Sunday, May 14, 2017


Reading up on how WanaDecrypt0r works but details are scarce. It looks like a heap spray^1 with an unlink exploit but no confirmation of that anywhere.

No wonder Google is investing in Fuchsia?

^1: Actually, that came from some remark I read but I disagree. It might be as trivial as unlink. That is, set up non-paged memory in a deterministic manner, exploit a buffer overrun in SMB to corrupt a part of the kernel heap, unlink into the payload. I don't see why it would need a heap spray.

EDIT: Explanation here.

No comments:

Post a Comment