[zigzigzag]

Yes they did. Nobody so far has posted a reverse engineering of exactly how EternalBlue works (I saw an article in Chinese but it was hard to tell if it had a real explanation given the auto-translate). WannaCry is simply using the actual NSA exploits, compiled, direct from the ShadowBrokers leaks, along with the DOUBLEPULSAR "implant".

[hiisukun]

The commentary within the metasploit module for MS17-010 [1] should count for posting 'a reverse engineering' or at least some meaningful analysis of moving parts within EternalBlue SMB exploit.

The researchers involved are @zerosum0x0 and @JennaMagius on twitter. Their work has been impressive (including eliminating a 10 second delay in some of the exploit chain iirc) if you ask me.

Of course I don't disagree with the content of your post - it does appear that the release of a working exploit has driven the release of this malware, rather than the release of the MS patch, or a description of the vulnerability in general (such as within the CVE).

[1] https://github.com/RiskSense-Ops/MS17-010

[zigzigzag]

I looked there. It doesn't explain anything beyond mentioning that the exploit involves heap manipulation.

The Metasploit eternalblue module simply runs an interpreter for a long set of commands that send massive binary blobs over the wire in a particular sequence. To me this looks like a cleaned up WireShark trace rather than anything based on true understanding of what it really does. As far as I can tell the only people who understand what these packets are doing to Windows are TAO and probably one or two developers at Microsoft.