by hiisukun
3317 days ago
The commentary within the Metasploit module for MS17-010 [1] should count for posting 'a reverse engineering' or at least some meaningful analysis of moving parts within the EternalBlue SMB exploit. The researchers involved are @zerosum0x0 and @JennaMagius on Twitter. Their work has been impressive (including eliminating a 10 second delay in some of the exploit chain iirc) if you ask me. Of course I don't disagree with the content of your post - it does appear that the release of a working exploit has driven the release of this malware, rather than the release of the MS patch, or a description of the vulnerability in general (such as within the CVE).

[1] https://github.com/RiskSense-Ops/MS17-010
The Metasploit eternalblue module simply runs an interpreter for a long set of commands that send massive binary blobs over the wire in a particular sequence. To me this looks like a cleaned-up Wireshark trace rather than anything based on true understanding of what it really does. As far as I can tell the only people who understand what these packets are doing to Windows are TAO and probably one or two developers at Microsoft.