A short presentation of the WannaCry ransomware case. Was presented as part of my operating systems course.

1. WannaCry
An OS course perspective

5. MS17-10

6. Pool corruption
• Pools are memory regions for kernel mode code
• Used by drivers and kernel software
• Standard heap management
• Minimal protection, performance optimization
• Pool corruption: Writing over the end of your
allocated region

7. EternalBlue Exploit
• https://github.com/RiskSense-Ops/MS17-010/blob/
master/exploits/eternalblue/
ms17_010_eternalblue.rb
• https://gist.github.com/worawit/
bd04bad3cd231474763b873df081c09a
• https://securingtomorrow.mcafee.com/executive-
perspectives/analysis-wannacry-ransomware-
outbreak/

8. Attacking the pool (I)
• Windows file sharing listens on port 445 for
imcoming SMB connections
• Network stack is kernel mode code (srvnet.sys)
• Incoming network data is stored in kernel mode
buffer from the non-paged pool
• Problem: Heap allocation ‚fills the holes‘

9. Attacking the pool (II)
• Approach: Allocate large chunks in pool
• Leads to ‚de-randomization‘
• Large chunks become aligned one after the
other
• Exploit triggers this by opening multiple SMB
connections and sending large packages
(grooming)

10. Overflow
• Send large initial SMB1 package
• Kernel needs to store received data
• srvnet.sys allocates space in non-paged pool
• Grooming
• First connection is closed, leaving adjacent hole
• Sending of overflow data, hole is used

11. Overflow
• Overflow overwrites SMB data structure stored in
subsequent memory
• struct SRVNET_POOLHDR
• Contains a pointer being called when finalizing a
SMB request
• If accidental overwriting is done right, then the
callback target is the data we sent before
• Close connection, kernel stack calls our function

12. Game over.