\";. ECHO;DC esi L30;. Echo;r;. ECHO;DC esp;. Echo;u EIP;. Echo;g"BP srvpeeknamedpipe". printf \ "Srvpeeknamedpipe exectures:\";. Echo;g"BP restartpeeknamedpipe". printf \ "Restartpeeknamedpipe exectures:\";. Echo;g"BP restartpeeknamedpipe+0x5f ". printf \ "Restartpeeknamedpipe set Writeleak datacount:\";. Echo;r;. ECHO;DC esp;. Echo;u EIP;. ECHO;DC ecx-1200 LA00;. Echo;g"

Reference links

Http://m.bobao.360.cn/learning/detail/3747.html

Reprint please indicate the source

Eternalromace Exploit process