
WannaCry - An OS course perspective

A short presentation of the WannaCry ransomware case. It was presented as part of my operating systems course.


  1. WannaCry: An OS course perspective

  2. MS17-010

  3. Pool corruption
     • Pools are the kernel-mode heap: memory regions used by drivers and other kernel software
     • Standard heap management, optimised for performance, with minimal protection
     • Pool corruption: writing past the end of your allocated region into the neighbouring chunk

  4. EternalBlue exploit
     • https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb
     • https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a
     • https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

  5. Attacking the pool (I)
     • Windows file sharing listens on port 445 for incoming SMB connections
     • The SMB server runs as kernel-mode code (srvnet.sys)
     • Incoming network data is stored in kernel-mode buffers allocated from the non-paged pool
     • Problem for the attacker: heap allocation "fills the holes", so where a fresh buffer lands is not predictable

  6. Attacking the pool (II)
     • Approach: allocate large chunks in the pool
     • This "de-randomises" the layout: large chunks end up aligned one after another
     • The exploit triggers this by opening multiple SMB connections and sending large packets (grooming)

  7. Overflow
     • Send a large initial SMB1 packet
     • The kernel needs to store the received data
     • srvnet.sys allocates space for it in the non-paged pool
     • Grooming
     • The first connection is closed, leaving a hole adjacent to the remaining buffers
     • The overflow data is sent; the hole is reused for it

  8. Overflow
     • The overflow overwrites the SMB data structure stored in the adjacent chunk
     • struct SRVNET_POOLHDR
     • It contains a pointer that is called when an SMB request is finalised
     • If the overwrite is laid out precisely, the callback target is the data we sent before
     • Close the connection: the kernel calls our function
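The grooming-and-overflow sequence of slides 5 to 8, as an added user-mode C model that is not part of the slides and not taken from the EternalBlue code. It is a toy: the pool is an array of fixed-size chunks handed out first-fit (so a freed slot is refilled before a fresh one, "filling the hole"), `struct hdr`, `recv_into`, the chunk size and the callback type are all invented stand-ins for the kernel structures the slides name, and `attacker_payload` stands in for shellcode. What it does show is the mechanism itself: an unbounded copy into one chunk overwrites the in-band header of the next chunk, and finalising that neighbour calls through the pointer we wrote. A length-checked copy is included beside it as the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy "non-paged pool": NUM_CHUNKS fixed-size chunks laid out back to back.
 * CHUNK_SIZE and the header layout are model values, not Windows' (assumption). */
#define CHUNK_SIZE 256
#define NUM_CHUNKS 8

typedef int (*finalize_cb)(void);

struct hdr {                 /* in-band header; stands in for the SMB structure on slide 8 */
    uint32_t    magic;
    finalize_cb on_finalize; /* called when the request for this buffer is finalised */
};

struct chunk {
    struct hdr    hdr;
    unsigned char payload[CHUNK_SIZE - sizeof(struct hdr)];
};

static struct chunk pool[NUM_CHUNKS]; /* chunk i+1 directly follows chunk i in memory */
static int          in_use[NUM_CHUNKS];

static void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
}

/* First-fit allocation: the lowest free slot is handed out, so a slot freed by
 * closing a connection is reused before any untouched slot ("fills the holes"). */
static int pool_alloc(finalize_cb cb) {
    for (int i = 0; i < NUM_CHUNKS; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            pool[i].hdr.magic = 0x534D42u; /* "SMB" */
            pool[i].hdr.on_finalize = cb;
            return i;
        }
    }
    return -1;
}

static void pool_free(int slot) { in_use[slot] = 0; }

/* Models the kernel copying received bytes into connection `slot`'s buffer.
 * It trusts `len` (the bug under study): anything beyond the payload area
 * lands on pool[slot + 1].hdr. Writing is done through a byte pointer into the
 * single `pool` object so the model itself stays within defined behaviour. */
static void recv_into(int slot, const unsigned char *data, size_t len) {
    unsigned char *dst = (unsigned char *)pool
                       + (size_t)slot * sizeof(struct chunk)
                       + offsetof(struct chunk, payload);
    memcpy(dst, data, len);
}

/* Hardened variant: refuse anything that does not fit the payload area. */
static int recv_into_checked(int slot, const unsigned char *data, size_t len) {
    if (len > sizeof pool[slot].payload) return -1;
    recv_into(slot, data, len);
    return 0;
}

static int finalize_request(int slot) { return pool[slot].hdr.on_finalize(); }

static int benign_finalize(void)  { return 0; }
static int attacker_payload(void) { return 0x1337; } /* stands in for shellcode */

/* Slides 6-8 end to end; returns whatever finalising the victim calls back into. */
static int groom_and_overflow(void) {
    pool_reset();

    /* 1. Grooming: several connections with large packets -> adjacent chunks. */
    int conn[4];
    for (int i = 0; i < 4; i++) conn[i] = pool_alloc(benign_finalize);

    /* 2. Close the first connection: a hole directly before conn[1]. */
    pool_free(conn[0]);

    /* 3. The next allocation of the same size fills that hole. */
    int hole   = pool_alloc(benign_finalize); /* same slot as conn[0] */
    int victim = conn[1];

    /* 4. Send payload-area-sized filler plus a forged header; the forged part
     *    spills exactly onto pool[victim].hdr and replaces its callback. */
    unsigned char overflow[sizeof(pool[0].payload) + sizeof(struct hdr)];
    memset(overflow, 'A', sizeof(pool[0].payload));
    struct hdr forged = { 0x534D42u, attacker_payload };
    memcpy(overflow + sizeof(pool[0].payload), &forged, sizeof forged);
    recv_into(hole, overflow, sizeof overflow);

    /* 5. Closing the victim connection finalises its request: the "kernel"
     *    now calls through the pointer we placed. */
    return finalize_request(victim);
}

int main(void) {
    int r = groom_and_overflow();
    printf("finalize returned 0x%x: %s\n", r,
           r == attacker_payload() ? "attacker callback ran" : "benign path");
    return 0;
}
```

The two things to take from the model are that the attacker never touches the victim's header directly (only its own buffer, with too many bytes), and that the fix is not in the header but in the copy: `recv_into_checked` makes the same grooming harmless because the spill is rejected before it reaches the neighbour.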
  9. Game over.