EternalBlue is an exploit for the SMBv1 vulnerabilities patched in Microsoft security bulletin MS17-010 (CVE-2017-0143 through CVE-2017-0148; the bug EternalBlue itself triggers is usually cited as CVE-2017-0144). It was published by the Shadow Brokers hacker group in April 2017 and was subsequently used to spread the WannaCry and NotPetya ransomware. The exploit is widely believed to have been developed by the NSA as part of its internal attack toolkit; the Shadow Brokers leaked it, and other actors then built it into worldwide ransomware campaigns.
The exploit targets hosts that expose an SMBv1 server, which at the time included unpatched machines running Windows XP, Windows 7, Windows Server 2008, and Windows 10. With crafted request packets, a remote attacker can execute arbitrary code in the kernel of the targeted system without needing credentials. The exploit chains three individual bugs in Windows's implementation of the SMB (Server Message Block) protocol; the fix is to apply MS17-010 and, wherever possible, disable SMBv1 outright.
First, there is a type-casting error in the routine that converts a list of OS/2-style extended attributes (FEAs) into the NT format. The code records how much of the list it validated by writing a 16-bit value into a 32-bit length field, so the length that the later copy loop trusts can be larger than what the size calculation accounted for, and the copy overflows the kernel buffer allocated for the NT list. Second, reaching that miscalculation requires an extended-attribute list larger than 64 KB, which a single SMB_COM_TRANSACTION2 request cannot carry because its data counts are 16-bit fields; however, the server handles SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT (whose counts are 32-bit) with the same transaction code, so an attacker can open the transaction with an NT_TRANSACT request and deliver the rest of the data in TRANSACTION2_SECONDARY packets, smuggling an oversized list past the limit. Third, SMB lets a client make the server allocate large, attacker-sized buffers in the kernel's non-paged pool, which the exploit uses to groom (spray) the pool so that the overflow corrupts an adjacent buffer and ultimately redirects execution to shellcode.
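The following C program is an added illustration of the first bug, the 16-bit write into a 32-bit length; it is not code from the exploit or from srv.sys. The two functions are named after the driver routines they model (SrvOs2FeaListSizeToNt and SrvOs2FeaListToNt), but the entry layouts, the dry-run copy loop and the sample list are simplified constructions made for this demo. It builds an attacker-style list whose declared size is 0x10000 bytes (the oversized list that bug two makes deliverable), runs the size calculation with and without the truncating cast, and reports by how many bytes the copy loop would exceed the allocation.

```c
/* Model of the EternalBlue length-truncation bug (constructed demo, not srv.sys code). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FEA_HDR     4   /* fEA(1) cbName(1) cbValue(2) */
#define FEALIST_HDR 4   /* cbList(4) */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void     wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* Byte length of one OS/2 FEA entry: header, name plus NUL, value. */
static uint32_t fea_len(const uint8_t *e) {
    uint16_t cbValue; memcpy(&cbValue, e + 2, 2);
    return FEA_HDR + e[1] + 1 + cbValue;
}

/* Byte length of the matching NT entry (assumed: 8-byte header, name plus NUL,
 * value, rounded up to a 4-byte boundary). */
static uint32_t nt_len(const uint8_t *e) {
    uint16_t cbValue; memcpy(&cbValue, e + 2, 2);
    return (8 + e[1] + 1 + cbValue + 3) & ~3u;
}

/* Step 1, models SrvOs2FeaListSizeToNt: walk entries until one no longer fits
 * inside cbList, sum the NT size of those that fit, and write the validated
 * length back into cbList. With buggy=1 only the low 16 bits are written, as
 * in the unpatched driver; the high word keeps the attacker's value.
 * Returns the NT buffer size that would be allocated. */
uint32_t fea_list_size_to_nt(uint8_t *list, int buggy) {
    uint32_t cb_list = rd32(list);
    uint32_t off = FEALIST_HDR, nt_total = 0;
    while (off + FEA_HDR <= cb_list) {
        uint32_t len = fea_len(list + off);
        if (off + len > cb_list) break;          /* truncated entry: stop here */
        nt_total += nt_len(list + off);
        off += len;
    }
    if (buggy) wr16(list, (uint16_t)off);         /* the mis-cast write */
    else       wr32(list, off);                   /* the patched behaviour */
    return nt_total;
}

/* Step 2, models SrvOs2FeaListToNt: the copy loop trusts cbList and does no
 * per-entry check. This dry run only counts the bytes it would write and never
 * reads past buf_len, so the demo itself stays memory safe. */
uint32_t fea_list_to_nt_bytes_written(const uint8_t *list, size_t buf_len) {
    uint32_t cb_list = rd32(list), off = FEALIST_HDR, written = 0;
    while (off < cb_list) {
        if (off + FEA_HDR > buf_len) break;       /* would read past our buffer */
        written += nt_len(list + off);
        off += fea_len(list + off);
    }
    return written;
}

/* Constructed input: cbList = 0x10000, entries of 0xFFF5 bytes each, so the
 * second entry straddles the declared end of the list. */
size_t build_demo_list(uint8_t **out) {
    size_t buf_len = 0x20000;
    uint8_t *buf = calloc(1, buf_len);
    wr32(buf, 0x10000);
    for (size_t off = FEALIST_HDR; off + FEA_HDR <= buf_len; off += 0xFFF5) {
        buf[off] = 0; buf[off + 1] = 0;           /* fEA, cbName */
        wr16(buf + off + 2, 0xFFF0);              /* cbValue */
    }
    *out = buf;
    return buf_len;
}

/* Bytes by which the copy would overrun the NT buffer (0 means safe). */
long demo_overflow(int buggy) {
    uint8_t *buf; size_t n = build_demo_list(&buf);
    uint32_t alloc = fea_list_size_to_nt(buf, buggy);
    uint32_t write = fea_list_to_nt_bytes_written(buf, n);
    free(buf);
    return (long)write - (long)alloc;
}

int main(void) {
    printf("unpatched: copy exceeds allocation by %ld bytes\n", demo_overflow(1));
    printf("patched:   copy exceeds allocation by %ld bytes\n", demo_overflow(0));
    return 0;
}
```

With the truncating write, cbList goes from 0x00010000 to 0x0001FFF9 instead of 0x0000FFF9, so the copy loop walks two more entries than the allocation covers; with a full 32-bit write the two sizes agree. Note that the declared length must exceed 0xFFFF for the high word to survive, which is exactly why the second bug (getting more than 64 KB of transaction data to the server) is needed.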