This is a written assignment for Noroff University on the EternalBlue exploit.

Introduction

EternalBlue is an exploit developed by the National Security Agency (NSA). It was leaked by a hacker group known as the Shadow Brokers on April 14th, 2017, as one of more than twenty professional, advanced hacking tools in that leak. It exploited a zero-day vulnerability in the Server Message Block (SMB) protocol that was present in almost every Windows version prior to Windows 8. The exploit allows privilege escalation, lateral movement, and arbitrary code execution on vulnerable machines.

EternalBlue exploits a memory overflow in the srv2.sys driver that implements the SMB protocol, specifically an overflow in the Non-Paged Pool. It triggers the overflow with a malformed NT Trans2 packet header. The malformed header includes a pointer to the section of memory holding the embedded shellcode; by taking control of the execution flow of srv2.sys, the exploit redirects it to that shellcode, which in turn executes the payload.
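As an added example that is not part of the assignment, the check below takes a defender's view of the traffic the exploit rides on: it parses the SMBv1 header, flags sources that send several NT Transact / Transaction2 commands (MS-CIFS command codes, assumed here to be what the text calls the "NT Trans2" packet), and reports messages whose NetBIOS length field disagrees with the bytes actually received. The sample messages and addresses are constructed inline.

```python
import struct
from collections import Counter

SMB1_MAGIC = b"\xffSMB"
# SMBv1 command codes from MS-CIFS: Transaction2 (+secondary) and NT Transact (+secondary);
# assumed to be what the text calls the "NT Trans2" packets
TRANSACTION_COMMANDS = {0x32, 0x33, 0xA0, 0xA1}

def parse_smb1(data: bytes):
    """Parse one NetBIOS session message; return header fields, or None if it is not SMBv1."""
    # 4-byte NetBIOS session header (type, 24-bit big-endian length), then the 32-byte SMB header
    if len(data) < 36 or data[4:8] != SMB1_MAGIC:
        return None
    declared_len = int.from_bytes(data[1:4], "big")
    command = data[8]
    tid, pid, uid, mid = struct.unpack_from("<HHHH", data, 28)  # trailing header fields
    return {
        "command": command, "tid": tid, "pid": pid, "uid": uid, "mid": mid,
        # a length field that disagrees with the bytes on the wire marks a malformed header
        "length_ok": declared_len == len(data) - 4,
    }

def flag_smb1_transactions(messages, threshold=2):
    """Count SMBv1 transaction commands per source; return (sources at/above threshold, malformed)."""
    counts, malformed = Counter(), []
    for src, data in messages:
        hdr = parse_smb1(data)
        if hdr is None:
            continue  # SMBv2/3 or non-SMB traffic is out of scope for this check
        if not hdr["length_ok"]:
            malformed.append((src, hdr["command"]))
        if hdr["command"] in TRANSACTION_COMMANDS:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}, malformed

def build_smb1(command: int, mid: int = 1, length_delta: int = 0) -> bytes:
    """Construct a minimal header-only SMBv1 message for the sample traffic below."""
    hdr = (SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + b"\x18" + b"\x00" * 14
           + struct.pack("<HHHH", 0, 0xFEFF, 0, mid))
    return b"\x00" + (len(hdr) + length_delta).to_bytes(3, "big") + hdr

# constructed sample traffic: (source address, raw message)
SAMPLE = [
    ("10.0.0.5", build_smb1(0xA0, mid=1)),            # NT Transact
    ("10.0.0.5", build_smb1(0x32, mid=2)),            # Transaction2
    ("10.0.0.6", build_smb1(0x72)),                   # Negotiate, benign
    ("10.0.0.7", build_smb1(0xA0, length_delta=40)),  # NT Transact with a lying length field
    ("10.0.0.8", b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x00" * 60),  # SMBv2, ignored
]
```

Running `flag_smb1_transactions(SAMPLE)` reports 10.0.0.5 for repeated transaction commands and 10.0.0.7 for the inconsistent length field; the SMBv2 message is skipped.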